(Deprecated) Slicing the Gordian Knot of SOA Governance

8,566 views
8,522 views

Published on

This document has been superseded by "Dependency-Oriented Thinking: Volume 2 - Governance and Management". Please download that instead: http://slidesha.re/1fEjz7A

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
8,566
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
123
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

(Deprecated) Slicing the Gordian Knot of SOA Governance

  1. 1. “Slicing the Gordian Knot of SOA Governance”Version 0.99.1, November 2012© Ganesh PrasadThis work is licensed under Creative Commons Attribution-No Derivs 3.0 Australiahttp://creativecommons.org/licenses/by-nd/3.0/au/ Confessions of a back-to-basics SOA architect
  2. 2. Table of ContentsSynopsis.................................................................................................................................6Part I – Why The Industry Is Doing SOA Governance All Wrong..........................................7 Timidity in Asserting the All-Encompassing Scope of SOA...............................................7 Confusion between Governance and Management..........................................................9 Obesity of the Governance Function...............................................................................10Part II – Elements of a Common Sense Approach..............................................................11 Recognising “Services” as a Weasel Word.....................................................................11 Back to First Principles and the Notion of “Dependencies”.............................................12 Why are Dependencies so Important?............................................................................14 Case Study 1 – Take it or Leave it: Monopsony and Choice......................................15 Case Study 2 – Culture Shock....................................................................................16 Case Study 3 – The Weakest Link of a Supply Chain................................................17 Case Study 4 – Locked Out: Key Person Risk............................................................17 Case Study 5 – The Stress and Strain of an Engineers Life......................................18 Case Study 6 – It Goes Without Saying......................................................................19 Case Study 7 – “ASSUME” Makes an ASS of U and ME...........................................20 Case Study 8 – What Makes a Good Technology Platform?......................................21 An Architectural Framework to Analyse Dependencies..................................................24 BAIT as Layers of Dependencies................................................................................24 TOGAF Artifacts as Dependency Relationships.........................................................25Part III – A Practical Guide To Governing And Managing Dependencies............................27 Agencies and Vehicles.....................................................................................................27 Key Roles....................................................................................................................27 Key Bodies...................................................................................................................30 How Many Committees?.........................................................................................32 Functions and Processes................................................................................................35 One-time Processes....................................................................................................35 Initial Dependency Review......................................................................................37 Recurring Processes...................................................................................................37 Periodic Dependency Review ................................................................................37 Remediation Program Review................................................................................37 Remediation Program Proposal..............................................................................39 BAU Program Management....................................................................................39
  3. 3. New Initiative Appraisal ..........................................................................................39 Processes in Steady State..........................................................................................43Governance and Management Check-lists.....................................................................44 Classification of Dependencies...................................................................................44 The List of Check-Lists................................................................................................45 A Basic Governance Check-list...................................................................................45 A Basic Management Check-list..................................................................................46 Fundamental Enterprise Dependencies......................................................................47 Enterprise Dependency Check-lists........................................................................48 Business Layer Dependencies....................................................................................51 Modelling the Business with Domain-Driven Design..............................................51 Realism around Reuse............................................................................................52 Business Layer Dependency Check-lists................................................................55 Application Layer Dependencies.................................................................................58 Cohesion and Coupling...........................................................................................59 A Fun Exercise in Applying the High Cohesion Principle........................................62 Criteria for High Cohesion.......................................................................................66 Process, Product and Service.................................................................................68 Application Layer Dependency Check-lists.............................................................70 Information (Data) Layer Dependencies.....................................................................73 Data on the Outside versus Data on the Inside......................................................73 Aspects of Low Coupling.........................................................................................74 The Domain-specific Data Dictionary......................................................................75 The Internal Data Model (“Data on the Inside”)......................................................76 The Interface Data Model (“Data on the Outside”).................................................77 Message Data “on the wire”....................................................................................78 Information (Data) Layer Dependency Check-lists.................................................81 Technology Layer Dependencies................................................................................85 Implementing Products...........................................................................................86 Implementing Services............................................................................................86 Implementing the Nouns and Verbs of the Interface Data Model...........................87 The Three Core SOA Technology Components......................................................88 How Not to Use a Broker........................................................................................93 Implementing the Adverbs of an Operation............................................................94 Technology Layer Dependency Check-lists............................................................96
  4. 4. Bringing about Desired Behaviour – Velvet Glove or Iron Hand?...................................99Summary and Conclusions................................................................................................101 Contributions of this White Paper..................................................................................102 Defining Terms...........................................................................................................102 Restoring Potential....................................................................................................102 Identifying Gaps.........................................................................................................102 Simplifying Tasks.......................................................................................................103 Doubling the Pay-off..................................................................................................103 Potential Criticism of This Approach..............................................................................104 The Weight of Tradition.............................................................................................104 Making Mountains out of Molehills............................................................................104 Drawing a Long Bow.................................................................................................105 A Bridge Too Far........................................................................................................105About the Author................................................................................................................106Acknowledgements............................................................................................................106Appendix A – SOA Governance and Management – An Issue of Definition.....................107Appendix B – Lessons from Cadet Camp (or Why SOA is Like a Snakepit).....................109Appendix C – Core Entities and Dependencies in the TOGAF 9 Model...........................111Appendix D – Artifacts In the TOGAF 9 Model..................................................................112Appendix E – References..................................................................................................115
