Integrating the agility of DevOps with ITSM governance is a key problem to solve for businesses that want to fully embrace the speed of the DevOps transformation but also want to make sure the business is protected from unintended failures and outages.
The key is to allow for the quick and more frequent delivery of updates, while making sure the change process is enforced.
Providing a smart Risk Calculation service that feeds into this process is a great way to achieve this result. If a change is low risk, let it go through auto approval and deploy immediately; if it is medium or high risk, configure your approvals accordingly.
The question is: how accurately can we calculate the risk? How can we make it more intelligent?
An application like BMC Helix Multi-Cloud Service Management is in the perfect space to provide this service, as it can consume inputs from various sources and provide intelligent risk analysis. It has visibility into the development side through integrations with Agile tools like Jira and Rally, and into the ITSM side through integrations with Change, Incident and Work Order. This allows it to collect data from all these sources and put rules in place to calculate the risk of rolling out a change more accurately.
The idea is to let developers continue working in Agile tools like Jira or Rally to complete their work and push changes through the CI/CD pipeline, while behind the scenes a channel seamlessly creates a change for each deployment so that there is tracking and governance. BMC Helix Multi-Cloud Service Management already automates the process of creating a change request from Agile tools like Jira based on completion of a user story or a feature. Now add to this a process to calculate the 'Risk Profile' of this change.
How can we calculate the Risk Profile? Here are some inputs to this service:
- Technology Service Profile
  - Extend the technology service class in the CMDB to include risk metrics based on the impact of the service
  - Use impact as part of the calculation. For example, for a bank, services that would impact key banking services such as ATMs would have higher risk.
- Risk Profile of the Development Group
  - Assign a risk score to development teams based on the historical status of deployed changes
  - Automatically increment and decrement the risk score with each successful or failed change
  - High-impact incidents related to a change would also impact this score
- Inputs such as automation results, code coverage, SecOps results, etc.
  - Integrations with these tools can provide input to determine the risk profile
Configure Change Management approvals to auto approve based on Risk and provide immediate feedback from Change back to the DevOps process to allow for it to complete and continue with code deployment.
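The inputs and approval routing described above can be combined as follows. This is an added example, not BMC Helix code: every weight, threshold, field name and route name in it is an assumption chosen for illustration.

```python
from dataclasses import dataclass

# Every weight, threshold and field name here is an illustrative assumption.
SERVICE_IMPACT = {"low": 10, "medium": 25, "high": 40}  # risk metric on the CMDB service class
ROUTES = {"low": "auto_approve", "medium": "single_approver", "high": "cab_review"}

@dataclass
class Team:
    name: str
    risk: int = 15  # 0 (strong track record) .. 30 (poor track record)

    def record_change(self, succeeded: bool, high_impact_incident: bool = False) -> None:
        """Adjust the team score after each deployed change."""
        delta = -1 if succeeded else 3
        if high_impact_incident:
            delta += 5  # an incident traced to the change outweighs a clean deploy
        self.risk = max(0, min(30, self.risk + delta))

@dataclass
class PipelineSignals:
    tests_passed: bool      # automation results
    coverage_pct: int       # code coverage, 0..100
    critical_findings: int  # open critical results from the SecOps scan

def pipeline_risk(s: PipelineSignals) -> int:
    """Score the CI/CD signals on a 0..30 scale."""
    risk = 0 if s.tests_passed else 15
    risk += (100 - s.coverage_pct) // 10
    risk += min(s.critical_findings, 3) * 5
    return min(risk, 30)

def route_change(service_impact, team: Team, signals: PipelineSignals):
    """Return (score, level, approval route) for one change request."""
    # Fail closed: a service with no impact rating in the CMDB is scored as high.
    score = SERVICE_IMPACT.get(service_impact, SERVICE_IMPACT["high"])
    score += team.risk + pipeline_risk(signals)
    level = "low" if score < 35 else "medium" if score < 65 else "high"
    # Failed tests or open critical findings never qualify for auto approval.
    if level == "low" and (not signals.tests_passed or signals.critical_findings):
        level = "medium"
    return score, level, ROUTES[level]
```

The two fail-closed branches are the part to keep whatever weights are chosen: missing CMDB data and unresolved security findings should push a change toward human approval, never away from it.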
Stay tuned for more on this.