Do you still need an internal IT team if your ERP is SaaS?

By Saurabh Goyal, Founder & CEO of Phlo Systems. Published 22 April 2026.

Most SME finance directors believe SaaS means they can wind down the internal IT function. Some can — others build up an unexpected technology debt by trying. This article explains what work SaaS actually removes, what it leaves, and what an SME on a modern SaaS ERP or CTRM should be staffing for.

What SaaS removes from your plate

This is real. SaaS vendors (us included) take over:

• Infrastructure. No more servers to provision, virtualise, patch, replace.
• Database administration. No DBA needed for backups, replication, performance tuning, capacity planning.
• Application patching. Security and feature updates roll out continuously without your team's involvement.
• Network for the application itself. No internal network architecture for the system.
• Disaster recovery for the platform. The vendor runs hot standby, geo-replication, and tested failover.
• Major version upgrades. No more 12-month upgrade projects every 2 years.

For an SME running a legacy on-premise stack, this typically removes 1–2 FTE of infrastructure work and the vendor consulting fees that came with major upgrades.

What SaaS does not remove

Six categories of work that remain firmly with the customer:

1. Identity and access management. Someone has to provision new users, deactivate departing users, configure SSO, set up MFA, manage role assignments, and audit access regularly. SaaS makes this easier (web admin panel, API) but doesn't do it for you. For a 50-person firm with normal turnover, this is 4–8 hours per week.

2. Integrations. SaaS removes the integration platform infrastructure but not the integrations themselves. Connecting your ERP to your bank, your customs broker, your warehouse, your CRM, your payroll provider, your tax filer — that's all still your responsibility. Modern SaaS platforms have better APIs and pre-built connectors than legacy systems, but somebody has to configure, test, and maintain them.

3. Security governance. SaaS vendors are responsible for the security of their platform. You're responsible for the security of how your firm uses it. That includes data classification, access reviews, incident response procedures, vendor risk assessments, and compliance with frameworks (ISO 27001, SOC 2, GDPR) that auditors will ask about.

4. Change management. When the SaaS vendor releases a new feature, someone has to evaluate it, decide whether to enable it, communicate the change to users, train staff, and update internal documentation. Continuous deployment makes this lower-stakes per change but more frequent. Cumulative effort: 4–10 hours per week for a 50-person firm.

5. Data ownership and exports. Your data is yours, but extracting it from a SaaS platform takes effort. Regular extracts for management reporting, ad-hoc exports for board reports, full backups in case you ever need to switch vendors — all your responsibility. An SME running 4–6 SaaS systems should have a designated data owner.

6. End-user support. Users will still ask "how do I" questions, get locked out, request feature changes, escalate bugs to the vendor, request reports. Frontline support is yours. SaaS vendors handle escalated technical bugs, not user training.

What an SME on SaaS should staff

Three patterns that work, depending on firm size:

Pattern 1: Outsourced + part-time internal owner (10–30 person firm). Outsourced MSP for identity, end-user support, basic security: £25K–£45K per year. Internal: a senior person (often the CFO or COO) owns vendor relationships and integration decisions, ~2 hours per week. Total cost: £25K–£60K per year all-in.

Pattern 2: Internal IT lead + outsourced overflow (30–80 person firm). One internal IT person (£60K–£80K) owns identity, integrations, end-user support, security governance. Outsourced overflow for specialist work (network, infosec audits, project work). Total cost: £80K–£130K per year all-in.

Pattern 3: Small internal IT team (80+ person firm). IT manager + 1–2 technical staff covering the same scope at higher volume. Outsourced security audits, penetration testing. Total cost: £200K–£350K per year all-in.

The pattern to avoid: assuming SaaS means zero IT and ending up with an IT-by-accident situation where the CFO is locked into doing identity management at 9pm because nobody owns it.

What changes vs on-premise — by the numbers

Function	On-premise legacy	SaaS	Change
Infrastructure	1+ FTE	0	Eliminated
Database admin	0.5–1 FTE	0	Eliminated
Application patching	0.5 FTE + vendor	0	Eliminated
Major upgrades	£80K–£200K every 2 years	0	Eliminated
Identity & access	0.2 FTE	0.2 FTE	Same
Integrations	0.5–1 FTE	0.3–0.5 FTE	Reduced
Security governance	0.3 FTE	0.3 FTE	Same
Change management	0.1 FTE	0.2 FTE	Increased
End-user support	0.5 FTE	0.5 FTE	Same

Net: a typical 50-person firm goes from ~3.5 FTE to ~1.5 FTE on internal IT.

Frequently Asked Questions

Is SaaS as secure as on-premise?

For most SMEs, more secure. SaaS vendors invest more in security infrastructure than any 50-person firm can justify. The exception is firms with unique compliance requirements (defence, state secrets) where data residency or air-gapped operation is non-negotiable.

What if our SaaS vendor goes out of business?

A real risk that should be addressed in the contract: data export rights, source code escrow for mission-critical applications, transition assistance commitments. Don't sign a SaaS contract for a critical system without these provisions.

How does SaaS affect compliance with ISO 27001 / SOC 2 / GDPR?

You're still the data controller; the SaaS vendor is a processor. You need a data processing agreement, vendor risk assessment, and to confirm the vendor's certifications cover the relevant controls. Most modern SaaS vendors maintain ISO 27001 / SOC 2 audits and provide auditor reports under NDA.

What about offline / air-gapped operation?

Pure SaaS doesn't support this. Hybrid models (with edge appliances) exist for some platforms but are rare in commodity trading software. For SMEs, the requirement almost never justifies the architectural complexity.

Should we have an in-house developer if we use SaaS?

Usually no, unless you're integrating heavily across many SaaS platforms or building unique automation. Most SaaS platforms now have low-code automation builders (workflows, calculated fields, custom reports) that make in-house development unnecessary at SME scale.

How Phlo Systems helps

opsPhlo is cloud-native SaaS — there is nothing to install, patch, back up, or upgrade. We run the platform, the database, the disaster recovery, and the security infrastructure. Your team retains identity management, integrations, change governance, and end-user support, with admin tooling designed to make those tasks low-effort.

For a 50-person commodity trading firm, this typically means going from 3.5 FTE of internal IT (legacy stack) to 1.0–1.5 FTE (opsPhlo + standard SaaS productivity tools). The IT cost saving funds most of the platform subscription.

If you'd like a structured comparison of your current IT operating model vs running on a modern SaaS stack, request an IT operating model assessment.

---

Related reading:

• The true total cost of owning an ION Trading or ETRM system in 2026
• Why SME commodity traders deserve an integrated ERP + CTRM + Treasury system
• What is the difference between Commodity Management (CM) and CTRM?

Saurabh Goyal is the Founder & CEO of Phlo Systems. He has led the cloud migration of trading firms ranging from 12-person specialty traders to multi-hundred-person mid-market houses.