Cloud Strategy Begins with Value and Balances Risk

In my previous post, Understanding Which Investments Should Go to the Cloud, I opened the door to a discussion around qualifying opportunities for the cloud, and looked at the best ways to determine what’s right for your organization. Today, I’m going to take that discussion one step further, and talk a bit about how to achieve balance between value and risk to get the most out of your cloud investment.  
In recent years, cloud service providers have faced quite a bit of fear, uncertainty, and doubt from customers. The broad and impactful benefits of cloud can be overwhelming for decision makers as many aspects of their solutions need to be re-evaluated in a world where solutions are not safely behind a firewall.  
While many of these concerns are valid, they also hold us back from making decisions and we often defer, ignore or discredit. To further this point, the 2010 ISACA IT Risk/Reward Barometer survey reported that nearly half of US IT professionals felt that the risks of cloud computing outweighed the benefits. The survey also indicated that 45 percent of IT professionals think that the risks of the cloud far outweigh the benefits—and only 10 percent of those surveyed said they'd consider moving mission-critical applications to the cloud. And there’s more. In 2010, IDC stated that, “Cloud computing and virtualization change the risk profile of information assets. The layers of abstraction inherent in these technologies also pose challenges in effectively tracking and executing the technical controls around confidentiality, data integrity, and availability. These information governance issues impede higher adoption of cloud computing among organizations.”
Consider this: We have been implementing cloud-like architectural styles for many years before it was ever called “cloud.” As an example, think about the banking industry. They have been doing cloud-based work since the 1970s. The browsers were a bit more green and less graphical, but they nonetheless performed the same basic tasks as modern browsers. The service models were very similar, and the monetization model was eerily similar, charging only for usage, not the entire infrastructure.
Even the application of the technologies draws parallels. Software as a Service has been in use in banking since the dawn of Correspondent Banking, where a larger bank would build an application for its own purposes, but also build it in a multi-tenant way to offer it as a service to other banks. An example here is debit card services, where a bank can let other banks use all the debit processing services, and even issue cards under their own brand. 
What has changed in the model is the technology enablement around this paradigm. It has opened this type of architecture for not just the largest of the large companies, but also for small and mid-sized businesses. Below is a depiction of how the modern cloud technologies have transformed how we handle this from a business, economic, and technology perspective.
So why do we start with value and then risk? It's very simple: That is how businesses make decisions. Starting with risk alone can lead down a path of minimal value; the two must be assessed in the right order and then brought together in order to get an accurate view of the potential gains. 
It’s important to take a value-driven approach to correctly understand how investments are made. Companies don’t make decisions in an uninformed way. They start by asking, “What is the value this technology can bring?” As shown below, starting with how the company generates value is provides context into the decision making process.
Value enables selection of the right cloud elements for investment, taking into consideration business strategy, IT strategy, value drivers, and enabling capabilities. 
If we start from the opposite end with risk we may disqualify high-value investments without even knowing. For an action to be value-creating, it has to do one or more of the following:
  1. Increase operational efficiency with the solutions already in place
  2. Increase the return on capital—no matter how risky they are, if they have a marginal return on capital that exceeds the cost of capital, they will create value
  3. Leverage existing investments to avoid switching costs of new solution development and deployment
  4. Reduce the cost of capital that is applied to discount the cash flows (cost of financing); reducing the proportion of the costs that are fixed will make firms much less risky, and reduce their cost of capital
To execute on this, below is a basic checklist that you can use to derive to the right investments that add value. 
Value Assessment Checklist
  • Value Assessment Checklist
  • Determine value
  • Understand key company strategies
  • Identify value-generating opportunities
  • Outline focus on business capability areas
  • Define an investment priority list to map to risk factors
Here is a starting point on creating a benefits frame:
Once you have determined what benefit levers you want to apply to your company, division, or specific business unit, you can then start to do the actual analysis, which may look something like this:
Once measurable value has been established, companies determine the level of risk that will come with making that decision. By listing the ways that risk can manifest itself in each specific scenario (business, governance, technical, operational), it’s easier to ascertain that risks identified are true business risks—not fear driven by uncertainty. 
Risk Assessment Checklist
  • Clarify business intent
  • Analyze the solutions on risk value
  • Prioritize high-risk solutions with the highest business value
  • Determine acceptable risk tolerance
  • Understand impact and probability
  • Identify options to mitigate risk 
In addition, there are also concerns around regulations in general, the US Patriot Act for Europeans, and data sovereignty. Despite those concerns however, the cloud is here to stay. It is quickly becoming the de facto platform for businesses, in a large part to the value it brings back. 
By delivering on the concepts of decreased costs and increased business agility, the cloud has persuaded increasing numbers of organizations to move more IT processes and capabilities to that environment. Yes, there are still risks, but savvy CIOs are putting risk management processes in place that enable them to identify and mitigate risk prior to a cloud deployment. This approach to evaluating cloud opportunities doesn’t over compensate on value or risk, but instead takes a balanced risk-adjusted value view. 
Through this risk a risk-adjusted value view you can generate capability opportunity sheets for each capability you want to cloud enable. Below is an example of such a opportunity sheet.
At the end of this exercise, you should derive a few models that can help you balance value and risk. Below is a sample of how this initial assessment can be overlaid onto a business capability model to aid in the prioritization process. As you can see, our sample assessment indicates that the high-risk solutions with the highest business value lie within internal control functions for HR, facility, and employee event management, and in management control and reporting for planning.
As we’ve discussed, balancing risk and value is the smartest, most efficient way to identify concrete opportunities in the cloud, and set the stage for the best possible outcomes. Through this top-down, business driven method we want to ensure that we maximize our implementation efforts, reduce the risks of project failures, increase the value to the business and ensure that the right investments at the right time move into this new way of computing. 
In my next post, I want to look further into who will lead a cloud strategy effort. It takes a unique role with both business and IT savvy. Thus I will discuss the reasons why Enterprise Architects are vital roles and should step up to drive cloud strategy and planning efforts for enterprises.