  5. 5. Synopsis“SOA Governance” as practised in the industry today suffers from three major problems:1. “SOA Governance” is wrongly understood to be the governance of SOA as an IT function, rather than the application of SOA principles to the governance of all levels of the enterprise. Most of the potential benefits of SOA as an organising principle for the enterprise therefore go unrealised because of this overly narrow, technology-focused interpretation.2. There is widespread confusion between the terms “governance” and “management” even among SOA practitioners. Many of the processes associated with “SOA Governance” are in fact routine management functions, and true governance tasks requiring direction are often neglected, resulting in costly yet preventable mistakes.3. The processes associated with “SOA Governance” (which are more often management than governance) are needlessly heavyweight. Given the overly limited scope of “SOA Governance” as mentioned in Point 1 above, these processes soak up a disproportionate share of an organisations resources without corresponding benefit.This white paper aims to do the following:1. Redefine both Governance and Management in simple and unambiguous terms so that there is no confusion between the two functions and both can be performed effectively.2. Raise the scope of SOA Governance and SOA Management beyond their current narrow technology focus so that SOA thinking can be applied at all levels to improve the agility, cost and risk profile of an organisation.3. Recommend a comprehensive yet lightweight approach involving a few core roles and bodies, a minimal set of processes and a manageable set of checklists to enable both SOA Governance and SOA Management to be performed cost-effectively. 6
  6. 6. Part I – Why The Industry Is Doing SOA Governance All WrongTimidity in Asserting the All-Encompassing Scope of SOA 1“SOA Governance” does not mean the governance of SOA, any more than “scientificthinking” means “thinking about science”.We know of course that “scientific thinking” means a different way of thinking abouteverything, i.e., adopting a rigorous, analytical, evidence-based approach to understandingevery aspect of the universe without exception. Scientific thinking is about applyingscience to thinking, not the other way around.In exactly analogous fashion, “SOA Governance” is about applying SOA thinking togovernance, not about applying governance to SOA.So how does one “think SOA”?We need to understand that SOA is an organising principle that impacts every aspect ofthe enterprise. It is not a set of technology products or even an approach to deployingtechnology components. The word “technology” refers to the implementation of businesslogic2, and most “SOA Governance” activities in organisations that would describethemselves as “doing SOA” relate to implementation-related activities such as settingdevelopment and environment standards, reviewing the design of SOAP-based webservices and Business Process Management (BPM), controlling versions of services,establishing policies around the use of an Enterprise Service Bus (ESB), using aregistry/repository to centralise information about services, etc. All of these are in factroutine management activities, with a narrow focus on technology to boot. These cannotbe called SOA Governance at all!The definition of SOA we propose is “the science of analysing and managingdependencies between systems”. Systems need not be computer systems, and neitherare dependencies restricted to technology. Dependencies exist at any level of business,human relations or technology, as we will show using diverse examples. The term“managing dependencies” as used above is shorthand for “eliminating needlessdependencies and formalising legitimate dependencies into readily understood contracts”.1 Service-Oriented Architecture2 “Technology” may conjure up visions of advanced computer systems, but even a manual ledger to recordtransactions is technology. Indeed, it would seem like high technology to a race without paper! 7
  7. 7. In a previous white paper published under the aegis of WSO2 (“Practical SOA for theSolution Architect”3), we showed how a solution design that is tightly coupled at the datalayer can completely negate the benefits of expensively procured SOA technology (e.g.,ESBs, registries, etc.) Such situations are unfortunately quite common becausepractitioners often take a technology-only approach to SOA and do not see thedependencies that exist between systems at different levels. The fault lies not with SOAitself but in our misunderstanding of SOA as being limited to technology. We need to startseeing SOA as a way of thinking about dependencies, not just within the technology realmor even at the level of data, but across the board. Unless we as an industry adopt“Dependency-Oriented Thinking”, the returns on our SOA investments will remainanaemic4.It would seem that industry analysts and prominent vendors have knowingly or otherwisemisled us for over a decade with the conceptual model illustrated below, and this view hasstood in the way of our ability to realise the full benefit of SOA. Every expert unfailinglyissues the standard disclaimer that SOA is not about technology, but the oppositemessage gets dog-whistled through the emphasis on products to manage web services,and ultimately prevails. In a later section, we hazard an explanation for this. Corporate Governance Corporate Resources IT Governance IT Resources SOA Governance SOA Resources Fig. 1 – The limited (and limiting) view of SOA Governance as a subset of IT Governance (itself a subset of Corporate Governance) – a view endorsed by industry thought leaders such as the Burton Group5 and IBM6.3 Downloadable from http://bit.ly/stbfiA4 In retrospect, DOT may have been a better term than SOA.5 The Burton Groups Research Director speaks on SOA and Governance: http://bit.ly/HFdF6t6 IBMs definition of SOA Governance: http://ibm.co/qm46 8
  8. 8. To repeat, SOA is not a subset of IT. The benefits of SOA thinking when applied morebroadly are: 1. An improvement in business agility because of minimal dependencies between systems and consequently minimal “friction” that can impede change 2. Sustainably lower operating costs for the same reasons 3. A significant reduction in operational risk because of better-understood dependencies and fewer surprisesClearly, we have lost out on some major benefits by defining SOA as narrowly as we have.Confusion between Governance and Management“Governance” is an over-used (and abused) term. One of the unfortunate side-effects ofthe collapse of corporations like Enron and WorldCom in 2001-2002 was the suddenpopularity of the term “governance” in popular discourse. The word “governance” hasacquired such a cachet today that it often tends to be used just for effect, even when whatis meant is just plain old “management”. So lets set these terms apart right away.Governance is ensuring that the right things are done.Management is ensuring that things are done right.In spirit, governance is about the ends, or the “What”; management is about the means, orthe “How”. This is a fundamental distinction that is key to correctly implementing what werecommend in this white paper, hence it is worth spending some effort to understand thisthoroughly.An analogy with the functions of a companys board of directors and its executivemanagement will make the distinction between corporate governance and corporatemanagement more concrete. A decision on whether the company should enter a newmarket is a decision for the board, because it pertains to the fundamentals of what thecompany wants to be and whether or not the move is in the best interests of itsshareholders. In other words, this is about doing the right thing (i.e., governance).Once the decision is taken to enter a new market, executive management is responsiblefor retooling the resources of the company to enable it to compete effectively in that 9
  9. 9. market. This is about doing things right (i.e., management).Governance and management decisions apply at lower levels of the organisation as well.Projects often have steering committees as well as working groups. Steering committeesare comprised of key stakeholders and they tend to make governance (i.e., “what”)decisions – objectives, scope, success criteria, etc. They also monitor adherence to theseparameters. Working groups are teams of hands-on people assigned to the project. Theymake the day-to-day management (i.e., “how”) decisions that will enable them to solveroutine problems and achieve the objectives that have been set by the steering committee.The steering committee is only concerned with the ends and not the means. The workinggroup is responsible for the means.In general, one can tell whether a given decision is about governance or aboutmanagement by thinking about how those decisions could be judged in hindsight. If theverdict is likely to be “right” or “wrong”, then its a governance decision. If the assessmentis likely to be one of a spectrum (e.g., “excellent”, “good”, “fair” or “poor”), then its amanagement decision.Obesity of the Governance FunctionOrganisations that have embraced the requirement for “SOA Governance” generally havecommittees, processes and tools to bring discipline to the way services are designed, built,deployed and managed. After all, this is how the governance of SOA is commonlyinterpreted. Some organisations have an “Integration Centre of Competence” that istasked with defining standards and controlling the introduction of new services into theecosystem.While these are sensible measures, they impose a rather high overhead especially giventheir limited technology-only focus. A centralised approving authority is an overworkedbottleneck, and so agility and operational cost are the first casualties. Many organisationsconsequently see very modest improvements in their operational cost and efficiency as aresult of moving to SOA. The economies and dis-economies largely neutralise each other,and the heavyweight governance processes shoulder a large portion of the blame.If projects in your organisation are constantly trying to find short-cuts around a centralisedauthority and a large part of this latter groups efforts are around reigning in such rogueprojects, it could be a sign that the organisation is chafing under heavyweight governance. 10
