Audit Of Governance And Risk Management Strategy Of Atlassian Corporation Plc

Audit of Atlassian’s governance and risk management strategy

Atlassian Corporation Plc is an enterprise software company in Australia. It is a popular organization in the technology sector, and more specifically in the software industry. It develops products for content management, project managers and software developers. The organisation is famous for its application called “Jira”. Moreover, it serves more than 120,000 clients.

The governance and risk audit continues to be a complicated challenge for businesses. As regulations and new laws are introduced, the requirements for higher levels of transparency, professionalism and objectivity become more challenging. There is potential exposure and a rise in accountability for liabilities. This indicates a direct need to assure that the various standards of corporate governance are adhered to. It also means that efficient compliance management systems must be properly in place.

In the following study, the risk audit of risk management strategy, governance, practices and commitments of Atlassian Corporation Plc is analysed. The study is a personal experience drawn from the viewpoint of managers.

Jira is a proprietary problem tracking product. It helps with agile project management and bug tracking. According to Atlassian, the software is used for issue tracking and project management by more than 75,000 customers in over 100 nations. Conventional risk, compliance and governance tools are highly challenging, expensive and cumbersome to integrate and manage. They need many people to deploy and maintain them. At Atlassian, the flexibility and power of Jira and Confluence software are used to keep this under control at low cost. This is done by integrating seamlessly with the teams and processes already present (Herbert and Efrat 2018).

To go through an audit and risk management strategy, Atlassian must implement an Audit and Risk Management Committee. Its role is to remain separate from executive management. Its purpose is to give advice; it has no decision-making power and performs no supervisory activity. Its members are responsible for independently reviewing the various financial statements and additional reporting before these are approved by Atlassian (Carlson 2017). Where an operational or technical issue arises in the finalisation of reports, Atlassian’s audit and risk management strategy can act as an essential forum for solving it. A good understanding of economic necessities and of fundamental principles and policies is vital for audit and risk management committee members. They should analyse the suitability of accounting policies, measures and performance. They should then identify and investigate economic and operational variations and trends against the forecasts (Millar 2017). Moreover, the effect of materially adverse findings is to be reviewed. The financial statements are then to give an accurate and fair view of Atlassian’s activities for the period under review and of its affairs at the balance date.

Atlassian manages risk and governance efficiently by assuring regulatory and business compliance. Its solution addresses problems of corporate governance, effective corporate agreements and enterprise risk management. This is done with processes and technology designed to handle a complicated regulatory compliance environment. The company delivers mature governance, risk and compliance programs to protect the organization (Ruff et al. 2018). The GRC (Governance, Risk and Compliance) solution provides a competitive benefit. It helps in making decisions confidently and ensures that those decisions are aligned with strategic risks and tolerances. The various features of Atlassian’s governance and risk management strategy are described below.

Assuring regulatory compliances

Atlassian satisfies regulatory compliance by optimally configuring regulatory agreements. This is done through real-time analysis of compliance against regulations. Atlassian provides quick notifications of security policy alterations that affect security negatively. These include actionable recommendations regarding developments (Brown and Bourke 2017).

Maintaining robust risk management

Atlassian’s GRC solutions assure compliance with different international IT and security standards. They can adapt to varying frameworks as these become relevant. Atlassian’s GRC has streamlined the documentation of risks, controls, IT systems and resources (Kendall et al. 2016). It also defines and manages periodic risk analysis, the accumulation of incidents and breakdowns, and the control of business continuity. It provides extra insights through dashboards, KPIs and reports.

Developing audit management

Atlassian is subject to various kinds of compliance requirements and audits. These range from internal governance to different regulatory requirements and different industry standards. Risk management has turned out to be an intricate matrix, and the company no longer depends on the necessary collaboration, emails and spreadsheets to perform it adequately (Mahroum 2016). Atlassian has delivered an automated solution that organises and centralises the various steps of the audit process. These are risk analysis planning, testing and fieldwork, expense and time management, reporting and remediation, and problem tracking.

