IBM Advantage for SOA Governance Standards

The purpose of this article is to show why you should come to IBM for help with SOA Governance. IBM is leading the industry by helping to establish standards and the right way to do things for SOA and SOA Governance. IBM's SOA industry leadership is continuing with the introduction of the SOA Governance Maturity Model. IBM can help identify what you need to be successful with SOA and SOA Governance, and has products and services to back it up.


John Falkl, Distinguished Engineer and Chief Architect, SOA Governance, IBM  

John Falkl is an IBM Distinguished Engineer and the Chief Architect for SOA Governance within IBM’s Software Group. John’s responsibilities include driving the overall technical strategy and product requirements for SOA Governance functionality, as well as coordinating SOA Governance activities across IBM organizations. John led the Governance Incubation Project for the IBM Software Group CTO. With this project, John led the establishment of key SOA Governance processes and aligned the software product strategy against these baseline use cases. Of his 28 years with IBM, John spent 12 years in IBM Global Services where he led a number of high impact projects, most recently the definition and development of an SOA Management service offering for IBM’s Global Business Services organization. John holds 3 industry certifications in IT Technology and has a significant background in enterprise architecture and development (including 9 years in management). John has also led many high level technology studies within IBM.

Robert Laird, Executive Architect, IBM  

Bob is an Executive Architect with IBM in the SOA Advanced Technology group, performing worldwide consulting for IBM customers in the area of SOA Governance and SOA Architecture since May, 2006. He is a co-author of IBM's SGMM (SOA Governance & Management Method). He is a member of the industry TOGAF (The Open Group Architecture Framework) SOA Governance working group, has written two books on SOA: 'SOA Governance, Achieving and Sustaining Business and IT Agility', and 'Executing SOA, A Practical Guide for the Service Oriented Architect', and has two patents pending in the area of SOA Governance. Bob has over 20 years experience in the telecom industry at MCI and Verizon Business. He was the MCI chief architect, leading the enterprise architecture group and working across the entire order to cash suite of applications. He led the development of the SOA based single stack strategy to simplify the multiple network and applications silos. Bob has driven the strategy, planning, and execution of MCI's product development in the area of contact centers, IP/VPN, VOIP, IMS, and managed services. For OSS, he has led successful implementations to automate network provisioning, network restoration, and network management. Prior to joining MCI, Bob worked as a consultant for American Management Systems (AMS) and Ideation, Inc. He has MS and BS degrees in Computer Science from Purdue University and has been granted two patents in the area of telephony. He has spoken at various industry forums, written for The SOA Magazine and been quoted in CIO Insight, Telecommunications, Infoworld and Computerworld.

Tony Carrato, Executive IT Architect, SOA Advanced Technology, IBM  

Tony Carrato is an Executive IT Architect in the IBM SWG SOA Advanced Technology team. He is responsible for providing technical leadership on large SOA client projects, with a focus on aligning industry knowledge and IBM's technology. His previous experience includes being the IBM lead architect on large customers in telecommunications and financial services. Tony is an IBM Certified SOA Solution Designer and Sr Certified IT Architect, as well as an Open Group Master Certified IT Architect. Tony is co-chair of The Open Group's SOA Work Group and a frequent speaker at industry SOA events.

Heather Kreger, Senior Technical Staff Member, IBM Software Group

Heather Kreger is IBM’s lead architect for SOA Standards in Software Group with 15 years of standards experience. She has led the development of standards for Web services, Management and Java in W3C, OASIS, DMTF, and The Open Group. Heather is the author of numerous articles, specifications, the book “Java and JMX, Building Manageable Systems”, and most recently, editor of 'Navigating the SOA Open Standards Landscape Around Architecture'.

20 August 2009



Service Oriented Architecture Governance is now widely recognized as being one of the keys to a successful Service Oriented Architecture (SOA) for an enterprise. Governance standards have been put forth in the past by organizations such as COBIT and ITIL, but now the Open Group has created a standard for SOA Governance. This article will show how IBM is leading the establishment of SOA Governance standards. We will also show some insights into IBM’s next wave of thinking for SOA Governance, as we are continuing to enhance our abilities to aid enterprises with real SOA Governance. Finally, we’ll highlight the technologies that can help an enterprise realize SOA Governance faster.

