Todd Biske: Outside the Box

Archive for October, 2008

I recently was asked about the proper size for a competency center/Center of Excellence. While many might immediately try to base the size of the group on size of the organization as a whole, my recommendation was based on two key factors:

1. The engagement model of the group
2. The current IT organizational structure and paths of information flow

The engagement model is important, because it has a direct impact on the ability of the group to fulfill its mission. Will your centralized team strictly be responsible for establishing policies and perhaps play a role in reviews and approvals? Or, will your team take a more hands-on role, either as a resource center for projects building or consuming services or as an outsourcing center for service development efforts? The first variety is almost completely divorced from the projects being executed in the organization, and as a result, its size should not be influenced by the number of concurrent projects. The latter two varieties, however, are directly involved with projects. Choose too small, and you’ll have projects executing without your involvement, potentially running down different paths. Choose too large, and you’ll have people sitting idle or doing other non-service related work on projects. Personally, I’m not a big fan of the outsourcing model, but that’s a subject for another blog.

The second factor, and certainly the more important one from a governance perspective, is the way information flows through your organization. If you are establishing a Center of Excellence or Competency Center as part of your SOA governance efforts, the first two processes of governance are establishing policy and then educating and communicating those policies outward. Every organization is different. In an organization where information does not flow easily, and collaborative sessions quickly become fruitless due to the multitude of personalities and opinions that exist, a small group of people may work better, but that group will need to do a lot more of the work to communicate and educate, ranging from IT-wide conversations to more intimate conversations with the small teams at the bottom of the organization chart. In an organization where information does flow more freely, it may be easier to bring in a broader set of people to ensure the full organization is represented, but push the burden off to each individual member to cascade the message throughout their respective areas.

In the context of governance, a feeling of representation tends to be very important. When someone doesn’t feel they have a voice, they’re less apt to comply with the policies. While there will always be some who won’t budge unless the policy is what they want, many more are content with the policy direction, even if it is different from their own views, so long as they feel their concerns have been heard. Keep these things in mind when structuring your Center of Excellence/Competency Center, and hopefully it will help you find the right size for a successful effort.

I recently heard a story from a colleague about an EA group that created some work products with the sole purpose of meeting a stated goal. It didn’t matter whether or not those work products were used by the rest of the organization, only that the work products were produced. I suspect that these work products didn’t do much to change the state of the organization.

This story reminded me of a key point in regards to SOA Governance. This blog and my book emphasize the role of policies in SOA Governance. There’s a risk, however. If we focus to much on policy compliance and lose sight of the desired behavior, we may be no better than the EA group. Yes, we achieved 100% compliance, but if we haven’t achieved the desired behavior, such as a specific percentage reduction in the time to deliver solutions, we’re no better than the EA team at the beginning of this blog.

The other factor that must be kept in mind with policies is that they are normally a contributor to the desired outcome, but may not have a direct cause-and-effect relationship. Think about the current economic crisis. There are so many factors that influence the economy, many of them outside of the control of governmental policies, that policy compliance alone may not get us all the way to success.

The takeaway from this is that governance must be an active effort, and we can’t forget the fourth process of governance: measurement and feedback. If you are not achieving the desired behavior, you need to understand why and make adjustments as needed. These adjustments may be new policies, modifications to existing policies, different people, more education, more enforcement, or maybe a reset of expectations because some external factors have changed. Simply put, never assume that your first pass at policies for SOA governance will be both complete and accurate from the beginning. Put them in place, but also put in place efforts to measure their impact in achieving the desired behavior. After all, 100% compliance is not the goal, the goal is a quantifiable change in the way IT delivers business solutions.

Loraine Lawson of IT Business Edge asked the question, “Is there a right time for SOA Governance?” and offered her thoughts on the answer. In it, she quoted her interview with me, when she asked me about starting with buying a tool. But the meat of the article was a discussion around a recent Aberdeen report on SOA Governance. Key points she calls out:

“Truly effective SOA governance infects itself into the organizations’ DNA…”

This is absolutely true. My view on governance is that it is about guiding an organization to a desired behavior. If the organization is behaving that way, no one even realizes that governance is there, simply because the desired behavior has become second nature. Interestingly, at least one group I’ve spoken with that is closer to that path had to go through a heavy-handded phase first. I’m interested to know whether that is typically the case or not.

