
A case for SOA governance

Tilak Mitra August 16, 2005

Help your enterprise reap the true benefits of SOA by strengthening your awareness of the importance
of SOA governance for an enterprise that has IT as one of its key organizations. The author
illustrates some key responsibilities of a governance body and concludes by showing you how
you can effectively implement SOA governance.

Introduction
In the business world, what is it that needs to be governed? Any key asset, be it a physical
inventory, the business intelligence of a department, or anything in between, needs to be carefully
managed in order to harvest its maximum business benefit. Today's businesses need to be
dynamic and responsive in order to survive in this fiercely competitive and demanding world. One
of the foundational pillars of most businesses today is information technology (IT). The average
enterprise's IT investment is greater than 4.2 percent of annual revenue (and rising). As a result,
businesses measure the success of IT not only by how well it is leveraged for business-as-usual
(BAU) activities, but also by how well it is used to make the enterprise a key differentiator in the
market.

Nowadays, business and information technology can be viewed as two cogs of the same wheel.
A change in motion of one mandates that the other respond in kind. Hence enterprise IT needs
to be flexible, extensible, responsive, resilient, and dynamically reconfigurable. This type of IT
management and execution requires very efficient governance. The importance of governance
is compounded by the introduction of service building blocks -- the notion of software as a set of
services, including the services provided by infrastructure (supporting or enabling applications).
This concept of software as a set of services is the theme behind Service-Oriented Architecture
(SOA). SOA is a significant step forward in aligning information technology with business goals.
An enterprise that is strategizing around SOA therefore needs an efficient governance
mechanism. SOA governance is more than just providing governance for SOA efforts
-- it is how IT governance should operate within an enterprise that has adopted SOA as its primary
approach to enterprise architecture.

What is governance?
The word governance denotes the action or manner of governing. Further, IT
governance, as defined by Peter Weill and Jeanne Ross in their wonderful work on IT governance
(see Resources), is a decision and accountability framework to encourage desirable behavior in IT.
Participants of the governance body lay down policies around different categories of decisions that

© Copyright IBM Corporation 2005 Trademarks


A case for SOA governance Page 1 of 10
developerWorks® ibm.com/developerWorks/

need to be made. That body also decides upon the people in the enterprise who are empowered
to make those decisions; that is, it carries out role identification. The members of the governance
council also identify subject matter experts who are expected to provide input to firm up the
decisions and also identify the group of people who may be held accountable for exercising their
responsibilities (based on their roles). An effective IT governance council must address three
questions:

1. What decisions must be made to ensure effective management and use of IT?
2. Who should make these decisions?
3. How will these decisions be made and monitored?
Although governance addresses the three questions, management actually implements that
governance.

The importance of IT and SOA governance

IT today is the most pervasive of organizations within an enterprise, having a horizontal presence
across most, if not all, lines of business (LOBs). An organization which holds such an important
key to business growth and success must be viewed as one of the enterprise's key assets. An
asset so important must be fully understood not only to maximize the benefits obtained from it, but
also to properly manage and, consequently, to mitigate the risks associated with it. This brings up
the need for a governance body to formulate, control, and oversee the proper maintenance and
growth of the business asset -- the need for IT governance.

SOA is like old wine in a new bottle. SOA concepts have been around for quite a long time in the
IT industry. But it is only recently that it has gained attention as a way of aligning the business
strategy and imperatives of an enterprise with its IT initiatives. What makes an enterprise that
embraces SOA need to take governance more seriously is the distributed nature of services
across various LOBs. The proliferation of more moving parts (that is, building blocks in the form
of services) that need to be maintained by different organizations both within and outside the
enterprise makes governance more challenging. This cross-organizational nature of business
services and the potential composition of services across organizational boundaries can function
properly and efficiently if, and only if, the services are effectively governed for compliance with the
requirements dictated by a service level agreement (SLA) for factors such as security, reliability,
performance, and so on. Identifying, specifying, creating, and then deploying enterprise services
thus needs SOA governance through a very strong, efficient body to oversee the entire life cycle of
an enterprise's service portfolio.

In the wake of several corporate standards disasters, compliance with regulatory standards
like Sarbanes Oxley (SOX -- see Resources) has become more important, as evidenced by
the current inclination of investors to put their money behind companies that enforce high
governance standards. These regulatory acts stress the need to establish and maintain corporate
accountability as well as periodically assess its effectiveness. Good and efficient practice of
corporate and IT governance is attracting investors as they attach more credibility and faith to the
success and stability of companies that take governance seriously. Investors are more inclined to
invest in companies that implement strict standards, and the general (and aptly justified) feeling is
that adherence to standards can only be achieved through a governance mechanism. Statistics
also reveal that firms with well-exercised IT governance have had 20 percent greater profit
margins than their counterparts that make very little or no investment in IT governance, as Peter
Weill and Jeanne Ross state in their book on IT governance (see Resources). It is quite evident
that investment in strict governance standards has a direct impact on the bottom line of any IT-
centric enterprise.

