2012
A Lean Enterprise Governance Manifesto
Improving Business Performance with Event-Driven Governance
Author: Eric A. Marks, President and CEO, AgilePath Corporation
Executive Summary

Governance is a persistent challenge for commercial and public sector enterprises. The virtues of enterprise governance are established and documented, especially in the areas of Corporate Governance and IT Governance. A capable corporate and IT governance capability not only correlates with greater shareholder value, but is proven to directly enable business and IT strategic execution and business performance. Enterprise governance, when implemented correctly, creates value for the enterprise. This paper develops a new approach to enterprise governance called Event-Driven Governance, which emphasizes the performance-based value of enterprise governance over the compliance-centric policing functions typically associated with Governance.

"That governance is best that governs best with least" - Eric Marks, CEO, AgilePath Corporation.

However, governance is a challenging topic, given its poor image. The term "governance" typically evokes one of two reactions. One reaction is of political opportunism, where a governance initiative might be leveraged by individuals to gain political clout or enhance visibility. The more common reaction, however, is fear and loathing. Governance is often perceived as a control mechanism, rather than an enabler of IT and business performance. Governance requirements in many cases are reduced to implementation of an oversight committee, which convenes monthly to focus on a particular governance challenge. However, this approach is not only insufficient, but it is not scalable and is in some respects dangerous. This approach sends a message that good governance is the equivalent of adding a new oversight committee and layers of management and overhead. Often, these governance boards become institutionalized and tend to outlast their value to the organization.
It is not unusual during governance assessments to discover several ineffective, orphaned governance boards that dutifully conduct monthly meetings without a clear reason for doing so. Needless to say, governance does not generally cause joyous celebration in organizations trying to improve or strengthen governance processes.

In general, governance models provide an enterprise framework to guide decision-making processes, allocate investments and resources toward enterprise priorities, and achieve decision transparency for shareholders and enterprise stakeholders. Governance remains an elusive target due to the absence and immaturity of scientific approaches to governance, which is further complicated by the lack of a universal framework and taxonomy of enterprise governance. While many governance programs are triggered by compliance and risk challenges, poor IT performance or other corporate needs, the fact is that all governance requirements share common characteristics and attributes.
This whitepaper develops a model for an efficient, effective, scalable and friction-free enterprise governance framework, which we call Event-Driven Governance. Event-Driven Governance is a framework for governance based on principles of just-in-time, event-based policy enforcement, and virtual governance organizations that are triggered by governance necessities (as opposed to creating oversight committees or duplicate governance organizations). Event-Driven Governance is a performance-based model, driven by metrics and processes, as opposed to a compliance-based model centered on policing conformance. Our motto for this approach is simple and compelling: Don't fine-tune your current Governance model. Tear it down, and replace it with Event-Driven Governance.

Introduction

Governance as a discipline is either hated or tolerated, depending on the organization you talk with. Some organizations do not allow the word "governance" in their corporate discourse because it is so overloaded with negative perceptions of overhead, over-control and compliance. Mere mention of the word sends IT executives running for their offices with their hands over their ears, muttering to nobody in particular, "I know nothing."

Enterprise Governance earned its poor reputation because of a variety of factors. A few are explored below:

- Governance is most often mistaken for compliance and risk management, as opposed to ensuring enterprise performance
- Governance is often viewed as overhead due to the large number of oversight committees, policies, regulations, etc.
- Inability to enforce governance policies due to lack of control or influence over business, funding or both
- Poor governance design; focus on the wrong issues or requirements
- Poor governance capabilities, immaturity, general governance malaise

However, we believe the image of Enterprise Governance needs a makeover.
All of these negative perceptions of Governance detract from its potential to become a strategic capability that can dramatically improve business and IT performance. We believe that enterprise governance is a strategic, performance-based capability that drives execution, performance and behavior based on strategic goals and objectives, operationalized through metrics. Implementing Enterprise Governance as a performance enabler is realized by focusing on key priorities and ensuring transparent decision making through explicit governance processes and trust-based governance principles.