The SOA Governance Framework has been standardized by The Open Group as a result of collaboration with the industry on IBM’s SOA governance concepts. It defines governance to be a means of establishing and enforcing how people and solutions work together to achieve organizational objectives. Governance helps to ensure that organizations build the right services, in the right way, at the right time, and then manage and reuse those services effectively. SOA governance does this by overseeing the processes of proactively identifying, assessing, building and managing high-value business services and solutions, those that provide the greatest return on investment. This means creating service reuse and providing agility in the ability to manage the business and IT.

Maximizing enterprise value means governance

All enterprises have some form of governance, though that governance may be weak and ad hoc. In such cases, there may be no actively designed governance mechanisms such as procedures, processes, structures, Centers of Excellence, or vitality, nor is there recognition that governance will enhance the value of both the business and IT. In their seminal work on IT Governance, Professors Weill & Ross describe IT Governance as the "most important factor in generating business value from IT". Enterprises with effective governance generate "returns on their IT investments up to 40 percent greater than their competitors" and "had more than 20 percent higher profits".

So what about governance focused on services, otherwise known as SOA Governance? Inherently, SOA requires more business-focused, end-to-end thinking within the enterprise than typically exists with IT Governance. While it was possible for the business and IT to safely work within the silo or department in the past, the concepts of shared services, reuse, and business agility require a true enterprise thinking process that facilitates change and transformation. Even though the research of Weill & Ross showed that good IT Governance has clear business benefits, the lack of such governance did not mean game over. Those enterprises with minimal or ad hoc IT governance could muddle through with business as usual.

Research and articles have shown that’s not the case for SOA and SOA Governance. Most researchers agree that the value of governance to the success of SOA cannot be overstated – SOA must be governed in order to realize the potential of a services approach. For example, the Gartner Group states that the "lack of working governance mechanisms in midsize-to-large (greater than 50 services) post-pilot projects will be the most common reason for project failure". Sandy Carter, Vice-President of SOA Marketing at IBM, states that governance is a major determinant of the organizational, technical, and behavioral success of an SOA. Governance is so essential that it must be built into the SOA planning and deployment from day one.

So what’s going on in the real world of governance standards?

SOA Governance establishes decision rights between business and IT related to services. It includes managing the service lifecycle that builds quality in the resultant set of services that benefit the business and IT. The area of IT Governance has had a lot of focus by global corporations and government organizations. Guidance and best practices around IT Governance have been around since 1996 from the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). These organizations created something called COBIT (Control Objectives for Information and related Technology, see

SOA Governance certainly should build upon and perhaps extend existing IT and operational governance. For example, COBIT calls for IT Governance to govern information systems, domains, and owners. SOA Governance should certainly build upon any such governance in place and extend it to information services that are part of the SOA. In some cases, the corresponding IT Governance is non-existent or weak, and it is then necessary to do some of the governance work that should have already been completed.

IBM provided the key concepts from SGMM (SOA Governance and Management Method), a key asset in IBM’s SOA services portfolio, to The Open Group in order to accelerate and lead the establishment of much needed industry standards for SOA and SOA Governance. SGMM is a technique to define and implement SOA Governance and Management for an organization, enterprise or line of business. It is based on best practice techniques developed over years of successful client engagements. IBM has originated thinking about the SOA journey in terms of a governance capability driven by people, process, and technology.

The SOA Governance Framework has been standardized by The Open Group as a result of collaboration with the industry on IBM’s SOA governance concepts. The Open Group SOA Governance Framework consists of a SOA Governance Reference Model (SGRM) to provide a standard starting point for an enterprise’s SOA Governance and a SOA Governance Vitality Method (SGVM) to understand and implement the updates needed for that enterprise to have a governance model that works for them.

