This work is licensed under CC BY 4.0 - Read how use or adaptation requires attribution

Cloud Policy & Governance

Framework / Domains / Manage the FinOps Practice / Cloud Policy & Governance

Establishing and evolving policies, controls and governance mechanisms to ensure that cloud use aligns with business objectives, complies with regulatory requirements, and optimizes cloud resources efficiently.

Establish Cloud Policy

  • Specify preferred, required and restricted cloud services and technologies
  • Define data storage lifecycle and retention policies
  • Define technology modernization lifecycle policies
  • Define technology and spend based commitment policies

Establish Cloud Governance

  • Specify requirements for governance tools
  • Define governance procedures


Policy and Governance can be thought of as a set of statements of intent, with associated assurances of adherence.

A Cloud Policy is a clear statement of intent, describing the execution of specific cloud-related activities in accordance with a standard model designed to deliver some improvement of business value.

Cloud Governance is a set of processes, tooling or other guardrail solution that aims to control the activity as described by the Cloud Policy to promote the desired behavior and outcomes.

Combining good Policy and Governance provides us with a mechanism to orchestrate and direct our Cloud FinOps activities.

It’s possible to imagine a world in which good things happen naturally, without any attention or control being applied to them. In most business situations though, the right things will only happen if people are directed or inspired to do them, the actions and their outcomes are monitored, and there are some (positive or negative) consequences arising from their actions.

A FinOps Culture is a set of attitudes and behaviors oriented to drive business value from cloud technology. Transitioning to this from a data center culture is one of the key challenges of FinOps. Policy and Governance is how we establish and sustain a FinOps culture. In fact, it is the way in which all culture is established and sustained. Think of any organization with a recognizable culture and you will see an effective Policy & Governance framework.

So the simple answer to why Policy & Governance frameworks are important is that organizations cannot sustainably deliver business value from cloud without them.

Cloud policy and Governance are key components of successful cloud FinOps practice. They work to align activities within the Cloud to the business overall goals and strategies, control the deployment and usage of Cloud resources in order to maximize ROI. We are able to ensure our cloud costs are predictable and manageable, and we can use Cloud Policy & Governance to support the consistent adoption of best practices across the organization, and support defense-in-depth against known threats and risks.

Governance includes both the mechanisms to enforce and enact policy, and KPIs to measure that compliance, defined and agreed to by stakeholders. KPI aligned with FinOps objectives (for example: 80% of compute costs covered by a commitment, 70% of teams trained…) are shared with all personas transparently to drive the behavior that will be most valuable to the organization. This visibility ensures that the organization is on the right track and if not, identifies areas for corrective actions.

It is important to avoid tracking too many indicators creating noise that creates inaction. A few strong indicators to start might be a better option to take actions. Compliance KPIs will evolve over time to adapt to FinOps objectives.

Cloud Policy & Governance has many interactions with other Capabilities, providing guardrails for good behavior that can be reported upon in Reporting & Analytics, identifying opportunities for improvement that might require work in FinOps Education & Enablement, or in one of the capabilities in the Optimize Cloud Usage & Cost domain. There will also be a strong interaction with other operational policy and governance drivers in the organization, such as IT Security, IT Asset Management, Cloud Centers of Excellence, or DevOps platform and shared service teams. All of these groups strive for consistent good behavior in cloud and beyond.

Maturity Assessment


  • Cloud Policy & Governance exists as part of overall business policy. Policies aim to control most significant risks to business value
  • Basic usage & rate optimization, etc as they apply to individual engineering teams and products
  • Manually, ad-hoc, largely reactive policy creation is sufficient
  • Static, manually distributed content and training on policies
  • Manual analysis & reporting is sufficient


  • Cloud Policy & Governance measures are broadened and standardized. Best practices are now being distributed and adopted across the business
  • Cross-functional collaboration. Integration with existing organizational policies and standards
  • Regular review cadence, proactive FinOps policies
  • Training on policies is integrated into routine training received by appropriate personas
  • Vendor-provided automated analytics tooling is used to automate governance


  • Cloud Policy & Governance is now closely integrated with overall business strategy
  • All levels of business now operate in a way that is aligned with the organization’s strategy and goals
  • Ongoing automated policy compliance review, with trending
  • Integration with new architectural concepts to ensure currency
  • Multi-cloud/enriched normalized insights & automation solution

Functional Activities

FinOps Practitioner

As someone in the FinOps team role, I will…

  • Ensure visibility and education on cloud policies to all persona stakeholders
  • Coordinate implementation of governance to support policy compliance when required
  • Support policies and governance put in place in my areas of control
  • Promote collaboration across persona groups, and access to other FinOps Capability outputs


As someone in an Engineering role, I will…

  • Implement Cloud policies and recommend improvements as systems evolve
  • Implement corrective actions plan when required
  • Support policies and governance put in place in my areas of control


As someone in a Finance role, I will…

  • Participate to elaboration of KPIs when related to Finance
  • Support policies and governance put in place in my areas of control


As someone in a Procurement role, I will…

  • Support policies and governance put in place in my areas of control


As someone in a Product role, I will…

  • Support policies and governance put in place in my areas of control


As someone in a Leadership role, I will…

  • Thoughtfully direct cloud policy in accordance with organizational value
  • Enforce and encourage compliance with policy
  • Support governance put in place to enforce and encourage policy compliance

Measures of Success & KPIs

  • Cloud Policy adherence: cost of resources compliant with Cloud Policies / Total Resource cost

Inputs & Outputs


Governance implements Policy through:

  • Guidelines – that set out best practice for policy implementation and how it can be achieved. These are advisory, rather than mandatory
  • Guardrails – formal processes and structures that define mandatory pathways for policy-compliant action, possibly with consequences for non-compliance
  • Automation – processes that automate policy implementation and which therefore control how compliant actions are carried out.

An example of a good cloud governance measure might be:

“At the end of each month, we will notify you of the cloud resources with zero utilization. These will be decommissioned by us the following Tuesday, unless you opt out of this process by providing a reason for retention.”


If a policy is poorly conceived or expressed, of dubious authority, too broad or general to be useful in practice, or imposes a cost on the organization that is out of proportion to its benefit, it is a bad policy.
Some examples of good policy statements might be:

  • “Our policy is to cover more than 80% of our optimized cloud usage with discounted pricing plans”
  • “Our policy is to reduce wasted spend by decommissioning cloud resources that deliver no business value”