Rethinking IT governance: Designing a framework for mitigating risk and fostering internal control in a DevOps environment
International Journal of Accounting Information Systems (IF 5.111), Pub Date: 2022-04-09, DOI: 10.1016/j.accinf.2022.100560
Olivia H. Plant 1, 2 , Jos van Hillegersberg 1, 3 , Adina Aldea 1, 4

An increasing number of companies are transforming their IT departments into cross-functional teams that are responsible for both the development and operation of software and that use automation to speed up their delivery process. This novel approach, commonly known as “DevOps”, promises many benefits, such as increased speed and frequency of deployment. However, companies using DevOps often struggle to demonstrate control of their software delivery processes to IT auditing parties, due to the decentralized decision-making structures and high degree of automation in DevOps teams. This research presents a framework that aims to guide organizations in mitigating and governing risks in IT teams and departments that use the DevOps paradigm. We adopted a design science research approach, building on a literature review and semi-structured interviews with seventeen employees from nine Dutch companies that are in different stages of their DevOps transition. The results suggest that two main factors influencing how departments design their DevOps environment are risk appetite and DevOps maturity. We furthermore find that companies in practice often use a mixture of traditional, manual IT controls and the automated controls suggested in the literature. Based on these insights, a situational control framework is designed that suggests suitable risk mitigation practices.




Updated: 2022-04-09