• SOA Source Book
• Service-Oriented Architecture
• The Open Group Service Integration Maturity Model (OSIMM) Version 2
• SOA Reference Architecture
• Service-Oriented Cloud Computing Infrastructure (SOCCI) Framework
• Using TOGAF to Define and Govern Service-Oriented Architectures
• SOA Governance Framework
• Introduction
• Background
• SOA Governance
• SOA Governance Reference Model (SGRM)
• SOA Governance Vitality Method (SGVM)
• SOA Governance Process Activities
• SOA Governance Process Information Entities
• SOA Governance Metrics Example
• Referenced Documents
• Acknowledgements
• Legal
• Service-Oriented Architecture Ontology Version 2.0
• Legacy Evolution to SOA
• Microservices Architecture
• SOA for Business Technology
• Navigating the SOA Open Standards Landscape Around Architecture
• SOA in the Digital Age

SOA Work Group

SOA Standards Discussion Forum

SOA Work Group Members Page

SOA Governance Framework – SOA Governance Vitality Method (SGVM)

The SOA Governance Vitality Method (SGVM) is a process that utilizes the SOA Governance Reference Model (SGRM) as a baseline and then follows a number of phased activities to customize this baseline model to cater to the organization’s variants. SOA governance should be viewed as a process and not a project; therefore, the phases of the SGVM should be viewed as a continuous improvement loop, whereby progress is measured, and course-correction and updates to the SOA Governance Regimen and SOA Governance Roadmap are performed when needed.

SGVM Phases

The phases of the SGVM as illustrated in SGVM Phases are:

• Plan – Identify and analyze the core governance areas for improvement. Establish objectives/plan and specific measures for a proposed increment. Previously deployed increments are also evaluated for any necessary improvement.
• Define – Define the SOA Governance Model Transition Plans required to deliver the objectives defined in the Plan phase.
• Implement – Implement the Transition Plans including deployment of processes, organization, and technology aspects of the SOA Governance Model.
• Monitor – Monitor the effectiveness of the currently deployed SOA Governance Regimen and whether it is meeting its intended purpose. This phase may start another iteration of the SGVM.

Plan Phase

It is in the Plan phase that the needs and priorities of the business are documented, along with the role of the organization in meeting those needs. Also, the state and maturity of the current organization’s governance are assessed and gaps are identified. From all this analysis, the SOA governance vision and strategy, as well as the scope, are documented. A governance roadmap may be created to describe planned future iterations of the SGVM.

Plan Phase Activities

Understand Current Governance Structures

The purpose of this activity is to understand the current governance structures of the organization and use them to understand how the generic framework should be adapted. The structures for Business, IT, and EA governance are examined from process, organizational, and technology points of views. If any SOA governance structure or IT governance structure that would also be useful for SOA governance exists, it can be used as a starting point. Existing IT and EA control points should be analyzed for re-use and relevance in the SOA context.

The main tasks within this activity are:

• Identify SOA governance stakeholders; this will include some that are pertinent on a tactical perspective, as well as strategic (which may include a different set)
• Investigate the current governance model by reading existing documentation, interviews, and workshops with stakeholders

Assess SOA Maturity

The purpose of this activity is to create an understanding of the maturity level of SOA within the organization and its change readiness to ensure the SOA Governance Framework is defined to a level appropriate for the organization.

• When the maturity level increases, the SOA Governance Regimen needs to be modified (detected in the Monitor phase and managed in the next iteration through the SGVM).

The maturity assessment allows you to have a good understanding of where an organization is at the present time. A complementary effort is to define where they want to be. These two activities can serve as input for the formation of a governance roadmap.

The OSIMM can be used to structure this assessment. Using OSIMM, the SOA maturity of the organization is assessed across a set of perspectives:

• Business – includes how the business has structured itself for change (e.g., whether any process management efforts exist).
• Organization – includes several governance elements, including assessing the current SOA governance capabilities (organization, processes, technology).
• Methods – includes the techniques used in the current SOA processes (from inception to delivery).
• Applications – includes assessing how applications are managed as a set, and particulars regarding their assembly and maintenance.
• Architecture – includes assessing the core structures and patterns influencing the current technical direction and used as foundation for designs in the organization.
• Information – includes assessing the approaches given to data management and business intelligence.
• Infrastructure – includes assessing the current infrastructure capabilities to support the needed SOA effort.

Tasks within this activity make use of workshops and interviews to achieve their goals. Complementary to the maturity assessment, a change-readiness assessment may also be delivered using tools like Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis.