The real thing that I want to call out were her conclusions at the end though, which I feel are very consistent with the approach I espouse in my book. She states:

This suggests to me that there are more important questions to consider with SOA governance than when you should start. For instance, ask who’s driving SOA governance (you or the technology tool)? Where should you begin (the report provides a hint that it should be with securing executive business support)? And what steps should you take now to support long-term success?

My definition of SOA governance is the people, policies, and processes that an organization leverages to achieve the desired behavior associated with SOA adoption. Who is driving SOA governance? That’s the people involved. Where should you begin? The Aberdeen report suggests securing executive business support. I suggest that it begins with articulating the desired behavior. Who does that? The stakeholders of the effort which very well may be your key business sponsors. How do you achieve long-term success? By having your “governors” establish the policies that will lead to the desired behavior, and by not forgetting the fourth process of governance (see my four processes of governance post), measurement and feedback. If you just establish policies and then focus on enforcement, but never stop to look and see if complying with the policies actually results in the desired behavior, you may not achieve the intended success.

Go figure, just as I post an update on articles, etc., I have another one published. I wrote an article titled, “Implementing SOA Governance” for InfoQ and it has now been published. It’s not a direct extract from my book, more of a short overview of a few of the key points from it. I hope you enjoy it, and if you want to read more, please consider the full book.

A couple of items that I thought I’d call attention to:

1. I wrote an article for the latest issue of Architecture and Governance magazine titled, “Does SOA Really Matter?” My opinion, not surprisingly, is yes. This article requires registration to read.
2. Jordan Haberfield, Senior VP of IT Client Services for System One Holdings, interviewed me for his Agile Elephant blog regarding my book on SOA Governance.
3. Thank you to the people who purchased the book from Amazon today and allowed me to watch my Amazon sales rank go up from somewhere in the 200,000’s to 32,042. While my target audience is a bit more narrow than that of Brisngr, it would be really cool to see the sales rank make it to the four figure barrier.
4. Speaking of Amazon, consider adding to your order the latest book from Patrick Lencioni, “The 3 Big Questions for a Frantic Family.” While this book has nothing to do with IT, Patrick’s leadership fables gave me the inspiration for the style of my book. I can only aspire to become as good an author as he is. I heard him speak at a Gartner summit, and he’s an excellent speaker on top of it.

Keep an eye out for an interview with Loraine Lawson of IT Business Edge. I also plan on doing a few podcasts in the near future to talk about the book, as well. I’ll post information about them here as they come online. Thanks for being a reader of the blog, and please let me know your comments and questions about the book at soagovbook at biske dot com.

I just read David Linthicum’s “Governance Monday” post, Can SOA governance technology be distracting? In it, he discussed some of his conversation with Anne Thomas Manes of The Burton Group. He states that SOA governance technology can “muddy up the water in the early stages” of the effort. I certainly agree with this. These technologies can be complicated, especially when striving for a highly integrated, automated approach. There is a risk that the reason for using the technology can be forgotten as the focus shifts toward getting the technology implemented.

There is another question I would like to address: can governance itself be distracting? While Dave covered the technology angle, what about the governance processes? I did an interview with Loraine Lawson of IT Business Edge last week, and in that interview, I stressed that organizations must avoid starting too late with their governance efforts. If you are adopting SOA to change the way you approach solution development, you need to make the desired behavior known early and often. If you wait until a team “misbehaves” before making them aware of the correct behavior, it will create animosity. If you wait until the situation is critical before embarking on the change associated with SOA, you’ll be forced to take a heavy-handed approach, much as world governments were forced to take heavy-handed actions with current financial crisis. It was necessary, but no one is happy about it.

Want to know more? Check out my book, SOA Governance.

This was too good not to share. Word of my new book on SOA Governance made its way to the Yahoo SOA group this week and Steve Jones had a great comment:

Now as it’s a governance book it should be big, it should be heavy and you should be able to hit people with it. I’m a bit concerned that this one looks a bit fragile and quite frankly a PDF goes against the whole principle of Governance enforcement.
Wait…I’m meant to READ the things?

Yes, the book is paperback, and at just over 200 pages, it won’t do much damage if you beat people over the head with it. Thanks for the laugh, Steve!

