Cloud Computing Governance Framework – Cloud Computing Governance Processes

 

At the most abstract level, governance seeks to ensure that what we are governing is doing the right things right:

  • Are we doing the right things?
  • Are we doing them the right way?
  • How do we know?

To do this, it is vital that there is a clear definition of the processes that govern versus the processes that are governed. Like other governance domains, cloud computing governance involves the systemic execution of processes that exercise governance over other processes.

Cloud Computing Lifecycle

While it is true that cloud initiatives tend to have lifecycles of their own, governance needs to be overarching across all initiatives on an ongoing basis. Therefore, cloud computing governance does not have a lifecycle (begin and end) by itself. Instead, cloud computing governance is exercised across the lifecycle for all cloud initiatives.

The figure shows a typical cloud computing lifecycle and its governance aspects.

Cloud Governance Process Characteristics

Cloud computing governance processes provide the overarching framework for governing the lifecycle of the cloud. The defining characteristics of governance processes include:

  • Communication – make sure everyone knows what they should be doing and the right way to do it.
  • Compliance – verify that everyone is following the principles, policies, standards, and guidelines that have been established as best practice.
  • Exceptions and Appeals/Dispensation – allow edge-of-the-bell-curve requirements to quickly get consideration and possibly special treatment.
  • Vitality/Continuous Improvement – be sure things do not get stale or fail to improve over time; in effect, recasting the definition of what is the right thing to do and the right way to do it to avoid becoming obsolete.

Process Pairs

It is essential to understand that governance processes are not the same as governed processes.

Governed processes execute the strategy, creation, operation, use, and retirement of cloud services under the overarching framework of the cloud computing governance process.

A process pair is a pair of processes, one of which is a governance process and the other of which is a process that is governed by the governance process. The cloud governance process pairs are shown in the table.

Process Pair – Description

  • Planning – This process makes a business case for cloud transformation. Governance exercised around this process ensures that the business initiative planned considers appropriate use of cloud services and supports the cloud transformation strategy.
  • Reference Architecture – This process defines the reference architecture for cloud transformation. It ensures that the cloud reference architecture is consistent with enterprise and industry standards, and the proposed changes to technology support the cloud transformation strategy.
  • Subscribe – Confirms service definitions by ensuring that provider services can scale to meet consumer requirements. Executes a service contract with the proper funding model in place and instantiates the service with proper validation.
  • Service Reuse – Maximizes the appropriate use of services in the cloud, avoids redundant services, and ensures that the appropriate services are being registered in the service catalog.
  • Unsubscribe – Ensures that discontinuing use of a cloud service is according to contract, and impacts to consumer and provider are accounted for.
  • Consume – Outlines how consumers ensure that a service is doing what the consumer expects. This involves capturing meaningful measurements about the behavior of the service, and combining that with analysis that can identify SLA exceptions, as well as actions taken to resolve the exceptions.
  • Operate – Ensures there is a continuous monitoring of the incidents and events with appropriate measurements in place that add context with subsequent analysis of the impact to SLAs. Appropriate actions are taken by the consumer and provider to realize their business outcomes.
  • Retire – Identifies obsolete services, informs stakeholders, and drives decision to retire based on impact assessment. Retires services with minimal impact to existing consumer base by taking appropriate risk mitigation measures.

Process Interactions

Interactions between governance processes and governed processes arise from and are characterized by several key factors:

  • Governance seeks to ensure that we are “doing the right things right”
  • Governance helps us answer “how do we know?” (… that we are doing the right things right)
  • Governance involves several core processes (communication, compliance, and dispensation)
  • The general pattern of interactions can be specialized to suit the context of each governed process, where roles and requirements vary
  • Just as cloud computing can provide elasticity and adaptability, effective governance can also benefit from a degree of elasticity and adaptability, since it can be difficult or impossible to account in advance for all possible future circumstances and requirements

Governance Interactions

A common feature of each process pair is a set of interactions that take place between the governance and governed processes. These interactions can be grouped based on the foundational governance process they are related to (communication, compliance, and dispensation).

Each interaction supports the concept that governance seeks to ensure that we are “doing the right things right”. Interactions have been described at a high level so that just as cloud computing offers elasticity and adaptability, these interactions can do so as well by being adapted in more detail for specific situations.

Communication-related interactions enable governed processes to know how they should be carried out. Governance should ensure that methods that guide a governed process, and the standards and other information a process should consume in order to execute properly, are documented and available in known authoritative repositories. Good communication should answer questions about “How do we do this?”, “Who should do this?”, “What else do we need to know to do this properly?”, and “Where is the right place to find that information?”.

