In the business world, what is it that needs to be governed? Any key asset, be it a physical inventory, the business intelligence of a department, or anything in between, needs to be carefully managed in order to harvest its maximum business benefit. Today's businesses need to be dynamic and responsive in order to survive in this fiercely competitive and demanding world. One of the foundational pillars of most businesses today is information technology (IT). The average enterprise's IT investment is greater than 4.2 percent of annual revenue (and rising). As a result, businesses measure the success of IT not only by how well it is being leveraged for business-as-usual (BAU) activities, but also by how it is utilized to facilitate the enterprise to be a key differentiator in the market.
Nowadays, business and information technology can be viewed as two cogs of the same wheel. A change in motion of one mandates that the other respond in kind. Hence enterprise IT needs to be flexible, extensible, responsive, resilient, and dynamically reconfigurable. This type of IT management and execution requires very efficient governance. The importance of governance is compounded by the introduction of service building blocks -- the notion of software as a set of services, including the services provided by infrastructure (supporting or enabling applications). This concept of software as a set of services is the theme behind Service-Oriented Architecture (SOA). SOA is a significant step forward in aligning information technology with business goals. It is of paramount importance that an enterprise that is strategizing around SOA needs an efficient governance mechanism. SOA governance is more than just providing governance for SOA efforts -- it is how IT governance should operate within an enterprise that has adopted SOA as its primary approach to enterprise architecture.
What is governance?
The definition of the word governance implies the action or manner of governing. Further, IT governance, as defined by Peter Weill and Joanne Ross in their wonderful work on IT governance (see Resources), is a decision and accountability framework to encourage desirable behavior in IT. Participants of the governance body lay down policies around different categories of decisions that need to be made. That body also decides upon the people in the enterprise who are empowered to make those decisions; that is, it carries out role identification. The members of the governance council also identify subject matter experts who are expected to provide input to firm up the decisions and also identify the group of people who may be held accountable for exercising their responsibilities (based on their roles). An effective IT governance council must address three questions:
- What decisions must be made to ensure effective management and use of IT?
- Who should make these decisions?
- How will these decisions be made and monitored?
Although governance addresses the three questions, management actually implements that governance.
The importance of IT and SOA governance
IT today is the most pervasive of organizations within an enterprise, having a horizontal presence across most, if not all, lines of business (LOBs). An organization which holds such an important key to business growth and success must be viewed as one of the enterprise's key assets. An asset so important must be fully understood not only to maximize the benefits obtained from it, but also to properly manage and, consequently, to mitigate the risks associated with it. This brings up the need for a governance body to formulate, control, and oversee the proper maintenance and growth of the business asset -- the need for IT governance.
SOA is like old wine in a new bottle. SOA concepts have been around for quite a long time in the IT industry. But it is only recently that it has gained attention as a way of aligning the business strategy and imperatives of an enterprise with its IT initiatives. What makes an enterprise that embraces SOA need to take governance more seriously is the distributed nature of services across various LOBs. The proliferation of more moving parts (that is, building blocks in the form of services) that need to be maintained by different organizations both within and outside the enterprise makes governance more challenging. This cross-organizational nature of business services and the potential composition of services across organizational boundaries can function properly and efficiently if, and only if, the services are effectively governed for compliance to requirements dictated by a service level agreement (SLA) for factors such as security, reliability, performance, and so on. Identifying, specifying, creating, and then deploying enterprise services thus needs SOA governance through a very strong, efficient body to oversee the entire life cycle of an enterprise's service portfolio.
In the wake of several corporate standards disasters, compliance to regulatory standards like Sarbanes Oxley (SOX -- see Resources) has become more important, as evidenced by the current inclination of investors to put their money behind companies that enforce high governance standards. These regulatory acts stress the need to establish and maintain corporate accountability as well as periodically assess its effectiveness. Good and efficient practice of corporate and IT governance is attracting investors as they attach more credibility and faith to the success and stability of companies that take governance seriously. Investors are more inclined to invest in companies that implement strict standards, and the general (and aptly justified) feeling is that adherence to standards can only be achieved through a governance mechanism. Statistics also reveal that firms with a well exercised IT governance have had 20 percent greater profit margins than their counterparts who make very little or no investment in IT governance, as Peter Weill and Jeanne Ross state in their book on IT governance (see Resources). It is quite evident that the investment in strict governance standards has a direct impact to the bottom line of any IT-centric enterprise.
The role of IT in the enterprise must be fully understood and carefully monitored. Investments in an asset so important must be carefully managed and hence the company stakeholders need to ensure that their organizations' IT investments support the overall business strategy and mitigate its potential risks. The essential responsibilities of a governance body are captured in Figure 1. I describe the pieces of this illustration more fully below.
