Discovery & risk assessment: Start your cloud journey here
From blind spots to breakthroughs: How discovery and risk assessment can transform your cloud strategy
This blog is a part of the Cloud Strategy Unboxed blog series and it looks at the first step on the journey to successful cloud adoption: discovery and risk assessment. This includes establishing a firm understanding of the current state, determining the target state, performing a gap analysis that will drive the roadmap, and identifying and determining the mitigation for risks that might occur along the way.
The organization’s cloud states
There are three cloud states that an organization must uncover before embarking on (or resetting) a cloud adoption journey. Together, these states will provide the organization with a roadmap and north star to guide the journey.
Organizations should first understand the ideal state of managing a cloud environment. This ideal state can include many components, such as organizational structure, cloud account design, security and compliance requirements, and development and operational frameworks. It is constantly evolving based on new technology and cloud developments, identified risks, and new types of cyber attacks.
The ideal state can be determined from multiple sources: research, guidance from cloud service providers, or by engaging Amdocs/Sourced. Importantly, it can and has been defined by organizations experienced in the cloud, and it includes many identified risks and their mitigations in the form of a particular strategy or approach.
For many organizations, the ideal state is an aspiration and not necessary for most organizations – certainly not in the early days of cloud adoption. As such, the next step is to adapt the ideal state to one that is realistically achievable within the budget limits, timeline, resource availability, and other organizational constraints that need to be considered, all of which should be assessed during the discovery phase. The resulting target state for the organization we call the adapted ideal state. A future step will define this target state in detail in a Cloud Operating Model. For the discovery phase, a high-level understanding of the state will be sufficient.
The concern with the adapted ideal state is that the further an organization deviates from the ideal state with its defined strategies optimized to reduce or mitigate risks, the higher the number of unknown risks the organization may be exposed to. And so, these risks must be continuously identified and assessed, and new mitigations designed and implemented accordingly.
Current state discovery
Having established the adapted ideal state, the organization can now look inward and document the current state. Understanding the current state will typically start at a high level and steadily get more into the details. For example:
- What is the organization’s vision for its use of the cloud?
- Is it starting fresh, or is there an extensive on-premises footprint that needs to be migrated?
- What are the teams’ technical capabilities, and how relevant are they for the cloud?
- What are our current security and data policies, and do they need to be refreshed for the cloud?
- Which application will be the first to migrate to the cloud, and how will we go about that?
Knowing the target state will help uncover relevant and important current state details. For example, establishing a Cloud Centre of Excellence is a common strategy for mitigating many cloud adoption risks. During discovery, potential candidates can be identified for leading this team and other key roles. The discovery team should also make an effort to present the target state to the teams they speak to. Help them understand the intent, get feedback, and gauge their level of interest in being part of this journey.
With a clear view of the current and target states, a gap analysis can be performed to start creating the cloud adoption roadmap for the organization, also known as the cloud blueprint.
Cloud adoption risk assessment
An important tool in the cloud adoption toolbox is a cloud adoption risk assessment. This provides an approach to identify risks and determine and prioritize their mitigations. Note that these should be risks specific to cloud adoption. Compliance and regulatory risk assessments will likely already exist within the organization or be mandated by a regulator.
Cloud adoption risks can be divided into five categories.
- Organization looks at the organizational structure, vision, and culture.
- People is about cloud knowledge and their ability to adapt and change.
- Processes & operations considers their current state and how they might work in the cloud.
- Technology & applications is all about the workloads that will run in the cloud and the organization’s ability to manage a cloud environment.
- Security & compliance considers how the current policies will impact cloud adoption and operation
As noted, ideal states will include known risks and their mitigations which can be a good starting point for a risk framework. However, where the adapted ideal state strays from the ideal state, unknown risks should be expected that need to be identified and mitigated in the organization’s risk framework. While trial and error is certainly an option, this approach can be costly and make timelines unpredictable.
Known on-premises risks can be considered, but these need to be assessed for relevance in the cloud. Internal risk teams can support, but without cloud knowledge, they will run into the challenge of unknown unknowns, or “you don’t know what you don’t know”. As a mitigating strategy, experienced cloud subject matter experts (SMEs) or consultants can be hired to provide experienced input.
More forward-thinking regulators may be able to provide at least some guidance on cloud adoption. Public content about risks is also available, but it must be critically reviewed with the source and any references assessed. Cloud service providers can share risks, though these are typically more relevant to their most numerous customer base (small to medium businesses) and tend to be more technology focused.
Either way, a risk framework for the cloud needs to be driven by knowledge and experience with the cloud, ideally with a similar industry and size of organization.
Risk examples
Under the category of Organization, an example risk would be that the organization is unable to articulate the benefits of cloud adoption effectively to obtain buy-in from the various teams.
For People, a risk could be that the team’s agility is insufficient to productively use the cloud. Agility is a foundational skill that must be in place before broad adoption of the cloud.
A common risk with Processes & Operations is that existing policies and processes become blockers or bottlenecks for cloud adoption. Especially those with little to no automation.
A Technology & Applications risk could be that the organization is unable to select a primary cloud service provider. This can happen to organizations that have not explored the cloud at all and those with different teams working with different cloud providers. Starting a cloud strategy with multiple cloud providers adds significant risk, so it is best to start with one and add additional ones later once the organization has achieved a degree of cloud maturity.
And lastly, a potential Security & Compliance risk is that the access to cloud environments is not appropriately controlled. This is commonly seen at start-ups and small businesses, where it is more convenient to give all the developers admin access to minimize blockers.
Besides these one-line risk titles, each risk in the framework should include the following:
- A description that explains what it is and sets context without talking about the impact
- The impact, describing the potential fallout of this risk occurring. There may be multiple of these, depending on the risk. These should be relevant to the organization.
