To stay competitive, today's global businesses require a higher degree of flexibility and need to use their resources more effectively than in the past. Most are growing more dependent on software to achieve these requirements -- in both the operation of internal business processes and the production of software or software-related products for external consumption.
These demands have already transformed many traditional development teams into software delivery organizations that field a broader set of responsibilities. They not only develop and maintain applications but also evaluate, acquire, and integrate software products and services into complex systems, often with stringent quality and regulatory requirements. In other words, development organizations deliver solutions; the set of processes for these solutions may include development, procurement, maintenance, transition to the user community, and integration with operations, as well as delivery processes.
These activities cover a wide range of functions within an organization and require a strong business process with effective governance -- clear chains of responsibility, authority, and communication, along with measurement, policy, and control mechanisms that enable these chains. Governance is the key to gaining control of business processes and assets across functions within an organization. The goal of good governance practices is twofold: 1) to strategically align all resources with overall business strategy; 2) to manage risks in the organization's operations and investments.
Development organizations that have instituted good governance practices are able to transform how the business perceives their contributions' value. Rather than acting as a vendor to the business (i.e., building products according to requirements from the business side), these organizations become essential partners in the business, sharing the same strategy and values, and collaborating around opportunities for improving internal processes and acquiring new business. In essence, management treats these development organizations as value centers rather than cost centers.
This paper focuses on the governance perspectives that affect development organizations, the area in which the IBM Rational organization focuses its technology and service offerings. These offerings include:
- Solutions to help govern global development and delivery. Distributed development is a consequence not only of globalization but also of seeking to use skills and resources effectively, no matter where they are located.
- Solutions to help implement compliance and risk management. Laws and regulations have become more specific, and the consequences of non-compliance are very costly.
- Solutions to help govern modular and flexible architectures. For example, service-oriented architectures require special governance and lifecycle management mechanisms that encourage their use.
I will also discuss how IBM Rational is expanding its coverage to help clients better govern other key aspects of software and systems delivery.
In addition, this paper will touch on project portfolio governance issues -- the need to strike a balance between higher-risk efforts necessary for business innovation and lower-risk investments required to maintain existing systems and products. For most companies, the challenge is to manage the latter more effectively, freeing up resources for innovative projects that produce more value and help the business stay competitive.
What is governance?
Today's companies are growing increasingly dependent on software to run their business processes. In addition, many either produce software for client consumption or incorporate software into their products. To ensure that the software they depend on is reliable and efficient, companies need to govern the business processes they use to acquire, create, and deploy it. Like any key enterprise asset -- physical inventory or a department's business intelligence, for example -- software and software-related assets must be carefully governed in order to maximize the value to the business while reducing risk.
Common industry definitions of governance include the following two components:
- Chains of responsibility, authority, and communication that empower people within an organizational structure (static or structural component of governance).
- Measurement, policy, and control mechanisms that enable people to carry out their organizational roles and responsibilities (dynamic or measurement component of governance).
Governance is different from management. It determines who has the authority to make decisions. In turn, management activities should ensure that the organization's governance approach is carried out day-to-day.
Good governance does not consist of a set of shackles and business controls that stifle creativity. Although it is based on repeatable measures, good governance should provide a context for guiding entrepreneurialism, quality achievement, and efficient execution. To be accepted by practitioners, governance measures must have demonstrable value. Employees must understand that these measures make their organization more effective and productive.
Good governance is value focused. It helps an enterprise realize its goals and reap business benefits. It also helps to mitigate risk and improve team effectiveness by enabling effective measurement and control and promoting good communication. Poorly governed organizations often fall into the trap of focusing on processes rather than outcomes. They provide incentives based solely on measurements, losing sight of strategic goals and actual results.
A primary goal of governance is to ensure that the results of an organization's business processes align with the company's strategic business requirements. Another important goal is to reduce the degree of risk for the organization's operations and investments.
Making governance operational means instituting measures and controls that explicitly work off risk -- that provide appropriate insight for making the right decisions. Typically, this requires an organizational change effort; it cannot be done overnight. Governance is best achieved incrementally, following a roadmap with well-defined milestones and measurable results. It is also important to stop along the way so that you can adjust your course based on lessons learned.
There are as many governance perspectives as there are responsibilities in an enterprise. In this paper, I will discuss those that are particularly relevant from a development perspective:
- Enterprise governance
- IT governance
- Product development governance
- Development governance
As Figure 1 shows, although these governance perspectives do not all share the same level of abstraction, they are closely related.