Enterprise Governance Defined

Enterprise governance is defined as the design, implementation and ongoing execution of an enterprise stakeholder representation model and supporting decision and accountability framework that ensures an entity or organization is pursuing an appropriate strategy or course of action, aligned with
stakeholder goals and expectations, and is executing that strategy in accordance with guidelines and constraints defined by a body of principles and policies. Enterprise principles and policies are enforced through an integrated policy enforcement model comprised of various policy enforcement mechanisms (governance boards and committees), governance processes (including checkpoints and reviews), and governance enabling technology and tools. Enterprise governance includes both the overarching framework used to govern an enterprise, as well as the ability to define, sustain and scale governance requirements at an enterprise level.

An important point to make here is that Enterprise Governance refers equally to business and IT governance, not solely to IT governance. Traditionally, IT governance processes are designed and implemented to better control IT on behalf of business stakeholders. However, there are no corresponding accountability frameworks that ensure the business is behaving appropriately in its use of IT resources. Enterprise Governance operates at the intersection of business and IT governance, where business and IT leadership collaborate on the use of IT to drive competitive advantage.

Why Consider Event-Driven Governance?

Event-Driven Governance is an Enterprise Governance design philosophy that, when implemented, ensures an effective governance model that drives enterprise performance and strategic execution, while avoiding layers of overhead and organizational complexity. Event-Driven Governance is an approach that is counter to most enterprise governance approaches in the industry, which involve bloated organizational models, overhead and friction, and stilted decision making. In 2009, AgilePath released a whitepaper that focused on how to eliminate IT and Service-Oriented Architecture (SOA) Governance bloat [i].
This paper highlighted four areas where governance inefficiencies and waste are common:

- Avoid Policy Bloat - focus on key policies that enable performance objectives in alignment with IT and business strategy.
- Do not go Over Board - avoid excessive governance organizations and boards, and never implement governance organizations before the policies and processes are understood and documented.
- Focus on critical processes and process gaps that will impact performance - you cannot govern everything well, so you must prioritize areas of governance emphasis, based on the business and IT strategies, while maintaining competence in all other governance domains.
- Rules before tools - do not implement governance tools first, ever. This creates a false dependency on a technology that cannot work well until you define processes and policies.

This paper also highlighted another governance best practice, which urges organizations to focus on governance policies and processes before defining governance organizations and acquiring governance tools. This concept can be expressed in the following equation:
[(P+P)/(O+T)] = Policies and Processes over Organizations and Tools.

This formula expresses the need to emphasize Policies and Processes over Organizations and Tools. Event-Driven Governance builds on these best practices by ensuring a lean, right-sized and effective governance model that enables enterprise strategic execution and performance. The remainder of this paper will explain how.

Introduction to Event-Driven Governance (EDG)

Event-Driven Governance is based on a simple premise: a governance model, with its associated principles and policies, governance processes and policy enforcement mechanisms, should be a virtual framework that is triggered by governance events associated with business or IT processes. Once pre-defined governance triggers or events occur, the governance process comes to life, performs its duties, and then goes dormant again. Event-Driven Governance is also enabled by self-governance and community-governance concepts, which are scalable and enable a more collaborative and trust-based approach to governance. Event-Driven Governance is intended to be lightweight, lean and virtual, bolstered by explicit policies and processes, and deployed using trust-based designs.

Event-Driven Governance is contrasted with traditional governance model designs, which in many cases are established by creating permanent governance oversight committees or boards, staffed by mid-level and senior management personnel who attend scheduled meetings to perform their governance duties. These traditional governance model designs are characterized by policing functions and a compliance-centric focus, where prescriptive policies are enforced, poorly or well, via manual oversight by the governance committees. These governance models are manually-intensive and meeting-intensive, paper-based, and tend to be very ineffective. They add friction to the enterprise and delay decision-making due to the need to coordinate the meeting schedules of business management personnel.
The difference between these two approaches is striking. With Event-Driven Governance, the emphasis is on a lightweight, virtual organizational model, which is only invoked when necessary governance events trigger pre-defined governance processes and policy enforcement activities and mechanisms. In a traditional governance model, the governance process is always on, is dominated by permanent governance boards and manual enforcement of principles and policies, and adds friction, overhead and delays to decision-making processes. Figure 1 below illustrates the concept of Event-Driven Governance.
Event-Driven Governance is predicated on governance events, which trigger appropriate and necessary governance processes and policy enforcement mechanisms, but only when they are needed. It is a just-in-time governance concept, where only the governance that is needed is triggered, and no more than that.

