Rethinking SOA Governance

by Quinton Wall
03/14/2007

Rethinking SOA governance comes down to understanding and addressing two primary and complementary factors: cost and profit. This article presents a discussion on recognizing the incentives for organizations to undertake an effective SOA governance model through a pragmatic approach of addressing cost and profit.

Through the definition of five levels of governance, pragmatic advice is given here in an attempt to address the incentives that drive many lines of business-funded initiatives that may undermine enterprise service adoption. The discussions provide insight into how a centralized governance process may actually be assisting in limiting the proliferation of non-reusable services developed by individual lines of business that, through simple cost-benefit analysis, determine it is cheaper to build their own rather than leverage an enterprise service.

Introduction

The concept of enterprise reuse is not a phenomenon new to Service-Oriented Architecture (SOA), nor is the need to govern certain aspects of technology, be they hardware, software, or peopleware. As organizations have wrestled with the notions of centralized control vs. decentralized control, one simple factor exists that must be addressed. This factor has derailed the loftiest goals with unerring swiftness.

This factor is cost, or more precisely profit.

Plain and simple, if it is cheaper for a line of business to build or develop something itself rather than reuse a service/system/asset/anything, it will. In order for a business to be committed to a centralized strategy, it must make financial sense and it must get something out of it.

Regarding SOA, governance has been featured prominently as that intangible necessity of control and compliance to prevent lines of business from charging forth on their own to do what they do best: run a business or, more accurately, a profitable business. To date, the analysis of how to combine profit and governance has been almost non-existent. Yes, there have been plenty of valuable discussions of cost of reuse and savings, but how do we as proponents of SOA fill in the gaps on the governance landscape with something more tangible than just reuse? This article attempts to discuss addressing cost and profit as potential reasons for governance failure. In fact, there may be a solution that prompts both IT and business to come to the table willingly to discuss a profitable solution to governance.

Spillover Costs

Before diving into a further discussion of the five levels of governance as I see them, I want to look at the notion of reuse a little differently. Typically reuse is seen as the cost saving from leveraging an existing asset rather than building it from scratch again. Although this definition is true, it is also somewhat thin.

Consider the fictitious organization, Runner's Inc., an online retail store with two primary lines of business: apparel and footwear. The footwear division develops a "service" for placing orders into a central CRM system. This service is funded and maintained by footwear, which directly receives reuse value from a single order service and, going forward, no longer needs to factor such development into projects. The apparel division also has a need to place orders and was about to spend funds and development cycles on building an order service. Obviously, it makes sense for apparel to leverage footwear's service. This is what we could term pure reuse.

Taking another look at this scenario, we identify the existence of spillover costs or externalities. A spillover is the cost or benefit accruing to an individual or group external to a transaction. In the example above, the issue footwear is trying to solve is an easy approach to placing orders. Apparel may find a spillover cost of reduced sales due to a more streamlined process of placing footwear orders rather than apparel orders. Such a situation would prompt apparel to either build their own or leverage footwear's service through negotiation with IT. If apparel manages to reuse the existing service, they are, in fact, receiving a spillover benefit: the reduction in funds that would have been needed to develop a new service from scratch. Alternatively, apparel may also see an associated spillover benefit of increased sales as news of footwear's streamlined ordering process promotes more visitors to the Runner's Inc. Web site.

As you can see, there is little incentive at Runner's Inc. for apparel to build a reusable service; they can simply leverage footwear's services and benefit their business by reallocating these funds to another area of the business. This conundrum is typically where governance rears its head. Businesses agree that a service should be owned and managed by a central body to which they will pay some form of ongoing annuity to fund such development, or the organization will develop a pay-for-use model to leverage centralized services. Unfortunately, each approach hits squarely up against a deciding factor: cost. The simple truth is if a line of business can develop something cheaper for its direct benefit, it will do so unless compelled by profit to do otherwise.

Levels of Governance

With a bit of background on the problem and the need for some form of governance process with SOA initiatives, it is helpful to identify certain levels of maturity within an organization. The table below provides a brief description of the five levels of governance defined within this article. The remainder of the article will dive deeper into the benefits and the negatives of each level identified.

| Level | Name | Description |
|---|---|---|
| 0 | No Governance | To each their own. LOBs look after their own interests. |
| 1 | Individual Bargaining | Small number of LOBs negotiate a mutually acceptable solution. |
| 2 | Advisory Centralized | Centralized governance group formed. Can provide guidance but cannot enforce. |
| 3 | Empowered Centralized | Centralized governance group formed with authority to force compliance. Pushback/non-compliance common when compliance goes counter to profit. Governance with teeth. |
| 4 | Market-based Centralized | Centralized governance group provides quotas for compliance. Individual LOBs can negotiate between themselves to achieve compliance and profit at the same time. |

Level 0: No Governance

Level 0 governance does not need much explaining. Lines of business operate independently and often competitively for resources to achieve individual goals. Organizations operating at this level are likely to require considerable effort from a cultural perspective before recognizing the value of sharing resources and organizational goals.