  10. 10. Part II – Elements of a Common Sense ApproachRecognising “Services” as a Weasel WordNo matter how often we parrot the mantra “SOA is not about technology”, we end up with atechnology-only view of SOA while were looking elsewhere. How does this happen?Our opinion is that there is a slippery slope that we embark on once we agree to talk about“services”. From “services” to “web services”, and from web services to a technology-onlyview of SOA and SOA Governance is then just a natural progression, as illustrated below: “SOA is not about technology” “Service-Oriented Architecture is a view of the organisation as a collection of reusable services” “We should expose all business functionality through Web Services” “Its good practice to proxy all Web Services through an ESB and use a registry/repository to manage them, especially as their numbers start to grow.” “We need some governance around the use of all this technology” “SOA assets are owned by IT, so SOA Governance is an IT function” Fig. 2 – The slippery slope that leads to the view of SOA as a part of ITThere is a place for the concept of “services” in what we lightly call “Service-Oriented”Architecture. But the wide-angle lens of dependencies shows us that theres much more toSOA. We need to derive our view of “services” much more systematically and rigorouslythan we have been used to doing. So lets look at this process more closely. 11
  11. 11. Back to First Principles and the Notion of “Dependencies”The four most important principles of SOA are dependencies, dependencies,dependencies and dependencies7. Were not being entirely flippant in saying this, becausethere are four distinct “layers” in an organisation where dependencies need to bemanaged. These layers, as we will explain shortly with the help of a formal framework, areBusiness, Applications, Information (Data) and Technology 8. SOA Principles (Eliminate needless dependencies between systems, formalise legitimate dependencies into well-understood “contracts”) Manage dependencies Business Layer Manage dependencies Manage dependencies Application Layer Manage dependencies Manage dependencies Information (Data) Layer Manage dependencies Manage dependencies Technology Layer Fig. 3 – The True Scope and Concerns of SOA - More than just a few Web Services managed by a section of IT!We believe that for an organisation to be effective in achieving its goals, an acceptance ofthis dependency-based view of SOA is essential. Any discussion of SOA Governance andSOA Management has to start from this basis.Since SOA is all about the management of dependencies, SOA Governance should beseen as deciding what dependencies are legitimate and SOA Management as decidinghow to manage dependencies. Both these aspects are important, so even though SOA7 To paraphrase the 3 rules of real estate: “Location, location, location”.8 This is commonly referred to as the “BAIT Model”. 12
  12. 12. Governance seems to have all the mind-share, this white paper will talk about SOAManagement9 with equal emphasis. Ironically, traditional approaches to “SOAGovernance” are usually about SOA Management (i.e., the “How”).So here are our simple and readily-understandable definitions: • SOA Governance is determining what dependencies are legitimate at every layer of the organisation and identifying what existing dependencies fall outside this set. • SOA Management deals with how to remediate illegitimate dependencies at every layer of the organisation, how to formally document and communicate legitimate dependencies and how to prevent recurring violations.We will break these down into specific tasks in Part III, but for now, the following high-levelillustration will summarise how we arrive at these definitions. SOA (The science of analysing and managing dependencies) Governance SOA Governance (What are the right What dependencies are legitimate? things to do?) What existing dependencies fall outside this set? SOA Management Management How do we remediate illegitimate dependencies? (How do we do How do we formalise legitimate dependencies? things right?) How do we prevent recurring violations? Fig. 4 – SOA Governance and SOA Management at a glanceThis is the core philosophy behind our approach to SOA Governance and SOAManagement in this white paper.9 In the literature, we often come across the term Service Management. This term derives from the view of SOA as a subset of IT rather than as a set of organising principles for the entire enterprise. Our term “SOA Management” is more comprehensive. 13
  13. 13. Why are Dependencies so Important?We believe that a deep understanding of dependencies makes all the difference betweena successful organisation and one that is less so. Sun Tzu said 10 many centuries ago,“Know thyself, know thy enemy – a thousand battles, a thousand victories.” By “knowing”oneself and ones enemy, he was really talking about dependencies, because strengths aswell as weaknesses are dependencies. What is it that makes you and the other guy tick?Fast cavalry? Long range artillery? What are the things that can trip you up? Lack ofsupplies (logistics)? Troops weakened by dysentery? What buttons can be pushed tomake you or the other guy behave in a predictable way? Siege of a prestigious fort?Abduction of a corps commanders son? All of these are dependencies. All of these relateto “knowing thyself” or “knowing thy enemy”.In that classic marketing strategy book of the 80s, “Marketing Warfare”, authors Al Riesand Jack Trout offer this nugget of wisdom to their clients who are looking for the mosteffective way to compete against their rivals - “Dont attack a weakness that is a weakness.Attack the weakness inherent in a strength.” Their idea is that weaknesses that are purelyweaknesses can be fixed, but weaknesses that are an inherent part of a competitorsstrength cannot be fixed without compromising that strength. As an example, they suggestthat any company trying to compete against a giant like Campbell Soup should attack notthe price of the soup (since a larger company can easily drop its prices long enough todrive a smaller competitor out of business), but something peripheral like the metal cans inwhich the giant corporation packages its products. The enormous investment in metal canpackaging is a weakness inherent in the strength of Campbell Soups scale of operations,and this investment cannot easily be thrown away. A competitor positioning themselves asusing either environmentally friendlier packaging or packaging that is less suspect from ahealth perspective would have a better chance than one competing on price.In other words, Trout and Ries suggest attacking dependencies that a competitor cannoteasily rid themselves of. Thats how important dependencies are to the life-and-deathstruggle of companies in the marketplace.To further reinforce the importance of dependencies to an organisation, we provide a fewreal-life case studies11 which clearly demonstrate two things – one, that dependencies are10 The Art of War11 The examples are authentic but have been anonymised, not so much to protect the guilty as to protect the authors and their associates from accusations of breach of confidentiality. 14
  14. 14. not restricted to information technology, and two, that a lack of understanding ofdependencies can cost an organisation dearly.Case Study 1 – Take it or Leave it: Monopsony 12 and ChoiceA medium-sized commercial organisation in a developing country was experiencing stronggrowth, and began hiring more staff to meet the demands of its expanding business. Oneof its hires was a seasoned manager from another industry, and his eyes immediatelypicked up an aspect of his new employers business that its owners had been oblivious to.He was shocked to discover that although the volume of growth was strong, profits werenot growing at all. On the contrary, many of the projects were actually losing money. It tookhim very little time to home in on the problem. Almost all of the companys business wascoming from government contracts, which had been its traditional mainstay. Governmentcontracts had two features that were both very unfavourable to suppliers. One was thepolicy of always awarding contracts to the lowest bidder, which squeezed margins to thebone. The second was the one-sided payment policy, under which the bulk of the paymentfor a project would only be released on completion of the work, with a significant amountwithheld for a 12 month warranty period, leaving the supplier with a huge financing gapwhile the project was being executed and potential liability for months after completion.The newly hired manager immediately began to implement a strategy to diversify thecompanys client base. As he moved to other markets, he was able to trade in on thecompanys reputation and credibility to command higher premiums from clients in theprivate sector, generally bypassing the tender process altogether. He also concentrated onshort delivery cycles and 100% payment on completion. In four years, 30% of thecompanys business was from the non-government segment. More dramatically, 85% of itsprofits came from this segment too.Moral of the story: The company had a legitimate dependency on its reputation for qualityand reliability because it was impossible to win contracts without a good track record.However, it had developed an unnecessary dependency on government contracts throughsheer history or habit. The new manager, coming from outside the company, had no suchmental blinkers and could see this dependency that the owners werent even aware of. Hethen leveraged the companys legitimate dependency as an explicit marketing tool to win12 http://en.wikipedia.org/wiki/Monopsony 15
