AWS Cloud Enterprise Strategy Blog
Evolving GRC to Maximize Your Business Benefits from the Cloud
Introduction by Mark Schwartz
This post continues our series on governance in the cloud. In earlier posts we discussed new strategies for governance, the governance that requires standardization and rules, and governance that oversees projects and investments. In another post John Thorp of AWS Professional Services wrote about AWS’s frameworks for evolving your Governance, Risk, and Compliance (GRC) practices to get the most out of the cloud. In this post, John dives deeper into what GRC looks like in the digital world.
—Mark
In the words of John Thorp,
Senior Governance, Risk and Compliance Assurance Consultant,
AWS Global Professional Services, Security Assurance and Advisory Practice
In my previous blog post, I explained that the transformational effects of cloud adoption are broader than technology and can positively impact every corner of your enterprise. I also discussed how AWS can help you evolve your GRC framework so that it supports cloud adoption and drives innovation in your organisation.
As I previously noted, 70% of cloud adoption programmes stall or fail due to nontechnical challenges. So there is a considerable possibility that, during your cloud adoption journey, you’ll face some nontechnical challenges of your own. We regularly help our customers work through these kinds of challenges, and I present here some solutions you may wish to consider. For more specific and tailored solutions, please reach out to me directly or to your local Amazon Web Services contact.
Solutions to Common Barriers
Understand the Nontechnical Changes You Will Have to Make
In the early phases of cloud adoption, you often see quick successes delivered through small development and test environments that support a proof of concept. Because only development and test environments are in use, the project teams involved are given exceptions to internal policies. Only technology people have the time to be involved, because the other departments and stakeholders (such as Risk and Compliance) have priorities that are perceived to be more important at that point in time. These other departments are kept informed, but are not really engaged: the project is too technical or too small, or the departments are too busy. Small proofs of concept continue to be delivered with agility, staffed principally by technology people, who receive the investment and training. At this point, the cloud is delivering.
But as your cloud programme grows, your applications move from development and test environments to production environments. Stakeholders previously invited but not able to participate start to take an interest, but they don’t necessarily understand the technology. They don’t even really understand the cloud. They apply controls they’re familiar with, but those controls are designed for on-premises environments, not for agile cloud environments. When there are clashes between the two cultures, the traditional approaches win: because traditional approaches worked in the past, some stakeholders demand that you “change the cloud” to fit these traditional requirements. The result is, when you require the cloud to comply with on-premises policies, you lose the benefits of your cloud adoption. Slowly but surely, your cloud programmes begin to stall. And then they fail.
To avoid these failures, it’s important that you recognise the changes you need to make to the corporate GRC at the outset. You can ensure that all key stakeholders, not just technology staff, are engaged early and are encouraged to participate by explaining the vision and goal of your cloud programme. To continue your successful adoption of the cloud, your organisation needs to make investments beyond your technology departments and include investment in all areas of the business where the cloud will support delivery of your strategy and objectives.
For instance, many firms use the “three lines of defence” model to clarify responsibility for risk management. Individuals in the first line own and manage risk directly. The second line oversees the first line, setting policies, defining risk tolerances, and ensuring they are met. The third line, Internal Audit, provides independent assurance over the first two lines. Investment in the cloud, including training, should be applied across the first, second, and third lines of defence as early as possible, not just to technology staff.
Use Challenger Operating Models
The committee and consensus-based decision-making of traditional GRC frameworks can create a blocker to new and disruptive developments. This can be overcome by adopting parallel “challenger operating models,” as I call them, to compete against the incumbent systems. By “challenger operating models”, I mean alternative operating models that experiment with new GRC approaches designed to support your cloud and digital transformation goals. Challenger operating models seek to remove some of the barriers that may be inherent in legacy GRC approaches by adopting potentially more suitable GRC approaches that match the speed of innovation that is sought and expected from a cloud and digital transformation. By running challenger operating models in parallel, you can demonstrate how a new approach to GRC can successfully accelerate your cloud adoption and achieve desired business outcomes faster. A working case study, specific to your organisation, can then be considered for a wider rollout based on the lessons learned from the experience.
For example, large traditional banks have created digital banks as subsidiaries, allowing them to develop outside the existing GRC framework of the enterprise. This enables the digital banking subsidiary to more easily adopt agile methodologies and respond to changing customer demands.
Alternatively, you might adopt an agile project methodology to replace your existing waterfall approach, or you could restructure your existing governance model for a dedicated project to assess how it functions in practice. By adopting parallel challenger operating models, you can find out what benefits different models would bring to your organisation and your customers, and you can assess the feasibility of scaling those changes across your enterprise.