Level 1: Individual Bargaining

So how can apparel and footwear come to a mutually acceptable solution? If the parties involved are relatively few, they may be able to bargain and come to a decision. This approach, often called the Coase Theorem by economists, may be considered a level 1 governance model. Apparel may negotiate with footwear to allow the sharing of the order placement service in exchange for something else of tangible value to footwear. Examples may include sharing of resources for maintaining the code, hardware to support the increased usage, and annuity costs or anything else of value that footwear may use for compensation.

Individual bargaining may solve many Level 1 governance issues, but the situation becomes much more complicated when the number of parties involved increases or bargaining includes use of community property such as IT infrastructure or network bandwidth. Consider the issue of global warming as a real-life example of individual bargaining not being possible due to the large number of parties and competing interests involved. To manage such situations, an external party must be involved to broker an acceptable solution. Enter the centralized governance board.

Level 2: Advisory Centralized

As competing interests and high costs of individual bargaining increase, many organizations establish some form of governance board to act as a centralized authority. With SOA this governance board may determine enterprise services and strategies for promoting reuse across lines of business. This Level 2 governance model acts more in an advisory capacity. Organizations may have some funding to create and maintain enterprise services and may also establish blueprints for lines of business to follow going forward. Lines of business are encouraged to comply, but there is no real authority of the governance board to enforce compliance. Experience has shown that most organizations undertaking SOA initiatives fall under this category.

Advisory Centralized governance models are especially prone to lines of business determining the most cost-effective way of achieving profit (remember that factor identified at the start of this article?) and acting on it. In the long run governance boards may be considered a level of bureaucracy that impedes business activities and increases costs. The funds being apportioned to the governance board may be reallocated back to lines of business to build more non-reusable assets. If these reallocated funds increase business profit and reduce operating costs, then any centralized SOA initiative is doomed to failure.

Level 3: Empowered Centralized

To address the shortcomings of Level 2 governance, organizations with strong IT leadership may lobby for some form of governance board that has the authority to demand and enforce compliance. As indicated, an empowered centralized governance board, considered here to be a Level 3 governance model, must have senior, C-level executive buy-in to ensure that mandates are enforced.

Organizations employing an Empowered Centralized governance model may address the need to control spillover benefits (and therefore increase incentives for compliance) through a number of mechanisms, most notably:

Direct controls

Direct controls attempt to enforce compliance by limiting certain activities. Any parties who fail to comply are punished in some manner. Punishment for non-compliance may include fines, restricted quality of service, and lower or weak Service Level Agreements. An unfortunate side effect of direct controls may be high costs of production or development. Sarbanes-Oxley is an example of direct controls placed on organizations by the government. Many companies must increase production costs or expend additional development funds to avoid being fined.

Undoubtedly, some organizations calculate the cost of being non-compliant (the amount that the company will be fined as a result of non-compliance). If this cost is less than the costs to develop compliant systems, then the incentives are not strong enough for an organization to allocate the resources and effort to the task. Keep in mind that costs do not always refer to monetary amounts when referring to direct controls and compliance. For example, if non-compliance may result in prison time for executives, then this is a very strong incentive. Just ask the former WorldCom executives!

Specific taxes

Another approach that may be utilized by the governance board is to levy taxes or charges on systems or activities not approved by the board. Business units are then given the option of adhering to compliance policies or risk being taxed for non-compliance. Such a model allows business units to undertake cost-based analysis and decide which activities make sense to be compliant with and which activities do not.

Going back to Runner's Inc., assume the CTO has provided support to the formation of a Level 3 governance board that has promoted footwear's order service to an enterprise service; it is now considered the only compliant order process within the company. Apparel's business analysts undertake some analysis and decide that changing all of their 10 systems to be compliant may cost $100,000 whereas the cost for non-compliance is a tax of $2,000 per system per year—a total of $20,000 ($2,000 x 10) for each year of non-compliance. Apparel may decide they will pay the $20,000 per year rather than invest $100,000 of development capital upfront to become compliant. In addition, apparel may decide that the opportunity cost of the remaining $80,000 ($100,000 - $20,000) is better leveraged for other system development, which will produce a higher rate of return annually than the cost of compliance. The important aspect to recognize here is that the line of business has the ability to decide what makes more business sense, or more specifically, what makes more profit for the business, unfortunately sometimes to the detriment of the governance initiative within the organization.

Subsidies

Similar to the specific taxes approach to enforcing compliance is the idea of subsidies. The governance board may decide to subsidize certain line-of-business activities to make it more attractive (reduce the cost and therefore increase the profit) to obtain compliance. This approach may include subsidies on software purchases to promote an ESB strategy, provide access to shared or common resources such as additional network bandwidth, subsidize training on specific technologies, or simply inject funds into key projects. Quite often Level 3 governance organizations combine specific taxes and subsidies together to make the incentive to be compliant very difficult to refuse.