It should be noted that not all assessments need to include all the categories listed above. There may be situations in which a focus solely on the organizational perspective, including governance, would be preferred.

Develop SOA Governance Vision and Strategy

The purpose of this activity is to develop the long-term vision for SOA governance for the organization and the strategy to realize it.

The main tasks within this activity are:

• Use the SOA governance principles and SOA strategy to create the long-term SOA governance vision for the processes, organization, and technology for the organization
• Develop a high-level strategy for achieving that vision

The high-level strategy should include:

• Definition of the return-on-investment of governance activities
• Definition of the metrics necessary to be able to measure the value of the governance activities; see the SOA Governance Metrics Example
• Execution of an analysis of the organization strategic initiatives and their relation to possible SOA efforts; this will help clarify prioritization within the SOA governance strategy

Develop SOA Governance Scope

The purpose of this activity is to set the scope of the SOA governance effort including identifying the people and processes in the organization that will be affected and the level of control that will be applied. This is important because there could be a seemingly infinite number of governance mechanisms (e.g., control points, policies, etc.) that could be put in place. This activity focuses on making sure that only the needed governance elements, as scoped by particular SOA maturity, needs, and risks, are defined. The scope is defined using the principles, the current governance, and the maturity level.

Develop SOA Governance Principles

The purpose of this activity is to adapt the generic SOA governance principles from SOA Governance Guiding Principles to the specific organization.

The main tasks within this activity are:

• Validate the generic SOA governance principles against the organization’s SOA strategy, its SOA maturity, and its organization, business, and IT principles
• Add appropriate SOA governance principles unique to the organization
• Create an SOA governance principle list with descriptions, motivations, and implications
• Get approval of SOA governance principles from the proper stakeholders (including program sponsors)

Develop SOA Governance Roadmap

The purpose of this activity is to develop an SOA Governance Roadmap which will define a number of iterations of the SGVM cycle. The first SGVM cycle should provide for the practical initial deployment of the SOA Governance Regimen. Additional iterations are defined to eventually realize the SOA governance vision. As SOA maturity increases, this SOA Governance Roadmap will need to evolve. In addition, the SOA Governance Roadmap will need to be in synch with the SOA Roadmap as it is deployed and adjusted.

Define Phase

The generic SGRM is used with the results from the Plan phase to create the target SOA governance architectures for the organization, processes, and technology.

The gap between the current SOA governance and the target is analyzed and used to create a set of transition roadmaps. These transition roadmaps contain transformation initiatives for organizational, process, and technology areas for this iteration of the SGVM.

Define Phase Activities shows a set of activities to be performed during the Define phase, not necessarily in this exact order.

Define Phase Activities

Define Governed SOA Processes

The purpose of this activity is to identify the SOA processes used by the organization to be modified or have checkpoints added to enable SOA governance. The processes from Governed SOA Processes are:

• SOA Solution Portfolio Management
• SOA Solution Lifecycle
• Service Portfolio Management
• Service Lifecycle

SOA Governance Process Activities provides a set of exemplar SOA processes and suggested SOA governance opportunities and checkpoints. The main task of this activity is to review the existing SOA process together with the example processes and checkpoint and describe the target SOA processes and checkpoints according to the SOA governance scope, vision, and strategy.

Define Governing SOA Processes

The purpose of this activity is to adjust the SGRM governing processes to the organization. The governing processes are defined in SOA Governing Processes. They are: Compliance, Dispensation, and Communication.

• Compliance – The purpose of this activity is to define a method to ensure that the SOA guidelines and standards are adhered to. Roles and organizational aspects should also be identified for execution of the Compliance process. A suggested method is to use the SOA Governance Checkpoints inserted into the SOA processes in the previous step. A set of possible checkpoints can be found in SOA Governance Process Activities.
• Dispensation – The purpose of this activity is to define the method to initiate Exception processes from Compliance processes. Define the detailed processes for the organization and the roles within the organization for carrying them out.
• Communication – The purpose of this activity is to educate, communicate, and support both the architecture and the SOA guidelines and standards across the organization. This activity should also identify communications mechanisms and technologies for making governance policies available.

Collect SOA Guidelines and Standards

The purpose of this activity is to collect existing SOA guidelines.

Define SOA Governance Organization, Roles, and Responsibilities

The purpose of this activity is to define the SOA governance organization and the associated roles and responsibilities.

The main tasks within this activity are:

• Adapt the generic organizations from the SGRM to the needs of the business
• Create additional specific, custom organizations which may be unique to the business
• Adapt the generic roles and responsibilities from the SGRM to the needs of the business
• Create additional custom roles and responsibilities for the organization which may be unique to the business

RACI diagrams may be used to document this.