Gaining competitive advantages

Atlassian has changed its governance, risk and compliance management to realise cost savings and improved business performance. This is done by standardising GRC processes to support decision making and to avoid unneeded expenses. These expenses include inspections and audit findings associated with redundant, singular and costly solutions (Rempel and Mäder 2015). Atlassian’s solution has established a sustainable and embedded process for risk management and compliance. It continually anticipates and proactively manages risks on an ongoing basis. With this proactive approach to IT compliance, risk and governance, the company has scope to develop competitive benefits by using it as a differentiator in the marketplace.

Ways Atlassian Manages Risk and Compliance

The above GRC is not just about compliance, risk and governance management. It also includes performance management and assurance. In practice, however, the scope of the GRC framework has been extended towards information security management. It also includes business continuity management, ethics and values management and quality management. To understand GRC better, Atlassian needs to know the various dimensions of its business.

It should be remembered that Atlassian needs to have IT and various support functions such as audit, procurement, marketing, legal, administration, HR and finance. The dimensions are described below.

Resources

These are needed to conduct business and include organisational structures, procedures, standards, policies and strategies. They also include roles and responsibilities, processes, people, technology, information, and physical, financial and intellectual resources, as well as third parties such as contract employees, vendors and suppliers (Andersson et al. 2017).

Business attributes

They include SLAs, profitability outcomes, targets and goals. They also involve risks, including financial risk, market risk, strategy risk, operational risk, fraud risk, reputational risk, information security risk, compliance risk and technology risk. They further include compliances, regulatory risks, legal compliances, organisational compliances such as standards and policies, security such as information, physical and human security, ethics and values, and quality (Winkler et al. 2016).

Governance, management and operations

Governance includes setting direction, optimising resources and risks, and monitoring performance and compliance to achieve the objectives of the company. It is broadly categorised into corporate governance, business governance, legal governance and IT governance. Management includes reporting, controlling, coordinating, leading, organising and planning. Operations involve the execution of functions and processes (Johansson 2017).

Controls

To realise value from the business, resources need to be used effectively and efficiently, and business attributes need to be optimised. This is possible when proper measures are implemented and executed (Martin et al. 2018). These controls are categorised into management controls, process controls, physical controls and technical controls. They are then applied to resources and attributes.

Assurances

Various independent guarantees are needed to assure that the controls are designed and operated expertly and that compliance requirements are met consistently. Governance is responsible for monitoring and obtaining these assurances, which is done mainly through audits. There are various kinds of reviews, including external and internal investigations, certification audits, financial audits, IT audits, compliance audits, process audits, security audits and many more (Claps, Svensson and Aurum 2015).

Atlassian is committed to compliance with the GDPR, or General Data Protection Regulation. This regulation makes significant modifications to European data privacy legislation. It was developed to provide EU citizens with more control over data and findings, and to unify various existing security and privacy laws within one comprehensive proposal (Sivula 2015). Atlassian’s clients trust that the company has made GDPR a critical priority. It has devoted important and strategic resources to its efforts to comply with GDPR.

Like various worldwide software companies, Atlassian is in the process of rolling out its companywide GDPR compliance strategy. It appreciates that its clients have requirements under GDPR that directly affect their use of Atlassian services and products (Granlund 2016). Further, Atlassian is committed to helping customers fulfil the conditions of GDPR and of local law.