Figure 1. Governance responsibilities
The main areas of governance include the following:
- Strategic alignment focuses on the imperative to align the business vision, goals and needs with the IT efforts.
- Value delivery focuses on how the value of IT can be proved through results like profitability, expense reduction, error reduction, improved company image, branding, and so on.
- Risk management focuses on business continuity and measures to be taken to protect the IT assets.
- Resource management focuses on optimizing infrastructure services that are a part of the On Demand Operating Environment (ODOE -- see Resources) or other environment supporting the application services.
- Performance management focuses mainly on monitoring the services that run in a enterprise's ODOE or other environment.
A governance meta model that illustrates the five major interrelated IT decisions can address the above areas of governance, as Figure 2 shows.
Figure 2. Governance meta model
Figure 2 depicts the various elements of governance and their relationships. Broadly stated, IT and SOA principles that are laid out at the enterprise level as guiding principles drive the IT architecture and the service model, which in turn dictate how the enterprise IT infrastructure services may be defined. The required business application needs can be evaluated based on the capability of the IT infrastructure framework. The maturity of the IT architecture and service model and the IT infrastructure services drive which parts of the required business application can be prioritized for IT investment.
IT and SOA principles
While IT principles are a related set of high-level statements about how IT should be used in the business, SOA principles define the general guiding principles to be followed while coming up with an enterprise SOA. The IT principles should be derived from a higher-level set of business principles that management owns. For example, the following is a sample list of business principles:
- Standardize processes and technologies wherever possible.
- Alignment and responsiveness to negotiated business principles.
The following could be derived from those IT principles:
- Architectural integrity
- Responsive, flexible, and extendible infrastructure
- Rapid and efficient deployment of applications
The IT principles can be mapped to the business principles as follows: Architectural integrity (the first IT principle) provides for standardized processes and technologies (the first business principle) while rapid and efficient deployment of applications (the third IT principle) promotes alignment and responsiveness to negotiated business principles (the second business principle).
Some guiding SOA principles that drive the service model could be:
- Compliance to standards that are industry-specific as well as cross organizational
- Service identification and categorization
- Service provisioning
- Service monitoring and tracking
- Capability of services to be composed in order to realize different business services
The SOA principles also influence the IT principles. While creating the IT and SOA principles, the members of the governance council should align them with how IT proposes to support the enterprise's desired operating model. Above and beyond creating the IT and SOA principles, it is also the council's responsibility to see to it that they are properly exercised across the enterprise.
IT architecture and service model
IT architecture and the service model identify the organization of enterprise data, applications, and infrastructure and how they are interrelated both statically as well as during run-time execution. It also determines the enterprise business services portfolio (exposed both externally and internally) and its subsequent categorization. It may be noted that the service model (according to the IBM Service-oriented modeling and architecture (SOMA) methodology -- see Resources) can be at a project level, line of business level, enterprise level, or ecosystem level. (The service ecosystem model has been further described in Ali Arsanjani's work, "Toward a Pattern Language for Service-oriented Architecture and Integration, Part 1: Build a Service Eco-system," listed in the Resources section of this paper.)
While creating and owning the IT architecture and the service model is an essential responsibility of the governance team, it is also the team's responsibility to create and agree upon a set of architecture decisions upon which the IT architecture and the service model should be built. The involved parties in the governance council should be also responsible for process standardization across the enterprise. Process standardization, which defines how things are done in an enterprise, is a necessary input to process integration and the key to process integration is a standardization of data across the enterprise, that is, a single view of the business entity that represents a customer.
IT infrastructure defines the foundation of the IT capabilities available throughout the enterprise to be shared across multiple applications. It is the responsibility of the members of the governance council to define the architecture of the enterprise IT infrastructure as a set of services, if that organization has adopted SOA. The services can be either technical in nature or can be human services and skill sets that are built around physical corporate assets, such as printers, scanners, and so on. It is commonplace for enterprises to use some software applications as infrastructure services or capabilities. These software applications can be in the form of customer relationship management (CRM), enterprise resource planning (ERP), supply chain management (SCM), and other systems. The architects in the governance council are also responsible for creating the infrastructure architecture around such standard, well-accepted software packaged applications. Given that IT infrastructure requires long lead times between implementation cycles, a lot of emphasis needs to be devoted to this discipline so that it can be used as a source of competitive advantage and a key differentiator.