Define SOA Governance Information Artifacts

The purpose of this activity is to define the information entities used in both the governing and governed SOA governance processes.

The main tasks within this activity are:

• Identify the governing processes information entities to maintain
• Identify the governed processes information entities to govern (ensure correctness)

The nature of the governed process informationartifacts will depend on the governed processes defined in the previous steps.

A set of possible SOA information entities can be found in SOA Governance Process Information Entities.

Define SOA Governance Environment

The purpose of this activity is to define the target SOA Governance Technology solution.

The main tasks within this activity are:

• Derive the SOA technology needs from the SOA principles, SOA strategy, SOA maturity, SOA governing/governed processes, information artifacts, and information usage.
• Ensure that the technology can support the current maturity level of the organization.
• Identify technologies which could include tools, such as registries and repositories. Some of these technologies may be used by both governed and governing processes. Tools may also include tools to manage architectural assets, policy, and knowledge.

Create Transition Plans

The purpose of this activity is to create a set of Transition Plans using defined organizational, roles, and processes using the SOA governance principles, the SOA governance strategy, and information about the organization.

There are three different transitions plans produced.

Organization Transition Plan

This plan contains the organizational roles and responsibility changes needed. The Organization Transition Plan includes an organizational assessment, future organizational design, identification of roles and responsibilities within these new organizations, a change readiness assessment, and transition processes which outline the impact on the organization. Organizational changes are made in parallel with the Process and Technology Transition Plans. Different organization changes may be needed as different tasks of the Implement and Monitor phases of the technology transition are executed. Appropriate linkage to the IT Transition Plans should be identified.

Some tasks that may be part of the Organization Transition Plan include:

• Identifying the stakeholders
• Identifying the organizations relevant to SOA governance, and defining how they interact with each other
• Identifying changes in the specific roles and responsibilities of the personnel within the organizations defined
• Identifying development and governance teams
• Identifying plans to address resource or talent gaps identified during the Define phase
• Scheduling training and education on the governance process

Process Transition Plan

The Process Transition Plan contains the processes changes necessary to implement SOA governance. The SOA Governance Process Transition Plan includes the set of detailed activities necessary to migrate the current governance processes, if any, to the newly defined ones. This may mean defining changes to implement in current processes and education on those new processes. A Program Manager should be assigned to provide overall management and standard project management of the SOA Governance Process Transition Plan.

Each step in the Transition Plan will address a governance deficit that was identified in the governance planning and definition steps. Each step will be created as a result of a Work Breakdown Structure which specifies the set of activities that must be performed in order to rectify the governance deficit. Each step in the Transition Plan can be expected to:

• Make use of governance “assets” that provide information on best practices, examples, process diagrams, or other assets as defined by those knowledgeable in governance state-of-the-art
• Have specified roles and responsibilities
• Have a schedule associated with the Transition Plan implementation

Technology Transition Plan

This plan contains the technology transition needed to implement SOA governance. The SOA Governance Technology Transition Plan includes the set of detailed implementation and deployment plans for the necessary governance supporting application and IT infrastructure. This includes identifying supporting infrastructure like repositories, registries, policy evaluation engines, and tools. Any missing technologies will need plans to acquire them. The Technology Transition Plan will need to include:

• Technology gap analysis and proposals
• Technology funding and acquisition plans
• Technology deployment plans
• Guidelines for each implementation project
• Architecture contract to govern the overall implementation and deployment process

Implement Phase

The Implement phase is responsible for enabling and realizing the governance solution determined in the Plan and Define phases. This phase implements the Transition Plans including deployment of processes, organization, and technology aspects of the SOA Governance Model. At the end of this phase, the SOA solution will be ready to be managed and governed.

Implement Phase Activities

The Define phase provides the SOA Governance Organization Transition Plans, SOA Governance Process Transition Plan, and SOA Governance Technology Transition Plan. The Organization Transition Plan includes plans for implementing organizational changes and possibly identifying either an organization change lead or a responsible governing body like an Enterprise Review Board which consists of business and IT executives. The Process Transition Plan includes the set of detailed activities necessary to migrate the current governance processes, if any, to the newly defined ones. The Technology Transition Plan includes selection of SOA governance tools, SOA governance infrastructure, SOA governance process, and organization metrics. Most importantly, from an execute perspective, it includes the detailed Migration and Implementation Plans which must now be implemented.

