Is risk-averse governance holding back cloud maturity?

Every company that has understood and acted on the fact that the cloud is not just ‘another IT thing that only IT people should care about’ has triumphed.

Whether this be through the ability to launch new products or services more quickly than their competition, streamlining their processes, cutting administrative costs, or simply delivering the same service more quickly or elegantly than the competition, the cloud has undoubtedly unlocked innovation when it’s been allowed to flourish.

By enabling organisations to realise a pace of agility never previously achievable, the cloud has turned the business world on its head. In the pre-cloud days, it was not uncommon for a new idea to take six months before it could be tested at even the smallest scale. Today, you can have an idea in the shower that morning and have it deployed company-wide by the end of the day. The difference in pace is that profound. Unfortunately, while most companies will claim to understand this, most have done nothing more than pay it lip service.

Most organisations could work at this ‘cloud pace,’ where new services are deployed within a day, but most don’t. They might have the technology, leadership support, budget etc. to operate at this ‘same day’ pace, but they don’t. Why not?

Cutting edge tech meets legacy attitudes

The main bottleneck to cloud-enabled innovation is legacy attitudes, particularly their heavy focus on risk management. These attitudes ultimately drive processes and policies, which slam the brakes on change.

What are the priorities for an IT project, for example? In most organisations, when you strip everything back, the ultimate goal of IT is to minimise risks to the organisation’s reputation. Make changes, sure, but don’t break anything! ‘Is it safe, secure and legal?’ are the first and last questions asked by senior leaders when considering whether to sign off on a project. Since IT projects were traditionally very large in scope, this emphasis on risk mitigation made a lot of sense: the changes such a project would make to the organisation were so significant that, if it failed, it would fail big time. You can’t hide an IT failure when your entire organisation uses it every day.

You may have all the cloud tools in the world and have everyone praising your new idea in the morning meeting, but the delays in raising the budget through the appropriate channels of bureaucracy and sign-off, alongside the security and legal checks, still slow everything down. Traditional IT did a very good job of ensuring the necessary security, safety and legal checks were carried out – but it’s just too slow for today, when you want to deliver a solution quickly. But the cloud doesn’t forgo these steps – it is just more efficient at them. Most PaaS or IaaS solutions, for example, have all the safe and legal steps built into them already through their functionality (see Amazon’s shared responsibility model, for example, where AWS provides the infrastructure so the customer only has to focus on the software).

Iterative change requires a new approach to risk management

Cloud, thanks to its DevOps approach to implementation, is the polar opposite of the waterfall/monolithic IT projects of the past: the focus is now on iterative development and deployment. Since changes are delivered in small increments which can be tested quickly and rolled back relatively easily, the risk to the organisation is reduced significantly. While most organisations will recognise this new approach, the majority of them have not changed how they measure risk in response.

The solution is to measure IT differently, shifting the primary focus of a project away from risk management, and onto outcomes. Ultimately, what outcomes will this project deliver to my customer? This is the only question to ask.

The real risk is not doing anything at all

Evidence shows that, given the option, most people are happy to avoid change altogether. But we live in a world where change is a constant and is getting faster. The over-emphasis on ‘what could go wrong,’ instead of ‘what value will this bring?’ often leads to organisations talking themselves out of a necessary change, or delaying it so long that the inevitable change eventually becomes a firefight. The better question to ask is: ‘What could happen if we don’t make this change?’

  • Employee frustration?
  • Loss of market share?
  • Employee walk out or strike?
  • Irrecoverable damage to brand?

Could you afford not to make the change if these are the potential outcomes of doing nothing?

The public sector – hardly known for leading the pace of change in anything – is already mature in attempting to shift its projects in this direction. Can the private sector learn something here? The GDS framework, for example, is already written for this form of agile project delivery by focusing more on outcomes than risk. The question therefore becomes, ‘How do you change your internal governance to reflect this?’ As with most change, this starts with the person in the mirror.
