A Method for Assessing Cloud Adoption Risks
The move to a cloud environment provides significant benefits. For example, cloud resources can be scaled quickly, updated frequently, and widely accessed without geographic limitations. Realizing these benefits, however, requires organizations to manage associated organizational and technical risks effectively. This blog post presents a prototype set of cloud adoption risk factors and describes a method that managers can employ to assess their cloud initiatives against these risk factors. This post is adapted and excerpted from a recently published white paper. It also builds on foundational work that is presented in an SEI blog post on cloud migration risks, threats, and vulnerabilities and an SEI technical report on cloud security best practices.
Cloud adoption affects many business units across an organization and can change how those business units operate. Senior leaders must balance a variety of stakeholder interests, opportunities, risks, and issues. Technology developers might want immediate access to new technologies or services. At the same time, finance managers might favor initiatives that reduce costs and provide a high return on investment. If left unchecked, these competing goals can prevent an organization from optimizing its investment in cloud computing.
In some organizations, managers of business units have the authority to charter cloud initiatives based on the needs of their units. In such cases, a cloud initiative might align with a business unit’s parochial goals. If these local benefits do not align with the organization’s business strategy and goals the overall organization might not achieve the benefits that senior management desires. This misalignment of organization and business-unit goals, and the lack of a coordinated governance, can put cloud adoption at risk.
A variety of organizational and technical factors can adversely affect an organization’s cloud initiative. Organizational factors include an insufficient organizational cloud strategy, ill-defined organizational roles and responsibilities, insufficient technical skill set, and poor change management practices. Technical factors include inadequate architecture and design; poor integration of on-premises and cloud technologies; and cloud service that lacks needed agility, availability, and security properties. Managers need an effective way to assess risks that can affect a successful adoption of cloud services.
Mission Risk Diagnostic (MRD) Method
Since the early 1990s, the SEI has conducted research and development in risk management and has applied risk management methods, tools, and techniques across the software lifecycle (including acquisition, development, and operations) and supply chain. In addition, past SEI research examined various types of risk, including software development risk, system acquisition risk, operational risk, mission risk, cybersecurity engineering risk, incident management risk, and information security risk. A key result of our research into the practice of risk management was the development of the Mission Risk Diagnostic (MRD) method, which is a mission-oriented approach for assessing risk in mission threads, business processes, and organizational initiatives.
The overarching goal of the MRD method is to determine the extent to which a mission thread, business process, or organizational initiative is positioned to achieve its mission objective(s). To date, we have piloted the MRD in software acquisition and development, cybersecurity incident management, software security, software supply-chain, and business portfolio management, among others. This blog post describes how we are proposing to apply the MRD to the adoption of cloud services.
An MRD assessment typically requires an assessment team to evaluate 15-25 risk factors for a given set of objectives. A question for each risk factor is documented in a format prescribed in the MRD method description. Each risk question is a yes/no question that is phrased from the success perspective. For example, one of the MRD questions for cloud adoption is: Does the organization’s business case justify the decision to move to the cloud?
Respondents can select one of the following choices for an MRD question:
- Yes— The answer is almost certainly “yes.” Almost no uncertainty exists. There is little or no probability that the answer could be “no.” (~ > 95% probability of yes)
- Likely yes—The answer is most likely “yes.” There is some chance that the answer could be “no.” (~ 75% probability of yes)
- Equally likely—The answer is just as likely to be “yes” or “no.” (~ 50% probability of yes)
- Likely no—The answer is most likely “no.” There is some chance that the answer could be “yes.” (~ 25% probability of yes)
- No—The answer is most likely “no.” There is some chance that the answer could be “yes.” (~ < 5% probability of yes)
The rationale for the response to each driver question should also be documented since it captures the reasons why the response was selected. Any evidence supporting the rationale, such as the results of interviews with system stakeholders and information cited from system documentation, should also be cited. Recording the rationale and evidence is important for validating the data and associated information products, for historical purposes, and for developing lessons learned.