Effective project management is important for the Implement phase of SOA governance, just as one would do for any strategic project. As this will consist of implementation of the defined Transition Plans, it is important to consider the best manner in which this plan should be considered for implementation; that is, “governance of the governance implementation”. This should include at a minimum:

• Before starting implementation of these Transition Plans, develop guidelines for each implementation project.
• Create a project plan to govern the overall implementation and deployment process. Throughout this phase it is important to perform the appropriate governance functions while the system is being implemented and deployed. This includes identifying and contracting appropriate skills to execute the Transition Plan, including development, test, deployment, and executives.
• Be sure to review the Transition Plan and update it to reflect interim lessons learned, new initiatives, and approaches.

SOA Governance Organization Transition Plan Implementation

The Organization Transition Plan is executed over time and in a coordinated fashion with the Process Transition Plan and the Technology Transition Plan.

SOA Governance Process Transition Plan Implementation

The Process Transition Plan is executed to actually implement the governance checkpoints in the governed processes and to implement the governing processes.

SOA Governance Technology Transition Plan Implementation

Implementing the SOA Governance Technology Transition Plan includes doing gap analysis between available technology and the target technology. An acquisition and change to the current system may need to be made to fill the gap according to the Technology Transition Plan. During implementation this plan must perform appropriate governance functions while the system is being implemented and deployed. It must also ensure conformance with the defined architecture by implementation projects and other projects.

The following tasks are part of the implementation of any of these Transition Plans:

• Implementation of SOA Governance Framework Assets – Implement and/or acquire tools and mechanisms needed to support SOA governance. This includes instrumentation of existing SOA services, processes, and assets to enable their governance. Tools may require acquisition, installation, and configuration of hardware and software. Like any other development project, during detailed design and development milestones can be set to periodically check continued adherence to governance requirements and policies. Development tools doing model analysis and policy-based rules to support ongoing governance monitoring.
• Assemble the Governance Solution – Ideally the governance solutions should follow predefined rules and processes based upon defined SOA governance architectural principles and standards. In addition, techniques defined to implement and assemble SOA solutions in general should be used. This includes implementing flows, automated orchestrations, and business rules to drive governance. Ensure that these solutions adhere to the governance policies and requirements.
• System Verification – After the governance framework is built, conformance with the governance solution architecture, principles, design, and policies should be verified. Testing should include stress testing the governance framework for appropriate Quality of Service (QoS) and performance compliance.
• Deploy – Deploy governance mechanisms, governance IT infrastructure, and governance policies into different staging environments (e.g., testing, pre-production, production). This includes deploying governance policies into a repository for ongoing use during the Monitor phase. It also includes managing the deploy information, registration, configuration, and versioning of the SOA governance solution and release into production using service contracts and service policies that are deployed with the solution.
• Conformance Verification – Check for compliance at the end of the Implement phase to ensure conformance with the defined SOA governance architecture by implementation projects and other projects. Certify services and solutions as being compliant with the IT and Business Transition and Migration Plans.

Implementation concludes with initial verification of the deployed governance solution framework. Ongoing testing and verification of conformance of the SOA governance solution to the governance principles and policies and the furtherance of SOA governance vitality will be done in the Monitor phase.

Monitor Phase

The Plan and Define phases defined previously have created the governance solution and the Implement phase has implemented the governance Transition Plans including deployment of processes, organization, and technology. The Compliance processes are now running to govern the SOA processes, organization, and technology. The Monitor phase is responsible for monitoring the governing and governed processes to determine whether the SOA Governance Regimen needs to be adjusted. If they do need to be adjusted, a new iteration of the SGVM cycle is initiated.

Monitor Phase Activities

Specifically, the Monitor phase must consider and evolve the governance policies, procedures, organizations, roles, and responsibilities. While the basic need for governance has not changed, the organization will acquire additional maturity that will require a proportional increase in governance maturity. Metrics will show what aspects of governance are working and what aspects require change. No matter how good a job has been performed in the previous phase of Plan, Define, and Implement of SOA governance, that governance needs to stay current and vital in its job of producing quality for services.

Monitor and Evaluate SOA Governed Processes

As governance events take place, various metrics should be gathered that provide information on the quality of the tasks that SOA governance is governing. Management and measurements of goals help an organization to judge the effectiveness of the SOA governance effort and where additional discipline is needed. SOA governance like any other discipline needs to first define a set of goals that it strives to achieve. A corresponding set of metrics should be defined to measure the goals that the governance framework strives to achieve. SOA governance is responsible for periodically reviewing these metrics and making the needed changes to governance policies, standards, and processes through iterations of the SGVM cycle.

