The benefits of moving at least some business processes to some form of cloud infrastructure are well understood. However, the potential risks have often been understated and underestimated. Enterprise leaders should, therefore, develop a strategic plan for evaluating the possible pitfalls of shifting business processes to the cloud.
For a midsized enterprise, the decision to evaluate any cloud footprint should begin with the constitution of a risk evaluation and contingency planning board. The board should include the relevant business process owners, risk management specialists, vendor coordination managers, legal professionals, and members of the corporate strategy team, besides the heads of IT operations and strategy.
Its mandate should be to evaluate the following risks:
1. Access to Private Data
In today's fiercely competitive business world, the enterprise must do everything to protect the confidentiality and availability of its data. While planning a transition to the cloud, the board must identify a detailed plan to ensure confidentiality of the transactional and master data during and after the migration. The research before deciding on a cloud presence should list key evaluation metrics for potential vendors on security infrastructures, and the final report should outline policies to govern user access and segregation of duties (SoD), both in the new cloud applications as well as at the points of interface between the new cloud system and the existing on-premise application systems. This is more critical if the plan is to rent facilities in a multi-tenanted environment.
2. Availability of Platform
The board, rather than the IT operations team, should be responsible for formulating a business continuity plan and executing it, should the cloud environment availability be critical to business operations. For all customer-facing processes with revenue implications, every possible cause of non-availability should be identified. A fallback option, either in conjunction with the cloud vendor or with capabilities developed by internal IT, must be put in place before the decision to migrate is sealed. The availability definition for external, user-facing processes should include acceptable response benchmarks for key transaction flows, as often a poor experience with a website effectively turns users prematurely and permanently away from an offering. The second aspect of availability considerations refers to the choices open in the future. The board must ensure that the company always owns all master and transactional data in the cloud environment, and that the contract allows it to migrate the content out at a later date at a minimal financial and operational cost if the enterprise needs to sever ties with the current vendor.
3. Alignment of Processes
Returns from any business software rollout depend on carefully mapping the current business processes with data and user interaction flows in the application used. The cloud infrastructure makes the transition more challenging, as there is no opportunity to customise the application beyond some personalisations. The board must map all the processes it is taking to the cloud to the flows of the vendor application and make necessary modifications in the way things are done before the transition is decided on--not when facing challenges after the migration. The board must clearly outline the business processes that are going to the cloud, fix the integration points with the existing on-premises infrastructure, and ensure none of the existing investment in on-premises and other application infrastructure are undermined. It is, of course, easier to tackle this challenge if some part of the existing business application is already being supported by the vendor being considered.
4. Acceptance of Personnel
The success of any IT project is dependent on how the user community accepts the rolled out application. The board must finalise the incremental training effort to ensure the rollouts are a success. Moving to the cloud for the first time also needs additional setting of expectations for the IT operations team, which has thus far been used to owning the entire infrastructure. Finally, when internal-facing applications are moved to the cloud, the extent of benefit realisation often depends on the eventual streamlining of jobs. Many users of the system may see their jobs and tasks realigned over time. The board must prepare the affected users and address their apprehensions in time so that the transition to the cloud does not cast a pall upon the workforce.
For far too long, companies have left the ownership of business processes in IT applications to the in-house IT team. Moving IT processes to a capable and responsible risk evaluation and contingency planning board, and adopting the "four As" framework outlined above, should help ease the inevitable adoption of the cloud in an enterprise.