This is the third instalment in a four-part series that highlights what you can avoid, and what to implement so that you can build solid foundations to expand, and work toward extracting the full benefits of the cloud. Last week, we focused on Security. This week we turn the spotlight on Finance, Governance, and Controls.
Whilst architecture and security, and the problems they solve, rely on technical skills to implement, Finance, Governance, and Controls focus on how organisations manage and operate the cloud.
We see many organisations refuse to acknowledge that costs for the cloud are different from costs for on-premises platforms and services; they move from capital expenditure (CapEx) to operational expenditure (OpEx). For many public sector organisations, the switch can be difficult to quickly navigate.
More fundamentally, control in the cloud is not the same as it is for on-premises services. Traditionally, a team puts in a request to the infrastructure team, which approves it, provisions it, and then manages it. By doing so, organisations know exactly what it is they are spending, and can directly control that expenditure. In the new world, if you do not have controls in place, what you are effectively doing is giving a company credit card to your developers, who have never had to worry about costs. It is not unlike giving a group of teenagers a credit card and telling them to go out and have fun. No one is surprised by the outcome. We often see this scenario. Cloud costs are difficult to forecast, hard to keep in check, and without controls, can quickly escalate.
Another issue we see is organisations without defined risk frameworks. They lack clarity on what should and should not go on the cloud. Consideration needs to be given to the types of workloads or applications, data sensitivity, and service criticality. In doing so, and in line with a well-defined risk framework, you can easily derive acceptable levels of risk, be that business, operational or reputational. This in turn informs the decision of whether an application is, or is not, a suitable candidate for cloud hosting. It is a simple problem to solve, but our experience is that few organisations do so, and the result is all manner of havoc. Typically, either the wrong things go on the cloud, or nothing does.
It all comes back to having a clear cloud strategy in place to ensure the correct direction of travel, along with revised cloud-centric governance processes, supported by people with the right cloud skills. When combined, it enables teams, rather than hinders them.
Organisations that combine the right controls and governance can achieve clear cost-control mechanisms. They have automated the required controls, have guardrails in place, and have established clear principles for their development teams to follow. Successful organisations provide workable operating models and aim to give their teams accountability in a scalable and proactive way, supporting them with guidance and training as needed. Those organisations have a cloud-specific approach to governance, which promotes pace, with security and risk management embedded.
To ensure that you are getting it right, it is worth asking yourself the following:
- Are you comfortable with your organisation’s current cloud maturity in relation to financial control?
- Have you embraced FinOps? Or are your unsupervised teenagers running amok with your credit card? If so, do something about it.
- Have you defined your risk appetite, and baked it into a governance approach that works for the cloud?
In our final instalment we will focus on Skills and Delivery Structures and the importance that your people and your organisational culture play in helping you gain the most from the cloud.