The Open Group SOA Governance Framework defines a SOA Governance framework which is intended to be customized into a SOA Governance Regimen specific for your company. The framework covers the three aspects of SOA governance:

  • Processes – including governing and Governed Processes
  • Organizational Structures – including roles and responsibilities
  • Enabling technologies – including tools and infrastructure

The framework consists of:

  • SOA Governance Reference Model (SGRM) to provide a standard set of concepts with sample starting points for an organization’s SOA Governance
  • SOA Governance Vitality Method (SGVM) to understand and implement the updates needed for the enterprise to have a governance model that works
Figure 1. SOA Governance Vitality Method (SGVM)

The reference model defines the following concepts so that a common understanding of governance can be achieved across the industry. The samples of each concept should be selected and modified based on an organization’s maturity and goals:

  • SOA Governance Guiding Principles are the principles that assist in prioritization and decision making for SOA Governance design, deployment, and execution of the SOA solution and SOA Governance Regimen. This includes aspects of people/roles, processes, and technology, and can be used to get stakeholder commitment to the SOA Governance Regimen.
  • Governed SOA Processes are the actual SOA planning, design and operational processes being controlled, monitored, and measured. These SOA processes are categorized into Service and Solution Portfolio Management processes and Service and Solution Lifecycle processes.
  • SOA Governing Processes are the processes that a governance regimen uses to govern any particular process. The SGRM defines three Governing Processes: Compliance, Dispensation, and Communication, which are performed on an ongoing basis. It is expected that organizations will customize and extend the processes as appropriate for the business and SOA solution.
  • SOA Governance Roles and Responsibilities are part of an organization’s governance regimen, for example, SOA Steering Boards, SOA Center of Excellence, and SOA Governance Boards. A sample set has been provided, but which ones apply will be a function of the SOA governance principles and maturity.
  • SOA Governance Process Artifacts are new artifacts created explicitly to support governance processes, like roadmaps, plans, and policies. These artifacts should be kept current and available to governance stakeholders.
  • SOA Governance Technology is technology used to enable governance and the whole or partial automation of the governing processes. Technology capabilities, like store and access capability, policy enforcement capability, or monitoring capability, may be satisfied by manual means or by software.

The SOA Governance Vitality Model is meant to be executed continuously to guide the initial deployment of the governance regimen and to ensure and adjust the governance regimen to stay in line with changes in the SOA solution and organization. It defines the following steps:

  1. Plan phase identifies and analyzes the core governance areas for improvement. It establishes objectives/plan and specific measures for a proposed increment. Previously deployed increments are also evaluated for any necessary improvement.
  2. Define phase defines the SOA Governance Model Transition Plans required to deliver the objectives defined in the Plan phase.
  3. Implement phase implements the Transition Plans including deployment of processes, organization, and technology aspects of the SOA Governance Model.
  4. Monitor phase monitors the effectiveness of the currently deployed SOA Governance Regimen and whether it is meeting its intended purpose. This phase may start another iteration of the SGVM.

Getting to a real Solution using SOA and SOA Governance

IBM’s SGMM focuses on people (including governance organizational structures and the concept of a Center of Excellence), process (the governance processes used to govern the SOA) and technology, just like the Open Group SOA Governance Framework standard. SGMM and the SOA Governance Framework standard also share the basic understandings in the SOA governance reference model, specifically around principles, organization roles and responsibilities, infrastructure and tools, governing and governed processes. SGMM also includes a methodology with plan, define, enable, and measure cycles which are much like the SGVM in the SOA Governance standard.

Continuing IBM’s track-record in industry leading thinking around governance, IBM has recently extended its SOA Governance & Management Method (SGMM) to add a SOA Governance Maturity Model. The maturity model includes defining specific SOA Governance domains and capabilities that enable us to assess an enterprise’s current governance maturity. The SGMM Planning Assessment measures the SOA Governance Maturity of an enterprise so it would fall into the Plan phase of the TOG SOA Governance Framework Vitality Method.

What are Maturity Models for? In general, Maturity Models represent a means of and scale for both evaluating and assessing the current state of maturity. They also provide a means for developing a transformation roadmap to achieve a target state of maturity from a given current state of maturity. The Open Group has standardized a maturity model for service adoption: Open Service Integration Maturity Model (OSIMM). The SOA governance maturity model provides the next level of detail in assessing the OSIMM, particularly in the Governance and Organization dimension.