Some of the commitments made by Atlassian to satisfy the GDPR requirements applicable to Atlassian and customers are provided below:

  • Assuring that the products are designed according to the standards ISO27018, ISO27002 and ISO27001. These measures mirror various privacy and security requirements of GDPR. This gives customers a transparent basis on which to assess software development and data management practices. Atlassian is in the process of certifying various cloud products such as Jira Core, Jira Service Desk, Jira Software and Confluence Cloud for ISO. Moreover, it is pursuing certifications of different products very fast (Moolenburgh 2016).
  • Besides, Atlassian is committed to learning about existing commitments and certifications, which include the recent SOC2 certification for various cloud products.
  • Commitment to following the extra privacy and security measures required by GDPR.
  • Where data is transferred outside the European Union, commitment to proper data transfer mechanisms as required by GDPR. This also includes Privacy Shield certification.
  • Assisting with the privacy and security of processing, promptly communicating breaches to users and customers, and meeting breach notification regulations.
  • Assuring that Atlassian staff who access and process customers’ personal data are trained to handle the data and are bound to maintain its security and confidentiality.
  • Holding vendors that handle personal data to similar data management, privacy and security practices and standards (Biener and Crawford 2018).
  • Commitment to carrying out data impact analysis and consulting with EU regulators.

The organisation aims to provide clients with reliable, quick and secure services. As a provider of global services, Atlassian runs its services with standard features and operational practices across different jurisdictions. At present, Atlassian stores data within its AWS data centres situated in Ireland and the US (Guðnason, Jónsson and Garðarsson 2015). The information is saved in a data centre close to the location from which most of the users access it. Moreover, contractors and employees situated in the Philippines, Australia, Europe and the US are allowed to fetch specific data for technical support, customers and product development. Because hosting information close to the most significant user base is prioritised for performance reasons, different product and service features of Atlassian can be transferred to Australia and the US. Additionally, Atlassian personnel need to access data stored in the EU from a non-EU country for support and technical reasons.

The mission of Atlassian is to unleash the potential of every team, in industries of all kinds and sizes. This, in turn, helps to advance humanity through the efficiency of software. It is a vital mission for the company, because data is at the core of every life and business (Radevski, Hata and Matsumoto 2016).

Their security management program considers all the requirements of customer security in order to arrive at a set of conditions and initiatives that are unique to them and their environment. Moreover, they do not look at safety as an ultimate destination to reach; it is an ongoing journey. They continuously strive to develop their services and software so that the most secure method is also the easy way. This is the reason why security is built into the fabric of their infrastructure. Some of the innovative means through which they have developed protection are described below. These are the areas they work on daily.

Architecture

Security is front of mind when developing business, network and application processes. The security architecture of Atlassian cloud has been designed with a wide range of industry frameworks and standards in mind. It is also intended to balance the need for flexibility with the need for effective controls that assure the availability, integrity and confidentiality of customers’ data.

Applications

It applies to information lifecycle management, data security and app dev security.

Security

Regarding security, there are threat and vulnerability management, crypto and encryption and security incident management.

Infrastructure

Communications security, operations, access controls and asset management.

Data centers and offices

Environment and physical security.

Corporate

This includes privacy, compliance and audit, business continuity, mobile security, personal security, an organisation of protection, security governance and third-party and supplier data management.

Hosts

They have hosted Bitbucket, Confluence and Jira with their cloud hosting partners.

Resiliency practices

ISO 22301, ISO 27002, SOC2.

Primary guidelines to guide DR or Disaster Recovery programs

This consists of constant development, assurance through testing and dedicated resources (Quadrant 2015).

Role of the Audit and Risk Management Committee

Conclusion:

The study shows the extent to which the Board of Directors of Atlassian has been abiding by its stated risk management and governance commitments. This is implicit in the company’s philosophy and is vital for sound corporate governance. It is the responsibility of the board of directors to serve as a prudent fiduciary for shareholders and to oversee the management strategy of Atlassian’s business. To fulfil its liabilities and discharge its duty, the board of directors has followed the standards and procedures outlined in those guidelines. However, various risks related to the business and the industry must not be overlooked. Firstly, the company’s fast growth has made it complicated to evaluate its prospects. Moreover, this raises the risk that it will not continue to grow at near historic rates. Besides, they are unable to sustain their revenue growth rate and maintain profitability for the future. However, Atlassian’s distribution model of offering and deploying products both through the cloud and on-premises raises its expenses. This affects the time to calculate revenue and poses different challenges to the business. The business depends on customers renewing their maintenance and subscription plans, and on their purchasing extra licenses and subscriptions. It should also be kept in mind that a decline in customer retention or expansion harms the company’s future operating outcomes.