Enterprise governance is the overarching perspective. IT governance is a subset of enterprise governance. Product development governance is also a subset of enterprise governance and a sibling to IT governance, with many similarities and overlaps. It is relevant for organizations that develop products in addition to IT systems, such as those in the auto and electronics industries. Development governance is a subset of both IT governance and product development governance. IBM Rational has deep expertise in this discipline, which has long been the target for many of Rational's products and services.
Although one might expect development governance to look about the same in the IT world as in the product development world, it does not. For historical reasons, the focus, priorities, and even the terminology are different.
Figure 1: Governance perspectives
As development organizations mature, there is more crossover between the two perspectives (see Figure 2). IT organizations start treating their assets as products, and product development organizations become more business focused. At IBM Rational, we have begun using the term software & systems delivery governance to cover these twin perspectives. However, in this paper, I will continue to use the more familiar term, development governance to refer to Rational's deepest area of expertise.
Figure 2: Software & systems delivery governance.In a mature organization, all of these perspectives are closely aligned; you cannot have good enterprise governance without effective and strategically aligned IT governance and/or product development governance.
This level of governance is mostly the concern of an enterprise's accountants and executives. The Information Systems Audit and Control Foundation defines it as:
...the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the organization's resources are used responsibly.
The two dimensions of enterprise governance -- conformance and performance -- need to be in balance.
- The conformance dimension is also called "corporate governance." It covers issues such as board structures, roles, and responsibilities, especially at the executive level. It may also encompass compliance with codes and/or standards; for example, many organizations are audited against the regulatory framework of the 2002 Sarbanes-Oxley Act. However, conformance and compliance are not synonymous. Compliance requires specific documentation proving how decisions were executed.
- The performance dimension of enterprise compliance focuses on strategy and value creation. This dimension does not lend itself easily to a regime of standards and audits. Instead, the organization works to define value and how it can be measured and monitored at various organizational levels.
Enterprise security policies might be considered part of the conformance dimension, but security is often a complex cultural issue. Many companies choose to restrict information about how decisions are made and what measures they were based on; such policies restrict how governance policies can be implemented. If certain governance measures cannot be made public because of security policies, then outsiders may perceive that decisions based on those measures lack a rationale or seem threatening.
Good corporate governance alone cannot make a company successful. Businesses must always strike a balance between conformance and performance -- with security concerns providing boundary conditions.
For more background on enterprise governance, see .
IT governance relates to an organization's information technology processes and the way they support business goals. As Figure 3 shows, the IT governance landscape can be divided into several focus areas representing various responsibilities in an IT organization. We refer to these areas as governance disciplines.
IBM Rational solutions support clients in the IT strategy governance and IT portfolio governance disciplines with project and portfolio management and process tools and expertise. In combination with Tivoli, we also provide support for operations governance and risk and compliance governance.
Figure 3: The IT governance landscape
Many IT organizations use standard governance frameworks to assign decision rights and institute process measures. Among the most popular are ITIL and CobiT.
- The IT Infrastructure Library (ITIL) is an internationally recognized and constantly evolving collection of IT best practices designed to help organizations overcome current and future technology challenges. ITIL is mainly about execution; it addresses controls as part of its activities. IT departments around the world use ITIL as a roadmap to help guide efficient and effective implementation of current technology, including the realization of an IT service management strategy. For more information, see the official ITIL Web site: http://www.itil.co.uk/
- Also widely used is the IT Governance Institute (ITGI) version 4.0 of Control Objectives for Information and related Technology (CobiT). CobiT is an IT governance framework and supporting toolset that allows managers to bridge the gaps between control requirements, technical issues, and business risks. For more information about CobiT, see http://www.isaca.org/cobit.
The IBM® Tivoli® Unified Process (ITUP) strongly aligns with the ITIL. For additional information, see http://www.ibm.com/software/tivoli/features/it-serv-mgmt/itup/index.html.
Product development governance
Product development governance is the sibling of IT governance for organizations that develop products (e.g., cell phones or airplanes) rather than IT systems for internal use (e.g., an automated payroll system). From an abstract perspective, IT and product development governance are very similar -- but because of differences in their history and development and deployment technologies, there are differences in practice. For example, product development governance encompasses practices around product strategy, product lifecycle management, and product marketing (see Figure 4).
Product development governance has some things in common with IT governance when it comes to managing the economics of the development and delivery processes. For products that are software intensive, there is the same need to focus on managing the project's risk curve and ensuring that activities focus on delivering value to both the business and to end customers.
