The collision avoidance technologies in modern automobiles are remarkable. Peripheral radar alerts you to nearby vehicles and obstacles. Backup video shows you what’s happening behind you. Cruise control nudges the steering wheel when you start to change lanes to confirm that your maneuver is intentional.
Collision avoidance technologies guide you to avoid accidents as you make driving decisions. An organization’s technology governance framework does much the same thing for decision-makers. It provides guardrails that help decision makers avoid compromised systems and data, cost overruns, and business disruptions. Simply put, the governance framework reduces risk.
BMC Customer Success has gained considerable expertise in working with BMC customers to maximize the effectiveness of their governance frameworks. In this blog, I share some of our experiences to help you strengthen governance in your organization. In particular, I focus on decisions related to acquiring software-as-a-service (SaaS) apps.
What Is Governance?
There are countless definitions of governance. So I’ll begin with our definition here in the BMC Customer Success organization. Governance is a collaborative, fact-based decision-making framework within IT that supports IT’s constituents and key stakeholders. It’s a formal framework of guidelines that helps ensure that consistent processes, execution, and full consideration of business interests are all represented when decisions are made. The governance framework is codified in the form of policies such as security and operating policies.
With respect to SaaS, governance is a key factor in minimizing risk, especially security risk. In my previous blog on security, I emphasized the importance of vetting SaaS providers with respect to security and cited the security questionnaire as a key element of that vetting process. The security questionnaire is just one example of a governance framework component.
Another example is a list of SaaS applications that the central IT organization has evaluated and authorized. The list serves two purposes:
- It mitigates security risk by allowing business units and departments to acquire applications only from vetted providers.
- It keeps costs in check by avoiding the proliferation of multiple products with overlapping functionality, foregoing volume discounts and necessitating additional technical support.
Building Your Framework
In building a governance framework, it’s imperative to involve the people who are stewards of capability and stakeholder interests, both internal and external to IT. This includes the people with technology expertise, including security specialists, enterprise architects (EAs), IT managers, and other thought leaders. It also includes, of course, the businesspeople who benefit from the SaaS apps and use them day to day.
Security people offer insight into the corporate policies that protect systems and data. They typically have developed detailed security questionnaires for vetting SaaS providers to ensure that their solutions comply with the organization’s security policies.
EAs help determine if the SaaS solution aligns with the organization’s operating policies, that is, does it plug into the organization’s operating model. For example, some organizations have adopted the IT4IT Reference Architecture, a standard of the Open Group. This umbrella framework focuses on information needed to manage IT and the flow of data among IT management systems.
Business people bring insights into their business needs and how the SaaS apps help them address those needs.
Encouraging Adoption of Your Framework
A governance framework is ineffective unless it’s integral to the decision-making process. The framework must remain top of mind among decision makers as they make technology choices. This includes the business people who bring SaaS apps into the organization.
Shadow IT has long been a concern for IT because of the security risks and cost inefficiencies that arise when IT is unaware of apps brought into the enterprise. In many organizations, SaaS is a significant contributor to shadow IT. Consequently, it’s important that IT be aware of all SaaS apps so they can be brought under the governance framework.
IT often has only limited visibility into the SaaS apps that business units are acquiring. Discovery tools that identify SaaS apps and indicate whether or not they are authorized can identify all SaaS apps across the enterprise. Tracking tools such as RSA Archer GRC can serve as systems of record for security and compliance. Sharing data captured by these tools can be an eye-opener for business unit decision makers.
To bring SaaS under the governance umbrella, however, IT must rethink how it communicates and collaborates with business units. Experience teaches us that persuasion is preferable to heavy-handed mandates. Here are some ways to persuade business units to adhere to the governance framework:
- Help them understand the downside of uncontrolled SaaS proliferation.
- Emphasize that governance is a value-add.
- Have strong policies in place and communicate them clearly.
- Ensure a clear understanding of decision criteria.
- Have a system of record and operating model as a reference.
In working with business people, it’s essential to position IT as an enabler of the business , not an obstacle. IT should be responsive to their needs while also demonstrating how adherence to the governance framework increases their SaaS visibility so they can make informed decisions related to cost and compliance.
Making Quality Decisions within Your Framework
The governance framework provides the guardrails for decision making. However, it doesn’t ensure quality decision making within those guardrails. You need to ensure that line of business managers ask the right questions as they go through their decision-making process. Here are six questions they can ask to evaluate the effectiveness of their decision-making.
1. Do we understand the context of the decision?
- What is the business case?
- What problem are we addressing?
- What background information is available?
2. Do we understand the options?
- What options are available?
- What is the feasibility of each option?
3. Do we have the information we need to make a fact-based decision?
- What information is available?
- Is the information current, complete, and reliable?
4. Do we understand the trade-offs?
- What is the big picture, that is, what do we want to achieve overall?
- What are the trade-offs across the various options?
- What are the value implications?
5. Is our reasoning valid?
- Is the reasoning logically sound?
- Are we keeping the big picture in mind?
- Are we using the information we have effectively?
- Are we taking full advantage of available tools?
- Can we clearly and succinctly communicate the reasons for our decision?
6. Will we commit to action?
- Are we ready to make the decision and initiate action?
- Are we ready to commit the necessary resources to support that action?
A Formula for Business Success
The combination of a solid governance framework and effective decision-making practices is a formula for business success. This winning combination enables your organization to enjoy the many advantages of SaaS—seamless scalability, no upfront capital costs, unparalleled agility, lower costs, and more—all while minimizing risk.
If you need assistance with your transition to SaaS, please fill out our form and a BMC Customer Success expert will reach out to get started.
Five Strategies for a Smooth Transition to BMC Helix
These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.
See an error or have a suggestion? Please let us know by emailing [email protected].