CNet ran this story yesterday on Pizza Hut’s new Facebook application. They generally panned the application, but I, for one, was glad to see a corporation trying to leverage this platform. Think about it. Pizza and college students go hand-in-hand. Facebook was originally designed for college students, so if a pizza company wants to target a key demographic, why not build a Facebook application? If it is simply an embedded version of their web page, as long as it makes it even easier for those college students to order pizza, they’ve accomplished their goal. Don’t get me wrong, if it has poor usability it will fail. But the fact that it simply allowed Facebook users to order pizza and did not include “additional social features … to enhance the experience” isn’t a problem, in my opinion. I do agree that the forced friend notification is bad, but an optional one could be good. Once again, if the target demographic is college students, the intent is to tell friends that “pizza is available at my place, head on over!” All in all, however, it is the goal of Pizza Hut to sell pizza. Let Facebook provide the social aspects, let Pizza Hut provide the pizza.

What really interests me, however, is the notion of Facebook as a platform for reaching desired demographics. Previously, companies tried to “build communities” via their Internet presence. This is problematic because the company’s primary goal is to sell product, not build community. It simply makes sense to leverage these web properties whose primary purpose is to build communities and augment them with apps/widgets/whatever that can fulfill the primary purpose of your company, like selling more pizza. As a result, if you have a demographic that is likely to leverage these online communities, you need to be thinking about your architecture and how you can easily support the new “channel” of online communities like Facebook.

Today is blog action day for 2008 and the subject is poverty. Like many of the bloggers have posted, I am very thankful for all of my blessings. I still remember traveling outside of the U.S. for the time in 1995 and seeing the poverty in some areas of Jamaica, which is certainly nothing in comparison to many other areas of the world, but was still far worse than what we would consider poor in the United States. There are many excellent organizations out there. The one I will call out is the Christian Foundation for Children and Aging. My wife and I have been sponsoring a young girl in Guatemala since 1997, and I am very glad that this is enabling her to have proper clothing, care, and education, and to share her learnings with her family. With every letter we receive from her, it reminds me to be thankful for what I have, and thankful that I can help a family get on the path of a better life with each generation. Please considering helping out.

Unless you’re completely disconnected from mainstream media, you’ve certainly heard the word “policy” in the news recently. It’s been frequently prefaced with two additional words: “failed economic” as in “the failed economic policies of this administration.” With this, there should be no doubt that there is a connection between policy and governance. Policies are the rules that, if followed, should lead to the desired behavior for an organization. In the case of the current financial crisis, economic policies are ones that should lead to the desired behavior of the economy.

The current situation actually serves as a very good example for a discussion on policy and governance. First off, I’ve yet to hear any of the candidates call out the specific policies that they believe were wrong. The closest that they have come is to attack the deregulation that went on the 90’s. Now, you can argue that deregulation is a policy. In effect, it’s a policy that says, “We’re going to make this domain someone else’s responsibility” and that’s perfectly all right. If your view of governance is that it’s all about decision rights, this is in line with that approach. The policies don’t end there, however. The next policy that could be examined is the lending policies of the institutions that gave mortgages to people who had no hope of ever paying them off. My personal opinion is that this is the failed policy, which wasn’t a policy put in place by democrats or republicans, but by the lending institutions.

Now that the candidates are now trying to offer solutions for the situation, it shows that there are many ways of addressing the fact that the desired economic behavior is not being achieved. We can certainly change the people involved, and I think there’s an underlying assumption that with a change in people, the policies will change too. Second, we can change the policies. In this example, there are two areas for change, however. Changing the policies around regulation only changes who can set the policies around lending. It could be just as easy for a different set of people to keep the same bad lending policies in place. The second area is the lending policies used by the banks. Clearly, changes here would certainly stop the bleeding, so to speak. Finally, we can change the processes. Perhaps the lending policies on paper were fine, but were routinely ignored. Putting more rigid enforcement and auditing in place would be one way of addressing this.