Governance responsibilities
The role of IT in the enterprise must be fully understood and carefully monitored. Investments in
an asset so important must be carefully managed and hence the company stakeholders need to
ensure that their organizations' IT investments support the overall business strategy and mitigate
its potential risks. The essential responsibilities of a governance body are captured in Figure 1. I
describe the pieces of this illustration more fully below.

Figure 1. Governance responsibilities

The main areas of governance include the following:

1. Strategic alignment focuses on the imperative to align the business vision, goals and needs
with the IT efforts.
2. Value delivery focuses on how the value of IT can be proved through results like profitability,
expense reduction, error reduction, improved company image, branding, and so on.
3. Risk management focuses on business continuity and measures to be taken to protect the IT
assets.
4. Resource management focuses on optimizing infrastructure services that are a part of the On
Demand Operating Environment (ODOE -- see Resources) or other environment supporting
the application services.
5. Performance management focuses mainly on monitoring the services that run in an
enterprise's ODOE or other environment.

A governance meta model that illustrates the five major interrelated IT decisions can address the
above areas of governance, as Figure 2 shows.

Figure 2. Governance meta model

Figure 2 depicts the various elements of governance and their relationships. Broadly stated, IT
and SOA principles that are laid out at the enterprise level as guiding principles drive the IT
architecture and the service model, which in turn dictate how the enterprise IT infrastructure
services may be defined. The required business application needs can be evaluated based on
the capability of the IT infrastructure framework. The maturity of the IT architecture and service
model and the IT infrastructure services drive which parts of the required business application
can be prioritized for IT investment.

IT and SOA principles

While IT principles are a related set of high-level statements about how IT should be used in the
business, SOA principles define the general guiding principles to be followed while coming up
with an enterprise SOA. The IT principles should be derived from a higher-level set of business
principles that management owns. For example, the following is a sample list of business
principles:

1. Standardize processes and technologies wherever possible.
2. Alignment and responsiveness to negotiated business principles.

The following IT principles could be derived from those business principles:

1. Architectural integrity
2. Responsive, flexible, and extendible infrastructure
3. Rapid and efficient deployment of applications
The IT principles can be mapped to the business principles as follows: Architectural integrity
(the first IT principle) provides for standardized processes and technologies (the first business
principle) while rapid and efficient deployment of applications (the third IT principle) promotes
alignment and responsiveness to negotiated business principles (the second business principle).

Some guiding SOA principles that drive the service model could be:

1. Compliance with standards that are industry-specific as well as cross-organizational
2. Service identification and categorization
3. Service provisioning
4. Service monitoring and tracking
5. Capability of services to be composed in order to realize different business services

The SOA principles also influence the IT principles. While creating the IT and SOA principles,
the members of the governance council should align them with how IT proposes to support the
enterprise's desired operating model. Above and beyond creating the IT and SOA principles, it is
also the council's responsibility to see to it that they are properly exercised across the enterprise.

IT architecture and service model

IT architecture and the service model identify the organization of enterprise data, applications, and
infrastructure and how they are interrelated both statically as well as during run-time execution. It
also determines the enterprise business services portfolio (exposed both externally and internally)
and its subsequent categorization. It may be noted that the service model (according to the IBM
Service-oriented modeling and architecture (SOMA) methodology -- see Resources) can be at a
project level, line of business level, enterprise level, or ecosystem level. (The service ecosystem
model has been further described in Ali Arsanjani's work, "Toward a Pattern Language for Service-
oriented Architecture and Integration, Part 1: Build a Service Eco-system," listed in the Resources
section of this paper.)

While creating and owning the IT architecture and the service model is an essential responsibility
of the governance team, it is also the team's responsibility to create and agree upon a set of
architecture decisions upon which the IT architecture and the service model should be built. The
involved parties in the governance council should also be responsible for process standardization
across the enterprise. Process standardization, which defines how things are done in an
enterprise, is a necessary input to process integration, and the key to process integration is
standardization of data across the enterprise, for example, a single view of the business entity that
represents a customer.