Update Project Management Approaches
The traditional waterfall approach to programme and project management breaks down project activities into linear, sequential phases. This waterfall approach typically fails to keep up with the pace of iterative changes necessary for cloud adoption and operations. Moreover, the waterfall approach tends to cement the siloed approach, with stakeholders in GRC examining cloud adoption only from their own perspective and therefore looking at the adoption through a single lens, rather than collaborating and discussing the opportunities, risks, and issues together.
To take advantage of the agility and cost management features of cloud services, your organisation should encourage programme and project managers to gain new skills in agile project management, an iterative development methodology that values human communication and feedback, adapting to change, and producing working results. Your organisation should create new processes for managing agile-style projects that drive the culture of your organisation toward improved GRC frameworks from the bottom up.
Adopting an enterprise-wide agile approach is a great way to enable rapid escalation of issues, efficient redirection of resources and priorities, and continual improvement of execution.
Prioritise Cross-Organisational Change and Transformation
One symptom of the traditional GRC approach is a resistance to cross-organisational change. This can be overcome by a set of targeted strategies at different levels of the organisation, including the board, the executive suite, the functional management, and all staff.
For example, if you develop a clear strategy to communicate your enterprise’s vision and how organisational transformation supports it, you can ensure alignment across your enterprise. Assigning a board-level executive sponsor to oversee the transformation provides a strong message of support from the top to your employees. It also gives the project someone who has the authority to support delivery and help overcome blockers within your organisation. Designating “transformation champions” across your business can help drive organisational change at the staff level and will encourage the significant cultural shift that often has to take place to move into new GRC approaches.
In particular, regulated industries need to engage with their regulators to explain any significant business transformation. AWS has experts from regulated fields to help you prepare for these discussions. Check with your AWS contact to see if we can help you, or contact me directly.
Adopt Additional Supportive Strategies
When your organisation adopts other complementary strategies that support and are supported by your cloud ambitions, you can accelerate your cloud adoption, as each drives the other forward. For example, some enterprises have realised the importance of the data they hold. They are adopting a strong and robust data strategy to maximize the value of that data both for their customers and their business, as well as enabling decisions and personalized actions for customers. In this space, data-specific regulatory developments are helping firms enhance and cleanse their data. AWS services such as big data, data analytics, and machine learning can help you generate benefits from your cleansed data.
Conduct a Skills Gap Analysis
To ensure all the stakeholders in your GRC framework have the correct competencies and capabilities to support your transformation goals, you should offer training and education to employees at all levels within your business. For the executive-level managers and board members, you need to provide training so they have a good knowledge and understanding of the technology being adopted. Please contact me if you would like to hear more about our Executive Security Simulation (ESS), a tabletop gamification of the first two years of your cloud adoption journey delivered to senior executives from all disciplines in your organisation. For more mature customers, we offer ESS NextGen, which considers years three to four of your journey. Both programmes can be delivered in person or virtually.
There is a dividend in developing training and certification programmes for your other employees. For example, the National Australia Bank (NAB) has a programme called the AWS Cloud Guild to train its employees at all levels in cloud computing. Many enterprises have their own versions of a Cloud Guild, leveraging available AWS training. Conducting a skills gap analysis will reveal where your training needs are and help determine whether those gaps can be filled by training existing employees or by using other sources, such as short-term contract hires, third-party resources, or permanent positions.
Conclusion
This is by no means an exhaustive list of solutions to common barriers. This is a prompt to help you think about how you can do things in GRC differently to both enhance your GRC framework by removing silos and duplication and to enhance and accelerate your cloud adoption journey. The two things are symbiotic and drive each other. As you evolve your GRC frameworks, cloud adoption accelerates. As cloud adoption accelerates, your GRC frameworks evolve.
To maximize your benefits when moving to the AWS Cloud, examine your GRC frameworks and create complementary strategies that will support cloud adoption. Remove any barriers to decision-making. Begin to think differently about the issues you face and the possible solutions. The cycle is self-perpetuating. After you see the links between your cloud adoption journey and enhancements to your GRC frameworks, your desired outcomes can be achieved more efficiently.
If you need help finding practical solutions and prescriptive guidance on reviewing your GRC and security frameworks, or if you’d like to discuss the SRC Blueprint further, reach out to your AWS contact, your AWS Security Assurance and Advisory team contact, or a division of the AWS Security, Risk, and Compliance Professional Services team, or contact me directly.
Transform Your GRC Strategy to Get the Most Out of the Cloud
Governance in the Cloud and in the Digital Age: Part One
Governance in the Cloud and in the Digital Age: Part Two
Creating a Culture of Security, Mark Schwartz
Scaling a Governance, Risk, and Compliance Program for the Cloud, Emerging Technologies, and Innovation
AWS Security and Compliance Quick Reference Guide
Security on AWS Executive Insights