Help your enterprise reap its true benefits by strengthening your awareness of the importance
of SOA governance for an enterprise which has IT as one of its key organizations. The author
illustrates some key responsibilities of a governance body and concludes by showing you how
you can effectively implement SOA governance.
Introduction
In the business world, what is it that needs to be governed? Any key asset, be it a physical
inventory, the business intelligence of a department, or anything in between, needs to be carefully
managed in order to harvest its maximum business benefit. Today's businesses need to be
dynamic and responsive in order to survive in this fiercely competitive and demanding world. One
of the foundational pillars of most businesses today is information technology (IT). The average
enterprise's IT investment is greater than 4.2 percent of annual revenue (and rising). As a result,
businesses measure the success of IT not only by how well it is being leveraged for business-
as-usual (BAU) activities, but also by how it is utilized to help the enterprise become a key
differentiator in the market.
Nowadays, business and information technology can be viewed as two cogs of the same wheel.
A change in motion of one mandates that the other respond in kind. Hence enterprise IT needs
to be flexible, extensible, responsive, resilient, and dynamically reconfigurable. This type of IT
management and execution requires very efficient governance. The importance of governance
is compounded by the introduction of service building blocks -- the notion of software as a set of
services, including the services provided by infrastructure (supporting or enabling applications).
This concept of software as a set of services is the theme behind Service-Oriented Architecture
(SOA). SOA is a significant step forward in aligning information technology with business goals. It
is of paramount importance that an enterprise that is strategizing around SOA have an efficient
governance mechanism. SOA governance is more than just providing governance for SOA efforts
-- it is how IT governance should operate within an enterprise that has adopted SOA as its primary
approach to enterprise architecture.
What is governance?
The definition of the word governance implies the action or manner of governing. Further, IT
governance, as defined by Peter Weill and Jeanne Ross in their wonderful work on IT governance
(see Resources), is a decision and accountability framework to encourage desirable behavior in IT.
Participants of the governance body lay down policies around different categories of decisions that
need to be made. That body also decides upon the people in the enterprise who are empowered
to make those decisions; that is, it carries out role identification. The members of the governance
council also identify subject matter experts who are expected to provide input to firm up the
decisions and also identify the group of people who may be held accountable for exercising their
responsibilities (based on their roles). An effective IT governance council must address three
questions:
1. What decisions must be made to ensure effective management and use of IT?
2. Who should make these decisions?
3. How will these decisions be made and monitored?
Although governance addresses the three questions, management actually implements that
governance.
SOA is like old wine in a new bottle. SOA concepts have been around for quite a long time in the
IT industry. But it is only recently that it has gained attention as a way of aligning the business
strategy and imperatives of an enterprise with its IT initiatives. What makes an enterprise that
embraces SOA need to take governance more seriously is the distributed nature of services
across various LOBs. The proliferation of more moving parts (that is, building blocks in the form
of services) that need to be maintained by different organizations both within and outside the
enterprise makes governance more challenging. This cross-organizational nature of business
services and the potential composition of services across organizational boundaries can function
properly and efficiently if, and only if, the services are effectively governed for compliance to
requirements dictated by a service level agreement (SLA) for factors such as security, reliability,
performance, and so on. Identifying, specifying, creating, and then deploying enterprise services
thus needs SOA governance through a very strong, efficient body to oversee the entire life cycle of
an enterprise's service portfolio.
also reveal that firms with a well exercised IT governance have had 20 percent greater profit
margins than their counterparts who make very little or no investment in IT governance, as Peter
Weill and Jeanne Ross state in their book on IT governance (see Resources). It is quite evident
that the investment in strict governance standards has a direct impact on the bottom line of any
IT-centric enterprise.
Governance responsibilities
The role of IT in the enterprise must be fully understood and carefully monitored. Investments in
an asset so important must be carefully managed and hence the company stakeholders need to
ensure that their organizations' IT investments support the overall business strategy and mitigate
its potential risks. The essential responsibilities of a governance body are captured in Figure 1. I
describe the pieces of this illustration more fully below.
1. Strategic alignment focuses on the imperative to align the business vision, goals and needs
with the IT efforts.
2. Value delivery focuses on how the value of IT can be proved through results like profitability,
expense reduction, error reduction, improved company image, branding, and so on.
3. Risk management focuses on business continuity and measures to be taken to protect the IT
assets.
4. Resource management focuses on optimizing infrastructure services that are a part of the On
Demand Operating Environment (ODOE -- see Resources) or other environment supporting
the application services.
5. Performance management focuses mainly on monitoring the services that run in an
enterprise's ODOE or other environment.
A governance meta model that illustrates the five major interrelated IT decisions can address the
above areas of governance, as Figure 2 shows.