  15. 15. new business, simultaneously reducing its unnecessary dependency on governmentcontracts with their unfavourable commercial terms. The results were spectacular.Case Study 2 – Culture ShockWhen a new General Manager took over at a company specialising in turnkey engineeringprojects, he was immediately struck by the lack of standardised process in his neworganisation. No two projects, however similar, followed the same process. Projectexecution was ad hoc and freewheeling, with lower level managers and engineers makinginformal decisions in oral negotiations with their counterparts in their client and supplierorganisations. True, the business seemed to be running smoothly, but the lack of processseemed to be a ticking time-bomb.The GM came down hard on this laidback culture. He began to insist on standardisedprocesses and timetables for all projects. Instead of informal agreements betweenoperating staff, the company began to send out formal communications of intent, spellingout what was going to be done and when, and what the other party was expected to do.Suppliers were kept on a tight leash and offered little room to negotiate on terms.Within months, dramatic results began to be seen. Project schedules began to slip. Clientsbegan to complain loudly. Suppliers were less accommodating when plans had to change.Things became bad so rapidly that the manager was fired and replaced with one of hissenior direct reports who was familiar with the old way of doing things. It took many moremonths to bring the situation back to normal.It turned out that in the turnkey engineering business, every client and every site isdifferent and requires a different approach. Flexibility is key, because there are lots ofunknowns and unexpected developments during the course of a projects execution. Twoimportant aspects of managing these changes are sufficient autonomy for local staff andmaintenance of good working relationships between key people, on the client side as wellas on the supplier side. A one-size-fits-all approach to process does not work. Neitherdoes a rigid and formal approach to managing external relationships.Moral of the story: The company had a unavoidable dependency on local and individualconditions for every project. The impacts of this dependency could only be mitigatedthrough flexibility, and this was achieved through a conscious culture of autonomy to staff“at the coalface”, mutual respect and adjustment between business partners, and regular 16
  16. 16. and informal communication between key people. The new general manager wrongly sawthe informal agreements between people as a failure to formalise dependencies intocontracts, and he then tried to replace these with more standardised processes and rigidcontractual agreements, but these measures removed the cushion that the company haddeveloped to shield it from its fundamental dependency on local conditions.This case study provides a useful contrast with the previous one because what looks likean unnecessary dependency may not in fact be so. It takes astute observation tounderstand dependencies and to leverage or manage the legitimate ones while eliminatingthose that are truly unnecessary.Case Study 3 – The Weakest Link of a Supply ChainAn Australian construction company based in Sydney fabricated aluminium and timberwindows for the building industry. The company was careful to hedge against currencyfluctuations as well as the price of aluminium. But no such arrangements were in place fortimber which was sourced from a supplier based in the neighbouring state of Victoria.What the construction company didnt realise was that Chile and Malaysia are the twomajor sources of timber in the world, and that the Victorian supplier imported timberexclusively from Chile.In February 2010, a major earthquake in Chile disrupted the supply of timber, resulting inworldwide timber shortages and a steep rise in prices. Since the supplier could no longersource timber in a timely or cost-effective manner, the Windows fabricator in turn could notdeliver windows to its builders, resulting in delays, losses and unhappy customers.Moral of the story: If the construction company had looked beyond its immediateAustralian supplier and studied the entire supply chain for its products, it would haverealised the critical dependency it had on Chilean timber. Once formally recognised, itcould then have done a number of things to mitigate that dependency, such as hedgeagainst the price of timber, force its supplier to hold sufficient inventory, or diversify itssupplies across Chile and Malaysia. Since it neglected to understand and mitigate theeffects of this dependency, it paid a heavy price.Case Study 4 – Locked Out: Key Person RiskA small value-added, niche-market IT distributor had a sales team of 6 to 7 people headed 17
  17. 17. by a national manager. The company had recently changed owners, and the new ownerhad not had enough time to familiarise himself with the companys customers.The national manager was suddenly poached by a competitor. He not only took his entiresales team with him, but also destroyed all records at his old company before leaving,wiping computers clean and removing all business documents.The owner was faced with the closure of his new business, since he had no records of anyof his customers. Although his national managers betrayal could have been criminallyprosecuted, he did not have the time or the resources to pursue litigation.This story did however end happily. The owner put together a fresh team under a new anddynamic national manager, and they painstakingly won back all their customers over thenext five years. The predatory competitor went bust.Moral of the story: The business had a critical dependency on its customer relationships,physically manifested as its database of customers and records of interactions with them.This dependency was not recognised and formalised as a contract, e.g., a customerdatabase that was regularly backed up and protected against loss or damage. The ownersfailure to formalise and manage this dependency cost him heavily.Case Study 5 – The Stress and Strain of an Engineers LifeA company supplying and installing power generators in buildings encountered a problemthat had not been anticipated or designed for.A generator installed in the basement of a twelve storey building was hooked up to anexhaust pipe to transport hot fumes to the outside through a shaft in the core of thebuilding. The metal exhaust pipe ran horizontally for 6 metres along the ceiling of thebasement and then turned upwards in a 90-degree L-joint to run a further 40 metres to thetop of the building through the central shaft. This was the first time the companysengineers had deployed a generator in this configuration, since all their previousengagements involved ground-level generators with short exhaust pipes.The engineers noticed a problem after installation. Whenever the generator was inoperation and began to push out hot exhaust fumes, the 40 metre column would expandwith the heat, pushing down on the L-joint and forcing the horizontal section to archdownwards almost half a metre. The pipe would return to its position once the generator 18
  18. 18. stopped and the pipe cooled, but this repeated movement due to expansion andcontraction was a certain recipe for failure of the pipe due to fatigue.Ultimately, the engineers came up with a solution to replace the rigid L-joint with a muchlooser (though still airtight) bell-shaped container into which both the horizontal andvertical sections of the pipe could extend. A system of rollers allowed both sections of thepipe to expand smoothly into the “bell” and contract equally smoothly out of it, with neithersections movement impacting the other. Although the company had to spend extra timeand money to implement this solution (which they could have built into the initial designhad they anticipated the problem), they managed to avert a future, potentially moreexpensive accident.Moral of the story: The two sections of the generators exhaust pipe had an unnecessarydependency on each others thermal expansion due to the rigid L-joint between them.Once this dependency was eliminated through a more loosely-coupled expansionmechanism, the problem disappeared.Case Study 6 – It Goes Without SayingAt a large bank in the Middle East, a sincere and hard-working British expat BusinessAnalyst was put in charge of a major branch automation project. The banks tellers wereusing mainframe “green screen” terminals, and these were overdue for replacement with amore modern interface.The BA worked hard for many months, interviewing bank staff and management, gatheringrequirements, creating questionnaires for vendors, issuing RFIs and RFPs, conductingevaluations and negotiations, etc., and finally selected a vendor that seemed superior inevery respect. Although he made presentations from time to time to management to keepthem informed of his progress, he was doing everything virtually single-handed.Finally, after about a year of hard work, and just before the contract was to be awarded tothe successful vendor, the BA organised a demonstration of the branch automation systemfor the banks senior management and branch heads.Partway through the impressive demonstration, one of the managers asked, “Does thesystem support Arabic?”The BA was stunned. He turned to the vendor representative, who looked embarrassed. 19
  19. 19. No, the system did not support Arabic. The commotion and head-shaking that greeted thisadmission made it abundantly clear that the deal was dead. The poor BA was later spottedsitting at his desk with his head in his hands.The search for a branch automation system had to resume almost from scratch, at a hugecost in time and money.Moral of the story: Although the BA had taken great pains to gather detailed requirementsfrom a wide cross-section of bank staff, Arabic language support was considered to besuch an obvious requirement that no one had actually spelt it out. Being a recently-arrivedexpat, the BA didnt consider it either. And so the most obvious and important requirementfor the system went unmet and ruined a years worth of work. In other words, a legitimatedependency was not formalised in the form of a contract (i.e., the requirements document).Its absence was therefore not noticed until too late and resulted in a nasty surprise.Case Study 7 – “ASSUME” Makes an ASS of U and MEA multinational systems integrator was engaged to deliver a comprehensive CorporateInternet Banking solution to a major Australian bank. Most of the functionality of theapplication would leverage the banks mainframe-based product systems, and these wouldbe exposed as services through middleware. What remained to be sourced was a suitableweb-friendly front-end product with the required rich user interface. The SI evaluated a fewpackaged products and selected one for its client.The overall project was a multi-million dollar undertaking with about a hundred peopleworking on the program. There were business analysts, project managers and a largenumber of technical staff working on the mainframe and middleware, along with a smallerteam of front-end designers and developers.It was known that the selected product had been originally designed to work against datain a relational database, but the product vendors architects had assured the SI that it wasrelatively easy to graft the front-end onto the middleware services that were being built.A few months into the project, the SIs front-end designers got their first look at the sourcecode of the front-end product, and one of them noticed references to a “Row ID” sprinkledthroughout the code. The vendors front-end developers innocently explained that thisreferred to the row number in the database. The SI team was aghast. “But theres nodatabase! You know this has to work against services talking to a mainframe!” 20
