IIM Lucknow Faculty Develops Framework to Guide SaaS Adoption in Regulated Industries

Business MInutes

Researchers at Indian Institute of Management Lucknow led by Prof. Arunabha Mukhopadhyay, Information Technology and Systems department, have developed a new framework to guide organisations in India’s capital markets and banking sectors in adopting Software-as-a-Service (SaaS) technologies. While SaaS is widely used globally, its adoption in India, particularly among regulated industries, has been slower. The research delves into the reasons for this hesitation and offers insights into how firms assess the risks involved in adopting SaaS.


The findings of this study have been published in the prestigious Journal of Organisational Computing and Electronic Commerce, in a paper co-authored by Prof. Arunabha Mukhopadhyay from IIM Lucknow, Prof. Swati Jain from IIM Amritsar, and Mr. Shubhendu Dutta, PhD candidate, IIM Kashipur.


SaaS refers to cloud-based services that deliver software applications over the internet, eliminating the need for organisations to install and maintain software on their own servers. Popular SaaS applications include Google Drive and Microsoft 365. While SaaS offers cost savings and flexibility, its adoption in India has been slow, especially in highly regulated industries, due to concerns over data security, privacy, and compliance with stringent regulations.


IIM Lucknow research addresses these concerns by introducing a risk-based IT governance framework, designed to help organisations in regulated sectors assess the risks associated with using cloud-based software. The framework focuses on how top management makes these decisions, especially about data security, loss of control, and regulatory compliance. Researchers have found that the decision to adopt SaaS within an organisation depends on two key factors:


The top management’s approach to risk, including their preferences, problem framing, decision-making domain, and considerations for data security


The organisational practices in place, such as the IT governance archetype and risk management processes. Building on these insights, the study developed a risk score for a capital market firm, enabling it to effectively weigh the potential benefits and risks associated with SaaS adoption.


Prof. Arunabha Mukhopadhyay and his team found that decisions about adopting SaaS in regulated industries depend largely on how leadership views and manages risks. The researchers developed a model that considers factors such as the organisation’s risk tolerance, security measures, and internal processes. If the perceived risks are deemed too high, the model suggests taking steps to mitigate them before adopting SaaS. If the risks are manageable, the organisation can proceed with the adoption.


Explaining the study, Prof. Mukhopadhyay said, “Our study, which includes a case study of a capital market firm, shows that organisations make decisions about SaaS adoption not just by evaluating the technology itself but by carefully assessing the risks involved. We emphasise the importance of managing risks related to data security and regulatory compliance. The framework we developed helps organisations evaluate these risks and make more informed decisions about whether to adopt SaaS.”


The practical implications of the study are significant. SaaS providers can leverage these findings to tailor their offerings to better meet the needs of companies in regulated industries, addressing their security and compliance concerns. For organisations, especially in banking and capital markets, understanding how to evaluate and manage risks will help them adopt SaaS solutions more confidently.


This research contributes to a deeper understanding of the factors influencing technology adoption, particularly in sectors where regulatory requirements and security concerns are paramount.

#buttons=(Ok, Go it!) #days=(20)

Our website uses cookies to enhance your experience. Check Now
Ok, Go it!