IT infrastructure
IT infrastructure defines the foundation of the IT capabilities available throughout the enterprise to
be shared across multiple applications. It is the responsibility of the members of the governance
council to define the architecture of the enterprise IT infrastructure as a set of services, if that
organization has adopted SOA. The services can be either technical in nature or can be human
services and skill sets that are built around physical corporate assets, such as printers, scanners,
and so on. It is commonplace for enterprises to use some software applications as infrastructure
services or capabilities. These software applications can be in the form of customer relationship
management (CRM), enterprise resource planning (ERP), supply chain management (SCM),
and other systems. The architects in the governance council are also responsible for creating the
infrastructure architecture around such standard, well-accepted software packaged applications.
Given that IT infrastructure requires long lead times between implementation cycles, a lot of
emphasis needs to be devoted to this discipline so that it can be used as a source of competitive
advantage and a key differentiator.

Business needs
Business needs drive the requirements for specific business applications. Business needs
are identified primarily based on market opportunities that can help an enterprise to seize
a competitive advantage. Specific business imperatives are identified by stakeholders and
conveyed to the IT disciplinarians in the governance council. It is the responsibility of the IT wing
of the governance consortium to address the business needs creatively and innovatively by
conceptualizing new business applications. A keen eye needs to be kept on the compliance of the
new business applications with the existing enterprise IT architecture. This can very well be viewed
as an objective that conflicts with the creativity required to come up with new applications, which
often does not follow any constraints.

It is the responsibility of the enterprise architects to see to it that the new applications follow
the enterprise IT architecture. New business applications can also lead to identification of
new candidate services. These services need to abide by the SOA principles laid down by the
governance body before they make their way into the enterprise service portfolio. It is also the
responsibility of the enterprise architects to address the exceptions that may arise. Exceptions can
be dealt with in two ways: The architects can impose limitations and constraints on the architecture
of the new application so that it follows the existing architectural constructs. Or, they can use the
new applications as a mechanism to evaluate whether the architecture has become outdated and
needs to incorporate new constructs. With the proper representation of both business and IT in the
governance council, new architectural constructs can be directly traceable to compelling business
needs.

IT investment
The IT investment decision is the most important of the five decisions that traditionally interest the
company stakeholders. IT decisions revolve around three main questions:

• How much to spend?
• What to spend it on?
• How to create a balance between the needs of different LOBs?

A proposed way to make intelligent decisions is to have the designated members of the governance
council obtain responsibility and ownership that is aligned with the following management
objectives:

1. Competitive advantage and core differentiation
2. Cost reduction through better transactional throughput
3. Iterative maturing of IT infrastructure architecture
4. Providing information in digital form

It is the responsibility of the governance body to collectively make IT decisions based on
the market trend, the financial direction of the company, and historical data pertaining to the
relationship between IT spending and revenue generation.

Additional significant responsibilities

SOA governance enforces the use of discipline to maintain consistency and relevance within the
SOA life cycle. By following an SOA methodology like SOMA, SOA governance tries to bridge the
gap between business and IT by allowing traceability from business goals down to services and
key performance indicators (KPIs) for measuring the results of those services. SOA governance
also needs to keep a constant connection between business and IT through the concept of
domain ownership. It is the responsibility of the members of the SOA governance council to
logically partition the enterprise into a set of managed business services that share a common
business context. Business owners and IT owners of a business domain are responsible for
maintaining the applications that support the business domain's exposed business services. They
are also responsible for maintaining and monitoring the SLAs of their existing business services as
well as negotiating SLAs between different domains. The provisioning of metadata for enterprise
business services is critical to both business and IT users. The metadata can provide information
like WS-* compliance, business criticality, and so on. Based on the metadata, the business
services can be monitored and managed. This is also a key responsibility of the members of the
SOA governance council.

To ensure that services are not redundant and that they are relevant to business goals across the
organization, the governance body should enforce coordination between new services and the
existing services across the organization. This can be done by conducting periodic workshops with
the LOB stakeholders to identify business application needs; after proper analysis, the governance
body can add the business needs to the candidate business requirement portfolio. This can be
followed by a series of business value assessment workshops wherein the identified candidates
are passed through a business value indicator (BVI) litmus test to qualify a candidate business
requirement as a service to be subsequently implemented and maintained.

The governance body is empowered with the responsibility of developing IT policies and overseeing
compliance with them in the business applications that are designed and implemented. It should be a
continuous exercise for the governance body to identify business processes that are critical either
from a strategic differentiator perspective or for business process consolidation and optimization,
or even just to stay competitive in the market.

The sheer volume of data regulations that are mandated by various regulatory acts such as SOX,
Health Insurance Portability and Accountability Act (HIPAA), and the likes has made it a significant
challenge for the enterprise to remain in compliance. It rests on the shoulders of the members
of the governance council to evaluate the regulation requirements and come to a justifiable
conclusion on how to implement them.

