Anne Thomas Manes

Anne Thomas Manes is the Vice President and research director for Burton Group Application Platform Strategies. She covers service-oriented architecture (SOA), web services, XML, governance, Java, application servers, superplatforms, and application security.

Prior to joining Burton Group, Anne was chief technology officer at Systinet, a SOA governance vendor (now part of HP), and director of market innovation in Sun Microsystems's software group. With 28 years of experience, Anne was named one of the 50 most powerful people in networking in 2002 by Network World and among the "Power 100 IT Leaders" by Enterprise Systems Journal.

Anne has authored "Web Services: A Manager's Guide" (Addison-Wesley, 2003) and contributed the foreword for the new book "Next Generation SOA" (Prentice Hall, 2009). Anne has also participated in Web services standards development efforts at the W3C, OASIS, WS-I, and JCP.




Understanding SOA Governance

Published: June 11, 2010 • SOA Magazine Issue XL


Effective governance is a critical element in fostering a successful SOA initiative. SOA promises to deliver a number of important business benefits, including faster time-to-market, lower costs, better consistency, and increased agility. But with great benefits come high risks. SOA requires fundamental changes to the planning, development, and operation of application systems, and it requires new levels of collaboration among project teams within the IT department and across lines of business. In fact, current IT practices, which typically focus on individual projects, time-to-market, and cost containment, frequently discourage SOA adoption.

SOA governance helps the organization succeed with SOA by mitigating these risks through established rules, processes, and decision-making authority. A SOA governance program helps people do things according to the organization's goals and best practices. An effective governance program empowers people to handle ambiguity, balance short- and long-range goals, and reduce conflict within the organization.

The following article (an excerpt from the upcoming book "SOA Governance" [REF-1], part of the Prentice Hall Service-Oriented Computing Series from Thomas Erl) provides an introduction to governance, explains how it works, and differentiates it from management. You will find this content useful if you have not been involved in establishing a governance program before or if you would like to gain another perspective on the mechanics of governance.

Governance Basics

Governance is the organizational system that a society (such as a country, state, or city) or organization (such as a corporation, standards body, or open source community) uses to govern itself. Governance is a meta-decision system; that is, it is the means by which an organization makes decisions about decision-making. Within this context, governance will:

  • Place constraints on decisions
  • Determine who has responsibility and authority to make decisions
  • Establish parameters and constraints that control, guide, or influence decisions
  • Prescribe consequences for non-compliance
      At the highest level, governance is established by the society's constitution or the organization's charter and by-laws. These founding documents prescribe top-level authorities and constraints from which all other decision-making authorities derive. At deeper levels in the organization, governance prescribes policies, standards, and processes that guide and control day-to-day decision-making activities.

      Good governance mitigates conflict within an organization by clearly defining responsibilities and authorities. It reduces ambiguity by articulating rules, processes, and decision guidelines. It helps balance short- and long-range goals by expressing the intents and purposes of its rules. An organization establishes governance to reduce risks and to encourage its people to advance the corporation's strategy, goals, and priorities. In other words, governance is a system that helps people do what's right for the business.

      The System of SOA Governance

      SOA governance is the meta-decision system that an organization puts in place to manage and control decisions related to SOA. Executing a SOA initiative involves making many decisions that have significant ramifications for the company. For example:

      • Who approves SOA investment proposals?
      • What are the approved technologies and products developers should use to build services?
      • What's the procedure for requesting permission to use a service?
      • What testing is required before deploying a service enhancement?
      Such important decisions require governance. Without governance, an organization has no control over decisions made by the people who design, develop, test, implement, and use services, and their efforts can quickly spiral into chaos.

          The Benefits of SOA Governance

          SOA governance establishes departmental or corporate standards that help ensure that service-oriented systems deliver the value they are intended to deliver. Governance standards ensure that service designers and developers effectively apply service-oriented principles and patterns when building systems. As described in the SOA Manifesto, it is only through the effective application of SOA principles that organizations can attain the promised benefits of SOA. SOA governance ensures more consistency of service-oriented systems. Consistent system design increases the likelihood that the SOA initiative will yield the following benefits:

          • Interoperability - Development standards ensure that services support common protocols and data models, enabling easier interoperability across disparate systems.
          • Composability - Development standards ensure that developers use proven design principles and patterns that enable service composition and reuse.
          • Maintainability - Development standards ensure that developers use proven design principles and patterns that reduce dependencies among system components, enabling easier maintenance of individual components.
          • Visibility - Deployment standards ensure that systems are properly instrumented, thereby enabling business analysts to monitor business processes and system analysts to monitor runtime operations so they can detect business and technical anomalies before they become incidents or issues.
          • Faster time to market - As the portfolio of interoperable, composable, and maintainable services grows, the organization will be able to deliver new solutions and enhancements more quickly.
          • Return on investment (ROI) - Funding standards ensure that organizations make wise investments. Design, development, and deployment standards ensure that the investments bear fruit.

          Why You Can't Buy Governance

          When someone says "SOA governance," many people immediately think of products, such as registries, repositories, security appliances, and SOA management suites. Although these products are useful, they are just tools, and they won't give you governance. These so-called governance products actually focus more on management than governance. They can automate some processes, but they won't help you determine who gets to make decisions, and they won't help you define the rules, processes, and decision-making guidelines that are the essence of governance.

          Governance is fundamentally about people and practices. SOA governance is something you do, not something you buy.

          Governance is Not Management

          Although the two are closely related, governance is separate and distinct from management.