  20. 20. A meeting of the SIs senior architects and project managers was hastily called. Thevendors senior architects were summoned from overseas. Not having a detailedknowledge of the code, they had not realised that the relational database assumptionwould be so deeply rooted in their products design, and they estimated that it would take afurther 3 months to fix. All knew that a 3 month delay was unacceptable to the client.Ultimately, the vendor relationship was terminated, the SIs project manager was fired, andthe SI barely salvaged the contract after demonstrating a custom-built working prototype tothe client. The fiasco threatened to derail a prestigious project and came perilously closeto rupturing a highly visible, multi-million dollar relationship between a multinationalsystems integrator and one of its biggest Australian clients.Moral of the story: The front-end application had hard-coded its dependency on arelational database into every element of its user interface. The vendors architects had notadequately documented how this dependency should have been isolated, and those whodocumented the implementation had not adequately recorded the extent of thedependency. Either of these “contracts” would have alerted people to the extent of thedependency. No wonder even the vendors architects were blind-sided.Case Study 8 – What Makes a Good Technology Platform?To round out this section, lets end with a generic example from the realm of technology –the notion of a “platform”.A platform is a technology environment that provides all the necessary run-time support forapplications. These could be virtual machines, interpreters, dynamically linkable libraries,etc. Lets look at five platforms that have been popular over the last decade and a half. i. The Windows operating system is a platform for native Windows applications. While its ubiquity was attractive to Independent Software Vendors (ISVs), there were a few problems with this platform. One was the shift from 16-bit to 32-bit around 1995, which rendered quite a few third-party applications unable to run on the newer version. Another persistent problem was known as “DLL hell”, because of the dependencies of applications on versions of dynamically linked libraries. An upgrade to an underlying system library could and often did break dozens of third-party apps. A third issue was that Microsoft exploited “undocumented Windows 21
  21. 21. APIs” in its own applications that rival app vendors could not use, and so it was not a level playing field. ii. Linux (like any Unix variant) has the notion of symbolic links that it uses to advantage to manage its dynamically linked libraries (called “shared object files”). Shared object files have major version numbers and minor version numbers. Changes in minor version numbers represent changes that do not break the API. Changes in major version numbers represent changes that do break the API. Symbolic links are used to hide changes in minor version numbers but not in major version numbers, so applications that declare their dependencies in terms of the symbolic links will be shielded from irrelevant changes but rightly impacted when the API changes. Also, old and new versions of files can simultaneously exist to support old and new versions of applications.Shared Object Symbolic link Description versionlibxxx.so.2.1 libxxx.so.2 Original version that applications are dependent on.libxxx.so.2.2 libxxx.so.2 Change in shared objects minor version number is not reflected in the symbolic link, so dependent applications are (correctly) not impacted. Both shared objects can exist simultaneously, but only one is “active”.libxxx.so.3.1 libxxx.so.3 Change in shared objects major version number is reflected in the symbolic link, so dependent applications are impacted, as they should be. Both symbolic links can exist simultaneously, supporting old and new versions of applications. Table 1 – Linux and the use of symbolic links to abstract insignificant version changes iii. The Java Virtual Machine is a platform that runs Java bytecode. The Java language has undergone numerous version revisions, but the JVM has hardly changed in 15 years. Compiled bytecode from 15 years ago runs on the JVM just as well as compiled bytecode from the latest version of Java. iv. The browser is a platform too. In the mid- to late-nineties, developers were discouraged from writing applications that relied on Javascript running on the browser, because there were at least two broad variants of browser platforms – 22
  22. 22. Netscapes and Microsofts – and even the versions of each browser implemented different versions of the HTML and JavaScript standards (if there were standards at all). It is only since very recently that the browser can be relied upon as a platform that will run applications in a predictable and consistent way, independent of browser vendor. v. Apples products have a reputation for ease of use, but they are also highly closed. Standard input/output mechanisms like USB ports are not supported, and very little can be achieved by a device without integration to iTunes, iCloud or both. For users who dont mind the restrictions that the Apple platform places, everything “just works”. The competing Android platform is more open, but also a bit more chaotic in terms of multiple versions and multiple implementations by device vendors.Moral of the story: For a platform to be considered a good one, applications must, aboveall, be able to rely on consistent and stable behaviour. Irrelevant changes must not beallowed to impact applications. There must be considerable latitude in the definition ofwhat constitutes a change, so that the bulk of changes within the platform can be“absorbed” without exposing applications to them. The five examples above showedvarious approaches to the construction of a stable platform, with varying degrees ofsuccess. We can see that the notion of “dependencies” underlies all of them.SummaryWe have now seen several dramatic examples of how unappreciated dependenciescaused, or threatened to cause, problems of reduced agility, increased cost and increasedrisk to organisations. Not all of these have to do with technology, much less with “SOAtechnology”, and the choice of examples has been deliberate in that regard. Yet the failureto understand the potential impact of dependencies is the common thread in all thesestories. A basic level of dependency-oriented analysis would have highlighted the costsand risks in each of these cases, saving the concerned organisations significant amountsof time, money and risk.Having therefore established the crucial importance of dependencies to an organisationsviability and success, let us see how we can approach the analysis of dependencies in asystematic way. This is what SOA Governance and SOA Management are really about. 23
  23. 23. An Architectural Framework to Analyse DependenciesWe need a framework to analyse dependencies before we determine how to govern andmanage them. Rather than reinvent the wheel, lets look at some existing andwell-understood models to see if they suit our requirements.BAIT as Layers of DependenciesThe BAIT model is a popular architectural framework that decomposes an organisationinto four layers – Business, Applications, Information (Data) and Technology.BAIT has the right idea about layers, but it is traditionally focused on identifying the entitiesthat exist at each layer and the relationships between those entities. There is no strongemphasis on the aspect of dependencies, even when dealing with relationships. When weadopt the BAIT model to aid us in SOA Governance and Management, we have to adapt itto focus on dependencies, as follows: Traditional concerns of The BAIT Model applied to the BAIT Model SOA concerns Business Layer Business-Level Business Entities (Intent) Dependencies Application Layer Domain Dependencies Applications and Systems (Internal Cohesion) (High Cohesion Principle) Information (Data) Layer Interface Dependencies Domain Data Models (Interfaces/Integration) (Low Coupling Principle) Technology Standards, Technology Layer Technology Dependencies Software and Hardware (Implementation) Fig. 5 – Adapting the BAIT Model to address SOA concernsIn other words, we prefer to think of BAITs four layers as representing four “I”s, referring tothe (1) Intent, (2) Internal Cohesion (grouping of business functions into highly cohesive“applications”), (3) Interfaces/Integration between logical functions with low coupling, and(4) physical Implementation of all the components of the logical business organisation.The emphasis on cohesion and coupling is particularly relevant, as we will see in latersections. 24
  24. 24. TOGAF13 Artifacts as Dependency RelationshipsThe TOGAF framework of Enterprise Architecture builds on the BAIT model and describesgeneric entities in each layer along with their inter-relationships. This is extremely valuableto us when embarking on SOA Governance and SOA Management because the hard workof understanding the components of an organisation and how they fit together has alreadybeen done.However, just like with BAIT itself, TOGAF as it stands is not a perfect framework that canbe used without adaptation to our treatment of SOA Governance and SOA Management. Itdoes not inherently support the dependency-oriented organisational transformation that wewould like to model and plan for. SOA is a single isolated chapter in The Open Groups780-page TOGAF 9 book, which betrays a traditionalist view of SOA as a subset of ITrather than as the science of analysing and managing dependencies across the board.However, nothing prevents us from using a dependency lens to view the detailed set ofentity relationships identified by TOGAF and derive a more applicable model for ourrequirements. Well show how to do that in Part III of this document.TOGAF defines some core concepts at the four layers and lists out some important andstandardised documents (“viewpoints” in the TOGAF terminology) that provide usefulinformation about these concepts and their interactions. TOGAF uses the term “catalog” torefer to any list. Similarly, it uses the term “matrix” for tables that show the relationshipbetween exactly two concepts, and “diagram” for any depiction of how more than twoconcepts are related. (a) (b) (c) Fig. 6 – (a) a TOGAF “catalog”, or list of entities; (b) a TOGAF “matrix”, or table of two-entity relationships; (c) a TOGAF “diagram”, or a depiction of multi-entity relationships.If we interpret “relationships” as “dependencies”, matrices become two-entitydependencies and diagrams become multi-entity dependencies. The set ofTOGAF-defined matrices and diagrams at each of the four BAIT layers then gives us aready-made check-list of the dependencies we need to be mindful of within those layers aswell as between layers.13 The Open Group Architecture Framework: http://www.opengroup.org/togaf/ 25