Figure 4: The product development governance landscape
Development governance is the governance discipline in which IBM Rational has the deepest expertise, extensive product and service offerings, and a long record of success. Development governance is the application of governance to development organizations and the business processes they use to conduct development programs. Good development governance implies:
- Clearly defined ownership in the organization for applications/products, for the overall portfolio of applications/products, and for the architecture on which applications/products are based.
- An organization-wide measurement program whose purpose is to drive consistent progress assessment across development programs, as well as the use of consistent steering mechanisms.
Good development governance practices enable organizations to determine the extent to which development investments deliver on their expected value. That expectation is always at risk; the extent of the risk varies according to project characteristics. How well known is the problem to be solved? Have you done similar things before? And so forth. Figure 5 shows a representation of the risk curve in relation to a project portfolio.
- At the low end of the risk curve typically are projects that address problems associated with maintenance or transition. The development process for solutions is usually transactional and the outcome relatively predictable. Development governance practices and process improvement efforts typically focus on cost efficiency.
- Projects that introduce new technologies, platforms, or general unknowns fall into the middle of the risk curve. There is greater focus on application/product architecture and project management, since the problems to be solved are more complex. The development process can still be characterized as transactional, but the outcome is not as predictable as it is for projects in the previous category. A typical goal of process improvement efforts and governance practices is to create an environment that allows for agile execution of the development and delivery processes. Iterative development techniques are important to avoid wasting resources on problems that can't be resolved.
- Projects that explore innovative concepts are the riskiest. However, they are also most likely to give the enterprise a competitive edge. These are important investments that create new options for the future of the enterprise.
Figure 5: Degree of risk (probable estimation variance) for various project types
If an enterprise wants to stay competitive, it must engage in projects along all three portions of the curve. Low risk projects are necessary to stay alive; medium risk projects enable the enterprise to adapt to and capitalize on changing technology; high risk projects are required for growth.
Plotting a single project along this curve can also help organizations understand how risk changes during project execution -- as project characteristics undergo change during the delivery lifecycle. Well-governed software delivery organizations and delivery programs do track their projects in this way, and they understand how to handle varying degrees of risk.
Using governance practices to manage risk, whether from an organizational or project perspective, requires knowing who makes decisions and where responsibilities lie. Otherwise, investments can take on a life of their own and veer out of alignment with enterprise goals and strategy. Governance also means having measures in place to track results and then limit investments if the results are not as expected.
Governance starting points
Organizations embark on efforts to introduce better governance practices for many reasons. I'll discuss just a few of them. IBM and IBM Rational frequently support efforts to build a Service-Oriented Architecture (SOA), IT support for compliance, or solutions for Geographically Distributed Development (GDD), and we provide governance support for those areas as well. Below I will also discuss governance practices for organizations that take a more holistic view of transforming their development organization and its processes to become more effective.
SOA governance is an extension of IT governance that specifically focuses on the lifecycle of services, metadata, and composite applications in an organization's Service Oriented Architecture.
SOA governance involves setting decision rights and measures for those who execute SOA processes and maintain and use services within the architecture. For example, it must be clear who "owns" each service and makes decisions on how the service should evolve over time. Also, for each project, it must be clear who gets to decide whether to use a service or not -- and what criteria they should use. Many service-oriented architectures are underutilized because the product development/IT organization did not put the right measures in place and clarify decisions rights that would guide employees in making good use of the architecture.
Governance for compliance
Governance for compliance is an extension of enterprise governance. Compliance involves documenting and proving that governance measures are being executed to reinforce a particular regulatory framework: it ensures that decisions related to the framework are documented and carried out. Compliance frameworks vary by industry and product. Many companies must comply with Sarbanes-Oxley, but they may also observe domain-specific standards -- such as 21-CFR-11 for the pharmaceutical industry or Basel II for banking.
Governance of geographically distributed development
In our globalized business environment, companies want the ability to develop and deliver software anywhere, anytime, using the best resources available -- regardless of where they are geographically located. This phenomenon has many names: outsourcing, off-shoring, right-sourcing. To accomplish it, companies need a development environment that supports collaboration across continents, time zones, and cultures, along with well-defined and agreed-upon development practices. Governance should focus on:
- Clarifying responsibilities and ownership of assets across the distributed development organization.
- Measures and control of service levels among constituents of the distributed development organization.