The Event-Driven Governance Foundation

The foundation of Event-Driven Governance is based on simplification, standardization and consolidation of Enterprise Governance requirements. The following concepts form the foundation of Event-Driven Governance.

- Focus and prioritize your governance efforts on things that really matter to the execution of your business and IT strategy. This is the essential alignment requirement for successful enterprise governance: focusing on critical enterprise priorities, and establishing principles and policies to drive the desired behaviors.
- Standardization via a Common Governance Reference Model: Additionally, Event-Driven Governance is predicated on a standardized model of Enterprise Governance. This means that regardless of the governance/policy domain, they must all define, implement and enforce policies using a consistent governance framework and reference model.
- Centralized Coordination of Enterprise Governance via a centralized, persistent Governance performance management function that ensures governance processes are sustained, matured and measured to drive goals and objectives.
- Elimination of Governance Silos through consolidation, aggregation, and coordinated management of all Enterprise Governance requirements.
- Identification of common governance events and policy threads that allow coordinated policy enforcement of multiple governance domains/policy domains simultaneously. This will enable a streamlined approach to comprehensive governance without the overhead and friction associated with it.
- Ensure transparent communication and feedback of governance across the enterprise through a communications and feedback process, outreach, education and awareness. This ensures broad stakeholder involvement, kind of like "get out the vote" movements in politics.
- Implement Trust-based Models such as Self-Governance and Community-Governance: Ensure design of trust-based mechanisms into the enterprise governance model, which will help drive enterprise adoption and participation through self-governance, community-governance and other open source approaches. These scale very well in large, complex enterprises.

In order to begin the process of Enterprise-Driven Governance transformation, we must first understand the Enterprise Governance Lifecycle. The Enterprise Governance Lifecycle is explained below.

The Enterprise Governance Lifecycle

Event-Driven Governance as a design strategy must be integrated into an enterprise governance framework. Enterprise governance is best characterized as a lifecycle model with five broad phases. It is in the context of these governance lifecycle phases that event-driven governance is designed, implemented and operationalized. The Enterprise Governance lifecycle is illustrated below.
The five key phases of the Enterprise Governance Lifecycle are as follows:

1. Enterprise Strategic Governance (Strategic Planning and Investment Planning (IT and Business)): Performance of the annual strategic business and IT planning process, including investment planning.
2. Enterprise Governance Process Management: Design, Implementation and Sustainment of Enterprise Governance Frameworks, Processes and Policies.
3. Enterprise Exo-Project IT Governance: Enterprise Governance requirements that are not directly associated with execution of individual programs or projects, but provide supporting governance support to all projects in the aggregate.
4. Project Governance and Process Execution Governance: Execution of Programs, Projects and using a standard project delivery methodology or SDLC.
5. IT Operations and Sustainment: IT Service Management, IT and Business Operations, ITIL.

These five phases of the Enterprise Governance Lifecycle are described in detail below.

Enterprise Strategic Governance:

This governance lifecycle phase focuses on the annual and ongoing strategic planning processes, which determine enterprise priorities, what programs/projects will be continued, and what new programs/projects will be executed, and allocates resources to them. This enterprise governance
lifecycle phase involves both business and IT strategic planning processes. Governance requirements associated with enterprise strategic planning should include the following:

- Business Engagement and Interaction: When, where and how to engage with business leadership shareholders and stakeholders to achieve IT-Business alignment (requirements, priorities, funding and budgeting, and IT services needed to support business goals).
- Requirements Analysis and Project Prioritization & Planning: What do we need to support the business strategy? What are our priorities this year?
- IT Portfolio Management Alignment: Do our portfolios already support the business and IT strategy? Do we have capabilities already? Do we need to buy or implement a new capability? Does our IT portfolio support current and future business requirements?
- Enterprise Architecture Alignment: Does our Enterprise Architecture support the business and IT strategy? How does it need to evolve to enable business objectives?
- PMO/Program Management Alignment: Do current programs already support business objectives? What new programs do we need? Do we have the skills?
- Budgeting for new projects and programs: What resources do we need to execute the business plan? What skills, resources, financing, infrastructure are necessary?

