Biske also makes a strong argument for reference architectures as part of the review process. “Architectural reviews tie the project back to the reference architecture, but if there’s no documentation that projects can be judged against, the architectural review won’t have much impact.
Investing in the right tools
Some organizations put off buying registry and WSM tools in the interest of cost, hoping they can show value first and ask for the tools budget later. The problem with that strategy is that you give up some of the most effective incentives you have to establish governance early in the game.
Registries are used for managing and communicating governance artifacts as well as automating key governance activities. Registries are also important for enforcing policies. By setting up a registry for production-level services and writing policies to achieve that status, you can control the properties of services that are used inside your organization. For example, you might require that production-level services meet certain security, identity, and even financial standards. Reviews of the service before it’s promoted to production can enforce those policies effectively.
Where registries provide the leverage you need to enforce design-time and deploy-time policies, WSM systems — such as those that Actional, AmberPoint, and SOA Software provide — help enforce runtime policies. Because WSM tools proxy deployed services, they can ensure that authentication happens in a certain way or that service levels are met.
For policies they can’t enforce directly, WSM systems provide a single point for auditing and logging service interactions. In addition to being a critical part of SOA governance, WSM tools also save developers from building features such as security, logging, and exception handling into their code, thus increasing reuse and code correctness.
Evangelism and expertise
Governance works best when it’s built into the organization. One of the organizational support structures that practitioners mention time and again is the COE (center of excellence). A COE can showcase best practices, evangelize SOA, and answer questions. “Creating a center of excellence helps communicate the tough lessons learned about SOA to the rest of the organization,” says Bob Laird, an IT architect in IBM’s SOA practice. “The center of excellence spreads expertise, develops standards, and communicates best practices.”
In many cases, PMOs (project management offices) already control how and when projects happen, so they’re a great place to set up unintrusive enforcement. Laird says, “A strong project management office organization is critical if projects are spread across multiple development silos. Without the PMO, you get integration gridlock. The PMO governs the project portfolio and works with the center of excellence, which provide enforcement and adherence to standards for those projects, thus increasing interoperability.”
Along the way, the funding process can be your best friend or your worst enemy. As MomentumSI’s Biske notes, “Scope gets defined early, but when you get into the project, you find out that the scope has changed.” If it’s difficult or impossible to scale funding levels accordingly — probably because the project was defined in a naïve fashion — you can end up in big trouble. “Figure out how it all ties back to the IT governance and funding process,” he says, “or service development will fall by the wayside when project pressure builds.”