Figure 2 depicts the various elements of governance and their relationships. Broadly stated, IT
and SOA principles that are laid out at the enterprise level as guiding principles drive the IT
architecture and the service model, which in turn dictate how the enterprise IT infrastructure
services may be defined. The required business application needs can be evaluated based on
the capability of the IT infrastructure framework. The maturity of the IT architecture and service
model and the IT infrastructure services drive which parts of the required business application
can be prioritized for IT investment.
1. Architectural integrity
2. Responsive, flexible, and extendible infrastructure
3. Rapid and efficient deployment of applications
The IT principles can be mapped to the business principles as follows: Architectural integrity
(the first IT principle) provides for standardized processes and technologies (the first business
principle) while rapid and efficient deployment of applications (the third IT principle) promotes
alignment and responsiveness to negotiated business principles (the second business principle).
Some guiding SOA principles that drive the service model could be:
While creating and owning the IT architecture and the service model is an essential responsibility
of the governance team, it is also the team's responsibility to create and agree upon a set of
architecture decisions upon which the IT architecture and the service model should be built. The
parties involved in the governance council should also be responsible for process standardization
across the enterprise. Process standardization, which defines how things are done in an
enterprise, is a necessary input to process integration, and the key to process integration is a
standardization of data across the enterprise, that is, a single view of the business entity that
represents a customer.
IT infrastructure
IT infrastructure defines the foundation of the IT capabilities available throughout the enterprise to
be shared across multiple applications. It is the responsibility of the members of the governance
council to define the architecture of the enterprise IT infrastructure as a set of services, if that
organization has adopted SOA. The services can be either technical in nature or can be human
services and skill sets that are built around physical corporate assets, such as printers, scanners,
and so on. It is commonplace for enterprises to use some software applications as infrastructure
services or capabilities. These software applications can be in the form of customer relationship
management (CRM), enterprise resource planning (ERP), supply chain management (SCM),
and other systems. The architects in the governance council are also responsible for creating the
infrastructure architecture around such standard, well-accepted software packaged applications.
Given that IT infrastructure requires long lead times between implementation cycles, a lot of
emphasis needs to be devoted to this discipline so that it can be used as a source of competitive
advantage and a key differentiator.
Business needs
Business needs drive the requirements for specific business applications. Business needs
are identified primarily based on market opportunities that can help an enterprise to seize
It is the responsibility of the enterprise architects to see to it that the new applications follow
the enterprise IT architecture. New business applications can also lead to identification of
new candidate services. These services need to abide by the SOA principles laid down by the
governance body before they make their way into the enterprise service portfolio. It is also the
responsibility of the enterprise architects to address the exceptions that may arise. Exceptions can
be dealt with in two ways: The architects can impose limitations and constraints on the architecture
of the new application so that it follows the existing architectural constructs. Or, they can use the
new applications as a mechanism to evaluate whether the architecture has become outdated and
needs to incorporate new constructs. With the proper representation of both business and IT in the
governance council, new architectural constructs can be directly traceable to compelling business
needs.
IT investment
The IT investment decision is the most important of the five decisions that traditionally interests the
company stakeholders. IT decisions revolve around three main questions:
proposed way to make intelligent decisions is to have the designated members of the governance
council obtain responsibility and ownership that is aligned with the following management
objectives:
gap between business and IT by allowing traceability from business goals down to services and
key performance indicators (KPIs) for measuring the results of those services. SOA governance
also needs to keep a constant connection between business and IT through the concept of
domain ownership. It is the responsibility of the members of the SOA governance council to
logically partition the enterprise into a set of managed business services that share a common
business context. Business owners and IT owners of a business domain are responsible for
maintaining the applications that support the business domain's exposed business services. They
are also responsible for maintaining and monitoring the SLAs of their existing business services as
well as negotiating SLAs between different domains. The provisioning of metadata for enterprise
business services is critical to both business and IT users. The metadata can provide information
like WS-* compliance, business criticality, and so on. Based on the metadata, the business
services can be monitored and managed. This is also a key responsibility of the members of the
SOA governance council.
To ensure that services are not redundant and that they are relevant to business goals across the
organization, the governance body should enforce coordination between new services and the
existing services across the organization. This can be done by conducting periodic workshops with
the LOB stakeholders to identify business application needs; after proper analysis, the governance
body can add the business needs to the candidate business requirement portfolio. This can be
followed by a series of business value assessment workshops wherein the identified candidates
are passed through a business value indicator (BVI) litmus test to qualify a candidate business
requirement as a service to be subsequently implemented and maintained.
The governance body is empowered with the responsibility of developing IT policies and overseeing
compliance with them in the business applications that are designed and implemented. It should be a
continuous exercise for the governance body to identify business processes that are critical either
from a strategic differentiator perspective or for business process consolidation and optimization,
or even just to stay competitive in the market.
