The importance of being earnest, eh, compliant


Or why governance is crucial to realising the value of automation, with practical tips on setting up a good governance framework.

Corporate governance is a bulky term; for me, it elicits associations of stacks of paperwork and a slight fear of being punished for non-compliance, and it always seemed like something complicated and slightly mystical.

In this blog post, I want to demystify the topic, and show how important and valuable good governance can be – particularly in the context of IT automation. I also give some hands-on tips on how to get started with governance in practice.

What is governance?

Corporate governance is the set of all processes and rules that are in place in a company.

Their purpose is to ensure consistency, and reduce risk. For example, when updating a complex server software, there is often an update checklist that describes all steps needed to do the update. It helps whoever does the update understand how to do it, and ensures that nothing is forgotten. This checklist is part of the organization’s governance.

Read more in our glossary post: Governance

Governance and automation

In essence, governance is concerned with ensuring that an organization functions smoothly. With respect to automation, this means taking care that processes are automated with high quality so that they can be relied upon to work.

It also means that there are fallback processes in place in case an automation should fail, and that failure of an automation is noticed and acted upon.

In practice, this means coming up with and enforcing best practice rules that ensure that automation is of high quality, auditable, robust, secure, documented, monitored and that there are fallbacks in place.

What is good governance?

A good governance model is characterized by striking a good balance between effort and outcome.

Effort for governance can quickly spiral out of control if, for example, extensive documentation is required for the automation of even very small and uncritical processes, which makes automation unfeasible for many use cases.

On the other hand, letting every person in a large enterprise automate whatever they like without any visibility, rules on maintenance, or plans for what to do when automations fail, means low effort for governance, but high risk for the organization.

This balance between the effort of governance and the risk it mitigates is essential. The goal of governance is to minimize risk, so risk is the guiding metric when deciding on governance rules and processes.

The guiding metric: risk

Risk is composed of two factors:

  • The likelihood of an error
  • The consequences of an error

For example, the likelihood of the entire AWS cloud infrastructure becoming unavailable for several days is very low, but the consequences of it would be massive, so the resulting risk might still be worth considering.

There are certainly a large number of rules and processes in place that make sure that any changes to the technical underpinnings of the AWS cloud do not result in a massive outage – in this case, high investment in governance is sensible.

On the other hand, the likelihood that a timesheet formatter that someone put together in Excel will fail is fairly high, but the consequences are low: the person will just have to format their timesheets manually. Putting governance rules in place for timesheet formatting automation would therefore be nonsensical.

The most important part of any governance framework is the one that assesses risk.

If the assessment of risk is imprecise or – as is often the case – doesn’t happen, then it is likely that ad-hoc governance over-regulates areas where something has gone wrong in the past (e.g. failed updates at a customer’s site) and in turn doesn’t regulate areas that are risky, just because nothing has happened yet (e.g. being hacked).

Based on the assessment of risk, tougher or more lenient rules should be enforced. Even within the same area, the same rules need not apply to everything.

Governance in IT automation

IT automation is a great example of this. There are some rules that relate to organization-wide risk that every automated process should follow: e.g. sensitive data shouldn’t leave the organization’s network, or two-factor authentication should be used for all applications in which sensitive data is stored.

However, there are many rules that make sense only for critical processes. For example, automation of an organization’s core processes will have to be deployed on a high-availability system, and any changes to such critical processes will have to be audited before they are deployed.

Good governance makes things easier

Another characteristic of good governance is that it makes things easier. If you are like me, you might sigh when you hear of governance because you think of instances where you had to fill in endless governance reports, or write a lot of documentation that nobody ever read, or jump through other seemingly nonsensical hoops that felt like they were there mainly to make life harder for you.

Good governance should not be like this. Good governance should focus on those areas where risk is high, and explain why the rules that are put in place are important. Hardly anyone will argue that it is important to be extra careful in areas that are highly sensitive.

How does good governance make things easier?

By providing helpful information and reassuring people.

The update checklist from the first example above is such a piece of good governance: whoever uses it will be grateful that such a list exists, because it provides information that makes it easier to do the update, and reassures the person who does the update that they have thought of everything when they have reached the last point on the list.

Practical tips for implementation of good governance in IT automation

For IT automation, this means that any process that is to be automated should first be assessed for its risk.

Ideally, this happens with a very short questionnaire that the person who wants the process automated fills in. The questionnaire should:

  • have about 5 questions, ideally most of them multiple choice,
  • take less than 5 minutes to fill in, and
  • give the person filling it in feedback right away regarding the next steps.

An example question in such a questionnaire would be “Who is affected by the automation of this process?”, with multiple-choice answers ranging from “only myself” to “the entire organization”. In combination with a few other simple questions, a rough assessment of risk and benefit can be done by one person on their own in a handful of minutes.

When getting to the end of the survey, the person should get feedback right away. For example, if the assessed risk is very low and the benefit intermediate, the feedback could be a large green box saying:

Congratulations, you have identified a great candidate for automation

along with additional information on the maximum effort that can be invested in automating this, which rules should be followed, which tools could be used, and whether anybody else should be informed.

Investing five minutes in this survey will enable people across the organization to test their automation ideas.

It is also hugely beneficial in terms of communication across an organization: a person filling in the survey has to reflect on the involved risk and benefits, and will understand much better if the survey shows that an automation might not be a good idea – much better than if they heard a simple “no” from someone else.

It can also provide peace of mind to a person wanting to quickly automate a simple process for themselves. And most importantly, it will enable management to ensure that risk from automation is managed sensibly, with reasonable effort.

Summary

  • Governance describes rules and processes that make sure that an organization runs smoothly.
  • A core aspect of governance is risk. Therefore, a good governance framework is based on assessments of risk.
  • Based on the level of risk, more or less stringent rules should be applied.
  • A secondary benefit of a good governance framework is that it reassures people and provides helpful information.
  • Enabling people across the organization to assess risk themselves and to do so quickly reduces cost for governance, makes it accessible and improves compliance.
  • A simple way to do this is with short risk-benefit questionnaires.

Margot Mückstein

CEO & co-founder of Cloudomation