  25. 25. We consciously adapt TOGAFs set of artifacts to align them with a SOA view of theenterprise because TOGAF is not inherently dependency-oriented. In other words, theentity dependencies we study will correspond to our SOA version of the BAIT Model ratherthan the traditional one. SOA Version of BAIT Model TOGAF Artifacts Business Layer Business-Level (Intent) Dependencies Application Layer Domain Dependencies Core entities, (Internal Cohesion) (High Cohesion Principle) Two-entity dependencies and Information (Data) Layer Interface Dependencies Multi-entity (Interfaces/Integration) (Low Coupling Principle) dependencies Technology Layer Technology Dependencies (Implementation) Fig. 7 – TOGAF artifacts classified by BAIT levelWe can now begin to see why the traditional view of “SOA Governance” is so limited. SOA Governance SOA Management (“What dependencies are (“How do we manage legitimate?”) dependencies?”) Business Traditional “SOA Governance” concerns Application Development and environment Information (Data) standards, reuse metrics, Web Service version management, repository structures to store Technology WSDL, schema and policy files, etc. Fig. 8 – Traditional “SOA Governance” concerns are more correctly SOA Management, and a subset at that. Little effort is focused on the governance question, “What dependencies are legitimate?”Clearly, our entire approach needs nothing less than an overhaul. Its time to look at howSOA Governance and SOA Management should in fact be done. 26
  26. 26. Part III – A Practical Guide To Governing And Managing DependenciesIn the previous two parts of this white paper, we critiqued the industrys approach to SOAGovernance and suggested how we could do it better by considering the elements of amore rational approach based on the analysis of dependencies.In this part of the white paper, we will show how to put these elements together into alightweight method. Well recommend some key roles and bodies that will be responsiblefor the functions of SOA Governance and SOA Management, the minimal set of processesthey need to carry out, and a manageable set of check-lists that they should use for thesepurposes.Agencies and VehiclesKey RolesWe believe that the primary agency to apply dependency-oriented thinking at every level ofan organisation is the Enterprise Architecture function. In organisations with an EnterpriseArchitecture group, there are usually architects with specialised skills who are tasked withdefining the business architecture, application architecture, data architecture andtechnology architecture, so the BAIT Model is already an operational tool. Thesespecialised architects are the people who need to spearhead a new way of approachingSOA Governance and SOA Management.The role of Enterprise Architecture under this model is to analyse the four layers of theorganisation specifically from a dependency focus, first to determine the “what” (thelegitimate dependencies that should exist at each level as well as the unnecessary onesthat do currently exist) and then to guide the “how” (the programs of work required to alignthe organisation to the set of legitimate dependencies that were identified).One of the suggestions we have for the Enterprise Architecture function to assist them intransitioning to this world-view is to include professionals from certain other disciplines,even if on a part-time basis. Project Managers, Risk Managers and Contract Lawyers areall used to looking for dependencies in their own areas, and they can inject some of thefresh blood that the traditional Enterprise Architecture group needs to make them effectivein a SOA sense. 27
  27. 27. In organisations with a reasonably effective architecture function, heres how businessintent is transformed into working systems today: Fig. 9 – Key roles and their traditional concernsHeres the subtle but important change we would like to see: Fig. 10 – Key roles and their recommended concernsIts not as if architects dont already think about dependencies. Its just that dependenciesneed to be promoted to be a primary, top-of-mind item in all discussions and decisions, 28
  28. 28. especially where the business and IT are involved. Every individual who is part of thedecision chain from business objective to implementation, no matter what their level,needs to be sensitised to the importance of dependencies. Thats what it means toinculcate “SOA Thinking” within an organisation, and architects need to don the mantle ofevangelists to spread this philosophy.The perspectives of project managers, risk managers and contract lawyers could be veryuseful additions to their skill set, since these give them a “fresh pair of eyes” with which torecognise the diverse set of dependencies impacting the enterprise.SOA Governance and SOA Management become far easier to execute when theorganisational culture understands the importance of dependencies. 29
  29. 29. Key BodiesWhile the Enterprise Architecture function is key to our recommended approach, SOAGovernance and SOA Management require the active participation of many different rolesand functions to be effective. The business and IT are crucial stakeholders, as we saw. It isessential to involve multiple roles in the SOA Governance and SOA Managementfunctions, and this calls for new organisational structures. We are all too aware of thereputation of committees as inefficient bureaucracies 14, but the multi-disciplinary nature ofthe tasks at hand, together with the fact that these are ongoing responsibilities, dictate theneed for one or more standing bodies rather than ad hoc teams. Broadly, two groups ofpeople are required to carry out the required functions: • a “Dependency Governance Committee” • a “Dependency Management Committee”Now this is a functional classification, and these two logical groups could be realised asseveral physical committees, e.g., one or more at each level of the BAIT model plus one atthe Enterprise level. Some committees could also take responsibility for more than oneBAIT layer, as long as they are clear which layer they are dealing with at any given time.The decision on how many physical committees to have is entirely up to the organisationin question, but we would strongly recommend against combining governance andmanagement functions within any single committee. That would defeat one of our primarygoals, which is to perform both functions effectively and without confusion.Additionally, although its the committees functions that are important and not their names,we would recommend that the term “dependency” be explicitly used in their names inorder to inculcate a dependency focus within every person in the organisation. Weve losta decades worth of benefits thanks to poor naming (“Service-Oriented” as opposed to“Dependency-Oriented”), so lets call a spade a spade this time, however corny it maysound. A committee should either be a “Dependency Governance Committee” or a“Dependency Management Committee”, with prefixes as appropriate to the BAIT leveland/or business unit.14 Two of our personal favourites are “A camel is a horse designed by a committee” and “A committee is a group of people who individually can do nothing, but who get together to decide that nothing can be done.” 30
  30. 30. In a nutshell,• The Dependency Governance Committee is responsible for defining which of the dependencies at the level they are responsible for are legitimate and which are not. They are also responsible for prioritising the programs of work to remediate dependencies.• The Dependency Management Committee is responsible for costing, planning and initiating the programs of work that will bring and keep the organisation in line with the model validated by the Dependency Governance Committee and according to the priority decided by that committee.The Dependency Governance Committee should have a fair representation ofEnterprise Architects, with specialists in each of the BAIT layers. At least some of themembers of the Dependency Governance Committee should have a background in one ofthe non-IT professions listed earlier 15, because these professionals are trained to look fordependencies. Depending on the layer of the BAIT model that the committee isresponsible for, there should be representation from senior executives, businessmanagers, functional heads and technology specialists. This may mean separatecommittees, or a single committee with some fixed members and a number of others whoattend only the sessions that are relevant to them.Importantly, the Dependency Governance Committee must have authority and access tofunding to be able to approve programs of work, otherwise the organisation will be unableto remediate the dependencies identified as invalid. One of the reasons why we expendedso much ink in Part II to present 8 separate case studies was to hammer home the ideathat attention to dependencies saves real money. Business unit heads should therefore notbe churlish about funding dependency remediation tasks, and their representation onGovernance committees serves more than just a decorative function!The Dependency Management Committee should comprise people skilled in costing andplanning, typically project managers and functional heads. They may need representationfrom Enterprise Architecture to keep them focused on the dependency aspect while theyattend to their more familiar roles of costing and planning programs of work. Again, therewill be a need to have different people engaged for different layers of the BAIT model, sothere could be considerable variety in the structure and/or composition of thecommittee(s).15 Project managers, risk managers and contract lawyers. 31
