What's not to like about Governance? Traditionally, rather a lot. It is all about "the management of management" so it usually involves information more of interest to the managers than the workers. It has usually been heavy-handed, involving a lot of work, often with very little in return for those doing most of the work. It often gets in the way of the good guys doing their job but doesn't inconvenience the bad guys that much.
Automation of governance looks attractive but it often doesn't do everything you want it to, even though it usually costs far too much for small players to take on. So, governance gets done manually, with the consequent risk of human error. The usual attitude is that governance is just a cost of doing business: you do as little of it as possible and concentrate on "compliance" (which is a subset of governance), meeting the letter of any regulations (without thinking of their spirit over-much), whilst making sure, as far as possible, that governance doesn't get in the way of doing business. If you keep your head down and can point to some visible governance initiatives, hopefully there's a good chance the regulators—or the press—will look elsewhere anyway...
With this approach, governance represents a continuing cost, which doesn't deliver much in the way of effective risk management. There must be a better way.
Good governance is about ensuring good management. It reduces the risk of doing business and provides real business benefits—money is easier to raise, because investors like well-governed companies; new business is easier because the associated risks are better defined and easier to manage; company morale and effectiveness are higher, because effort and resources are directed towards strategic and obviously useful business investments.
But, how many practical governance initiatives actually achieve much of that? Are some governance initiatives purely about governance for its own sake? Are people ever working in a governance silo, with few links to the needs of the business proper (beyond, possibly, broad regulatory compliance)?
It seems to me that there are certain prerequisites for a "better way" of implementing governance. First, you need a governance-focused culture—which places people, culture, good management and business benefit above (but not instead of) good process, tools and "compliance". Then, you need some sort of governance community in a company, so that governance is institutionalised and belongs to the people doing business, not bolted onto the outside of business process.
However, to facilitate this, you need sensible governance automation tools—which can automate the routine, so people can concentrate on the hard bits and on the spirit of good governance. This automation must be flexible, so that it copes with different needs, different platforms, different cultures, without getting in the way.
So, what would such agile governance tools look like? Well, in my opinion:
- They'd be policy-driven, so that business-level governance requirements can be transparently linked to their physical implementation in technology.
- They'd enable visualisation of governance, so that a state of good governance can be clearly communicated to interested third-parties and other stakeholders; and the governance model and its benefits communicated to developers and operational staff.
- They'd be built on a federated architecture, so that the generic governance policies for an entire organisation can be specialised for the individual needs of particular departments and so that existing information repositories can be used to supply information needed for governance, if appropriate.
- They'd be firmly built on top of strong identity- and asset-management systems (good governance involves, at basis, knowing what you have and who is using it).
- They'd reuse rather than duplicate information already existing in a company; and, in exchange for maintaining the information needed for governance, stakeholders should get back useful information—e.g., on performance against policy targets, thus enabling proactive performance management by systems developers.
- They'd abstract the logical governance model from its physical implementation, so that virtualisation, SaaS and cloud computing can be supported if appropriate in future; and so that physical regulatory requirements (such as a need for certain information to be stored on an organisation's premises) can be implemented without compromising the logical governance model.
- They'd provide an API and an SDK, so that the tools can be customised to interface with existing systems, even in-house ones.
- They'd be platform agnostic—accommodating both Java and .NET, at least.
- They'd be scalable and without a single point of failure (since a successful governance system will soon become business-critical).
- And, most importantly, any governance tools must be affordable (commensurate with the size of the business being governed), with low cost-of-entry.
Are there, or will there be, any such tools? Well, I have been quite impressed by what AmberPoint is doing with AGS—AmberPoint Governance System—partly because AmberPoint has considerable experience with the respected AmberPoint Management System (which covers a lot of what would be needed for managing governance) and partly because AmberPoint appears to be learning from what other tools do and from customer feedback. And, AGS does seem to address the points above.
However, I think that IT or technology governance is merely a subset of corporate governance generally. This implies that it should be a business initiative, which makes me think about all the word processing documents that most companies maintain for, amongst other people, the regulators.
AGS, for example, claims to "automate much of the manual effort typically associated with cataloguing the application environment and ensuring policy compliance across the lifecycle... [it] brings an application-centric view to policy enforcement, allowing validation of all parts of a distributed application". That's good and seems a necessary part of good governance, but only a part of it, and there are other complementary initiatives which address the wider picture.
For example, despite the use of UML modelling and formal requirements management tools by technicians, the requirements for business automation are usually communicated between the business and the technicians in word processor documents. It is necessary to analyse and QA these in order to achieve "good governance" in full—but even if a company has standards for these documents and corresponding templates, how can it enforce their use (or find problems in existing documents)? Well, automated discovery tools can determine coverage at a high level and, if the documents can be converted to policies, these can be enforced with automation technology—but that is likely to cover only a subset of the problem, since sometimes documents have regulatory significance in themselves and the business is likely to rely on documents beyond those handled by any automated system anyway. And, even if you do adopt some automated governance system, there is likely to be a backlog of legacy documentation which hasn't been captured yet.
Here, we have another tool to look at: VisibleThread from the team which originally developed the SteelTrace requirements management tool (now Compuware's Optimal Trace). VisibleThread isn't a requirements management tool, nor a document management tool but a bit of both—and more. VisibleThread enables documentation reviews that can QA document structure (to make sure that what should be present is present); highlight ambiguous language in poor quality documents; and promote process improvement through real-time visibility and objective metrics.
It's probably a case of "horses for courses". Nevertheless, that doesn't mean that I think that governance is just about buying good tools, although once you have a good governance culture in place, they'll help. One might also ask, since technology governance has been important for as long as business automation has been possible, why these initiatives are appearing now. Well, perhaps because there is going to be a premium on good governance and compliance reporting for a while—not just because the consequences of poor governance (e.g. in the banking industry) are becoming obvious to the general (voting) public; but also because governments have invested heavily in bailing out banks and will now expect banks, at least, to demonstrate that they are managing things properly, and this may come to affect expectations for governance generally.