References:

Andersson, R., Bargalló, E., Emås, L., Harborn, J., Lundgren, A., Odén, U., Ringnér, J. and Sjögreen, K., 2017, May. Machine Protection Risk Management of the ESS Target System. In 8th Int. Particle Accelerator Conf. (IPAC’17), Copenhagen, Denmark, 14–19 May, 2017 (pp. 1876-1879). JACOW, Geneva, Switzerland.

Biener, A.S. and Crawford, A.C., 2018, July. DevOps for Containerized Applications. In International Conference on Applied Human Factors and Ergonomics (pp. 35-44). Springer, Cham.

Brown, D. and Bourke, J., 2017. Risk management: Leadership, disrupted. Governance Directions, 69(4), p.212.

Carlson, R.M., 2017. Atlassian: Analysis and strategic recommendation.

Claps, G.G., Svensson, R.B. and Aurum, A., 2015. On the journey to continuous deployment: Technical and social challenges along the way. Information and Software technology, 57, pp.21-31.

Granlund, T., 2016. Implementing a Medical Device Software Risk Management Process by ISO 14971 in compliance with Agile Principles (Master’s thesis).

Guðnason, F., Jónsson, J.A. and Garðarsson, S.F., 2015. Tempo for Bitbucket (Doctoral dissertation).

Herbert, G. and Efrat, Z., 2018. Interview-Guy Herbert: Getting Agile at Atlassian. Governance Directions, 70(4), p.165.

Johansson, A., 2017. How can Atlassian products be modified to reduce the average time usage for common tasks.

Kendall, R.P., Votta, L.G., Post, D.E., Atwood, C.A., Hariharan, N., Morton, S.A., Gilbert, M., Moyer, E.T., McNally, R.P. and Wilson, A.J., 2016. Risk-Based Software Development Practices for CREATE Multiphysics HPC Software Applications. Computing in Science & Engineering, 18(6), pp.35-46.

Mahroum, S., 2016. Atlassian in Sydney: Beating the Tyranny of Distance. In Black Swan Start-ups (pp. 215-231). Palgrave Macmillan, London.

Martin, M., Fraga, E., Cuní, G., Colldelram, C., Fernández-Carreiras, D., Salvat, D., García López, G., Burgos, A. and Matilla, O., 2018. Streamlining Support and Development Activities Across the Distinct Support Groups of the ALBA Synchrotron with the Implementation of a New Service Management System.

Millar, G., 2017. Measuring the Success of Incident Management at Atlassian.

Moolenburgh, E., 2016. Learning strategy: More than. Training & Development, 43(6), p.16.

Quadrant, M., 2015. Magic quadrant for social software in the workplace. Analyst (s), 501, p.G00270286.

Radevski, S., Hata, H. and Matsumoto, K., 2016, March. Towards building api usage example metrics. In 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER) (pp. 619-623). IEEE.

Rempel, P. and Mäder, P., 2015, March. Estimating the implementation risk of requirements in agile software development projects with traceability metrics. In International Working Conference on Requirements Engineering: Foundation for Software Quality (pp. 81-97). Springer, Cham.

Ruff, J.C., Herndon, J.B., Horton, R.A., Lynch, J., Mathwig, D.C., Leonard, A. and Aravamudhan, K., 2018. Developing a caries risk registry to support caries risk assessment and management for children: A quality improvement initiative. Journal of public health dentistry, 78(2), pp.134-143.

Sivula, A., 2015. Security Risk and Threat Models for Health Care Product Development Processes.

Winkler, D., Musil, J., Musil, A. and Biffl, S., 2016, September. Collective intelligence-based quality assurance: combining inspection and risk assessment to support process improvement in multi-disciplinary engineering. In European Conference on Software Process Improvement (pp. 163-175). Springer, Cham.