Compliance-related interactions ensure conformity with things like policies, processes, standards, and guidelines that have been determined in advance by parties with authority and decision rights to be appropriate for a governed process. The method or process definition that guides a governed process should identify the point or points where the compliance process intersects. A “compliance checkpoint” looks for proof that a governed process is working as designed before it proceeds to the next step, and is expected to “say no” when it finds that the “right thing” is not being done. A governed process should be able to be in compliance if it has leveraged the communication-related interactions effectively.

Dispensation-related interactions acknowledge that despite the best efforts to define what “the right thing” is, there is always the potential for an unanticipated requirement, a novel circumstance, or a change over time that could justify an exception to the normal prevailing rules. Knowing that things can vary over time, and that some new or unanticipated circumstance or requirement can emerge, the governance dispensation process provides some elasticity and adaptability so that a “no” answer from compliance can be reconsidered (usually by a different level of authority than the checkpoint review) to see if an exception can be allowed. Exceptions can be one of the forces that drive the evolution of standards and policies over time.

High-Level Interactions

Cloud computing governance process pairs typically have ten high-level interactions between governance and governed processes. Short phrases are used in the process pair diagrams to identify these interactions. Each interaction will be described here at a high level, and additional information may be provided in later sections for individual process pairs to explain how they are specialized.

  1. Communication: methods, repositories, standards, process-specific inputs, process-specific outputs
  2. Compliance: review compliance, approve (or reject) compliance
  3. Dispensation: consider exception, grant exception, reject exception

Communication: Methods

The governance communication process provides information about methods to the governed process to ensure that those participating in the governed process know how that process should be carried out. This includes information about where to find important and authoritative information about principles, policies, processes, standards, and guidelines that the governed process needs to apply as it executes.

Communication: Repositories

The governance communication process identifies authoritative sources of information to the governed process. It is essential for those participating in governed processes to know where and how to find the information they need, and to have confidence that the information is correct and current. The communication process ensures that everyone participating in a governed process knows where current and authoritative information is made available. Repositories represent a generalized concept of where known good information is stored. The information in these repositories should be maintained with ongoing stewardship to ensure that it remains current and authoritative over time – otherwise, the trustworthiness of the information will come into question and the repository will no longer be effective.

Knowledge repositories can hold information of many types in many forms including reference architectures and the content represented in methods and standards.

Communication: Standards

The governance communication process identifies the principles, policies, standards, and guidelines that are of key importance to the governed process. Standards articulate the bounds within which governed processes can make decisions and take actions.

Communication: Process-Specific Inputs and Outputs

Governed processes consume specific inputs and produce specific outputs. The governance communication process identifies the appropriate communication mechanisms, tools, and procedures that should be used to communicate, store, and retrieve these inputs and outputs.

Compliance: Review Compliance

A governed process makes a request to the governance compliance process to carry out a specific compliance checkpoint review.

Governed processes should have explicit points defined where the compliance process needs to be invoked. A common pattern is to hold a compliance review at points in a process where there is a risk of wasting time and resources due to compliance-related rework. A governed process may have concerns that the compliance process could interfere with its schedule; but compliance should be viewed as a way to avoid significant costs and delays that could arise later.

Compliance: Approve Compliance

The governance compliance process communicates to the governed process its finding to approve compliance.

The results of a compliance checkpoint review are communicated to the governed process (and other stakeholders). Approval should reflect full compliance with expected policies, standards, and guidelines – the information that describes the “right thing” the process should have achieved by that point in the process.

Compliance: Reject Compliance

The governance compliance process communicates to the governed process its finding to reject as not in compliance with prevailing policies. A rejection should include a clear statement about what is not compliant and guidance for achieving compliance. In some cases, it may be acceptable for a governed process to continue forward while making corrections in parallel to achieve compliance. In other cases, the nature of what is out of compliance could create too much risk, and corrections may be required before the governed process is allowed to proceed.

Dispensation: Consider Exception

A governed process makes a request to the governance dispensation process to consider allowing an exception to a policy.

A governed process may believe that a “reject” decision from the compliance process is not reflecting new or unique requirements that current policies do not adequately account for. In effect, the compliance process has its hands tied – it is expected to apply the letter of the law and does not have the authority to make exceptions. The governed process should be able to use a defined request procedure to trigger the dispensation process in order to make a case for an exception. The dispensation process has the authority to grant exceptions as appropriate when it finds that a current policy is running counter to core principles and goals due to requirements that had not been anticipated when the policies were originally decided upon.

Dispensation: Grant Exception

The governance dispensation process communicates its decision to grant the request for a compliance exception to the governed process.

If the dispensation process finds that the governed process has an unusual requirement that current policies do not account for, it can grant an exception.

Dispensation: Reject Exception

The governance dispensation process communicates its decision to reject the request for a compliance exception to the governed process.

Cloud Computing Governance Process Pair Template

The figure shows the template used for the descriptions of cloud computing governance process pairs in the next section.

