As we review the transformation plans and business outcomes of cloud-based initiatives of clients, a common thread of six business dimensions of risk is visible. It comes down to Process, Architecture, Security, Sourcing, Expertise and Data. (PASSED)
Organisations need to have “passed” successfully the risk examination during the planning and implementation phases of the transformation. Equally importantly, they need to maintain the highest grade on the six dimensions while operating their cloud-based business solutions.
To mitigate the risks, leading organisations
- Plan for process decays with continuous monitoring
- Decide the right architecture with relevant work-loads
- Adopt the zero-trust approach to security
- Execute a cost-effective multi-vendor sourcing strategy
- Develop the expertise for an agile organisational model
- Manage the topography of data trains across the business
1. Plan for Process decays with continuous monitoring
Organisations spend significant time and resources in defining their business processes. Unfortunately, business process decay, the deterioration of the value creation potential of process over time, is a reality and is accelerated by rapid technological advances.
End-users, with little to no coding knowledge, can try a new business task or extend a business process on an ad-hoc basis using open APIs. e.g. A product category manager at an FMCG company could leverage the wealth of data provided by Best Buy with access to 100+ Brands, 725,000+ Products across 1400+ locations.
It is critical to have a comprehensive Business process monitoring (BPM) tool to ensure that the processes and tasks follow the defined standards.
2. Decide the right architecture with relevant work-loads
When a client asks “What is the best cloud deployment model for my business?”, the correct answer is “It depends”! e.g. A small team in a global pharma company working on the early stages of an abbreviated new drug application (ANDA) would need a private cloud or even an on-premise infrastructure. At the same -time, the corporate website could be on the public cloud.
The need for flexibility, reliability, security, scalability and reasonable costs should define the right cloud architecture for the business. These factors should help decide the development and deployment destinations for each application (work-load)
3. Adopt the Zero-trust approach to security
IT security has traditionally developed in a “Castle and Moat’ framework where the moats are passwords, firewalls and one-time authentication tools. Clearing the “moat” gives full access to the “castle” – a principle that a person who crosses the moat is trusted and will use the castle by the rules. The distinct disadvantage is that a hacker, who gains illegal entry, can cause complete havoc inside the castle and even destroy it.
The Zero-trust approach, first articulated by John Kindervag, works on the principle of strict identity verification, both at the perimeter and within the corporate network. This approach is possible through the application of techniques like Micro-segmentation, and Multi-Factor Authentication.
The large vendors – AWS, Google, IBM and Microsoft – provide the technology for this approach. However, an organisation adopting a multi-cloud strategy will have to invest in processes, tools and techniques and audit them continuously to test the efficacy of the Zero-trust approach.
4. Execute a cost-effective multi-vendor sourcing strategy
Clients are very vigilant about the potential lock-in to a particular technology or vendor on the cloud. Some, on a project-by-project basis, divide their development and production loads between different vendors.
Others have followed specific multi-vendor policies around deployment. e.g. As a part of a multi-year program, NAB, Australia’s largest business bank, has moved over 505 applications to AWS, Azure or Google Cloud Platform (GCP).
Organisations need to have a well-defined app and data portability strategy that can be activated in a predefined time interval and cost. The Interoperability and portability for Cloud Computing: A Guide is an excellent place to start planning in this area.
5. Develop the expertise for an agile operating model
An agile approach has long moved from being a method for software development to a organisation wide method for handling innovation and projects with a focus on outcomes based governance.
Shorter project cycles and continuous deployment models necessitate the risk management professionals to be a part of the implementation team and not play a point-of-time inspection and remediation role. e.g. Traditionally, Banks have invest a significant amount of risk resources in areas like Asset-Liability mismatch, Concentration Risk and Fraud. Increasingly, a lot more effort is needed to manage risk in using business decision models using machine learning especially, those that rely on externally available / procured data.
6. Manage the topography of data trains across the business
A monolithic ERP system has a well-defined data flows, and the product vendor provides an implicit assurance of data integrity. However, most businesses today run multiple applications, sometimes loosely coupled with potentials for data leakage, duplication and jurisdictional violations. e.g. An automotive major operating in Japan and USA is not subject to data localisation requirements. Expanding to a market like India, which mandates local storage of data, would necessitate significant changes to data storage and access methods.
Leading organisations manage this complexity by a well-articulated data train policy. The policy addresses questions of data ownership, storage, backup, privacy, process support, infrastructure and destruction.
Summary
While planning for cloud-based initiatives, organisations should assess risks in the dimensions of Process, Architecture, Security, Sourcing, Expertise and Data. (PASSED). They can learn and build on the learnings from leading organisations that
- Plan for process decays with continuous monitoring
- Decide the right architecture with relevant work-loads
- Adopt the zero-trust approach to security
- Execute a cost-effective multi-vendor sourcing strategy
- Develop the expertise for an agile organisational model
- Manage the topography of data trains across the business