Is Corporate Governance Headed for a Mashup?

The role and importance of governance is growing. As enterprises embrace governance, risk and compliance (GRC) platforms, as well SOA (service-oriented architecture) governance approaches, are these capabilities headed for a mashup, if not technically than at least operationally? Do they lead to an uber-governance that eventually includes how the business itself is run?

Our analysts have some unconventional and startling conclusions, as well as thoughtful insights. Join noted IT analysts Steve Garone, Joe McKendrick, Neil Macehiter and Jim Kobielus for our discussion, hosted and moderated by myself, Dana Gardner.

We also look into the recent announcement of the SOA Consortium, a group of both vendors and enterprises, was created in February to promote the adoption of SOA. We examine the agenda and consider the outcomes.

Listen to the discussion (38:59 minutes).

Here are some excerpts:

On Governance Convergence

Dana Gardner: We’ve seen over the years on the management side governance platforms, dashboards, approaches and methodologies along the lines of a Balanced Scorecard approach, or process re-engineering. Also, we have parallel and yet still disparate tracks for IT governance. They’re trying to automate and to provide control for those managing the IT life cycle. As we get more toward a mixed environment of services, perhaps from a variety of different sources, SOA governance plays a larger role. Alongside that on a parallel track are governance, risk and compliance (GRC) platforms and a number of prominent vendors.

Jim Kobielus: You see business intelligence, corporate performance and management, business process management, identity management, document management, all these things, all these existing technologies, being lumped under this GRC heading. Vendors are building products or platforms into which they’re able to plug in, and are plugging in, various tools specifically geared towards GRC. In other words, a legitimate new niche of GRC vendors is growing up.

SAP has begun to roll out a GRC platform that includes a repository of policies and rules, a process modeling tool geared towards building business controls as structured workflows and also testing and monitoring those controls. They rolled out a performance management dashboard environment under which you can roll up a unified view of your compliance and your corporate risks across all governance categories. The categories include SOA governance, IT governance and operational business governance and so forth.

Computer Associates has its Clarity family of products, and there are some smaller but just as important vendors like OpenPages and MEGA International, BWise and several others that have similar product architectures and similar modular approaches to plug-ins. For example, you can plug in to most of these environments a module to do IT governance in compliance to say, CobiT or ITIL.

To some degree, the GRC vendors are all pretty much SOA-enabled in the sense that they have native implementation of Web services, but I’m not yet seeing the vendors in that camp, other than SAP, with a strong SOA story or SOA partnerships. To what extent do you all see a convergence between business governance a la GRC and SOA governance?

Neil Macehiter: There is a need for this convergence to occur. For example, the services that are actually supporting your business processes are capable of enforcing the policies that allow you to monitor the controls and enforce the controls that you need to demonstrate compliance. That extends across things like identity management solutions, which have also come up with their own compliance solutions focused on their particular bit of the overall IT architectures. In their case it’s around authentication and authorization and things like separation of roles and segregation of duties. It needs to become systemic, and it’s not just SOA governance that needs to be tied into this. It’s also the work that’s going on in the IT service management.

SOA governance specifically has evolved very much from a bottom-up perspective, in terms of initially addressing design time governance, and then gradually extending into the more run-time governance. Meanwhile, we’ve got things like the GRC solutions from the likes of SAP with Versa coming at it very much from the top-down perspective. The problem is they are not meeting in the middle yet.

Steve Garone: One of the interesting nuances here is that both approaches eventually need to focus on the business processes within the company, and optimize them for various reasons. SOA tends more, at least right now, to focus on making business processes work more efficiently. How those services are segmented and designed functionally ideally should reflect that; whereas, for the enterprise architectural approach and the GRC approach, we’re looking more at being able to meet compliance needs.

The question becomes how do you develop a services-oriented approach that meets both of those needs, optimizes compliance on one end, and optimizes customer satisfaction and performance and business agility on the other hand. Those could ultimately be in conflict, as these two worlds come together, and that’s an interesting new answer that organizations are going to have to look at.

On the SOA Consortium

Gardner: On Feb. 12, the SOA Consortium, a group of both vendors and enterprises — they are calling themselves Global 1000 end-user Organizations, formed to bridge some of these gaps and promote the best interests of different constituencies within organizations, as well as within vendors and types of vendors.

The declared goal of this organization is to promote the adoption of SOA, and they’ve given themselves a deadline of 2010. So, in the next three or four years they want to get more people aware of SOA as a key enabler, as an element of any modern 21st century architecture and enterprise. They want to achieve benefits of SOA to change both IT and business, bridging the gaps and silos, both technically as well as culturally. They want to help the perception of SOA by business executives, they say, as an IT integration and productivity story, rather than a business agility story.

It seems to me to be saying that the story around business agility is a systems integrator business and organizational management topic. I think that the underlying agenda between the lines here is to help create a level of some standardization, perhaps around governance, perhaps around SOA interoperability. But, clearly there’s going to be a set of standards that’s going to evolve from this, not just from the perspective of the vendors, but also the end-users. And, that in itself strikes me as somewhat positive.

Click here for more podcasts.