The sheer volume of data regulations that are mandated by various regulatory acts such as SOX,
Health Insurance Portability and Accountability Act (HIPAA), and the like has made it a significant
challenge for the enterprise to remain in compliance. It rests on the shoulders of the members
of the governance council to evaluate the regulation requirements and come to a justifiable
conclusion on how to implement them.
It is somewhat impractical to have the governance body make every single decision. Rather, the
governance council must make an effort to decentralize the decision-making process among the
business domains, but at the same time ensure that the following take place:
• The policies mandated by the governance body are well understood and abided by.
• The business domain owners are made aware of the business strategic directions so that any
decisions made at the business domain level are already aligned with the corporate vision.
Finally, it is the responsibility of the governance council to share the business and IT developments
with the members of the c-suite (chief executive, chief finance officer, chief information officer, and
so on) as well as with the LOB owners. This fosters awareness as well as reusability of business
services that are developed by different business domains. The governance body should also
consider creating a single information portal through which it can make information pervasive
across the enterprise.
Governance implementation
Any implementation of governance should be centered on the four pillars of an enterprise
architecture: people, processes, technology, and services. One mechanism to implement an
enterprise IT and SOA governance is by establishing a center of excellence (CoE) for IT and SOA
governance that would enable a shared resource and capability center to function as a resource
pool as new business application needs arise.
• Sponsorship level. This essentially consists of the stakeholders in the steering committee
and is adequately represented by the members of the c-suite along with the LOB owners
and executives. The steering committee articulates the business strategy, goal, and vision
for the enterprise. Members of this level are the key decision makers on how IT investment
needs to be made and channeled to specific areas of the business that either need business
process improvement or need to implement new applications that can be competitive market
differentiators.
• Leadership level. This is composed of the leader(s) of the governance CoE and two
representatives (one business and one IT) from each business domain. (Note: Business
domains as mentioned in the previous section represent a logical grouping of business
services that share a common business context). The leadership team learns the business
strategies and visions from the sponsorship members and also obtains directives from and
reports to the steering committee. The leadership team creates enterprise IT architecture
and SOA principles that stand as over-arching rules which any application architecture needs
to conform to. The team also prioritizes which application architecture needs to be created
and ensures that the IT priorities are aligned with the business needs. The governance body
(represented by the leadership team) also documents the architecture standards and the
compliance requirements to regulatory acts. The enterprise architecture constraints are also
documented by this team, and the team is empowered with overseeing the overall compliance
to the architecture standards, guidelines, principles, and constraints when any new application
needs to be designed and implemented (by teams at the next tier going down).
• Opportunity management level. Separate teams are formed at this level, each focusing on
one or more (related) business needs and responsible for coming up with clear definitions of
business applications that cater to a given enterprise business need. Each initiative team has
a business team lead responsible for gathering and formalizing the business requirements.
Corresponding IT team leads are responsible for creating the overall application architecture
and the solution that adheres to the IT and SOA principles mandated by the governance
leadership team.
• Project Management level. Teams at this level manage the entire life cycle of a typical
application design and development through the phases of solution definition, solution outline,
macro design, micro design, build, test, and deploy. Each project team is aligned with a given
initiative team. It is very common to have multiple simultaneous projects being run under a
given initiative team.
While you can find many other flavors of governance in today's enterprise, the essential ingredient
is a hierarchical reporting and organizational structure. Customization of the structure is inevitable,
because enterprises have a wide spectrum of variance in their organizational structure and culture.
Conclusion
This paper stressed the importance of implementing an effective SOA and IT governance in
any enterprise which considers IT to be one of its key assets for generating revenue and staying
competitive in the market. The importance of not only having a governance body but also
maintaining a high standard in its execution is further compounded with the recent introduction
of various compliance acts like Sarbanes-Oxley that must be adhered to by any enterprise.
It has also been noted that investors put more faith behind companies that maintain a high
standard of governance, the effects of which are directly reflected through better profit margins.
Responsibilities of the governance body have been articulated with the hope that they provide
a good platform to enterprises that are planning on implementing a governance mechanism.
Finally, a proposed implementation of SOA and IT governance has been recommended that can
be customized to suit the corporate culture and structure of a given enterprise.
The reasons for efficient enterprise SOA governance can only be compounded by the pervasive
nature of enterprise services in the industry today. Enterprise services can be viewed so differently
by different contributors within the industry, which leads to different and often misunderstood views
about how an enterprise should govern its services portfolio in order to gain maximum benefit
from its investment in the portfolio. The initial investment in a new service can be more easily
amortized when it is created under the strict guidance of governance and additional services can
more effectively be added to the SOA system.
Acknowledgments
The author would like to thank Dr. Ali Arsanjani and Sankar Singha for their contributions to the
success of this paper.