The monitoring of metrics of the governed processes, Service Portfolio and Lifecycle Management as well as Solution Portfolio and Lifecycle Management, happens constantly. Evaluation may happen in real-time or periodically; i.e., weekly, monthly, quarterly, or yearly. Some real-time monitoring metrics could be provided by SOA business activity monitoring tools.

Monitor and Evaluate SOA Governing Processes

As a result of the gathering of such governance metrics, ongoing events may force changes to SOA governance. For example, metrics may notice that the percentage of rejections for service design is trending upward and it is necessary to find out why and take action. An investigation in this case may show that a particular policy is causing this rejection. The governance team would then need to consider whether the policy is too restrictive or if further education needs to take place. In any case, such periodic reviews will identify areas of concern and follow-up action.

Monitoring the governing processes (Compliance, Dispensation, and Communication) also happens constantly. However, evaluation happens periodically; i.e., weekly, monthly, quarterly, or even annually.

Monitor External Changes

External “shocks” may trigger a review of the SOA journey and the corresponding SOA governance. These triggers may cause an adjustment of the SOA Governance Regimen and another iteration of the SGVM to implement them. Overall, a monitor review should take place for:

• Business strategy changes: Any change in business strategy will likely cause an update of the business vision and perhaps changes to business processes. While the existing SOA governance processes will probably not change, care must be taken to ensure that the service portfolio planning is updated correctly. There may be some new governance planning and definition that needs to happen to accommodate the change in business strategy.
• Organizational changes: Decision rights will undoubtedly change as the result of significant organizational changes. An organization change should trigger a review of the governance processes and the corresponding decision rights.
• Legal or regulatory changes: SOA governance should already have a process to assess and process legislative and policy changes. Such a change may have such a huge impact, however, that it is necessary to review the current SOA governance processes for increased control reviews. For example, Sarbanes-Oxley (US Public Company Accounting Reform and Investor Protection Act 2002) required more stringent audit procedures on financial systems. In some cases, these audits may have been new for the governance process and would have required a vitality review and subsequent insertion of new governance processes.
• On board and change guidelines and standards: New or updated significant industry standards should trigger a review of current standards used by SOA. The SOA governance function, as the leader of this review, should be able to identify where the new guidelines and standards are relevant and should drive the discussion and subsequent implantation of the changes.
• Technology improvements: As for standards, a significant technology change may result in a better technique for creating service quality. For example, better tooling may help in automating the governance control points, thereby providing earlier and better feedback on service quality.
• Consistent or repeated non-compliance of the SOA governance policies and standards: When the SOA governance function sees a pattern of non-compliance with the relevant policies and standards, then a vitality review should be triggered. Are the policies and standards too tight? Unrealistic? Is the compliance function too weak? Is leadership lacking and management support non-existent? While SOA governance cannot necessarily change these by itself, its duty is to call these out for notice and action.
• Repeated requests for policy and standard exceptions: Granting exceptions to the governance rules is a normal situation and, if used in a judicious manner, is no cause for concern. If a repeated pattern of exceptions is detected, however, then a vitality review is called for to ask similar questions as noted above for non-compliance.

Monitor and Evaluate SOA Guidelines Development

SOA guidelines development includes the articulation of and update of policies, principles, standards, and guidelines. This process needs to be monitored and governed just like the other SOA processes. Metrics should be established that can be monitored and evaluated periodically: weekly, monthly, quarterly, or yearly. Sufficient changes to these guidelines may cause an iteration of the SGVM cycle to bring the governance regimen into alignment with the new guidelines.

SGVM Use of SOA Governance Artifacts

The SGVM cycle produces and uses SOA governance artifacts. SGVM Cycle Artifacts summarizes which SGVM phases create which artifacts.

SGVM Cycle Artifacts

The Plan phase produces the SOA governance principles, guidelines, vision, and scope. This phase also produces SOA and SOA governance maturity assessments for current and desired maturity levels.

In the Define phase, the governed processes are identified and documented and the governing processes for compliance and dispensations are documented. SOA governance roles and responsibilities are defined and assigned and SOA Governance Roadmaps and Transition Plans for organization, process, and technology are documented.

During the Implement phase, the Transition Plans are translated to Implementation Plans and executed.

During the Monitor phase, the Compliance processes are running and being monitored via policies on metrics and checkpoints. Policies on triggers for re-evaluating the current SOA Governance Regimen are identified and monitored. Re-evaluation may result in a decision to do another iteration of the SGVM.