So how does all of this apply to SOA Governance? The same general approach is applicable to the world of SOA governance. If you’re not getting the desired outcome from your SOA efforts, then perhaps you need to look at the policies you have that govern your SOA efforts. Have you “deregulated” your SOA and simply expect your projects to do the right thing? Do those projects care about the greater corporate economy, or are they simply concerned about the project “shareholders” and focused on delivering on-time and on-budget and nothing else? Perhaps the problem isn’t that critical, but the efforts are disjointed. A centralization of policy administration into a Center of Excellence may be in order. Or, perhaps the policies are there, but aren’t being followed, so a change in processes is needed. Finally, it could be in such dire straits that a complete change in leadership is needed. In my opinion, however, it all begins with policies. If you’re not getting the results you want, take a look at the policies you have (or the lack thereof). Either the policies are not yielding the results desired, or the policies are not being followed. If the latter, look at your processes and make changes there. If the former, you need a policy change. Your current SOA leadership can change the policies, or if they are blind to the problems in front of them, then make a change to the leadership to people that will put new policies in place. A change in personnel with no corresponding change to policies or processes is no change, and a change in personnel without an analysis of the policies they will put in place to determine if they will yield the desired behavior will also fail.

Want to learn more about governance as people, policies, and process? Check out my book on SOA Governance available now from Packt Publishing, and from other online book stores soon!

I’m now officially a published author. All of the final edits are done, and my book on SOA Governance is now available via the store at Packt Publishing. It will also be available through amazon.com and other online bookstores. Please consider it as part of your effort to learn about SOA Governance and don’t hesitate to contact me if you have further questions or comments.

Nick Malik posted this response to my previous post on governance and decision rights. In it, Nick claims that what I posted was a workable set of decision rights, which I partially agree with. He made three comments on quotes from my post, and it is the third where I disagree. He stated:

“If we focus on creating policies” — And here really is the confusion. What are those policies called? They are called “decision rights.”

While a policy can be statement of decision rights, such as “All solution architectures for projects costing more than $X must be approved by Enterprise Architecture,” they don’t have to be and I argue that the majority shouldn’t be. A policy like “All services must be entered into the registry/repository at the time they are identified.” is not a decision right, rather, it is a statement of expected behavior. If followed (in conjunction with other policies), the expectation is that the goals will be achieved, such as reduced redundant implementations of business logic. If goals aren’t reached, you need to revisit policies and processes, or even the people involved.

Decision rights are certainly part of governance, but a view that makes them the defining part is wrong, in my opinion. If we focus too much on decision rights and not enough on decisions, we are at risk of creating fiefdoms of power that perpetuate the negative, command and control view of governance. If we focus on policies that enable anyone to make the correct decisions, I think that is a better position for success.

Shameless plug: Want to learn more on SOA Governance? Check out my book by the same name, available now for pre-order and generally available in late October 2008.

At the SOA Consortium meeting, Fill Bowen of IBM asked me a question after my soapbox on SOA Governance that I thought would make a great post. He was surprised that I didn’t mention the words “decision rights” a single time in my post. It’s a great question, especially because the IT Governance book from Jeanne Ross and Peter Weill of MIT’s CISR defines IT governance as “specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT.”

In all of my posts on SOA Governance, and in my SOA Governance book, I don’t think I’ve talked about decision rights once. While this was certainly unintentional at first, I’ve now given it some thought and I’m happy that I didn’t include it or emphasize this viewpoint. The closest I’ve come is in my discussions around the people component, and stating that the people do need to be a recognized authority. Obviously, recognized authority does imply some amount of decision rights. At the same time, I think that’s emphasizing the wrong thing. There is a negative view around the term governance because people associate it with authorities flaunting their power. The emphasis needs to be moved away from the people, and instead focus on the policies. As I stated in my “Governance does not imply Command and Control” post, if you focus on education, you can allow individual teams to make decisions, because you’ve given them the necessary information to make the right decisions. If they don’t have the information to make decisions that will lead toward the desired behavior, it turns into a guessing game. Not only can there be confusion in what the correct decisions are, there can also be confusion on what decisions should be escalated up the chain. If we instead focus on creating policies and making those policies known so that anyone in the organization can make the right decision, we’re in a much better state. Yes, you will run into some situations with conflicting policies, or the absence of a policy, but if those are the exception, it should be far easier to know that those decisions require escalation or inclusion of others.

