This blog is a part of the Cloud Strategy Unboxed blog series and it looks at the first step on the journey to successful cloud adoption: discovery and risk assessment. This includes establishing a firm understanding of the current state, determining the target state, performing a gap analysis that will drive the roadmap, and identifying and determining the mitigation for risks that might occur along the way.
The organization’s cloud states
There are three cloud states that an organization must uncover before embarking on (or resetting) a cloud adoption journey. Together, these states will provide the organization with a roadmap and north star to guide the journey.
Organizations should first understand the ideal state of managing a cloud environment. This ideal state can include many components, such as organizational structure, cloud account design, security and compliance requirements, and development and operational frameworks. It is constantly evolving based on new technology and cloud developments, identified risks, and new types of cyber attacks.
The ideal state can be determined from multiple sources: research, guidance from cloud service providers, or engaging Amdocs/Sourced. Importantly, it can be, and has been, defined by organizations experienced in the cloud, and it includes many identified risks and their mitigations in the form of a particular strategy or approach.
For many organizations, the ideal state is an aspiration, and for most it is not necessary, certainly not in the early days of cloud adoption. As such, the next step is to adapt the ideal state to one that is realistically achievable within the budget limits, timeline, resource availability, and other organizational constraints, all of which should be assessed during the discovery phase. We call the resulting target state for the organization the adapted ideal state. A future step will define this target state in detail in a Cloud Operating Model. For the discovery phase, a high-level understanding of the state will be sufficient.
The concern with the adapted ideal state is that the further an organization deviates from the ideal state, whose defined strategies are optimized to reduce or mitigate risks, the more unknown risks it may be exposed to. These risks must therefore be continuously identified and assessed, and new mitigations designed and implemented accordingly.
Current state discovery
Having established the adapted ideal state, the organization can now look inward and document the current state. Understanding the current state will typically start at a high level and steadily get more into the details. For example:
- What is the organization’s vision for its use of the cloud?
- Is it starting fresh, or is there an extensive on-premises footprint that needs to be migrated?
- What are the teams’ technical capabilities, and how relevant are they for the cloud?
- What are our current security and data policies, and do they need to be refreshed for the cloud?
- Which application will be the first to migrate to the cloud, and how will we go about that?
Knowing the target state will help uncover relevant and important current state details. For example, establishing a Cloud Centre of Excellence is a common strategy for mitigating many cloud adoption risks. During discovery, potential candidates can be identified for leading this team and other key roles. The discovery team should also make an effort to present the target state to the teams they speak to. Help them understand the intent, get feedback, and gauge their level of interest in being part of this journey.
With a clear view of the current and target states, a gap analysis can be performed to start creating the cloud adoption roadmap for the organization, also known as the cloud blueprint.
Cloud adoption risk assessment
An important tool in the cloud adoption toolbox is a cloud adoption risk assessment. This provides an approach to identify risks and determine and prioritize their mitigations. Note that these should be risks specific to cloud adoption. Compliance and regulatory risk assessments will likely already exist within the organization or be mandated by a regulator.
Cloud adoption risks can be divided into five categories.
- Organization looks at the organizational structure, vision, and culture.
- People is about cloud knowledge and their ability to adapt and change.
- Processes & operations considers their current state and how they might work in the cloud.
- Technology & applications is all about the workloads that will run in the cloud and the organization’s ability to manage a cloud environment.
- Security & compliance considers how the current policies will impact cloud adoption and operation.
As noted, ideal states will include known risks and their mitigations which can be a good starting point for a risk framework. However, where the adapted ideal state strays from the ideal state, unknown risks should be expected that need to be identified and mitigated in the organization’s risk framework. While trial and error is certainly an option, this approach can be costly and make timelines unpredictable.
Known on-premises risks can be considered, but these need to be assessed for relevance in the cloud. Internal risk teams can support, but without cloud knowledge, they will run into the challenge of unknown unknowns, or “you don’t know what you don’t know”. As a mitigating strategy, experienced cloud subject matter experts (SMEs) or consultants can be hired to provide experienced input.
More forward-thinking regulators may be able to provide at least some guidance on cloud adoption. Public content about risks is also available, but it must be critically reviewed with the source and any references assessed. Cloud service providers can share risks, though these are typically more relevant to their most numerous customer base (small to medium businesses) and tend to be more technology focused.
Either way, a risk framework for the cloud needs to be driven by knowledge and experience with the cloud, ideally with a similar industry and size of organization.
The last step is prioritizing the risks; there are two approaches to this.
The first option is to separate the short-term and long-term risks. Short-term risks could disrupt the early stages of cloud adoption and need to be more urgently mitigated. Long-term risks can be addressed after the urgent ones. Within each of those groups, we prioritize by the risk rating. We calculate the risk rating by multiplying the likelihood by the impact rating. Using a 1 to 5 scale results in a risk rating between 1 and 25 for each risk.
Another approach is based on the mitigation effort. Here we create a two-by-two matrix with a low-to-high risk rating on the vertical and a low-to-high mitigation effort on the horizontal.
Risks with a low rating and high effort should be avoided if possible. Those with a high rating and low effort are the low-hanging fruit that can be addressed quickly in phase 1. A high rating and high effort can be addressed in phase 2 because we usually want to prioritize high-impact items. Lastly, a low rating and low effort can be addressed in phase 3.
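The two prioritization approaches above, applied to the same risk register, as an added example that is not part of the original post. The cut-offs for "high", the 1 to 5 effort scale, the short_term flag, and the sample risks are assumptions made for illustration; the page does not define them.

```python
from dataclasses import dataclass

# Assumed cut-offs: the page describes "low" and "high" but gives no thresholds.
HIGH_RATING = 12  # rating (1-25) at or above this counts as high
HIGH_EFFORT = 3   # mitigation effort (assumed 1-5 scale) at or above this counts as high

@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    likelihood: int   # 1-5
    impact: int       # 1-5
    effort: int       # 1-5, assumed scale for mitigation effort
    short_term: bool  # True if it could disrupt the early stages of adoption

    def __post_init__(self):
        for score in (self.likelihood, self.impact, self.effort):
            if not 1 <= score <= 5:
                raise ValueError(f"{self.name}: scores must be between 1 and 5")

    @property
    def rating(self) -> int:
        return self.likelihood * self.impact  # 1-25

def by_horizon(risks):
    """Approach 1: short-term risks first, highest rating first within each group."""
    return [r.name for r in sorted(risks, key=lambda r: (not r.short_term, -r.rating))]

def by_effort(risks):
    """Approach 2: place each risk in the rating/effort matrix and map it to a phase."""
    plan = {"phase 1": [], "phase 2": [], "phase 3": [], "avoid if possible": []}
    for r in sorted(risks, key=lambda r: -r.rating):
        high_rating, high_effort = r.rating >= HIGH_RATING, r.effort >= HIGH_EFFORT
        if high_rating:
            plan["phase 2" if high_effort else "phase 1"].append(r.name)
        else:
            plan["avoid if possible" if high_effort else "phase 3"].append(r.name)
    return plan

# Constructed sample register, one risk per category named on the page.
REGISTER = [
    Risk("no executive sponsor", "Organization", 3, 5, 2, True),
    Risk("teams lack cloud skills", "People", 4, 4, 4, True),
    Risk("slow change process", "Processes & operations", 3, 2, 1, False),
    Risk("legacy app hard to re-host", "Technology & applications", 2, 3, 5, False),
    Risk("data policy not refreshed", "Security & compliance", 4, 5, 2, True),
]

if __name__ == "__main__":
    print(by_horizon(REGISTER))
    print(by_effort(REGISTER))
```

The same register yields different orderings: the horizon approach puts the skills gap second, while the effort matrix defers it to phase 2 behind the two cheaper high-rated mitigations.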
Key mitigation strategies
Many risk mitigations will overlap and can often be linked to these four key cloud adoption strategies.
The cloud blueprint is the roadmap to achieving the adapted cloud management state. The operating model describes how you will manage and operate the adapted state after achieving it. The Cloud Centre of Excellence is an organizational structure optimized for managing the cloud. A cloud platform is the technology to manage the cloud in a scalable and compliant manner. Lastly, education will be critical to help everyone understand how to effectively use the cloud and the organization’s cloud strategies.
Readiness and other assessments
The discovery phase is also an excellent point to run other assessments to help gain a deeper understanding of specific areas in the current state. Examples include foundational capability assessments such as security, agility, or DevOps readiness assessments. Another common area to look at is architectural readiness assessments for container or serverless capabilities that may exist within the organization.
Existing compliance and other assessment reports can also be useful to summarize as part of the discovery phase, as can any existing application migration plans and target architecture proposals.
All the information collected during discovery should be noted in a detailed discovery report. The first part of this report will be the collected data. Without venturing any opinions or insights, it simply records what was collected or assessed.
The 2nd part of the report is split into three key sections:
- Opinions on the information that was collected. This is where opportunities could be highlighted, such as teams within the organization with existing cloud experience. This section should generally focus on the positive aspects of the current state and collected data.
- The expected challenges and potential blockers to cloud adoption. Risks from the assessment with a high likelihood score are obvious items to include here. Additional risks might be uncovered from the discovery sessions or related to specific applications that have been shortlisted for early migration.
- This key section will include the high-level initiatives the organization should consider for successful cloud adoption, the mitigations required to address any identified risks, and the immediate next steps on the cloud adoption journey.
Besides the detailed discovery report, it can be helpful to create a summarized presentation deck of the discovery phase. This can make it easier for others in the organization to get a high-level understanding of the cloud adoption journey. The presentation deck keeps the summary of the collected data to a minimum and focuses more on the insights, risks, and recommendations.
As organizations start on the cloud adoption journey, a common question is how to measure progress or success.
Cloud adoption is a journey; there is no end to continuously improving how the cloud is used within the organization and keeping up with the evolving cloud itself. A common approach to measuring progress is establishing milestones, which will typically be unique to the organization based on what is achievable on a realistic timeline.
A baseline can be the NIST industry benchmark shown below. NIST is an American standards institute, but its maturity benchmark is widely referenced around the world. This benchmark can provide a way to measure an organization’s cloud adoption progress. The stated capabilities and levels can help when deciding on internal cloud adoption milestones to track. We have added some capabilities based on our experiences helping large organizations adopt the cloud.
The first step towards a successful cloud adoption journey is conducting a thorough discovery and risk assessment. This involves understanding the current and target states of the organization, performing a gap analysis, and identifying and mitigating potential risks. Through this approach, organizations can establish their desired to-be state and create a roadmap for their cloud adoption journey. Establishing milestones and measuring progress using established benchmarks, such as the maturity benchmark provided by NIST, will help organizations track their cloud adoption success and continuously improve their cloud strategy.