Hi there! We really must stop meeting like this! Kidding, I’m delighted you came back! So we’re now in the 4th of our series of 6 blogs exploring the people and process requirements of Cloud transformation. As before, a quick recap and then we’re into reason 3.
Cloud utilisation needs to be the focus, not just adoption, if your aim is to achieve the needed benefits and competitive advantage. It is only when Technology, People and Process all come together that this is achieved.
We are two reasons in – Clarity of intention and purpose, appropriate C-suite engagement and CEO Orchestration. Now onto the 3rd of our 4 reasons.
REASON 3: RISK MANAGEMENT BEFORE RISK APPETITE
The third critical aspect to assess and decide at the outset of a cloud journey (or now, if you are mid-adoption) is the approach you are taking to risk management, including articulating your risk appetite and how your adoption of Cloud changes it.
Whether in a regulated industry or not, this is essential: Cloud affords risk professionals a different mindset, which leads to different approaches and therefore processes across all lines of defence, but it can only be effective if underpinned by a clear and articulated systemic risk appetite.
Essentially the rate of change is a representation of your level of risk, and the adoption of DevOps, the automation of processes, testing and controls increases that rate of change.
Do you know where you are today?
If you don’t have a clear risk taxonomy and you aren’t clear on how you have gotten to the risk appetite you have today (i.e. the aggregate view of all the actions and decisions you’ve taken to date), then you will not be able to articulate what additional or different risks you need to mitigate or accept to derive the collective-action aligned benefits you’ve stated you want and/or need from Cloud.
Today is not riskier than the past, and new technology like Cloud does not remove any risks, but it can transmute them – changing the balance and our ability to mitigate them.
Risk is more part of our day-to-day experience, and there is a certain uncertainty to this. Some industry leaders call this ‘risk consciousness’.
“Risk consciousness rises when conditions of uncertainty and the perception of powerlessness increase.”
For many organisations with aging estates (legacy) there has been little choice over recent years but to take on more risk. Sometimes that leads to a habituation that makes you less consciously aware of your current risk position and prevents you from effectively discerning your starting position, and therefore the risk appetite that is appropriate to help achieve your articulated Cloud aspirations.
Stepping back and reviewing your current position ensures you have an accurate view of your risk appetite, based on your risk taxonomy, your risk management approach and an articulation of which risks are mitigated and which are accepted. This is required before you overlay your business drivers and technical strategy.
Education is key
Educating your risk teams to understand Cloud is important. Whilst it is relatively new, and does have some unique properties that affect risk, it does not fundamentally alter the types of risk the organisation faces.
For example, are areas such as compliance, counsel and audit capable today of assisting with risk evaluation or threat monitoring? Can you employ technical strategies to keep tabs on threats, vulnerabilities and other factors that present risk? You may be able to tolerate a higher level of risk if you have a clear understanding of your ability to track, manage and react to those risks over time.
Risk in relation to Business Strategy
Your overall business strategy also plays a massive part in this view as your culture and risk appetite are heavily intertwined. For example, if you’re committed to Cloud as a long-term strategy but your organisation is one where external perception is important to how you differentiate yourself to your customers, you might paradoxically be less willing to tolerate Cloud risk in the short term. Why? Because a highly visible attack could erode confidence in Cloud and jeopardize your strategy.
Only once you’ve evaluated areas like the above and many others will you be in a position to document your cloud risk appetite formally.
This will stand you in greater stead – not only to make effective risk-based decisions but also in providing clarity of process, thought and outcome to any regulators that need to have comfort in you, your approach and your ability to control and manage your cloud usage effectively.
A theme that runs through this and the previous two blogs is education, and that’s the final reason we will be exploring in the next blog. So please do join me next time to talk Proactive Upskilling.