The characteristics that can be used to define logical pairs of governance and governed processes are provided in the tables that follow.

Characteristic – Description

  • Name of Process Pair – Identifies the combination of the governance and governed process for which key characteristics of cloud computing governance are represented.
  • Governance Process Inputs and Interactions – Inputs needed for the governance process to be executed on the governed process. Outputs from the governance process that impact the execution of the governed process.
  • Governed Process Outline – Conceptual representation of the governed process.
  • Governance Process Outcomes – Desired business outcome from the governance process being executed on the governed process.
  • Metrics – Mechanisms used to measure the effectiveness of the governance process to produce the desired outcomes.

Cloud Computing Governance Process Pairs

Planning

Description

The governed process makes a business case for cloud transformation. Governance exercised around this process should ensure that the business initiative planned considers appropriate use of cloud services and supports the cloud transformation strategy.

Govern Cloud Planning

Additional Context

Characteristic – Description

  • Governed Process Outline – Drives the business case for cloud-based initiatives with a roadmap for strategic transformation with appropriate metrics for continuous measurement.
  • Process-specific Inputs – Prevalent business drivers around the enterprise cloud strategy.
  • Process-specific Outputs – Decision on whether this initiative is part of the cloud transformation with supporting rationale. Projected quantified returns out of cloud transformation. Proposed refinements to enterprise cloud strategy.
  • Governance Process Outcomes – Consistency in cloud transformation across the enterprise with consistent adherence to cloud principles with the ability to continuously track the returns on investment.
  • Process Pair-specific Metrics – A key success factor is ensuring the sustained allocation of the right percentage of the corporate budget for IT driven by a track record of proof points through cloud transformation.

Reference Architecture

Description

The governed process defines the reference architecture for cloud transformation. Governance should ensure that the cloud reference architecture is consistent with enterprise and industry standards, and the proposed changes to technology support the cloud transformation strategy.

Govern Cloud Reference Architecture Definition

Additional Context

Characteristic – Description

  • Governed Process Outline – Evolves a reference architecture that drives the strategic transformation to cloud, factoring in the viability of existing systems while addressing what needs to change with appropriate impact analysis.
  • Process-specific Inputs – Cloud transformation strategy roadmap for the enterprise. Pointers to applicable architectural standards and frameworks. Strategy for determining the ecosystem of applicable cloud service providers and consumers.
  • Process-specific Outputs – Cloud reference architecture including principles for interoperability in the cloud. Refinements to cloud transformation strategy roadmap.
  • Governance Process Outcomes – Continuous evolution and sustenance of business-driven transformation to the cloud with minimal disruption to the existing environment.
  • Process Pair-specific Metrics – These metrics can be used to evaluate the consistency of cloud-based initiatives with the overall strategy by measuring overall adoption; low adoption may indicate lack of consistency.

Subscribe

Description

The governed process subscribes to cloud services. Governance should confirm service definitions by ensuring that provider services can scale to meet consumer requirements, that the service contract is executed with the proper funding model in place, and that the service is instantiated with proper validation.

Govern Cloud Subscription

Additional Context

Characteristic – Description

  • Governed Process Outline – Ensures that the subscriptions to the right cloud services are instantiated with the proper business and financial sponsorship.
  • Process-specific Inputs – Guidelines for performing the due diligence for the viability of the service contract for this subscription.
  • Process-specific Outputs – Applicable refinements to due diligence guidelines and funding model for cloud service subscriptions.
  • Governance Process Outcomes – A key outcome here is to drive up the usage of services that matter, for effective cloud adoption pan-enterprise.
  • Process Pair-specific Metrics – These metrics are vital to monitoring the pace of cloud adoption pan-enterprise.

Service Reuse

Description

The governed process identifies services for use and possible implementation. Governance should maximize the appropriate use of services in the cloud, avoid redundant services, and ensure that the appropriate services are being registered in the service catalog.

Govern Service Reuse for Cloud

Additional Context

Characteristic – Description

  • Governed Process Outline – Based upon the requirements gathered, if a compatible service is not found in the service catalog, new services or changes to existing services are proposed. After an analysis of potential for this service to be adopted in the cloud, it is registered in the service catalog.
  • Process-specific Inputs – Key inputs are the techniques and standards used to assess the suitability of a service for the cloud and its compatibility. These techniques tend to vary by enterprise and it is important that the governance process provides these key inputs to this governed process.
  • Process-specific Outputs – Decision on whether a cloud service could be reused or not for a given scenario with supporting rationale. Proposed refinements to techniques and standards for cloud suitability analysis.
  • Governance Process Outcomes – Even though the context for this process is a single reusable service, the idea is to have the appropriate governance mechanisms in place to ensure the overall integrity of the service catalog with cloud services that are effectively meeting the business requirements.
  • Process Pair-specific Metrics – Refer to Cloud Computing Governance Metrics for the rationale for each metric. There are no specific nuances pertaining to this process pair for these metrics.