  31. 31. How Many Committees?The dependency governance and management functions can be performed by just twocommittees in a small organisation, since they can do justice to the complexity of the entireorganisation themselves. As organisations become larger, the committees will need tobecome more specialised, as the following examples illustrate. Dependency Governance Dependency Management Committee Committee Fig. 11 – Committees for a small organisation Enterprise Dependency Enterprise Dependency Governance Committee Management Committee Business Dependency Business Dependency Governance Committee Management Committee Application & Information Application & Information Dependency Governance Dependency Management Committee Committee Technology Dependency Technology Dependency Governance Committee Management Committee Fig. 12 – Committees for a medium-sized organisation Enterprise Dependency Enterprise Dependency Governance Committee Management Committee Business Dependency Business Dependency Governance Committee Management Committee Application Dependency Application Dependency Governance Committee Management Committee Information Dependency Information Dependency Governance Committee Management Committee Technology Dependency Technology Dependency Business Governance Committee Management Committee Units / Geographies Fig. 13 – Committees for a large organisation 32
  32. 32. If this set of committees is beginning to look too bloated, our audacious claim is that theseare the only governance and management structures that an organisation will ever need,so this could in fact represent a drastic simplification to the plethora of managementbodies that currently exist in a given organisation.Lets look at a few special cases to support this claim.Security dependencies: Security is an important aspect of business operations, andinformation security traditionally tends to be treated as an IT concern. However, securityconcerns are relevant at different levels of the BAIT model. Perimeter security, forexample, may be relevant only at the level of technology, since it is completely opaque tohigher layers. Data Leakage Protection applies at all levels from the business layer down,since it is impacted by business processes, application design, data interchange as well astechnology-related aspects like USB device control and disk encryption. PCI-DSS 16compliance requirements may or may not impact business processes but will certainlyimpact application design, data storage and encryption/tokenisation technology. Thedependency governance and management committees at these various levels will addressand manage the security concerns listed above, as well as any others that arise from timeto time.Non-technology domains that are not line-of-business, such as Human Resources,Accounting, Finance or Legal, also fit into this dependency-oriented model.Human Resources dependencies: Clearly, an organisation that employs many morecontractors than permanent employees has a very different dependency profile than onewith the opposite composition. The contractor-based organisation can downsize morereadily in an economic downturn and re-hire when required, but it has a more tenuous holdon IP due to the less “sticky” nature of employee knowledge. The contractor-basedorganisation will have to invest more heavily into knowledge-management systems tomitigate against their risk of losing critical business and operations knowledge. Theorganisation with a higher proportion of permanent employees will have to be morecautious about hiring in an economic upturn because of their larger financial exposurearising from retrenchment benefits they may have to pay out when downsizing. A businessdependency governance committee and business dependency management committeefocused on the HR business unit will be able to formalise these concerns and evolvemitigating strategies.16 Payment Card Industry Data Security Standard 33
  33. 33. Finance dependencies: An organisation that is funded mainly by debt has a differentdependency profile to one funded mainly by equity. A debtor and a creditor representdependencies of different kinds, and every financial instrument that is issued or purchasedimposes a different flavour of dependency on the enterprise. Financial controllers makedecisions based on such dependencies all the time, whether or not they use the word“dependency”. Regardless, the business dependency governance and managementcommittees for the Finance business unit will standardise these functions in a consistentcorporate style.In short, these varied examples support our claim that SOA, being all about dependencies,is not about technology but is an organising principle for the enterprise and lends itself to asimple and consistent form of governance and management. Form follows function, andthe structure of the required governance and management committees follows thediscipline of dependency-oriented thinking.[It may be argued that the bulk of a modern enterprises business logic tends to be codedinto software-based systems with very little residual manual processing, so “its all ITanyway”. Let us refute this argument with a simple analogy. Just because all legaldocuments in a country are in the English language does not imply that a mastery ofEnglish is all that is required to understand or to draft legal documents. One needs tounderstand law. In similar fashion, even if every piece of business logic in an organisationis implemented within a technology platform, understanding how to govern and managetechnology alone is not sufficient. The principles behind how business logic and businessdata are identified and organised need to be understood, and the analysis ofdependencies is a crucial tool to achieve this understanding.] 34
  34. 34. Functions and ProcessesBroadly speaking, the processes required for SOA Governance and SOA Management areeither one-time or recurring.To keep an otherwise dry topic light and readable, we will illustrate what occurs duringeach of these processes through imaginary conversations between various parties. Theplayers in all these scenarios are the following:G – Dependency Governance CommitteeM – Dependency Management CommitteeB – Any Business UnitOne-time ProcessesWhen an organisation embarks on doing SOA Governance and Management the way thiswhite paper recommends, there will be a one-time activity (which could of course bebroken up into phases for manageability) on the part of the Dependency GovernanceCommittee to do two things:1. Agree on the set of approved dependencies at each level of the organisation as suggested by the BAIT model;2. Identify the dependencies that actually exist, specifically the ones that fall outside the set of approved dependencies above.The latter list (the set of actual dependencies that are not approved) is the input to theDependency Management Committee to plan a program of work to remediate. 35
  35. 35. Governance Functions Management Functions Publication: List of Approved Dependencies One-Time Dependency List of Dependencies to be remediated Review Update: List of Approved Dependencies Need not Periodic Remediation align toReview Dependency Program Business cycle Review Proposal Project List of cycle Dependencies to be remediated List of programs, Remediation grouped and costed Program Review Business Business Requirements Driver (Objective) Initiative Details New New Business Initiative Initiative Project Review Proposal cycle Non-approval: List of Dependencies in violation Update: List of Approved Dependencies Approval BAU Program Management Approval: Prioritised list of programs, with funding Report: Dependencies remediated Dependency-related Process Existing Business Process Fig. 14 – Dependency Governance and Management Processes 36
  36. 36. Initial Dependency ReviewScenario 1:G: “Weve done a review and decided that the only legitimate dependencies are these.There are many actual dependencies weve found in our systems that are not in thisapproved set. They need to be eliminated.”M: “OK, well come back with a proposal for a program of work to remediate them.”Recurring ProcessesThere are recurring processes within both the governance and management functions.Recurring governance processes are reviews to re-validate the set of legitimatedependencies at any level and to identify afresh the set of existing dependencies that falloutside of this approved set. The latter set (which is expected to shrink with each iteration)is then an input to management committees to initiate programs of work to remediate.Prioritisation and approval of these proposed programs of work is also a governancefunction.Periodic Dependency ReviewScenario 1:G: “Given the changing nature of our business since the last review, some newdependencies are now deemed legitimate and some old ones no longer are.”M: “OK, well make a note of the new set of approved dependencies and come back to youwith a proposal for a program of work to eliminate the ones that are no longer approved.”Scenario 2:G: “Some new dependencies that are not in the approved list seem to have “snuck into”our systems since our last review. These need to be eliminated ASAP.”M: “We dont understand how that could have happened. Well come back to you with aproposal for a program of work to remediate them.”Remediation Program ReviewM: “Weve put together a proposal for a set of programs that will remediate the unapproved 37
  37. 37. dependencies that you identified. Weve worked out the costs and benefits of each ofthem. Please tell us how you would like to prioritise them for execution, and pleaseapprove funding for the ones you want done in the current period.”G: “We think you should initiate the following subset of programs in the current reportingperiod and defer the remaining for a future period. The funding for the programs in thecurrent period is hereby approved.”M: “Well initiate these programs right away.” 38
