Please Do Not Take More Risks
Sometimes I think IT leaders are missing a key point in the way they speak to their non-technology counterparts. Case in point: we keep saying things like, “The company has to be more comfortable taking risks,” or “We have to fail fast,” or “We need to be less risk-averse.” I can guarantee that none of these are welcome messages to a CFO, or a CEO, or a board of directors. Nor should they be! Companies owe it to their shareholders not to fail—neither slowly nor fast. Changing the risk posture of the company is not a prerequisite to using the cloud or DevOps or microservices.
As a matter of fact, the cloud reduces risk. DevOps reduces risk. Experimentation, rapid iteration, agility, minimum viable products—these are all techniques that were designed to reduce risk. Why, oh why, do we keep suggesting the opposite? Especially since our nervous colleagues, perhaps already overwhelmed by rapid change, perhaps frightened by news stories about disruption and security breaches, are quite willing to believe that moving into the digital world is risky. We have a serious communication problem here.
Now, I know what we are trying to say, and of course it is correct. In the digital age, one proceeds by trying out ideas and adjusting them as necessary. We are just as willing to pivot as to persevere. We believe that the market or internal users will let us know quickly if we are on the right track.
To proceed in that way, the enterprise needs to be willing to try more new ideas than it has in the past. We think it is a good idea to have a bias for action, to move forward quickly without overplanning, to deploy new capabilities dozens or hundreds of times a day. But despite the way they sound, these techniques are not risky. On the contrary, they are risk-mitigating, and deliberately so. They are ways to succeed in product design. A pivot is not a failure, but rather a successful incorporation of feedback from the market.
Take the idea of “failing fast.” What we mean is the tactic of trying out ideas quickly and abandoning them if they are not promising. That’s simply a way to reduce risk. Compare this tactic to the alternative, the traditional way of investing in an IT capability. A go-no-go decision was made based on a paper business case, and the company committed the entire funding for delivering the capability with only uncertain projections of returns to justify it. Now that was risky.
In place of that dangerous, risky business tactic, we can now develop minimal viable products, with very limited funding, to test ideas before we commit the remainder of the funding to them. If we discover that the investment will not produce the return we expect, then we terminate it, thereby reducing risk considerably and using market feedback to invest our money more wisely. Is that really “failure”? Please compare: you can risk the entire investment on an upfront projection, or gather hard data to improve your business result. A better term for “failing fast” is “reducing risk and incorporating market feedback.”
Let’s think about the cloud. If you buy hardware for a datacenter, you are taking the risk that over the five or so years you will use that hardware, it will become obsolete or at least no longer the best hardware available. Or that it might no longer meet your needs. How likely is that in today’s environment? Ummm…rather likely. In the cloud, you pay as you go. You can increase, decrease, or change the infrastructure you have provisioned as your needs change. Dramatically less risk, right? You can even try out advanced technologies like machine learning at extremely low costs until you build up a substantial scale. Low risk. The cloud supports your DevOps practices so you can deploy small changes—lower risk—and more quickly incorporate customer feedback—lower risk—and reduce your time to repair if a problem is detected—lower risk.
Wait, I’m not done. With the reliability and scalability of AWS, you can increase the availability of your IT systems. Using AWS’s availability zone and region architecture you can design your infrastructure to survive natural and manmade disasters. The cloud infrastructure is highly secure, designed from the ground up by AWS’s world-class security professionals and used by organizations like the CIA, the Department of Homeland Security, and numerous banks and healthcare providers. The cloud gives you additional tools you can use to secure your systems, like the artificial intelligence–based Amazon GuardDuty and Amazon Macie. In other words, your security posture can be substantially better in the cloud. Lower risk!
Why, then, do enterprises talk as if there is risk in moving to the cloud? Why do we technologists even suggest that the company will need to become comfortable with taking more risks to survive disruption? OK, there is fear of the new and the unknown—but fear is not the same as risk.
It is not just that DevOps and the cloud happen incidentally to reduce risk. They were intentionally designed to do so. DevOps allows for automated guardrails and fast feedback from production to quickly spot and fix issues. Infrastructure as code, a popular technique in the cloud, eliminates the possibility of careless mistakes or configurations that diverge from the standard. Immutable infrastructure, another contemporary technique, lets you remove employees’ access to production systems, thereby reducing insider threat.
We’ve all seen the chaos that the old style of large, infrequent deployments typically brings. DevOps replaces them with small, incremental deliveries far less likely to cause unexpected problems. Less risk!
The cloud allows for automated policy enforcement. It gives great transparency into your running infrastructure—no more server under the desk that no one knows about, as everything in the cloud can be labeled and tagged and reported on. With the cloud you know you’ll be able to keep up with technology changes as AWS continues to release new features…one every five hours or so at the current rate. Less risk!
Yes, there are other risks that must be managed, even with the cloud and DevOps. But if you itemize them you will find mitigations, and, in an apples-to-apples comparison, you will see that the cloud, DevOps, fast feedback, pivot-or-persevere, and minimum viable products reduce risk vastly better than the status quo.
So, why do we say that companies must become less risk averse or willing to take more risks? On the contrary, the more risk averse a company is, the faster it should be moving to DevOps and the cloud. I’m serious. Remember that I was a CIO in Homeland Security. I am extremely risk averse when it comes to security. That is one reason why I moved us to the cloud.
But to frame this even more bluntly—what is the biggest risk for an enterprise today? It is the risk of being disrupted, the risk of a new startup or even an entrenched incumbent changing the rules of the game. They can do so because they are using today’s technologies. If you do not, then your risk is accentuated. The only way to manage this risk is to use those technologies yourself. And their associated business processes, like minimal viable products and rapid experimentation—yes, lower risk.
In an environment of rapid change, complexity, and uncertainty, the best way to manage risk—that is, deal with the unexpected—is to be agile, to be prepared for continuous change. These new digital approaches—the cloud, DevOps—can give you the agility to thrive.
So instead of telling our colleagues—and our CFOs, CEOs, and boards—that we want to “fail fast” and take more risks, tell them that we want to reduce risk and succeed faster. That’s a truer story, and one that will be well received.