Unsubscribe

Description

The governed process unsubscribes from a service. Governance should ensure that discontinuing use of a cloud service is according to contract and impacts to consumer and provider are accounted for.

Govern Cloud Unsubscription

Additional Context

Characteristic – Description

  • Governed Process Outline – Ensures that cloud services are de-allocated for sound business reasons in the least disruptive manner.
  • Process-specific Inputs – Guidelines for assessing the impact of cloud service de-allocation.
  • Process-specific Outputs – Applicable refinements to enterprise cloud strategy. Trigger for retiring services that no longer have any subscriptions.
  • Governance Process Outcomes – A key outcome here is to drive down the usage of services that no longer matter, for effective cloud adoption pan-enterprise.
  • Process Pair-specific Metrics – These metrics are vital to ensure the integrity and effectiveness of the service catalog.

Consume

Description

The governed process ensures that a service is doing what the consumer expects. This involves capturing meaningful measurements about the behavior of the service, and combining that with analysis that can identify SLA exceptions, as well as actions taken to resolve the exceptions.

Governance should ensure that cloud service consumers have the information they need to use the right service for the right purpose, and to use a service properly, that measurements are being collected to support reporting on metrics, that services are operating within SLA expectations, and that services are meeting the objectives that led to their subscription in the first place.

Consume

Additional Context

Characteristic – Description

  • Governed Process Outline – When the service subscription process completes and a service begins to be used, it can be monitored to collect measurements about its behavior. Measurement “events” are combined with other contextual information producing results that may be analyzed to confirm that the service consumption pattern is in alignment with corporate standards and guidelines.
  • Process-specific Inputs – Cloud service consumers need information to ensure they are using the right service for the right purpose. They may also need guidance about how to use a cloud service properly, what the SLA expectations are for the service, and what action to take if the service is not operating within those SLAs.
  • Process-specific Outputs – Information about how well a cloud service operates relative to SLAs. This includes SLA exceptions as well as indications of how well a service is meeting the business drivers and functional capabilities.
  • Governance Process Outcomes – The footprint of effective governance in this process pair shows up in two areas:
      • The ability to demonstrate quantifiably measurable proof that the right service was subscribed to, and that it is achieving expected business outcomes (e.g., functional, financial).
      • Both the cloud service consumer and provider are able to utilize (operate) the service reliably and meet SLA commitments.
  • Process Pair-specific Metrics – Refer to Cloud Computing Governance Metrics for the rationale for each metric. There are no specific nuances pertaining to this process pair for these metrics.

Operate

Description

The governed process operates a cloud service. Governance should ensure that there is a continuous monitoring of the incidents and events with appropriate measurements in place that add context with subsequent analysis of the impact to SLAs and that appropriate actions are taken by the consumer and provider to realize their business outcomes.

Govern Operations

Additional Context

Characteristic – Description

  • Governed Process Outline – Sustain the operation of the services deployed while continuously measuring their effectiveness in meeting the business requirements and SLAs.
  • Process-specific Inputs – Best practices for mapping business and technical SLAs. Best practices for ensuring unambiguous accountability and mitigating risks related to security and location-independence.
  • Process-specific Outputs – Ongoing refinements to enterprise cloud strategy. Proactive notification of events that could impact SLAs to consumers. Cost of execution and resource utilization.
  • Governance Process Outcomes – Stable operations in the cloud in alignment with the business and financial objectives of the provider. Proactive mitigation of potential future incidents. Consumer’s seamless experience using these services with little to no disruption is the overall outcome desired.
  • Process Pair-specific Metrics – These metrics are well-positioned for predictive analysis so that anticipated risks can be mitigated well in advance.

Retire

Description

The governed process retires a cloud service. Governance should ensure that obsolete services are identified, stakeholders are informed, and that the decision to retire is based on impact assessment. Services should be retired with minimal impact to their existing consumer bases by taking appropriate risk mitigation measures.

Governance Cloud Service Retirement

Additional Context

Characteristic – Description

  • Governed Process Outline – Ensures that cloud services that are not in alignment with the enterprise business objectives are retired in a timely fashion with least disruption.
  • Process-specific Inputs – Guidelines for assessing the impact of cloud service retirement.
  • Process-specific Outputs – Applicable refinements to enterprise cloud strategy and cloud service retirement guidelines.
  • Governance Process Outcomes – A key outcome here is to drive down the allocation of resources to cloud services that no longer matter.
  • Process Pair-specific Metrics – A key success factor is ensuring the continued cost-effective usage of the corporate budget for IT by demonstrated release of under-utilized resources.