During this phase of the Enterprise Governance Lifecycle, there are structured interactions with key business stakeholders to gain their requirements and inputs into IT priorities, their support for IT budgets and IT investments, and overall alignment of IT to the business.

Enterprise Governance Design, Implementation, Operation and Sustainment:

This phase of the Enterprise Governance Lifecycle ensures that you are doing what you planned according to best practices, internal policies, and compliance requirements.
These activities focus on the definition of Enterprise Governance requirements, implementation of governance frameworks, processes, policies, and enforcement models, and the maintenance and sustainment of governance, e.g. refresh, education, communication, etc. Typical enterprise governance requirements include the following:

- Enterprise Governance Definition and Performance Management
- Governance Reference Model Standardization and Alignment
- Engagement with Stakeholders and shareholders
- Implementation of critical governance domains, processes and policies
- Exceptions and Escalation Management
- Annual and quarterly renewal activities
- Performance Metrics, Dashboards and Reporting
- Communications and Feedback
Enterprise Exo-Project Governance

Exo-Project Enterprise Governance processes focus on defining, implementing and enforcing governance requirements for key policy domains at the enterprise level, outside of individual project execution and project delivery processes. Exo-Project governance activities focus on programs and projects in the aggregate, not at the individual project execution level. These enterprise governance activities support strategic planning and execution, but they are also performed in an ongoing fashion independent of specific program or project execution activities. These Exo-Project Governance domains include the following:

- Enterprise Architecture (EA) and EA Domain Architecture (including IT security)
- Enterprise Portfolio Management
- Program Management Office (PMO)/Program Portfolio Management
- IT Acquisition and Procurement
- Vendor Management and Sourcing
- Compliance and Risk
- Enterprise Security and Privacy

Typically, these governance domains or policy domains are under the leadership of different IT management teams, and are therefore differentially defined, implemented and enforced without coordination or standardization in the context of an overarching Enterprise Governance Framework. Or, in many cases, an IT leader is assigned IT Governance oversight, Portfolio management and the PMO functions, and perhaps Compliance and Risk are added in.

Project-Centric/Execution Governance

Project-Centric/Execution governance ensures that you execute what you planned via repeatable, transparent delivery processes. These governance domains focus on execution of programs, projects and initiatives that were planned, prioritized and funded during the strategic planning process.
In addition, project delivery processes fall within this phase of the Enterprise Governance Lifecycle, such as the IT Software Development Lifecycle (SDLC), agile development processes, program management methodologies, and other enterprise project delivery methodologies for both business and IT. Governance requirements here are all about executing programs and projects, in the context of project management and IT delivery lifecycle processes, e.g. the SDLC. The governance requirements are two-fold: perform intra-project or project-centric governance internal to the execution of the project, and execute the project in accordance with pre-defined delivery processes and program management processes. The following types of governance activities occur in this phase:

- Intra-Program/Project reviews
- Project Management Lifecycle or Software Development Lifecycle (SDLC) Gate reviews
- Project Delivery Process or SDLC Process Governance
In addition, other Project-Centric/Execution governance processes may be applied here, such as the following:

- PMO Portfolio Reviews
- Customer Sign-off and Acceptance Review

It is important to understand that many of the Exo-Project Governance processes come into play during project execution as well, specifically Enterprise Architecture (and EA domains), PMO/Program Management, portfolio management, compliance and risk, and possibly others. When Exo-Project Governance requirements and Program-Centric Governance requirements intersect, there is not only an opportunity to consolidate and streamline Enterprise Governance processes, but also to optimize them into best-in-class capabilities.