The Tragedy of the Commons

So where does this leave us with regard to SOA governance? Even more mature organizations that adopt Level 3 may face issues ensuring commitment by line-of-business representatives. The natural evolution is for the governance board to seek additional sponsorship and funding and begin to build common resources that are mandated upon lines of business. These mandates are often hard to deny as they come without a price tag and with high visibility (the CTO may be funding many of the initiatives).

Consider the often precarious position that IT infrastructure teams are faced with. These teams often are formed as a way of providing common assets to be leveraged in a consistent manner by all business units in an effort to drive down costs. This situation sounds strikingly similar to what SOA governance proposes, doesn't it? What begins as a noble idea soon becomes polluted by misuse and typically overuse. Lines of business will ensure their business functions and IT operations are maintained because they see value in doing so; they receive a profit from it. Common infrastructure assets, on the other hand, are often abused as each individual or business unit sees their individual contribution to misuse or overuse as small and of little or no overall consequence. But as any infrastructure support engineer knows, these actions when multiplied over time result in a degradation of overall effectiveness of the resources. This degradation is often termed The Tragedy of the Commons. The overall effect is greatly reduced incentive to opt in at any cost to the governance initiatives due to direct costs and the fact that these costs may be able to be transferred to another business unit such as the Infrastructure team.

Although Levels 1 to 3 of our governance models can provide some effectiveness, the question still remains whether there is a more substantial governance model that organizations may adopt to assist in their SOA initiatives.

The answer, I believe, is yes, but we need to start thinking differently!

Level 4: Market-based Centralized

Enter the market-based centralized or Level 4 governance model—a model, I believe, that has been sorely overlooked in relation to SOA governance. The basic tenet is that the governance board can create a market for those spillover benefits and costs identified early in the article. In a market-based approach, the governance board would determine the amount of compliance while maintaining an acceptable level of profit for the business. Runner's Inc. has established a governance board that has determined the demand for reusable services is in the range of five services per year. Both footwear and apparel are awarded five credits for subsidies for compliance in year 1.

How does such an approach differ from the direct controls of a Level 3 governance model? Suppose it costs footwear $1,000 per service to make it compliant and reusable, while it costs apparel $5,000 per service. However, apparel is losing sales to a new competitor and, as a result, has an increased incentive to update its aging systems. Without a market for compliant services, apparel would have to spend $5,000 developing a service, but with a market-based system, apparel could negotiate with footwear to buy a service for $2,000 (perhaps the order processing service mentioned previously). Apparel reduces its non-compliant systems by 1 at a cheaper rate than building its own ($5,000 - $2,000 = $3,000), and footwear makes a profit ($2,000 - $1,000 = $1,000). The net result is the reduction in non-compliant systems, and profit is achieved by all parties. Our inhibiting factors of cost and profit are both obtained!

The Law of Diminishing Returns

So why wouldn't footwear want to use up all of its "credits" of compliance to achieve greater subsidies from the governance board? The answer lies in an economic principle called The Law of Diminishing Returns. This law assumes that with technology fixed, as successive units of a variable resource (say, labor) are added to a fixed resource (say, capital) beyond some point the extra, or marginal, product that can be attributed to each additional unit of the variable resource will decline. Put simply, beyond some point, the same amount of resources such as capital or costs will return less benefit. For example, footwear may see 10% improvement for making the first two compliant services, but only 5% improvement on the third service. By the fourth or fifth service, this improvement may have dropped further and cost more to achieve. We have all heard of the 80/20 rule where 80% of the effort is spent on 20% of the problem. This is the Law of Diminishing Returns at work. At some stage it is just not worth the investment for footwear to produce compliant services.

Without a market-based system, the additional subsidies would be wasted. Under the market-based system, footwear makes a profit and apparel can continue to improve their systems through compliance initiatives.

Conclusion

Successful governance initiatives to support SOA adoption are often detailed through two primary and complementary factors: cost and profit. Both factors form strong incentives for business leads to counter any governance recommendations and must be addressed early with the SOA initiative. Many organizations, through individual bargaining, already have established ad-hoc processes of governance. Care must be taken when centralizing this function to ensure both cost and profit remain on the charter of more mature governance models.

Even as organizations centralize these governance processes, it is very difficult to sustain efficiency until a market of demand is established to promote organic growth of shared services and reuse. As the Law of Diminishing Returns identifies, there will always be a portion of IT or business functions that will not be cost-effective to transform into shared services. However, as long as the market-based demand exists, all lines of business will strive for reuse to increase profit and reduce costs.

In the end that's what it is all about!

Quinton Wall is a Sr. Product Marketing Manager for Integration at BEA, where he is responsible for articulating the strategic vision and direction of products such as WebLogic Integration and AquaLogic Integration.