The \u201ccitizen developer\u201d revolution sounds very promising. After all, what enterprise wouldn\u2019t want to be more agile while reducing costs and accelerating their ability to bring solutions to market.\nBut the wide array of platforms that enable end users to create workflows, automations, or even entire applications without the skills of professional developers invite the same kinds of problems caused by shadow IT if companies aren\u2019t careful about how they are adopted.\n[ Beware the 14 reasons why software projects fail and the leadership practices that could sink your software project. | Get the latest CIO insights direct, with our CIO Daily newsletter. ]\nThat includes not just security and business risks but also IT problems due to difficulty of maintaining projects, technical debt, and manageability issues, says Jason Wong, an analyst at Gartner, which predicts that low-code and no-code users, aka \u201ccitizen developers,\u201d will outnumber professional developers at large organizations four-to-one by 2023.\nDigital disruption and hyperautomation will only see adoption of low-code and no-code tools accelerating, according to Gartner analyst Fabrizio Biscotti. If IT leaders don\u2019t get out in front of the downsides of increasing reliance on citizen developers, significant problems await.\nHere\u2019s how several adopters of low-code and workflow-automation platforms are paving the way for more productive, risk-free use of these user-empowering tools.\nCentralized oversight at Schneider Electric\nSchneider Electric is one such organization leveraging citizen developers to streamline and automate processes. The company, which started with OutSystems\u2019 low-code platform four years ago and recently added Microsoft\u2019s process automation tool Power Apps to its mix, has established a strategy for overseeing citizen development that includes centralized oversight, training, and code and security reviews.\nJamie Locks, vice president of integration and middleware, says Schneider Electric\u2019s approach to citizen development begins with the company\u2019s professional development team.\n\u201cWe make sure we understand it,\u201d he says. \u201cWe\u2019ve got this tool, how do we make sure we master it, understand all the ins and outs, integrations, capabilities, the road map of the product itself. We might lean on third parties to bring it up to speed.\u201d\nIn some cases, integrations might be complicated, or there might be nuances related to security, he says. \u201cWe build our own competence first. Then we find use cases, proof of concepts that we can put into production and not just throw away, to build our own comfort level. Then we start to build a road map and reusable components.\u201d\nOnly once that foundation has been established does the team begin to recruit citizen developers. Non-developer employees interested in leveraging the tools must first go through training. Today, there are 150 people trained on OutSystems, Locks says, with 95 different projects already deployed.\nThese include employees from a range of backgrounds, including some with the most basic technology skills, he says. \u201cAnd some are as good as our developers, and some are IT guys in a regional organization that really take this and run with it,\u201d he says. \u201cThe people we\u2019re hiring today are more tech-savvy, they\u2019re digital citizens. And I don\u2019t want to have a big central team doing everything, and I don\u2019t want to pay the vendors to do everything.\u201d\nAs for Power Apps, Schneider Electric has 100 people trained up on the platform. \u201cSome were quite technical, and others were businesspeople with technical savvy,\u201d he says. Because Power Apps is new to the company, there are only two apps up.\n\u201cIt\u2019s DIY IT; not shadow, but governed,\u201d Locks adds. \u201cDIY resonates with a lot of people because they see IT as a barrier, roadblock, bureaucracy slowing them down.\u201d\nNext, RPA will be added to the menu. \u201cWe have the intention to allow robotic process automation for citizen developers, but we\u2019re just not there yet. You can do so much with it,\u201d he says.\nOnce a citizen developer is trained, the development team works with the citizen developer to create their first project. The citizen then takes the project over, running it on their own. With later projects, vetted citizen developers do the work, but the professional development team is still involved at multiple steps along the way.\n\u201cSome of the advanced folks say, \u2018Hey, give it to me,\u2019 but I\u2019m not ready to let people go on their own without any oversight and control,\u201d Locks says.\nFirst, there\u2019s an initial solutions checkpoint. \u201cWhat\u2019s the architecture, what\u2019s the database, where are the APIs?\u201d he says. \u201cThen it\u2019s about performance, making sure they\u2019re using the snippets we\u2019ve got, that they\u2019re using SSO, that they\u2019re not capturing GDPR private data, that they\u2019re not breaking any policies.\u201d\nBefore anything is pushed into production, detailed code and security reviews are conducted. And once the tool is up and running, the citizen developer becomes the first line of support for the app, not IT.\n\u201cThere might be issues on the network or somewhere else on the back end and clearly that would be my team and we would manage that, but we would not take on support for the application,\u201d Locks says.\nDespite the overhead involved in overseeing citizen development, Locks sees advantages to allowing non-developers to create their own tools. \u201cOne is speed to market,\u201d he says. \u201cWhen development is doing it, or you have developers in India, it stretches out so long.\u201d\nPlus, the new tools get better adoption because the business units are building what they themselves need. \u201cPeople feel more satisfied and more autonomous,\u201d he says. \u201cAnd it avoids IT being caught in the middle for small, low-hanging fruit. It lets IT focus on things that add value.