‘Citizen developer’ success requires strong IT oversight

The “citizen developer” revolution sounds very promising. After all, what enterprise wouldn’t want to be more agile while reducing costs and accelerating their ability to bring solutions to market.

But the wide array of platforms that enable end users to create workflows, automations, or even entire applications without the skills of professional developers invite the same kinds of problems caused by shadow IT if companies aren’t careful about how they are adopted.

That includes not just security and business risks but also IT problems due to difficulty of maintaining projects, technical debt, and manageability issues, says Jason Wong, an analyst at Gartner, which predicts that low-code and no-code users, aka “citizen developers,” will outnumber professional developers at large organizations four-to-one by 2023.

Digital disruption and hyperautomation will only see adoption of low-code and no-code tools accelerating, according to Gartner analyst Fabrizio Biscotti. If IT leaders don’t get out in front of the downsides of increasing reliance on citizen developers, significant problems await.

Here’s how several adopters of low-code and workflow-automation platforms are paving the way for more productive, risk-free use of these user-empowering tools.

Centralized oversight at Schneider Electric

Schneider Electric is one such organization leveraging citizen developers to streamline and automate processes. The company, which started with OutSystems’ low-code platform four years ago and recently added Microsoft’s process automation tool Power Apps to its mix, has established a strategy for overseeing citizen development that includes centralized oversight, training, and code and security reviews.

Jamie Locks, vice president of integration and middleware, says Schneider Electric’s approach to citizen development begins with the company’s professional development team.

“We make sure we understand it,” he says. “We’ve got this tool, how do we make sure we master it, understand all the ins and outs, integrations, capabilities, the road map of the product itself. We might lean on third parties to bring it up to speed.”

In some cases, integrations might be complicated, or there might be nuances related to security, he says. “We build our own competence first. Then we find use cases, proof of concepts that we can put into production and not just throw away, to build our own comfort level. Then we start to build a road map and reusable components.”

Only once that foundation has been established does the team begin to recruit citizen developers. Non-developer employees interested in leveraging the tools must first go through training. Today, there are 150 people trained on OutSystems, Locks says, with 95 different projects already deployed.

These include employees from a range of backgrounds, including some with the most basic technology skills, he says. “And some are as good as our developers, and some are IT guys in a regional organization that really take this and run with it,” he says. “The people we’re hiring today are more tech-savvy, they’re digital citizens. And I don’t want to have a big central team doing everything, and I don’t want to pay the vendors to do everything.”

As for Power Apps, Schneider Electric has 100 people trained up on the platform. “Some were quite technical, and others were businesspeople with technical savvy,” he says. Because Power Apps is new to the company, there are only two apps up.

“It’s DIY IT; not shadow, but governed,” Locks adds. “DIY resonates with a lot of people because they see IT as a barrier, roadblock, bureaucracy slowing them down.”

Next, RPA will be added to the menu. “We have the intention to allow robotic process automation for citizen developers, but we’re just not there yet. You can do so much with it,” he says.

Once a citizen developer is trained, the development team works with the citizen developer to create their first project. The citizen then takes the project over, running it on their own. With later projects, vetted citizen developers do the work, but the professional development team is still involved at multiple steps along the way.

“Some of the advanced folks say, ‘Hey, give it to me,’ but I’m not ready to let people go on their own without any oversight and control,” Locks says.

First, there’s an initial solutions checkpoint. “What’s the architecture, what’s the database, where are the APIs?” he says. “Then it’s about performance, making sure they’re using the snippets we’ve got, that they’re using SSO, that they’re not capturing GDPR private data, that they’re not breaking any policies.”

Before anything is pushed into production, detailed code and security reviews are conducted. And once the tool is up and running, the citizen developer becomes the first line of support for the app, not IT.

“There might be issues on the network or somewhere else on the back end and clearly that would be my team and we would manage that, but we would not take on support for the application,” Locks says.

Despite the overhead involved in overseeing citizen development, Locks sees advantages to allowing non-developers to create their own tools. “One is speed to market,” he says. “When development is doing it, or you have developers in India, it stretches out so long.”

Plus, the new tools get better adoption because the business units are building what they themselves need. “People feel more satisfied and more autonomous,” he says. “And it avoids IT being caught in the middle for small, low-hanging fruit. It lets IT focus on things that add value.”