Business Operations and IT Operations/IT Service Management (ITSM)

This phase of the Enterprise Governance Lifecycle focuses on Post-Project governance and operations processes necessary to manage and operate business processes and the enabling IT environments. Technically, IT operations and IT service management processes are not governance processes at all. However, they do provide feedback into the upstream Enterprise Governance processes, and thus become critical checkpoints into how well various governance processes and delivery processes are performing. The following processes are included in the IT operations phase of the Enterprise Governance Lifecycle:

- Business Operations and Support
- Application Maintenance and Support
- Service Desk and IT operations processes
- Feedback to upstream governance and IT delivery processes

Summary: The Enterprise Governance Lifecycle provides the end-to-end context within which Event-Driven Governance can be envisioned, designed and implemented. The sections below will detail the principles of EDG, the foundation for EDG, and how to implement it.
Principles of Event-Driven Governance

In order to distinguish attributes of poor governance from those of good governance, we must establish a set of principles that best characterize Event-Driven Governance. The following principles will help clarify what we mean by EDG:

- Do not create standing governance bodies, boards or committees. All governance boards should be virtual boards whenever possible.
- Enforce critical enterprise policies when policy events trigger the governance model and the associated governance and policy enforcement mechanisms.
- Implement trust-based governance via self-governance and community governance designs to enforce policies in a more collaborative and trust-based fashion.
- Focus on the vital few principles and policies that will drive desired business and IT performance in alignment with IT and Business strategy. Governing with a few core policies that really matter will have a greater impact than governing via a large number of distinct policies.
- Use policy enforcement event models (governance processes and events) to define where, when and how policies will be enforced, how governance events will be triggered, and what will happen as a result.
- Define core policy threads that connect oversight processes, policy enforcement points and policy events into a policy enforcement model. Design of policy threads around core policies will ensure clarity of processes.
- Explicitly design self-governance, community governance and trust-based capabilities into your governance model. These must be built into the to-be model, not bolted on afterward.
- Leverage a common Governance Reference Model to define, model, implement and operate your governance model using a common framework for policy definition and enforcement, and a streamlined policy enforcement model.
- Collapse key IT governance processes and mechanisms into the fewest number of policy events that will meet Enterprise Governance requirements, and implement Event-Driven Governance to replace legacy governance processes.
- Design the governance model to be Just-In-Time and Just Enough, and no more than that.

Governance Events in the IT Governance Lifecycle

What are governance or policy events? Policy events are triggers for the visibility and enforcement of enterprise policies that have been defined in the governance model.
Policy events can take the form of the following examples:

- Strategic planning and IT investment planning events
- IT project phase gate reviews
- SDLC governance gates or check points
- Program reviews for budget, scope and delivery performance
- Enterprise Architecture reviews
- Requirements and scope reviews
- Acquisition, procurement or vendor management events
- Customer feedback reviews and checkpoints
- Others

Central to the Event-Driven Governance approach is the definition of key governance events, which will trigger the associated governance processes into action, thus enforcing policies via appropriate policy
enforcement mechanisms. This exemplifies the just-in-time, just enough governance approach of Event-Driven Governance. Figure 2 below illustrates, using red stars, the areas where Governance or policy events can occur in the Enterprise Governance Lifecycle:

EDG requires an understanding of key events that will trigger the appropriate governance processes into action, based on Enterprise Governance Lifecycle phases. Once governance trigger events are understood and documented, an Event-Driven governance model can be designed that invokes the necessary governance processes and associated policy enforcement mechanisms, only when they are needed, and only as necessary. This is the beauty of Event-Driven Governance: just-in-time, just enough, and no more.

Governance Principles and Policies

Critical to an Event-Driven Governance approach is the recognition that enforcing a few critical core policies, and doing so consistently and effectively, is more effective than enforcing a host of fine-grained policies inconsistently in an ad hoc fashion. Event-Driven Governance must focus on those core policies that directly relate to defined performance objectives.
A policy is defined as a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions [1]. A principle, on the other hand, is a comprehensive and fundamental law, doctrine, or assumption; a rule or code of conduct.