\u201d\nAutomation guardrails at Guidant Global\nStaffing company Guidant Global has 2,600 employees managing more than 200,000 engagements in more than 80 countries. Some of that work is ripe for automation, but not at the scale where formal application development makes sense.\nFor example, a process in which an employee verifies certificates of insurance every month might take about six to eight hours, with the employee manually looking up individual supplier records in an application, checking whether their certificates are up for renewal, verifying they\u2019ve submitted the renewal, and then following up to track down the renewed insurance certificate.\nA Guidant employee involved in that process used a workflow automation tool to automate the process, which now takes only 10 or 15 minutes each month to complete. Plus, there is now less chance of accidentally missing one of the suppliers, says Pamela Beard, senior vice president of technology and project management at the company.\nGuidant currently uses the Catalytic no-code workflow automation tool and Microsoft\u2019s Power Automate to complete such work. Like Schneider Electric, Guidant Global has oversight in place.\n\u201cBefore any of our citizen developers even gain access to Catalytic as a platform, we have set up a very structured training program that anyone who will have access to Catalytic will go through,\u201d she says. \u201cWe also use Catalytic from a governance perspective.\u201d\nFor example, that includes using testing environments within Catalytic so that apps can be tested and approved before they go into production \u2014 and be reviewed for privacy and other requirements.\n\u201cWe\u2019re also doing ongoing maintenance of processes that have been automated to make sure they\u2019re functioning as designed,\u201d she says. \u201cAnd if they\u2019re no longer needed, moving them off the platform.\u201d\nGuidant also has a governance board composed of both business and IT representatives to oversee the work of citizen developers. The company just finished training its fourth cohort, with 46 people now certified on Catalytic and 35 processes automated so far.\nAs part of the training, citizen developers are required to work with their line management to identify a couple of business processes they want to work with. Then, together with the automation center, they develop the automation and deploy it. \u201cSo we are walking them through every step,\u201d says Beard. \u201cThe training isn\u2019t just theoretical but very hands-on.\u201d\nSometimes, an automation can help create new business opportunities. For example, a Guidant client launches a major recruitment drive each year, screening a large number of candidates in a very short time frame. Previously, the job would have been too resource intensive for Guidant to tackle.\n\u201cWith Catalytics and some chatbot technology we were able to do some initial conversations with potential candidates to do the initial screening,\u201d she says.\nFor this particular client, candidates must meet some specific requirements and submit an essay of a particular length. The chatbot asks questions to make sure the candidates have the required qualifications, and the essays are automatically checked for length, grammar, and profanity.\nAs a result, Guidant Global was able to reduce an initial pool of 7,500 candidates down to fewer than 1,800 for human review. \u201cWe could not have done that project if we had to do a human review of all 7,500 in the turnaround time we had,\u201d she says.\nThe risks of empowerment\nLow-code and no-code tools are continually getting more powerful, and they\u2019re getting increasingly easy to use. On the surface, that sounds like a good thing, but it also ups the risks.\n\u201cThe tools themselves are not the problem,\u201d says Tamim Saleh, senior partner at McKinsey & Co. \u201cThe problem is the people and rules within the organization. If organizations allow uncontrolled development of algorithms and AIs and aren\u2019t clear about how they\u2019re going to be used, then they will end up not being compliant with regulations. Almost all responsible organizations understand this risk and have clear protocols \u2014 but nobody is really good at this.\u201d\nThe area is in the early stages of development, he says. \u201cBut the risk is real, and my advice for any CIOs, or heads of digital analytics, is to take model management and governance extremely seriously and build this capability early on.\u201d\nLow-code and no-code tools are also increasingly being built into most of the major enterprise software platforms and SaaS applications, says Gartner\u2019s Wong, making their use particularly difficult to identify and control.\n\u201cIn previous generations of rapid application development tools, they led to the creation of shadow IT, resulting in lots of technical debt and maintenance and long-term manageability nightmares,\u201d he says. \u201cAnd some of it grew into important, business-critical apps. Today, the technology is a little different, the architecture is a little better, and a lot of it is cloud and SaaS.\u201d\nThe pandemic has accelerated adoption, he says.\n\u201cWe talk to lots of clients who say, \u2018We need to do this now, we need this form now, we need to automate now,\u2019\u201d he says. \u201cAnd they came across a vendor and said, 'We\u2019re going to use this.\u2019 They\u2019re looking at it as an immediate pain point. We saw this a lot in the pandemic.\u201d\nBut some of the tools don\u2019t even have testing or staging environments, he adds.\nNext, AI will be very significant in low-code and no-code products of the future, and that can compound the risks.\n\u201cThey will use AI to automate what\u2019s happening behind the scenes,\u201d Wong says. \u201cAnd if you\u2019re a citizen developer business user, you might just trust that the tool is giving you the right models.\u201d\nWithout strong governance processes in place, it will be a challenge for companies.\n\u201cThe worst that can happen is IT and the business are not on the same page about how their low-code and no-code tools are being used,\u201d he says.