  38. 38. Recurring management processes are intended to identify programs of work to remediatethe invalid dependencies identified by the governance committee(s) and to manage theseprograms once approved by them.Remediation Program ProposalScenario 1:M (internal conversation): “Given the set of existing dependencies that were identified bythe Dependency Governance Committee as not being on the approved list, lets work outthe costs and benefits of eliminating them, and group these tasks into cohesive programsof work for them to prioritise and approve.”BAU Program ManagementOnce a Dependency Remediation Program is approved, it is managed in exactly identicalfashion to regular business projects. These are not to be treated as projects of secondaryimportance or nice-to-haves because of a mistaken characterisation of SOA as technology.On the contrary, the involvement of business and technology representatives and properpositioning of the benefits of these initiatives by Enterprise Architecture should ensure thatthey are taken equally seriously as programs initiated by the business. After all, unfixeddependencies mean significant amounts of real money, as we have seen earlier.The business initiatives detailed in the next section also feed into Business-As Usual(BAU) program management alongside dependency remediation programs.The standard discipline of conducting Post-Implementation Reviews (PIRs) to evaluate thesuccess of a program should be conducted for dependency remediation initiatives as well.Granted, the benefits are not always immediate but recurring, but it should be possible toassess if the dependencies slated to be eliminated were in fact removed, and a freshassessment of the costs and benefits of the initiative should be conducted to report back tothe Dependency Governance Committee.New Initiative AppraisalAn event that could trigger a fresh governance activity is when there is a business driver(objective) necessitating a program of work, the proposal is put forward, and thegovernance committee evaluates if this introduces any fresh dependencies that are not onthe approved list. (Of course, any additional dependencies may be justified, in which case 39
  39. 39. the approved list is updated, or may even make some existing dependencies unnecessary,which again results in updates to the approved list). The proposal may need to beamended to avoid introducing dependencies that are not approved.A new initiative could be on the business side (e.g., entering a new market, introducing anew product, acquiring a company, outsourcing or re-insourcing a business function,changing a business process, signing up a new partnership, etc.)The initiative could also be on the technology side (e.g., buying and installing a newproduct system, developing a new system in-house, outsourcing or re-insourcing atechnology function, changing the technology implementation of a function or process,decommissioning a system or application, undertaking a turnkey project, etc.)All of these changes have dependency implications that have to be reviewed before theinitiatives concerned can be approved. A large part of the technical and business “debt”that is incurred by organisations is due to a failure to assess new initiatives for theirdependency implications.The following process is meant to plug that loophole.Scenario 1:B: “Heres our proposal for a new project.”G: “It appears that your project is about to eliminate some dependencies. Thats good.Project approved.”B: “Thanks, well initiate the project.”M: “Well make a note that the set of approved (and existing) dependencies will shrink afterthis project.”Scenario 2:B: “Heres our proposal for a new project.”G: “Your project introduces a new set of dependencies, but they do seem to be valid, sowell expand the set of approved dependencies. Project approved.”B: “Thanks, well initiate the project.”M: “Well make a note of the expanded set of approved dependencies.” 40
  40. 40. Scenario 3:B: “Heres our proposal for a new project.”G: “Your project will introduce new dependencies that are not valid. Were afraid we cantapprove it. Go back and re-think your processes and/or designs so that they stay withinthe set of approved dependencies.”B: “OK, well get back to you with a reworked proposal.”M: (“Nothing for us to do.”)Incorporating a Dependency Focus into New Initiative AppraisalThe business case for any program of work should include its impact on dependencies(positive or negative), in addition to the standard calculations of cost-to-implement andbusiness benefit. Dependencies carry a hidden yet heavy cost in terms of business agility,operating cost and operational risk, so we would like to have these made explicit andbrought to the notice of approving authorities. Introducing dependencies (legitimate or not)incurs cost and risk, and removing them has the opposite effect. This is where the workdone by governance committees in identifying dependencies will form a useful input. Thefollowing page has a simplified form that illustrates this. 41
  41. 41. New Initiative Appraisal Form Cost Business Benefit Dependency impacts (+/-) Description of proposed project CapEx OpEx (3 Yrs) Business agility Operating costs Operational risk (3 Yrs) (3 Yrs) (3 Yrs) assessment Remove replication of customer (200,000) (25,000) 90,000 50,000 80,000 Changes from address data by consolidating it (25,000) 90,000 50,000 80,000 medium to low within system X where it belongs (25,000) 90,000 50,000 80,000Approved by:Approval date: Fig. 15 – An indicative format for a “New Initiative Appraisal Form”The form above illustrates how the hidden benefits from the removal of dependencies (or conversely, the hidden costs of introducingfresh dependencies), once quantified, could sway the business case for a project either way. In this example, the business case for aproposed project doesnt by itself stack up because the total business benefit over a 3 year ROI horizon ($270,000) is less than the costincurred ($275,000). However, the benefit goes up enormously once the improvements to the organisations agility, cost and risk profileare taken into account. A dependency focus therefore drives behaviour that is desirable over the longer term.This is the kind of change we would like to see in the way organisations evaluate programs of work. It represents a “least-dependency”model of doing business which keeps them lean and low-risk.
  42. 42. Processes in Steady StateThe recurring processes around dependency review followed by remediation are expectedto wind down as the culture of dependency-sensitivity begins to take hold and the numberof exceptions correspondingly reduces.In steady state, the only processes that we are likely to see are New Initiative Proposal,New Initiative Review and BAU Program Management, since these processes willsubsume the dependency-related activities that are the sole focus of the other processes.Periodic Dependency Reviews will still take place, but with any luck, no deviations willhave occurred and hence no remediation programs will need to be initiated. Governance Functions Management Functions Business Business Requirements Driver (Objective) Initiative Details New New Business Initiative Initiative Project Review Proposal cycle Non-approval: List of Dependencies in violation Update: List of Approved Dependencies Approval BAU Program Management Dependency-related Process Existing Business Process Fig. 16 – Ideal Dependency Governance and Management Processes in “Steady State” 43
  43. 43. Governance and Management Check-listsWith our governance/management bodies and processes in place, its time to look at whatthey will actually do. Here is a recommended approach based on a detailed analysis oforganisational layers along with a sample check-list of questions for the committees to ask.Classification of DependenciesConsider a set of dependencies between entities within a BAIT layer (or across layers). Entity 1 dependency 1 dependency 3 dependency 2 Entity 4 Entity 3 Entity 2 dependency 4 Entity 5 Fig. 17 – An unclassified set of dependenciesThese dependencies may be further categorised into (say) two broad groups because theyare themselves related in some way. A governance or management committee may thenassign responsibility for these two dependency groups to two separate teams. Dependency Group 1 (covers dependencies 1 and 2) Entity 1 dependency 1 dependency 3 dependency 2 Entity 4 Entity 3 Entity 2 dependency 4 Entity 5 Dependency Group 2 (covers dependencies 3 and 4) Fig. 18 – Dependency Groups containing cohesive sets of dependencies 44
  44. 44. The Dependency Governance Committee(s) and Dependency Management Committee(s)may want to organise themselves into specialised teams to study and monitor smaller,cohesive sets of dependencies. We will call this intermediate level of granularity (i.e.,somewhere between a single dependency and all the dependencies that may exist at aBAIT layer) a “Dependency Group”. Although not identified in TOGAF, a DependencyGroup helps to provide a “system” view of related dependencies.In the following sections, we will document not just the set of dependencies suggested byTOGAF at each BAIT layer, but also our suggested classification of these dependenciesinto Dependency Groups that can be assigned to specialised teams as their responsibility.The List of Check-ListsOur check-lists will be numbered according to the following scheme: G(overnance) M(anagement) Basic G-00 M-00 E(nterprise) EG-00 EM-00 B(usiness) BG-00 BM-00 A(pplication) AG-00 AM-00 I(nformation) IG-00 IM-00 T(echnology) TG-00 TM-00A Basic Governance Check-listRegardless of the level of the BAIT model at which governance is sought to be applied,there are some standard questions that will need to be asked:G-01 What are the core entities involved?G-02 What are the legitimate dependencies between them?G-03 What dependencies can we identify in the current situation that fall outside this set of legitimate dependencies?There will of course be more specialised governance questions depending on the BAITlayer concerned, and we will cover them under the appropriate sections. 45
  45. 45. A Basic Management Check-listIn similar fashion, there are some standard management questions that need to be askedat every level of the BAIT model:M-01 How do we express the dependencies between entities as suitable contracts?M-02 How will we enforce contracts?M-03 How will we monitor adherence to contracts?M-04 How do we re-engineer our existing systems to align them with the target model?Every BAIT layer will add its own specialised management questions to this list, and wewill examine each under its corresponding section.When an organisations governance and management committees are staffed withappropriate experts and when they adapt to the dependency-oriented way of thinking, theywill be able to formulate more relevant questions to add to these check-lists. 46

×