Governance is something of a dirty word. It often generates a visceral reaction in people, conjuring up images of red tape, bureaucracy and time-consuming audits. These are seen as roadblocks to progress, innovation and adoption of new ways of working. This is especially true when we are looking to accelerate the rate of change or delivery speed, such as commonly occurs when adopting DevOps or Agile practices.
Below, I will discuss why we have governance, how it gets applied and some immediate approaches you can look at to help change your ways of working.
Let’s start with the purpose of governance. Governance practices intend to manage risk. I sometimes hear that “this doesn’t apply to me. I’m in a small start-up,” but all organizations, whatever their size, need to manage risk. In one form or another, we are all subjected to governance. In larger organizations, we have added complexity to deal with in creating and managing risk. It is also true that heavily regulated industries like finance and healthcare have additional external regulatory concerns to take into account. Whatever size of organization you are in, there is still a need to consider governing different risks, such as security and operational.
A common way to talk about collective risk management practices is Governance Risk Compliance (GRC):
Governance: Cost-effectively govern the organization’s risk landscape
Risk: Identifying and mitigating risks
Compliance: Documenting and reporting on how we address risk
This is critical. In recent years, poor governance practices can be traced to security breaches that have cost companies millions and millions of dollars
Great! So governance has a purpose! Maybe it isn’t all bad…
Although governance is needed, there is a balance to be struck. Too much and everything grinds to a halt, and too little, and it could cost you considerable amounts of money.
When we map the flow of value through an organization with value stream mapping, we also look at mapping dependencies. Often these dependencies are to external groups that perform a governance function to support the value stream. For example, to release a new product, I may need to get:
approval from legal for the terms and conditions
security to validate my changes to the system
architecture to validate my technology choices
Traditionally, we can consider these activities as governing the software delivery process and indeed, they all play a role in managing risk. Problems occur because the team delivering the value stream (working on the product) has to ensure they check-in with each of these areas then wait on a response. Often the areas they are checking in with have no idea of the context of the team. At best, this results in more back-and-forth as each group tries to understand the other and, overall, more frustration.
Two of the biggest problems we see are:
Using a ticketing system to manage communication between the delivery team and the governing body
Having committees you need to run the gauntlet of every time you want to make a change or try something new
Both of these are a sure-fire way to kill your delivery team’s flow, usually at the price of adding little or no value. Indeed, they rarely result in improving safety, which is, after all, our goal. So consider burning your ticketing system down and, what I call, Kill The Committee (to replace it with a more collaborative approach). Both have their place but require a long hard look when examining your value streams.
How can we find a balance between speed and safety? Satisfying the need for governance while allowing teams to continue to make more frequent changes?
The most significant factor we’ve seen in helping organizations overcome this hurdle is to automate governance into the delivery pipeline. By incorporating governance checks into the platform responsible for running the pipelines, we can check our controls with every change. However, the lack of communication between different areas often gets in the way of making this happen.
We have found building a roadmap for the automation of governance practices helps create the necessary clarity. Having this roadmap is valuable for several reasons:
It allows us to show progress towards simplifying our governance practices
It helps guide you as to whether you are going in the right direction
It creates visibility into what we will be looking to automate
We go through a generative process in creating the roadmap, creating more value for customers in the process. Xodiac’s approach to creating powerful, dynamic roadmaps takes a risk-based approach to prioritize activities. A roadmap is not a static object. It is a generative tool we can use to create discussion and, ultimately, alignment across those responsible for governance and those responsible for delivery. By creating conversation around the purpose of the controls and how they are to be satisfied, we create a common understanding of what needs to happen to ensure safety in our pipelines.
We use another tool to clarify conversation across different areas: package the controls into an easy to remember mnemonic. I use the acronym TACO for this, standing for Traceability, Access, Compliance and Operations. This can become a useful reminder to teams to check they’ve taken care of all the necessary controls.
These actions will help alleviate some of the immediate pain as you look to accelerate your delivery practices. To make further progress, look at realigning your governance teams to your delivery teams as an effective way of moving forward. Value Stream Mapping can be useful in identifying how this is best accomplished.
Understanding the purpose of governance, where it comes from and how to manage it effectively is critical to increasing the flow of value in your organization. Whether you are looking to provide higher quality service to constituents or ensure that your core banking system’s latest version is secure, understanding governance is vital.
Xodiac’s road mapping and metrics practices represent the first steps of Xodiac’s 12-step Focus, Improve, Thrive program. Together they represent a way to help you drive even more success from your organizational change.