The governance maturity assessment results in the creation of an SOA Governance heat map that guides the usage of SGMM services assets, including checklists, guidance, best practices, processes, and procedures for the definition of a transition plan that creates good SOA Governance for the enterprise on an iterative roadmap.

IBM brings extensive customer experience using SGMM, the governance maturity model, and SOA Governance structure to the table. Customers see IBM taking on an increased partnership role with focus on solutions that work for them. IBM uses our experience with SGMM to guide our customers on the SOA journey with SOA Governance in the right amount and at the right time.

The SGMM maturity model domains and capabilities are an extension of the previous SGMM work already provided to the Open Group and forming the foundation of the industry standard SOA Governance framework. SGMM addresses four domains:

Figure 2. SGMM maturity model domains and capabilities
  • PLAN AND ORGANIZE – Addresses governance of the strategy, tactics, and organization for planning and governing an SOA
  • PROGRAM MANAGEMENT CONTROLS – Addresses governance of the ability to consistently manage for quality of service across the enterprise.
  • SERVICE DEVELOPMENT LIFECYCLE – Addresses governance of the service development lifecycle and the ability to create or modify services with high quality of service.
  • SERVICE OPERATIONS – Addresses governance of the operational environment for services.

IBM Support of SOA Governance


As already discussed, the SOA Governance and Management Method (SGMM) describes, in detail, best practices for implementing SOA governance and its supporting mechanisms and processes. SGMM is available as a plug-in with IBM Rational Method Composer. SGMM is also a service offering from IBM Global Business Services (GBS) and follows a Model, Assemble, Deploy, Manage SOA governance lifecycle, as follows:

Figure 3. Model, Assemble, Deploy, Manage SOA governance lifecycle

IBM offers the following key products that enable the service lifecycle within SOA Governance.

For SOA Governance enabling tools:

  1. WebSphere Service Registry & Repository (WSRR) and Repository Advanced Lifecycle Edition (ALE) – Operational management and resilience within the SOA is enhanced by sharing the service metadata that exists in WSRR with operational data stores, allowing management and monitoring dashboards to present a more comprehensive view of the managed service environment. Summary information about service performance can be fed back into WSRR and used by the execution environment to affect the selection of the best-fit provider. The ALE governs service lifecycle from creation to consumption.
  2. Rational Asset Manager (RAM) – provides the architectural standards and policies that must be followed for development. RAM helps ensure compliance by centralizing patterns and/or transformation that can be used when developing the solution through specification, design and build. In addition, RAM hosts a selection of implementation patterns and existing services that can be used during the build process. It allows the build team to analyze these implementation patterns to find which one meets its specifications. When the service build is submitted back to RAM, the policy governor plug-in validates the implementation against architectural and coding standards. RAM uses a policy based rules checking capability to automate certification before the service is allowed to be deployed.
  3. Tivoli Change and Configuration Management Database (CCMDB) – acquires and manages detailed information about the environment and topology in which service endpoints execute. CCMDB ensures compliance with internal and regulatory requirements by enforcing policies and tracking changes throughout your organization.

Service lifecycle management is a service-oriented lifecycle framework that establishes the service as the focal point of SOA governance, informing software development and deployment at each phase.

IBM offers the following solutions for each phase of the service lifecycle.


  1. Rational Team Concert (RTC) – the first in a family of products that provides a collaborative portal for automating, integrating and governing the activities in a team based software delivery environment. It adds a significant degree of collaborative value to programs using Rational ClearCase, ClearQuest, and RSA, as well as many Eclipse based tools.
  2. Rational System Architect – the best tool for automating and governing Enterprise Architecture. It helps empower organizations to fully deploy, visualize, collaborate on, and scale their Enterprise Architecture and IT Planning initiatives.
  3. Rational Method Composer (RMC) - document and communicate governance processes and information. RMC helps to author, configure, view, and publish processes, in this case, all of your SOA Governance processes. RMC is a content management system that provides a common management structure and look and feel for all process content. All content managed in RMC can be published to HTML and deployed to Web servers for distributed usage by all governance stakeholders. The documented governance processes created with RMC can be published and deployed as Web sites via the corporate intranet.


