The closer IT expenditure is to the front line of genuine business need, the better the return on investment should be. So the positives arising from the growth in shadow IT – spend on digital applications and services by business teams rather than the IT function – are huge. Estimates suggest that shadow IT expenditure now accounts for over 30% of total spend and 55% of digital spend. And a key driver of this growth is the increasing prevalence of cloud solutions which can be deployed by a business team with minimal support from IT.
But the full scale of benefits will only be realised if the risks created by business owners’ unfamiliarity with technology solution governance, and the inefficiencies generated by distributed decision-making, are identified and managed. The traditional IT-led approach to solution governance, based on large ERP or CRM implementations, will not work for shadow IT solutions – it is over-engineered for the rapid evolution demanded by business teams. A new model is required – one that is business-led and balances the need of business functions for speed and flexibility with the assurance that IT teams can provide.
So what risks does business ownership of IT solutions create? Operational risk increases in direct proportion to any gap between the knowledge managers need for effective supervision and the knowledge they actually have. The increasing digital divide between senior managers and their younger, junior tech-savvy colleagues is one such example. And as cloud offerings enable solutions to be deployed by functional teams without IT oversight, the need for digital understanding among senior managers is increasing. Research by the Harvard Business Review Analytics Services concluded “Digital acumen is essential for business leaders in today’s hyper-competitive, technology enabled world. But most companies lack the knowledge and skills needed to succeed in the digital aspects of their business.”
With high-risk activities – such as proprietary trading in investment banks – these knowledge gaps can be catastrophic. But most cloud solution deployments will not come into this category. A more relevant analogy can be found in the recent history of data and reporting solutions. These are often owned and deployed by business functions – marketing, finance, risk, compliance, operations and HR – in which case multiple reporting solutions are typically being licensed when one would do, generating inefficiency and excess maintenance costs.
Alternatively the deployment may be centrally owned (by IT) with space in the enterprise data warehouse made available to different functions to do with as they would wish. This typically results in multiple ungoverned cottage industries with no documentation of which marts are being used for what purpose and what would happen if they were removed (and probably multiple versions of the truth as well).
This is the type of trap that business-owned, cloud-based applications will fall into if there is a lack of management understanding of how such solutions should be governed. Governance has always created tension between business functions and IT teams, with the former seeing the controls IT teams introduce as over-engineered and a brake on rapid progress. In the absence of IT involvement, the risk – as we have seen with reporting and analytics solutions – is that such disciplines are ignored altogether.
Obviously a balance is required. With digital implementations, there need to be good enough levels of governance. Our experience with delivering data management and reporting solutions over the past fifteen years has given us relevant insights into what this looks like. As one client put it, ‘you provide enough governance to keep IT happy and not so much as to delay delivery’.
So with that in mind, herewith our primer for business leaders on good enough governance.
Every cloud solution should have an owner who maintains a business case for the solution’s continued use as part of their accountability to the budget holder. Unlike traditional implementations, where most of the investment is sunk up front, the rental model for cloud solutions requires a living business case in which the quantifiable improvements in KPIs that the solution is delivering are tracked against ongoing and forecast costs (including potential spikes). Such an approach makes it easier to swap the solution out should a new one that will generate greater value become available.
The business case requires the determination or inference of linkages between the operational metrics that the solution can impact and the strategic goals and financial objectives of the organisation. These metrics and the hypothesised linkages need to be tracked so that both the operational efficacy of the solution and its strategic relevance can be assessed. Hence the second component is the creation of a dashboard to support the living business case. The dashboard also needs to track compliance-related metrics and cover change request progress.
Effective governance requires a sequence in solution deployment of requirement documentation, solution design, delivery, test, release and support, with the same process applying to subsequent change requests. In the traditional model, these activities are performed by different teams. Cloud solutions typically follow a DevOps model whereby these activities are carried out in rapid sequence by a single business team. Either way, all stages need to be completed, so both the process for managing changes and who will be responsible for each stage need to be defined.
The governance committee needs to have both business and IT representation – IT teams’ experience of solution design and demand management being particularly important to success. The governance committee needs to meet on a regularly scheduled basis – monthly or quarterly – and focus on organisational matters (e.g. responsibilities), security and the commercial model (to avoid the risk of unbudgeted spikes in costs).
There are two facets to the knowledge that needs to be captured in documentation – explicit and tacit. The former includes the business requirements the solution is meeting, process maps for the processes that the solution enables, and the underlying policies and procedures. It should provide all the information required for someone new to operate the solution from scratch under normal conditions. Tacit knowledge covers what to do in abnormal conditions, when problems arise and the process isn’t running smoothly – e.g. who to contact if an important feed is not available, fixes for when the solution doesn’t run as it should, and answers to common questions about the outputs generated. Tacit knowledge is typically captured as FAQs with answers. The basic principle should be that a solution SME can’t progress to a new role until all the knowledge their replacement will need has been codified and documented.
Cloud solutions don’t stand in isolation. Typically they require data inputs of some form and generate data outputs. Where does this data come from, how is static data in the solution maintained, what happens with the outputs? All integration points need to be included in the documentation.
Cloud solutions need to comply with the organisation’s security policies for access control and data protection. Equally, the organisation’s security policies need to evolve to reflect the new cloud-based world – relying on firewalls to lock data in a chamber with one door in and one door out is no longer feasible. Cloud enables and encourages collaborative working practices and the inter-connectivity of system-to-system processes – data is moving all over the place – and security policies need to evolve to reflect this new reality while still effectively mitigating risk. And the more integrated a cloud solution is, the greater the risk that it opens a gate to other parts of the IT estate, so controlling who has access, and at what level, is critical. Any data that resides in the solution also needs to be secured (e.g. via encryption or tokenisation), and where that data is hosted needs to comply with data protection legislation and organisational policy.
The rise of cloud requires IT teams to operate differently from how they have historically. Control is no longer an option; collaboration will become the norm. In turn, business owners of cloud solutions need to make the IT function their friend. That will require compromises on both sides – less governance than IT teams are used to applying, more than business solution owners would like. We believe that addressing the seven factors above will provide the ‘good-enough’ governance required to mitigate operational risk without inhibiting agility or slowing progress to a halt.
With thanks to my colleagues Manoj Bhatt, Mark Howard, Andrea Pesoli and Venkatesh Ramawamy for their contributions to this piece.