Cloud Computing Governance Framework – Governance Concepts
This appendix looks at key governance concepts that drive the interactions.
Before discussing individual interactions it is worthwhile reviewing how governance principles and the core governance processes are expected to influence governed processes. While some of this may initially seem to be stating the obvious, much of governance is focused on making sure that the obvious is not being overlooked – and recognizes that what is obvious to one person may not be obvious to another.
Considering the broad generalization that governance helps ensure that we are “doing the right things right”, it quickly becomes clear that we need to have a way to decide upon (have an appropriate party make a decision) and express (put that decision in an appropriate form) what a “right thing” is. It also becomes clear that if we expect to have things done the right way, we cannot keep what a “right thing” is secret – it needs to be communicated. Things can be communicated in a variety of ways, but however it is done, the communication needs to reach those who need it when they need it, in a form that encourages it to be efficiently consumed and used, and that it will be recognized and trusted as correct, current, and authoritative. The governance communication process has the responsibility of making sure that important information comes from a source that has the authority to make the decisions reflected in that information, is made available to consumers of that information in an agreed way, and is held in an agreed location for information of its type.
Thinking about the question “how do we know”, it becomes clear that just saying that something “should be so” does not guarantee that it will actually be so. To be sure that governed processes are actually doing the “right thing”, even after that “right thing” has been communicated, the governance compliance process provides a way to verify that what we expect to be happening really is happening. The communication process offers a governed process the opportunity to do the right thing and the compliance process confirms that the right thing is actually being done. From that it follows that compliance process checkpoint reviews should be based on what the communication process has communicated, and likewise the communication process needs to be sure it is doing as much as it can to ensure that a governed process has the information it needs to be in compliance.
For governance to be effective it needs to operate as more than a rigid “just say no” system. The governance compliance process seeks to ensure conformity with things like policies, processes, standards, and guidelines that have been determined in advance, by parties with agreed authority and decision rights, to be appropriate for a governed process to operate with. Compliance is expected to “say no” when it finds that whatever has been defined as a “right thing” is not being done in the way that it has been defined and communicated. Knowing that things can change over time, and that some new or unanticipated circumstance or requirement can emerge, the governance disposition process provides some elasticity and adaptability so that a “no” answer from compliance can be reviewed by an agreed higher-level authority in light of special or changing circumstances. Disposition looks at special or changing circumstances and reapplies core principles to policies, standards, and guidelines to see if there is reason to allow an exception to the usual rule. Besides providing an adaptability and innovation safety valve to avoid overly rigid compliance, the disposition process can also help identify new emerging conditions that signal the need to revise the definition of what a “right thing” is.
Both governance processes and governed processes create results that others may need to be aware of. The governance communication process needs to ensure that processes know how that works, what information the process is responsible for communicating, and the form that information should be in, and where the information should be placed.
In short, if governance has done its job right, it will make sure that:
- A decision about what a right thing is has been made by those with the right to make that decision.
- The description of a right thing is captured in an authoritative form that can be communicated.
- Governed processes have a fair chance of succeeding by being informed about how authoritative communication happens, what the governed process needs to be informed about, and where to find the information.
- Governed processes are checked to be sure they are following the rules.
- Things do not grind to a halt when something new or unexpected arises.
The net effect on governed processes should be that by being better informed about what the right thing is, they should be able to do that more naturally and consistently, that an independent third party will help the process be more successful by making sure it is doing things the right way, and that they can see as many green lights as possible by removing uncertainty about how to handle new or unexpected circumstances.