Business needs drive the requirements for specific business applications. Business needs are identified primarily based on market opportunities that can help an enterprise to seize a competitive advantage. Specific business imperatives are identified by stakeholders and conveyed to the IT disciplinarians in the governance council. It is the responsibility of the IT wing of the governance consortium to address the business needs creatively and innovatively by conceptualizing new business applications. A keen eye needs to be kept on the compliance of the new business applications to the existing enterprise IT architecture. This can very well be viewed as a conflicting objective to the creativity that is required to come up with new applications, which often does not follow any constraints.
It is the responsibility of the enterprise architects to see to it that the new applications follow the enterprise IT architecture. New business applications can also lead to identification of new candidate services. These services need to abide by the SOA principles laid down by the governance body before they make their way into the enterprise service portfolio. It is also the responsibility of the enterprise architects to address the exceptions that may arise. Exceptions can be dealt with in two ways: The architects can impose limitations and constraints on the architecture of the new application so that it follows the existing architectural constructs. Or, they can use the new applications as a mechanism to evaluate whether the architecture has become outdated and needs to incorporate new constructs. With the proper representation of both business and IT in the governance council, new architectural constructs can be directly traceable to compelling business needs.
The IT investment decision is the most important of the five decisions that traditionally interests the company stakeholders. IT decisions revolve around three main questions:
- How much to spend?
- What to spend it on?
- How to create a balance between the needs different LOBs?
proposed way to make intelligent decisions is to have the designated members of the governance council obtain responsibility and ownership that is aligned with the following management objectives:
- Competitive advantage and core differentiation
- Cost reduction through better transactional throughput
- Iterative maturing of IT infrastructure architecture
- Providing information in digital form
It is the responsibility of the governance body to collectively make IT decisions based on the market trend, the financial direction of the company, and historical data pertaining to the relationship between IT spending and revenue generation.
Additional significant responsibilities
SOA governance enforces the use of discipline to maintain consistency and relevance within the SOA life cycle. By following a SOA methodology like SOMA, SOA governance tries to bridge the gap between business and IT by allowing traceability from business goals down to services and key performance indicators (KPIs) for measuring the results of those services. SOA governance also needs to keep a constant connection between business and IT through the concept of domain ownership. It is the responsibility of the members of the SOA governance council to logically partition the enterprise into a set of managed business services that share a common business context. Business owners and IT owners of a business domain are responsible for maintaining the applications that support the business domain's exposed business services. They are also responsible for maintaining and monitoring the SLAs of their existing business services as well as negotiating SLAs between different domains. The provisioning of metadata for enterprise business services is critical to both business and IT users. The metadata can provide information like WS-* compliance, business criticality, and so on. Based on the metadata, the business services can be monitored and managed. This is also a key responsibility of the members of the SOA governance council.
To ensure that services are not redundant and that they are relevant to business goals across the organization, the governance body should enforce coordination between new services and the existing services across the organization. This can be done by conducting periodic workshops with the LOB stakeholders to identify business application needs; after proper analysis, the governance body can add the business needs to the candidate business requirement portfolio. This can be followed by a series of business value assessment workshops wherein the identified candidates are passed through a business value indicator (BVI) litmus test to qualify a candidate business requirement as a service to be subsequently implemented and maintained.
The governance body is empowered with the responsibility of developing IT policies and oversees its compliance in the business applications that are designed and implemented. It should be a continuous exercise for the governance body to identify business processes that are critical either from a strategic differentiator perspective or for business process consolidation and optimization, or even just to stay competitive in the market.
The sheer volume of data regulations that are mandated by various regulatory acts such as SOX, Health Insurance Portability and Accountability Act (HIPAA), and the likes has made it a significant challenge for the enterprise to remain in compliance. It rests on the shoulders of the members of the governance council to evaluate the regulation requirements and come to a justifiable conclusion on how to implement them.
It is somewhat impractical to have the governance body make every single decision. Rather, the governance council must make an effort to decentralize the decision-making process among the business domains, but at the same time ensure that the following take place:
- The policies mandated by the governance body are well understood and abided.
- The business domain owners are made aware of the business strategic directions so that any decisions made at the business domain level are already aligned with the corporate vision.
Finally, it is the responsibility of the governance council to share the business and IT developments with the members of the c-suite (chief executive, chief finance officer, chief information officer, and so on) as well as with the LOB owners. This fosters awareness as well as reusability of business services that are developed by different business domains. The governance body should also consider creating a single information portal through which it can make information pervasive across the enterprise.
Any implementation of governance should be centered on the four pillars of an enterprise architecture: people, processes, technology, and services. One mechanism to implement an enterprise IT and SOA governance is by establishing a center of excellence (CoE) for IT and SOA governance that would enable a shared resource and capability center to function as a resource pool as new business application needs arise.
A governance implementation needs to be supported by a hierarchical organizational reporting structure. As shown in Figure 3, the such a reporting structure can be categorized into the four following hierarchies.