Automation guardrails at Guidant Global

Staffing company Guidant Global has 2,600 employees managing more than 200,000 engagements in more than 80 countries. Some of that work is ripe for automation, but not at the scale where formal application development makes sense.

For example, a process in which an employee verifies certificates of insurance every month might take about six to eight hours, with the employee manually looking up individual supplier records in an application, checking whether their certificates are up for renewal, verifying they’ve submitted the renewal, and then following up to track down the renewed insurance certificate.

A Guidant employee involved in that process used a workflow automation tool to automate the process, which now takes only 10 or 15 minutes each month to complete. Plus, there is now less chance of accidentally missing one of the suppliers, says Pamela Beard, senior vice president of technology and project management at the company.

Guidant currently uses the Catalytic no-code workflow automation tool and Microsoft’s Power Automate to complete such work. Like Schneider Electric, Guidant Global has oversight in place.

“Before any of our citizen developers even gain access to Catalytic as a platform, we have set up a very structured training program that anyone who will have access to Catalytic will go through,” she says. “We also use Catalytic from a governance perspective.”

For example, that includes using testing environments within Catalytic so that apps can be tested and approved before they go into production — and be reviewed for privacy and other requirements.

“We’re also doing ongoing maintenance of processes that have been automated to make sure they’re functioning as designed,” she says. “And if they’re no longer needed, moving them off the platform.”

Guidant also has a governance board composed of both business and IT representatives to oversee the work of citizen developers. The company just finished training its fourth cohort, with 46 people now certified on Catalytic and 35 processes automated so far.

As part of the training, citizen developers are required to work with their line management to identify a couple of business processes they want to work with. Then, together with the automation center, they develop the automation and deploy it. “So we are walking them through every step,” says Beard. “The training isn’t just theoretical but very hands-on.”

Sometimes, an automation can help create new business opportunities. For example, a Guidant client launches a major recruitment drive each year, screening a large number of candidates in a very short time frame. Previously, the job would have been too resource intensive for Guidant to tackle.

“With Catalytics and some chatbot technology we were able to do some initial conversations with potential candidates to do the initial screening,” she says.

For this particular client, candidates must meet some specific requirements and submit an essay of a particular length. The chatbot asks questions to make sure the candidates have the required qualifications, and the essays are automatically checked for length, grammar, and profanity.

As a result, Guidant Global was able to reduce an initial pool of 7,500 candidates down to fewer than 1,800 for human review. “We could not have done that project if we had to do a human review of all 7,500 in the turnaround time we had,” she says.

The risks of empowerment

Low-code and no-code tools are continually getting more powerful, and they’re getting increasingly easy to use. On the surface, that sounds like a good thing, but it also ups the risks.

“The tools themselves are not the problem,” says Tamim Saleh, senior partner at McKinsey & Co. “The problem is the people and rules within the organization. If organizations allow uncontrolled development of algorithms and AIs and aren’t clear about how they’re going to be used, then they will end up not being compliant with regulations. Almost all responsible organizations understand this risk and have clear protocols — but nobody is really good at this.”

The area is in the early stages of development, he says. “But the risk is real, and my advice for any CIOs, or heads of digital analytics, is to take model management and governance extremely seriously and build this capability early on.”

Low-code and no-code tools are also increasingly being built into most of the major enterprise software platforms and SaaS applications, says Gartner’s Wong, making their use particularly difficult to identify and control.

“In previous generations of rapid application development tools, they led to the creation of shadow IT, resulting in lots of technical debt and maintenance and long-term manageability nightmares,” he says. “And some of it grew into important, business-critical apps. Today, the technology is a little different, the architecture is a little better, and a lot of it is cloud and SaaS.”

The pandemic has accelerated adoption, he says.

“We talk to lots of clients who say, ‘We need to do this now, we need this form now, we need to automate now,’” he says. “And they came across a vendor and said, ‘We’re going to use this.’ They’re looking at it as an immediate pain point. We saw this a lot in the pandemic.”

But some of the tools don’t even have testing or staging environments, he adds.

Next, AI will be very significant in low-code and no-code products of the future, and that can compound the risks.

“They will use AI to automate what’s happening behind the scenes,” Wong says. “And if you’re a citizen developer business user, you might just trust that the tool is giving you the right models.”

Without strong governance processes in place, it will be a challenge for companies.

“The worst that can happen is IT and the business are not on the same page about how their low-code and no-code tools are being used,” he says.