Governance of development organization transformation
IBM Rational's vision is to help enterprises transform the internal view of development organizations from cost centers to business value generators. This is not just about introducing new best practices and tools but also about changing attitudes and culture. It requires organizational change encompassing components from many solution areas, including SOA, compliance, and geographically distributed development. Typically, mature development organizations regularly change their development practices to continuously optimize the value they provide to the business.
Good governance principles are needed to oversee these organizational change efforts -- to ensure that they achieve their expected results over time.
- Change initiatives should have defined milestones, or decision points, that set expectations for measurable results. Then, based on the results and the degree to which risks have been mitigated, the development organization can determine whether and how the project should move forward.
- Change initiatives should also have measures to control the degree of disruption to business processes and assess the change's positive impact. These measures should focus on the most visible factors: predictability of project costs, length of delivery cycles, and so forth. However, more subjective measures can be used in the early stages of an initiative to assess perceived impact within the development organization. These might include a survey of project managers or measures to determine how many projects are using certain new practices.
For more information on development organization transformation, refer to .
The governance lifecycle
Governance is about setting decision rights, control mechanisms, and measures for those who execute a company's processes, and then monitoring compliance with business strategy or other imperatives. Governance is also a process; it requires a sequence of events to specify rights and measures, control mechanisms, and compliance and effectiveness monitoring. In a development organization, a governance process enables managers to make considered decisions about the structure and rigor of executing business processes within the governance disciplines described above -- to better align development activities with business strategy.
As Figure 6 shows, a governance process has its own lifecycle; it is distinct from the lifecycle of the business processes that needs to be governed.
Figure 6: The governance lifecycle (as presented in the IBM Rational Unified Process® (RUP® SOA Governance Plug-In)
The goal of a governance lifecycle is to strengthen and mature the organization's governance practices over time. Although it may be useful to assess your own governance model against existing governance maturity models, none of them completely reflects everything that a software organization requires. The CobiT framework includes a maturity model that allows an organization to make judgments about how well it controls the CobiT canonical process set. However, as CobiT focuses mainly on control objectives, the model does not assess other governance measures and mechanisms.
Forrester Research recommends a four-stage IT governance maturity model:
- Stage 1: Ad hoc. There is no formal IT governance process in place, and it is not recognized as a necessity.
- Stage 2: Fragmented. There are attempts to formalize the IT governance process in parts of the organization but no enterprise level effort.
- Stage 3: Consistent. IT governance processes are consistently applied across the enterprise.
- Stage 4: Optimization. IT governance processes are optimized across the enterprise, and a strong IT portfolio management process is in place to ensure that both current and future IT investments are also optimized.
Understanding the nature and purpose of software-related governance is a first step toward achieving good governance. With its deep roots in process expertise and its long record of success in supporting organizational transformation, IBM offers a strong and comprehensive platform for helping clients introduce and evolve effective governance for the business process of software and systems delivery. A later paper will explore this platform in detail.
This paper is based on discussions with IBM Rational Distinguished Engineer Murray Cantor and Principal Consultant David Lubanko, who created many of the figures. I also had valuable input from IBM Rational experts Walker Royce, Darrel Rader, John Smith, Mary Ellen McElroy, and Geoffrey Bessin.
 Rational Unified Process, SOA Governance Plug-In.
 "Governing the Business Process of Software and Systems Development," Lin Barnett and Murray Cantor. IBM whitepaper, posted on DeveloperWorks.
 "Understanding IT Governance: Definitions, Contexts, and Concerns," Sunita Chulani, Clay Williams, Avi Yaeli, Mark N Wegman, and Murray Cantor, May 2006. IBM whitepaper, posted at http://domino.research.ibm.com/library/cyberdig.nsf/1e4115aea78b6e7c85256b360066f0d4/38905eea124cddfb852571fe00569cce?OpenDocument
 "Estimation variance and governance," Murray Cantor, March 2006. Article published in The Rational Edge.
 "Making Governance Operational," Murray Cantor, October 2006. IBM whitepaper. To be published.
 "Assessing the economic value of software projects," Patrick McKenna, November 2005. IBM whitepaper, posted on DeveloperWorks.
 "IT Governance Framework," Craig Symons, March 2005. Forrester report.
 "Transforming your software development capabilities: A framework for organizational change," Zoe Eason, Maria Ericsson, Lynn Mueller. September 2005. Article published in The Rational Edge.
 "Enterprise Governance: Getting the Balance Right," Professional Accountants in Business Committee (PAIB) of IFAC, Feb 2004.
 Applied Risk Analysis: Moving Beyond Uncertainty in Business, Jonathan Mun, Wiley 2005.