It is somewhat impractical to have the governance body make every single decision. Rather, the
governance council must make an effort to decentralize the decision-making process among the
business domains, but at the same time ensure that the following take place:

• The policies mandated by the governance body are well understood and abided by.
• The business domain owners are made aware of the business strategic directions so that any
decisions made at the business domain level are already aligned with the corporate vision.

Finally, it is the responsibility of the governance council to share the business and IT developments
with the members of the c-suite (chief executive officer, chief financial officer, chief information officer,
and so on) as well as with the LOB owners. This fosters awareness as well as reusability of business
services that are developed by different business domains. The governance body should also
consider creating a single information portal through which it can make information pervasive
across the enterprise.

Governance implementation
Any implementation of governance should be centered on the four pillars of an enterprise
architecture: people, processes, technology, and services. One mechanism to implement an
enterprise IT and SOA governance is by establishing a center of excellence (CoE) for IT and SOA
governance that would enable a shared resource and capability center to function as a resource
pool as new business application needs arise.

A governance implementation needs to be supported by a hierarchical organizational reporting
structure. As shown in Figure 3, such a reporting structure can be categorized into the following
four hierarchies.

Figure 3. A sample governance organizational structure

• Sponsorship level. This essentially consists of the stakeholders in the steering committee
and is adequately represented by the members of the c-suite along with the LOB owners
and executives. The steering committee articulates the business strategy, goal, and vision
for the enterprise. Members of this level are the key decision makers on how IT investment
needs to be made and channeled to specific areas of the business that either need business
process improvement or need to implement new applications that can be competitive market
differentiators.
• Leadership level. This is composed of the leader(s) of the governance CoE and two
representatives (one business and one IT) from each business domain. (Note: Business
domains as mentioned in the previous section represent a logical grouping of business
services that share a common business context). The leadership team learns the business
strategies and visions from the sponsorship members and also obtains directives from and
reports to the steering committee. The leadership team creates enterprise IT architecture
and SOA principles that stand as over-arching rules which any application architecture needs
to conform to. The team also prioritizes which application architecture needs to be created
and ensures that the IT priorities are aligned with the business needs. The governance body
(represented by the leadership team) also documents the architecture standards and the
compliance requirements of regulatory acts. The enterprise architecture constraints are also
documented by this team, and the team is empowered with overseeing the overall compliance
with the architecture standards, guidelines, principles, and constraints when any new application
needs to be designed and implemented (by teams at the next tier going down).
• Opportunity management level. Separate teams are formed at this level, each focusing on
one or more (related) business needs, and are responsible for coming up with clear definitions of
business applications that cater to a given enterprise business need. Each initiative team has
a business team lead responsible for gathering and formalizing the business requirements.
Corresponding IT team leads are responsible for creating the overall application architecture
and the solution that adheres to the IT and SOA principles mandated by the governance
leadership team.
• Project management level. Teams at this level manage the entire life cycle of a typical
application design and development through the phases of solution definition, solution outline,
macro design, micro design, build, test, and deploy. Each project team is aligned with a given
initiative team. It is very common to have multiple simultaneous projects being run under a
given initiative team.
While you can find many other flavors of governance in today's enterprise, the essential ingredient
is a hierarchical reporting and organizational structure. Customization of the structure is inevitable,
because enterprises have a wide spectrum of variance in their organizational structure and culture.

Conclusion
This paper stressed the importance of implementing effective SOA and IT governance in
any enterprise that considers IT to be one of its key assets for generating revenue and staying
competitive in the market. The importance of not only having a governance body but also
maintaining a high standard in its execution is further compounded with the recent introduction
of various compliance acts like Sarbanes Oxley that must be adhered to by any enterprise.
It has also been noted that investors put more faith behind companies that maintain a high
standard of governance, the effects of which are directly reflected through better profit margins.
Responsibilities of the governance body have been articulated with the hope that they provide
a good platform to enterprises that are planning on implementing a governance mechanism.
Finally, a proposed implementation of SOA and IT governance has been recommended that can
be customized to suit the corporate culture and structure of a given enterprise.

The reasons for efficient enterprise SOA governance can only be compounded by the pervasive
nature of enterprise services in the industry today. Enterprise services can be viewed so differently
by different contributors within the industry, which leads to different and often misunderstood views
about how an enterprise should govern its services portfolio in order to gain maximum benefit
from its investment in the portfolio. The initial investment in a new service can be more easily
amortized when it is created under the strict guidance of governance and additional services can
more effectively be added to the SOA system.


Acknowledgments
The author would like to thank Dr. Ali Arsanjani and Sankar Singha for their contributions to the
success of this paper.

© Copyright IBM Corporation 2005 (www.ibm.com/legal/copytrade.shtml)
Trademarks (www.ibm.com/developerworks/ibm/trademarks/)