          • Governance establishes the rules that control decision-making.
          • Management makes decisions and ensures that underlings make decisions according to the rules.

          Governance does not dictate when or how to make a decision. It determines who should make the decisions and establishes limits for them. Management directs day-to-day activities and is responsible for ensuring that daily decisions made adhere to the governance rules. No matter how great, governance cannot replace management, nor can it compensate for poor management. Likewise, management cannot be a replacement for governance, nor compensate for poor governance. Furthermore, poor governance inevitably hampers the ability of good management to make decisions by clouding authority and priorities.

          Governance Styles

          Governance must reflect and complement an organization's culture and management style.

          • What's the norm within the organization?
          • How much autonomy does each division, business unit, or department have?
          • How comfortable are managers with delegating responsibilities to their staff?
          • How free are decision-makers to use their own judgment when making decisions?

          Figure 1 - A demonstration of how an organization's culture determines its governance style

          The horizontal axis in Figure 1 represents the degree of autonomy given to separate groups in the organization. At one end of the spectrum, all decision-making is centralized (comparable to a monarchy). At the other end of the spectrum, each group establishes its own policies and procedures (comparable to a feudal society). Many organizations opt for a federated model, which permits each business unit a degree of independence while increasing consistency and reducing contention between fiefdoms.

          The vertical axis in Figure 1 represents the degree of control imposed on decision-makers. At one end of the spectrum, rigid policies dictate required actions, and decision-makers have little freedom to apply their own judgment. Too much rigidity feels like a totalitarian society and often generates a great deal of resentment. At the other end of the spectrum, flexible policies provide suggestive guidance, leaving much to the discretion of the decision-maker. Too much flexibility can lead to anarchy.

          The Goldilocks Principle

          Most organizations strive to find a balance between centralization and decentralization; between rigidity and flexibility. They look for a model that's just right. But no single governance style is correct for all organizations. An organization must adopt a governance style that aligns with its culture and management style.

          Empowering People

          Good governance empowers people to do what's right for the business. Poor governance unnecessarily constrains or inhibits decisions, or it fails to provide enough decision-making guidance. All governance, whether good or bad, places limits on the decisions and behaviors of the people being governed. It also prescribes consequences for those choosing not to abide by limits imposed.

          The Mechanics of Governance

          Governance provides a systematic way for organizations to make decisions. Governance is implemented using:

          • Precepts - define the rules that govern decision-making
          • People - make decisions
          • Processes - coordinate decision-making activities
          • Metrics - measure compliance


          Precepts are the essence of governance. A precept is an authoritative rule of action. Precepts determine who has authority to make decisions; they establish constraints for those decisions; and they prescribe consequences for non-compliance. Precepts codify decision-making rules using:

          • Principles - broadly define a precept and establish responsibility and authority for the precept
          • Policies - define specific aspects of the precept and establish decision-making constraints and consequences
          • Standards - specify the required formats, technologies, processes, actions, and metrics people should use to implement a policy
          • Guidelines - non-mandatory recommendations and best practices

          NOTE: Many people use the term "policy" in place of "precept", and if that terminology works better in your organization, then use it when talking to others about governance. However, keep in mind that as you develop your governance rules, a policy is just one aspect of a precept.


          People make decisions in accordance with and within the constraints stipulated by the governance precepts. For a governance program to be successful, people must understand the intents and purposes of the precepts. They must understand and accept the responsibilities and authorities established by the precepts. Governance is closely associated with the organization's incentive systems. The organization must foster a culture that supports and rewards good behavior and deters and punishes poor behavior.


          Processes provide the means and opportunities to control decisions, enforce policies, and take corrective action. Technically, processes are management activities rather than governance, but a governance system is dependent on processes to ensure compliance with its precepts.

          An organization is likely to use a variety of processes to support its precepts. Some processes are automatic and system-driven; others require human effort. Automatic processes often perform mundane work, such as validating artifacts to ensure they comply with required formats or templates. Many organizations also rely on workflow systems to coordinate approval processes, but rely on people to make important decisions.

          The processes that support these decisions typically cannot be automated:

          • Review and assess investment proposals
          • Review system and service designs
          • Select products and technologies


          Metrics provide the means to measure and verify compliance with precepts. Metrics also provide visibility into the progress and effectiveness of the governance system. They provide insight into the efficacy of the governance system and can indicate if a particular policy or process is too onerous. Metrics also measure trends, such as the number of violations and requests for waivers. A large number of waiver requests may indicate that a policy might not be appropriate.


          • Governance is something you do, not something you buy.
          • Governance determines who has responsibility and authority to make decisions, it establishes parameters and constraints that influence, guide, or control decisions, and it prescribes consequences for non-compliance.
          • Governance is separate and distinct from management. Governance defines the rules. Management makes decisions according to those rules.
          • Governance must reflect and be compatible with an organization's culture and management style.
          • Governance should empower people to do what's right for the business.
          • Governance is implemented using precepts, people, processes, and metrics.
          • Precepts define the governance rules. They establish decision-making authority, define constraints for decisions, and prescribe consequences for noncompliance.
          • People make decisions in accordance with the governance precepts.
          • Processes provide the means and opportunities to control decisions, enforce precepts, and take corrective action.
          • Metrics provide the means to measure and verify compliance.


          [REF-1] "SOA Governance" by Toufic Boubez, Clive Gee, Thomas Erl, Anne Thomas Manes, Robert Moores, Robert Schneider, Leo Shuster, Andre Tost, Chris Venable,