How to Move Critical Business Processes to the Cloud

How effectively does your organization support remote work?  The current Coronavirus pandemic is testing many businesses’ ability to remain productive and effective while remote. Beyond the social impact, many are experiencing difficulty, slowness, or inability to execute critical business processes in this time of social distancing.

What can you do?

AAFCPAs advises clients to take the following approach to identify and prioritize the processes, systems, and resources that should be addressed first:

Form a team.  Before any type of plan can be produced, a small team should be established and charged with the responsibility of setting priorities and making decisions. The team should be empowered to make decisions. The team should include leaders in the organization with cross-functional representation to ensure there is a depth of knowledge of the functions and services provided by the organization.

Identify and prioritize the services you must continue to provide.  We advise our clients to facilitate meetings to identify the services you must continue to provide. Once these services are identified, they should be categorized into customer or constituent facing, and not customer or constituent facing. This will begin to help employees understand priorities.

Services should be rated based on business impact. Categories such “critical,” “essential,” and “complementary” are most commonly used. This categorization helps stakeholders understand how to prioritize bringing operations back online, and on what timeline.

These three categories may seem simple enough to apply; however, in our experience, we have observed that individuals need some definition or criteria to apply.

  • Critical functions are those that must be restored for the business or organization to provide a minimal level of service to their customers or constituents. These are normally the functions that produce revenue.
  • Essential functions provide for ongoing health of the business and enhance the level of service.  These functions would not cause the business to cease operations in the short term but would cause extensive issues or disruption if not restored shortly thereafter the critical items.
  • Complementary functions are those that provide for comfort and reliability of operations or may contribute to ancillary processes.

Identify who is needed to deliver the services.  In order to provide services, the organization needs to identify which job functions are tasked with delivering the services. In a crisis, one must also consider the circumstances and limitations of the individual staff charged with delivering the services. In some cases, these circumstances may be confidential. Contingencies should also be considered in the event the designated employee is no longer able to perform the job function. AAFCPAs recommends that Human Resources be involved, especially at this step of the process.

Identify what tools are needed.  Many organizations still rely heavily on paper to drive a portion of their business.  Some organizations rely on applications only accessible from the office. We also see a mix of desktops and laptops in these environments.  With the extensive “non-essential” business closures, your employees may be unable to go to the office.

IT companies are deemed essential and may be able to enter your office to resolve issues impeding remote work.  To do this, the organization must determine what tools are needed in order to function.

Determine the gaps in tools.  Gaps in tools may include hardware such as laptops, remote access tools such as a VPN or Citrix, or access to applications.  Once your gaps are identified, we advise clients to consult with their IT departments or with AAFCPAs’ Business & IT Consulting to determine pragmatic ways to fill the gaps.  Those gaps can often be filled with cloud software or third party services.

AAFCPAs advises clients to remain vigilant about how filling a gap may create a security risk. Printing at home sounds like an innocuous activity, but if the data printed contains personally identifiable or personal health information then the activity may be a HIPAA violation. Allowing employees to use their personal laptops may also sound like a quick fix. However, unless the organization can determine and enforce a baseline security configuration on those devices, short term access could yield greater issues such as viruses, malware, and ransomware. AAFCPAs advises clients to create a pragmatic game plan while being attentive to the risks.  If the organization does not feel confident in assessing the security implications, they can reach out to AAFCPAs’ Business and IT Consulting practice which provides technology security and employs a Certified Ethical Hacker to identify holes.

Train Employees.  Many organizations may already be experienced at working remotely, others are not. Staff may need various levels of training to properly use the tools. Training may occur using virtual meeting tools such as Skype, Microsoft Teams, Zoom, or GoToMeeting.  These tools are easy to load, intuitive, and can be installed by users with minimal help from IT.  Although it was originally started to share online videos amongst friends, YouTube has a wealth of tutorials that may help your employees utilize distancing technology.

How may AAFCPAs help?

AAFCPAs’ Business & IT Consulting practice is available to assist with the identification, prioritization, and execution of the key financial and operational changes required to support a thriving remote workforce.

AAFCPAs works as needed with our clients’ key user groups, conducts process discovery sessions, develops system(s) requirements specifications (SRS), and evaluates IT and cyber security risks. This ensures that functionality is clearly defined, and that user and company needs are satisfied while minimizing risks. Once cloud systems are identified, AAFCPAs assists clients with installation and user training.

Our top priority is to help ensure the economic well-being of our clients. Our consultants have extensive expertise advising clients on business process improvement and leveraging cloud technologies.

If you have any questions, please contact James Jumes, MBA, M.Ed. at 774.512.4062,; or your AAFCPAs Partner.

About the Author

James Jumes
James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and 3 attestation reporting.  James developed a unique methodology to delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams to review SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting, or SOC 2 + HITRUST for assessing against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.