- One or more mitigations that provide strategies to avoid or mitigate the risk. Again, these need to be relevant to the organization.
Let’s look at the example People risk in more detail.
Risk
The team’s agility is insufficient to productively use the cloud.
Description
Besides technical ability, the organization must be proficient in an agile mindset and project management for successful cloud adoption. organizations that have traditionally been more waterfall-oriented may struggle to adapt to the cloud operating model.
Impact
An organization that does not adapt to being more agile will not achieve the perceived agility benefits that the cloud can offer. This will lead to frustration and delays to the migration timelines as blockers and bottlenecks regularly pop up.
Mitigation
- Training: Agile training should start as early as possible in the cloud adoption initiative. This teaches foundational project management and team mindset, so it should start before cloud fluency training.
- Clear KPIs and success metrics: KPIs to award an agile mindset and success metrics to provide an aspiration target will help drive the organization towards self-improvement. Having goals can provide teams with a clear direction.
Risk rating
Once all potential risks are identified and documented, the next step is to rate them. Each risk will have three ratings.
- Likelihood rating
What is the chance of this risk actually happening in the organization? - Impact rating
Should this risk occur, will it have little effect on cloud adoption, or will it significantly disrupt or block the initiative? - Mitigation effort
The effort (time/cost/resources) to implement the most suitable mitigation.
One approach is to use a 1–5 scale rating, as per the examples below. Some organizations might choose a rating system already used with other internal risk assessments, such as a 1–10 scale or a simple low/medium/high.
The last step is prioritizing the risks; there are two approaches to this.
The first option is to separate the short-term and long-term risks. Short-term risks could disrupt the early stages of cloud adoption and need to be more urgently mitigated. Long-term risks can be addressed after the urgent ones. Within each of those groups, we prioritize by the risk rating. We calculate the risk rating by multiplying the likelihood by the impact rating. Using a 1 to 5 scale results in a risk rating between 1 and 25 for each risk.
Another approach is based on the mitigation effort. Here we create a two-by-two matrix with a low-to-high risk rating on the vertical and a low-to-high mitigation effort on the horizontal.
Risks with a low rating and high effort should be avoided if possible. Those with a high rating and low effort are the low-hanging fruit that can be addressed quickly in phase 1. A high rating and high effort can be addressed in phase 2 because we usually want to prioritize high-impact items. Lastly, a low rating and low effort can be addressed in phase 3.
Key mitigation strategies
Many risk mitigations will overlap and can often be linked to these four key cloud adoption strategies.
The cloud blueprint is the roadmap to achieving the adapted cloud management state. The operating model describes how you will manage and operate the adapted state after achieving it. The Cloud Centre of Excellence is an organizational structure optimized for managing the cloud. A cloud platform is the technology to manage the cloud in a scalable and compliant manner. Lastly, education will be critical to help everyone understand how to effectively use the cloud and the organization’s cloud strategies
Readiness and other assessments
The discovery phase is also an excellent point to run other assessments to help gain a deeper understanding of specific areas in the current state. For example, foundational capability assessments such as security, agility, or DevOps readiness assessments. Another common area to look at is architectural readiness assessments for container or serverless capabilities that may exist within the organization.
Existing compliance and other assessment reports can also be useful to summarize as part of the discovery phase, and any existing application migration plans and target architecture proposals.
Discovery report
All the information collected during discovery should be noted in a detailed discovery report. The first part of this report will be the collected data. Without venturing any opinions or insights, it simply records what was collected or assessed.
The 2nd part of the report is split into three key sections:
- Insights
Opinions on the information that was collected. This is where opportunities could be highlighted, such as teams within the organization with existing cloud experience. This section should generally focus on the positive aspects of the current state and collected data. - Risks
The expected challenges and potential blockers to cloud adoption. Risks from the assessment with a high likelihood score are obvious items to include here. Additional risks might be uncovered from the discovery sessions or related to specific applications that have been shortlisted for early migration. - Recommendations
This key section will include the high-level initiatives the organization should consider for successful cloud adoption, the mitigations required to address any identified risks, and the immediate next steps on the cloud adoption journey.
Besides the detailed discovery report, it can be helpful to create a summarized presentation deck of the discovery phase. This can be easier for others in the organization to get a high-level understanding of the cloud adoption journey. The presentation deck keeps the summary of the collected data to a minimum and focuses more on the insights, risks, and recommendations.
Cloud maturity
As organizations start on the cloud adoption journey, a common question is how to measure progress or success.
Cloud adoption is a journey; there is no end to continuously improving how the cloud is used within the organization and keeping up with the evolving cloud itself. A common approach to measuring progress is establishing milestones, which will typically be unique to the organization based on what is achievable on a realistic timeline.
A baseline can be the NIST industry benchmark shown below. NIST is an American standards institute, but its maturity benchmark is widely referenced around the world. This benchmark can provide a way to measure an organization’s cloud adoption progress. The stated capabilities and levels can help when deciding on internal cloud adoption milestones to track. We have added some capabilities based on our experiences helping large organizations adopt the cloud.
Conclusion
The first step towards a successful cloud adoption journey is conducting a thorough discovery and risk assessment. This involves understanding the current and target states of the organization, performing a gap analysis, and identifying and mitigating potential risks. Through this approach, organizations can establish their desired to-be state and create a roadmap for their cloud adoption journey. Establishing milestones and measuring progress using established benchmarks, such as the maturity benchmark provided by NIST, will help organizations track their cloud adoption success and continuously improve their cloud strategy.
Don't miss out on unlocking the full power of the cloud. for a personalized consultation or to learn more.