  1. Rational ClearQuest – provides comprehensive software change management with change tracking, process automation, reporting and lifecycle traceability for better visibility and control of the software development lifecycle.
  2. Rational ClearCase – centralizes software configuration management. User authentication and audit features help provide security and enforce governance policies on when, what, and by whom services can be changed.
  3. Rational Build Forge – allows development teams to standardize and automate repetitive build, test and release tasks.
  4. Rational Software Architect (RSA) – creates and communicates requirements using the industry standard Unified Modeling Language (UML) so that team members are developing against a common set of project blueprints. RSA matches the resultant models to the requirements maintained in Rational RequisitePro.
  5. Rational RequisitePro - traces business requirements back to business goals and to steps in the service development lifecycle. This traceability enables organizations to document that all business goals are being addressed.


  1. Rational Tester for SOA Quality and Rational Performance Tester Extension for SOA Quality – help validate that the functional and non-functional requirements are satisfied and that the service will meet SLAs.
  2. Rational Quality Manager - provides quality assurance teams with means to collaborate and share all aspects of the quality assurance effort.
  3. Rational Policy Tester - online compliance solution to assess quality, privacy, and accessibility compliance issues across corporate web properties.
  4. WebSphere ESB - delivers a standards-based connectivity and integration solution that allows the creation and deployment of interactions quickly and easily between applications and services.


  1. WebSphere DataPower SOA Appliances – These appliances are purpose-built, easy-to-deploy network devices to simplify, help secure, and accelerate your XML and Web services deployments.
  2. Tivoli Composite Application Manager for SOA - This SOA infrastructure management software offers integrated management tools that speed and simplify identification and resolution of SOA problems. A services topology view displays actual service-to-service relationships, including drill down to service status and metrics, so that you can keep track of your service flow. ITCAM for SOA provides automated SOA management and SOA monitoring software to help meet established service levels with built-in alerts, message mediations, situations and workflows.
  3. Tivoli Security Policy Manager - Provides a uniform point of administration of users, federation of user information, and privilege management.

SOA Customer stories

IBM has many customer references testifying to our expertise with SOA and SOA Governance. The following is a quick snapshot of our customer success stories:

  • Atlas Air, the world’s largest cargo airline, started their SOA journey with IBM by addressing their need for integrated messaging capability across the enterprise. This allowed the integration of real time information with process workflows, improving efficiencies, reducing costs, and decreasing the time needed to respond to business partner and new customer opportunities. As an added benefit, security and ability to audit were greatly improved. Success with this initial step allowed Atlas Air the flexibility to consider and commence process management improvements in their purchase to pay business process.
  • Spotlight Proprietary, Ltd. is an Australian retailer with stores across Asia-Pacific. The IT infrastructure was in danger of imminent failure with no strategic vision as to where they were going. Sales information was lacking, or at best old and incomplete, and the legacy systems were unable to support products and pricing. Spotlight focused on understanding and documenting the business processes it needed to support. By prioritizing the needs of the business and creating services, Spotlight started to rationalize its application portfolio. The added benefit is that the business now receives the information it needs to operate efficiently, and can be imaginative in how it will optimize that business.
  • The Texas Health and Human Services Commission (HHSC) provides oversight and administration of the state’s health and human services for about 2 million people annually. Face to face meetings with case workers were the only means of interaction and this was time consuming and expensive. A multi channel capability adding self-service, mail, call center and partners was desired to offload the case workers and process customer needs in a timely fashion. This business process outsourcing strategy was bold and a big change. The key to success lay in determining where to start the transformation process while keeping all moving parts aligned to strategic and tactical goals. A critical success factor for the IT transformation was establishing a project management office (PMO) function and having it work with all stakeholders. The dynamic governance model aligned all IT management activities with the services provided to the business.


Getting to an acceptable governance maturity level doesn’t happen by accident. An effective and evolving governance framework must be intentional and focused. It requires leadership. It must define clear roles and responsibilities. It must enable well-thought-out and consistently implemented policies and procedures. No one has the breadth of governance experience, appliances and software tooling that IBM has to help you achieve SOA success.


