Governance in the Cloud and in the Digital Age: Part One
Governance must balance two objectives: it must control, and at the same time it must enable.
Its control objective flows from management’s fiduciary duty to the owners (or, in the case of a government agency, to the public). As part of that fiduciary duty, management must ensure that the organization’s money is spent well, that security is maintained, that legal and ethical concerns are satisfied, and that compliance frameworks like Sarbanes-Oxley are adhered to. To ensure that these objectives are met, companies institute standardized processes and an accountability framework.
At the same time, governance must be designed such that it enables the company to proceed with its profit-making activities (or, for a government agency, its delivery of mission value). It’s pointless to have governance that just prevents errors; it must also support activity that will earn a positive return for investors.
An ideal governance mechanism, as I’ll show, can actually do both: there’s no real need to trade off between the two. But it’s difficult to achieve, because firms generally focus more on prevention, believing it to be risk mitigating. Curiously, in an environment of disruption, risk mitigating is just what that approach isn’t. When stasis is dangerous, even a risk-averse company must actively seize opportunities and sidestep hazards. It’s become riskier to throw impediments in the way of progress and change.
In the digital world, and in particular in the cloud, we aim to have it both ways: to maintain even stricter controls than before, and yet to free up activity that will grow revenues, reduce costs, establish competitive advantages, and reduce risk. This has become possible because we have the help of new technology and new organizational models. Many people fear that fast-moving digital technologies require a loss of control. They assume that speed adds risk, or, to put it another way, that only time and careful planning can mitigate risk.
That’s wrong—today we use speed and innovation to reduce risk. Our new ways of working are progress—they let us do everything better, including governance.
But…to govern better, we have to govern differently.
Two Types of Governance
If you look carefully at our traditional ways of governing, you’ll find that they’re based on two distinct governance strategies: (1) standardize to formulate (and then apply) universal rules, and (2) plan carefully and execute according to plan.
The first type of governance is used when there’s a universal control we want to apply. For example, there are the processes that we set up to meet compliance frameworks like SOX, HIPAA, GDPR, and so on, or to get a clean audit at the end of the year. There are controls for approving expenditures, for HR, for information security. In IT, we often create enterprise architecture standards, such as which programming languages and platforms to use, how to tag cloud resources, or how we’ll implement authentication and authorization. The standards become rules that are enforced through mechanisms and processes, like architectural or peer code reviews. This type of governance is about rules and their enforcement; it’s essential that they be applied rigorously and auditably. In the strictest sense of the word, they are bureaucracy.
The second strategy for governance is what we use when there isn’t a fixed rule, but when we have to use our judgment to make decisions that are consistent with stakeholder wishes and then act on them as promised. So, for example, budgeting processes and budget execution are treated through annual planning and then rigorous execution according to plan. Capital planning is similar: we select among possible investments those that align best with earning a good return for shareholders, basing our decision on a business case and plan, and then we execute the plan as closely as we can to achieve the returns projected by the business case. Governance, in this model, is the process of making these spending decisions—or more generally, decisions about how to employ the resources we have available—and then adhering to them.
Two types of governance: rigorous application of strict, formal rules, and well-defined initiatives aligned with investor objectives. In the rest of this post, we’ll look at the first type of governance. The second is discussed in this post.
Type 1: Rule-Based Governance
First, rule-based governance. As we move into the digital world, nothing changes in this type of governance…except that we can do it much better. The digital world opens up myriad opportunities for applying rules in an automated and auditable way. Automated rules, particularly in the cloud, can prevent certain behaviors or inform the right people when a particular behavior is observed. For example, you can set up and enforce an automated policy in the cloud that prevents code that is known to be insecure from being deployed; that sends a message to finance when spending limits are exceeded; that notes anomalous network activities or user behaviors and takes action. Automated governance has a number of benefits:
- It is lean. It costs almost nothing to apply an automated control, as opposed to a human enforcement process. It is also fast.
- It is rigorous. You specify the rule, and it is enforced. There are no accidental lapses where someone forgets to apply an important control.
- It is self-documenting. It is easy to keep an electronic record of what controls were applied and when.
- It provides transparency. Instead of shutting down activity that might be legitimate, you can instead report on it, and decide later what actions to take.
- It can be changed. In a fast-changing environment, you might need to change your policies and rules. Automated rules can be changed virtually instantaneously, with the appropriate controls, and with full auditability of the changes.
- It can be a comforting guardrail. Employees don’t need to worry that they might inadvertently violate a rule, because the rule will be enforced automatically. This is especially important for security rules, which can be complex and confusing.
I’m not just saying that rule-based governance is just as possible in the digital world as in the traditional world—I’m strongly suggesting that you take advantage of it! The digital way of governing mitigates risk and at the same time frees up productive business activity.
When we automate compliance, it becomes an enabler of activity. Employees can innovate freely and work quickly, knowing that the automated rules will give them feedback if they veer outside the guardrails, at which point they can make corrections to get back on track. The conditions for compliance become well-defined and easily actionable: if the automated controls don’t squeak in complaint, then we’re compliant; if they do squeak, we have to do something right away to get back in compliance. Compare that to old-style controls, where a gatekeeper might suddenly appear later and object to something that’s already been done, leading to rework and wasted effort.
In IT, we see the benefits of automated governance particularly in the way we secure our systems today. In a typical DevOps model, the security team will prepare automated security tests and place automated security policy enforcement in the company’s cloud environment. As the software engineers are developing code, they run the automated tests frequently and immediately learn whether they’ve done something that introduces a vulnerability. If they have, they correct it right away. The automated security tests are a tool for the software engineers—at the same time, they rigorously enforce the security rules and do so quickly, before a problem can find its way to the public.
With the cloud and the various digital ways of working, this first type of governance—adherence to formal, strict rules, becomes better at both control and enablement, thereby reducing both types of risk—the risk of erring and the risk of stasis. In the next blog post, I’ll turn to the second type of governance, plan-decide-execute.
Creating the Cloud Business Office, Jonathan Allen