Figure 3. A sample governance organizational structure
- Sponsorship level. This essentially consists of the stakeholders in the steering committee and is adequately represented by the members of the c-suite along with the LOB owners and executives. The steering committee articulates the business strategy, goal, and vision for the enterprise. Members of this level are the key decision makers on how IT investment needs to be made and channeled to specific areas of the business that either need business process improvement or need to implement new applications that can be competitive market differentiators.
- Leadership level. This is composed of the leader(s) of the governance CoE and two representatives (one business and one IT) from each business domain. (Note: Business domains as mentioned in the previous section represent a logical grouping of business services that share a common business context). The leadership team learns the business strategies and visions from the sponsorship members and also obtains directives from and reports to the steering committee. The leadership team creates enterprise IT architecture and SOA principles that stand as over-arching rules which any application architecture needs to conform to. The team also prioritizes which application architecture needs to be created and ensures that the IT priorities are aligned with the business needs. The governance body (represented by the leadership team) also documents the architecture standards and the compliance requirements to regulatory acts. The enterprise architecture constraints are also documented by this team, and the team is empowered with overseeing the overall compliance to the architecture standards, guidelines, principles, and constraints when any new application needs to be designed and implemented (by teams at the next tier going down).
- Opportunity management level. Separate teams are formed at this level each focusing on one or more (related) business needs and are responsible to come up with clear definitions of business applications that cater to a given enterprise business need. Each initiative team has a business team lead responsible for gathering and formalizing the business requirements. Corresponding IT team leads are responsible for creating the overall application architecture and the solution that adheres to the IT and SOA principles mandated by the governance leadership team.
- Project Management level. Teams at this level manage the entire life cycle of a typical application design and development through the phases of solution definition, solution outline, macro design, micro design, build, test, and deploy. Each project team is aligned with a given initiative team. It is very common to have multiple simultaneous projects being run under a given initiative team.
While you can find many other flavors of governance in today's enterprise, the essential ingredient is a hierarchical reporting and organizational structure. Customization of the structure is inevitable, because enterprises have a wide spectrum of variance in their organizational structure and culture.
This paper stressed the importance of implementing an effective SOA and IT governance in any enterprise which considers IT to be one of its key assets to generating revenue and staying competitive in the market. The importance of not only having a governance body but also maintaining a high standard in its execution is further compounded with the recent introduction of various compliance acts like Sarbanes Oxley that must be adhered to by any enterprise. It has also been noted that investors put more faith behind companies that maintain a high standard of governance, the effects of which are directly reflected through better profit margins. Responsibilities of the governance body have been articulated with the hope that they provide a good platform to enterprises that are planning on implementing a governance mechanism. Finally, a proposed implementation of SOA and IT governance has been recommended that can be customized to suit the corporate culture and structure of a given enterprise.
The reasons for efficient enterprise SOA governance can only be compounded by the pervasive nature of enterprise services in the industry today. Enterprise services can be viewed so differently by different contributors within the industry, which leads to different and often misunderstood views about how an enterprise should govern its services portfolio in order to gain maximum benefit from its investment in the portfolio. The initial investment in a new service can be more easily amortized when it is created under the strict guidance of governance and additional services can more effectively be added to the SOA system.
The author would like to thank Dr. Ali Arsanjani and Sankar Singha for their contributions to the success of this paper.
- Architecting on demand solutions, Part 1: Best practices for using the thirteen capabilities of the IBM On Demand Operating Environment: Learn more about implementing IT based solutions to address business goals and challenges with the On Demand Operating Environment (developerworks, July 2004).
- IT Governance Institute: Find research on how an enterprise can ensure that its IT is aligned with the business and delivers value.
- IT Governance: How Top Performers Manage IT Decision Rights for Superior Results: This book by Peter Weill and Jeanne Ross is one of the best consolidated works on IT Governance.
- Sarbanes Oxley Act of 2002
- New to SOA and Web services: Learn about the benefits of SOA and how to implement it.
- Toward a Pattern Language for Service-oriented Architecture and Integration, Part 1: Build a Service Eco-system: Ali Arsanjani's excellent discussion on SOA Patterns (developerWorks, July 2005).
- Service-oriented modeling and architecture: Learn about the foundation of SOMA -- IBM's methodology for SOA enablement (developerWorks, November 2004).
- Standards roadmap -- understand the impact and importance of standards and specifications for the development of SOA and Web services.
- SOA and Web services -- hosts hundreds of informative articles and introductory, intermediate, and advanced tutorials on how to develop Web services applications.
- developerWorks blogs: Get involved in the developerWorks community.