Cloud Adoption Risk Factors
We have developed a prototype set of 24 risk factors for cloud adoption. They were developed using published cloud-adoption reports and frameworks, as well as input from people with expertise in cloud adoption. Consider these risk factors to be a starter set that can be tailored to unique environments. Risk factors that share common organizational and management attributes are assigned to a common area. We established the following areas for the MRD cloud adoption risk factors:
- planning and preparation
- governance and management
- organizational capability
- engineering lifecycle
- quality of service
Assigning risk factors to areas facilitates leveraging common risk mitigation activities based on shared risk characteristics. The remainder of this blog post describes the risk factors and associated MRD questions for each area.
Planning and Preparation
The successful adoption of cloud technologies begins with an organization’s planning and preparation activities. Effective planning and preparation provide a solid foundation for a cloud initiative by ensuring that the organization has sufficient funding and resources in place to support the cloud initiative. The Planning and Preparation area includes the following risk factors and associated MRD questions:
Governance and Management
Governance focuses on the alignment of the organization’s IT strategy and goals with its business strategy and goals. An effective governance program is designed to maximize the business value of IT investments while minimizing the associated risks. Management is the coordination and administration of tasks to achieve business goals. An organization’s management activities must be implemented in accordance with the organization’s system of governance rules, practices, and processes. The Governance and Management area includes the following risk factors and associated MRD questions:
Organizational capability is the unique combination of people, processes, and technologies that differentiates an organization and enables it to execute its strategy. An organization’s capabilities enable it to perform a coordinated set of tasks, utilizing organizational resources, for the purpose of achieving a specific set of business objectives. For cloud adoption, the capabilities of interest enable the development and implementation of a systematic framework for adopting cloud services. The Organizational Capability area includes the following risk factors and associated MRD questions:
An organization’s environment consists of internal and external conditions that influence an organization’s performance, operations, and resources. Internal conditions include the organization’s structure, culture, and politics, as well as its communication infrastructure. External conditions include any constraints that a program inherits from its parent organization(s) or from the broader business environment. Constraints can include restrictions imposed by laws and regulations, as well as limitations with services provided by third parties. The Environment area consist of the following risk factors and associated MRD questions:
Risk factors for a cloud initiative need to address both organizational and technical issues that can affect the initiative’s potential for success. Until this point, we have focused on organizational risk factors related to preparation and planning, governance and management, organization capability, and environment. We now turn our attention toward the technical issues, beginning with the engineering lifecycle risk factors. The engineering lifecycle addresses the phases of a system’s development, including concept development, requirements, architecture, implementation, test and evaluation, deployment, operations, and disposal. Technical issues related to the lifecycle include missing or incomplete requirements, inadequate architecture, poor integration of on-premises and cloud technologies, and inadequate operational support for cloud technologies. The Engineering Lifecycle area includes the following risk factors and associated MRD questions:
Quality-of-service (QoS) describes or measures how well cloud services are expected to meet the needs and requirements of users during operations. This area examines risks that are inherent in the technical solution provided by a project or initiative. The QoS service risk factors focus on the correctness and completeness of the implemented technical solution. For a cloud initiative, QoS addresses the performance and functionality provided by a cloud environment, as well as quality attributes, such as availability and security. The Quality-of-Service area includes the following risk factors and associated MRD questions:
Piloting the MRD for Cloud Adoption
The cloud adoption risk factors described above are a protype set that were developed using published information on cloud adoption frameworks and input from SEI technical staff who have experience with both cloud computing and technology adoption initiatives. To date, these risk factors have not been piloted in the field. Those who intend to apply the risk factors in this post should be mindful that the factors have not been vetted in the field by SEI developers. However, the risk factors do incorporate information from reliable sources, including Amazon, Microsoft, and Google.
We view the publication of this blog and associated white paper as an initial step in the development of cloud adoption risk factors rather than the culmination of our work in this area. A potential next step is to pilot the current version of the MRD for cloud adoption with organizations that plan to adopt cloud services. Future development and transition activities will ultimately be determined by the feedback that we receive from people throughout the community. No matter which transition activities are implemented, we believe that the content presented in this blog will help organizations to manage their risks more effectively as they plan and manage the adoption of cloud technologies.
Read the SEI white paper, “A Prototype Set of Cloud Adoption Risk Factors,” from which this post was excerpted and adapted.