Since I first learned a bit about virtualization, there’s been one question that I’ve had that still keeps nagging me: isn’t this what operating systems were originally supposed to do? Back in my undergraduate days in the Computer Science department at the University of Illinois at Urbana-Champaign, I took a course in operating systems, and I seem to recall it being all about the allocation of memory, I/O, storage, and processor cycles among processes. This seems to be the exact same problem that virtualization is trying to achieve. About the only differences I can see is that virtualization, at least on the server side, does try to go across physical boundaries with things like VMWare’s VMotion, and it also allows us to avoid having to add physical resources just because one system requires Windows Server while another requires SuSE Linux.

So, back to the question. Did we simply screw up our operating systems so badly with so much bloat that they couldn’t effectively allocate resources? If so, you could argue that a new approach that removes all the bloat may be needed. That doesn’t necessarily require virtualization, however. There’s no reason why better resource management couldn’t be placed directly into the operating system. Either way, this path at least has the potential to provide benefits, because the potential value is more heavily based on the technology capabilities, rather than on how we leverage that technology.

In contrast, if the current state has nothing to do with the operating systems capabilities, and more about how we choose to allocate systems to those resources, then will virtualization make things any better? Put another way, how much of the potential value in applying virtualization is dependent on our ability to properly configure the VMs? If that number is significant, we may be in trouble.

This is also a key point of discussion as people look into cloud computing. The arguments are again based on economies of scale, but the value is heavily dependent on the ability to efficiently allocate the resources. If the fundamental problem is in the technology capabilities, then we should eventually see solutions that allow for both public-cloud computing as well as private-cloud computing (treat your internal data center as you own private cloud). If the problem is not the technology, then we’re at risk of taking our problems and making them someone else’s problem, which may not actually lead to a better situation.

What are your thoughts on this? Virtualization isn’t something I think about a lot, so I’m open to input on this. So far, the most interesting thing for me has been hearing about products that are designed to run on a hypervisor directly, which removes all of the OS bloat. The risk is that 15 years from now, we’ll repeat this cycle again.

In a post on his Fast Forward blog, Joe McKendrick asked the question, “Does Enterprise 2.0 Need to be Governed?” This title brought to mind a common misconception about governance. It’s not an optional activity. While there may be people that aren’t aware of it, it’s there. Even in the smallest organization, governance is there, it’s just that it’s completely manageable because everyone can talk to everyone else and there’s a small number of goals that everyone is aware of. In a startup, there needs to be desired behaviors and policies that guide the business strategy of the company. For example, what will be the balance between funding for marketing and funding for engineering? Both are needed, and failure of either one can doom the startup, yet competing startups will often take very different approaches.

In the writing of my SOA Governance Book, the reviewers both asked about connections between SOA Governance and IT Governance, or even the overall corporate governance. In my post about the four processes of governance, Rob Eamon asked why the processes couldn’t apply to architecture governance in general. The truth is, the fundamentals of governance- desired behavior, people, policies, and processes- apply regardless of the domain being governed. If you reach a point where there are enough variables involved with the efforts of your organization, whether that be the number of people employed, the number of projects executed, or many other factors, that there is now risk of people going off in a variety of directions due to unclear or competing priorities, you need governance. Anne Thomas Manes pointed this in out in the context of REST in Joe’s post. From Joe’s post:

Anne Thomas Manes says a lot of REST advocates she speaks with feel that governance isnít required for REST-based services. ìAt which point I respond saying, are you kidding? Think about how many people have created really, really bad POX applications that they claim to be rest and actually have almost no representation of the REST principles involved. They donít follow any of the constraints, and theyíre basically just tunneling RPCs to URLs.î

Put simply, we need to ensure that rather than just building things, we are building the right things, the right way. Good governance that can make that happen. Poor governance results in teams doing whether they deem as important in their corner of the world, or more likely, whatever the easiest path is for them, by first focusing on things completely within their control.

As a side note, it was disappointing to see that ebizQ’s SOA Governance Panel didn’t include any practitioners. They had 2 analysts and 4 vendors. While I’m not campaigning for future panelist slots, and I know and respect all of the panelists, governance is one of those topics that shouldn’t be discussed without at least one practitioner, preferably a corporate practioner. Some of the big federal consulting practices would also have a lot to offer, since they effectively are the corporate IT for the government agencies. There are plenty of ways to get anaylst and vendor views on it, let’s here from the people that are dealing with it on a day to day basis on what works and what doesn’t.