Generally, an enterprise governance model is realized through a body of enterprise principles and policies, which are mapped and aligned to strategic goals and objectives. Based on these strategic goals and objectives, a core set of guiding principles is defined, which serves as the governance model foundation and provides overarching guidance for definition and implementation of enforceable policies. Principles in this approach do not change very often, while specific policies mapped to principles may evolve and change, be updated, removed and eventually retired multiple times per year, or at least annually. In this approach, high-level principles are decomposed into coarse-grained policies, which are then decomposed into governance domain-specific fine-grained policies, e.g. Enterprise Architecture policies, security policies, portfolio management policies, SDLC policies, etc.

- Governing Principles: Principles are high-level statements of intent that inform and guide decision making, and enable enforceable policies to be developed consistent with those principles. Principles themselves are enforceable based on alignment to the intent and spirit of the body of principles.
- Coarse-grained policies: Coarse-grained policies are defined based on the two key inputs: strategic goals and objectives, and the governing principles. Coarse-grained policies are typically defined outside of specific governance domains, where they provide enforceable direction and guidance, specific policy definition, and have consequences when policies are not followed.
However, coarse-grained policies are also defined within governance domains, but are subsequently decomposed into fine-grained, detailed policies.
- Fine-grained policies: Fine-grained policies are typically defined within specific governance domains, and involve the definition of detailed, domain-specific requirements that are unique to a particular governance domain. For example, Enterprise Architecture (EA) governance is characterized by a body of both coarse-grained and fine-grained policies, which may then be further broken down into EA Domain Architecture policies, e.g. Service-Oriented Architecture (SOA) policies, Data Architecture policies, J2EE architecture and development policies, etc.

Thus, the key for IT Governance is to translate business and IT strategic objectives into abstracted principles and coarse-grained policies, which become inputs into the specific governance domains. Within those specific governance domains, domain-specific policies are defined, maintained and enforced as necessary. In some cases, fine-grained domain-specific policies are enforced at design-time, during software development, during quality assurance and testing processes, and then at run-time, where policy enforcement is automated via tools and technologies. Figure 3 below shows the relationship of business/IT goals and objectives to governing principles, coarse-grained policies and fine-grained policies.

[1] Merriam Webster Dictionary Online
Figure 3 depicts how business strategic goals and objectives are translated into IT strategic goals and objectives, which lead to new IT Governance requirements. Business and IT Strategic planning processes, performed annually, provide the opportunity to update, refine, and enhance the Enterprise governance model. The annual planning process results in the following sequence of events:

- Strategic planning processes provide inputs into the Enterprise Governance Process.
- This initiates the development/updating of guiding governing principles, which provide overarching statements of governance intent in alignment with strategic goals and objectives.
- From these governing principles, big coarse-grained enterprise policies are defined outside of specific enterprise governance domains; these will guide the development/updating of domain-specific policies.
- Updates to enterprise governance principles and coarse-grained policies will initiate the definition, updating and refreshing of existing domain-specific policies. In some cases, a policy versioning model will be necessary to keep track of policies.

This overall process helps establish coarse-grained policies for enterprise enforcement, while leaving fine-grained policy enforcement within specific governance domains, where the experts can focus on them. This model enables a key policy enforcement best practice: Always enforce policies at the coarsest level of granularity, preferably at the governing principle level, then at the coarse-grained policy level, and finally at the fine-grained policy level as needed. This enables rapid enforcement of policies, as well as identification of exceptions to policies, by all governance stakeholders and shareholders.
The key for Event-Driven Governance is to ensure that critical policy events are visible and managed outside of governance domains, so that all governance domains are subservient to a particular enterprise policy.

Governance Events and Policy Threads: Event-Driven Governance depends on the identification and enablement of a governance event model, in which key policy events trigger the governance processes and appropriate policy enforcement mechanisms. Policy Events are the scheduled and/or ad hoc checkpoints, reviews, phase gates or other events that provide visibility and transparency of governance, and the opportunity to ensure and validate alignment to principles and policies. For example, in IT Governance there are a few key events that should trigger governance model invocations. Some examples of these are listed below:
- IT Strategic planning and investment planning processes
- IT Acquisition and procurement activities
- Vendor management and contracting activities: Any new vendor relationship must be triggered by appropriate project authorization. A new vendor request, for example, would trigger IT portfolio reviews (Do we have one of these widgets? Do we already have a vendor who provides this service?)
- Program or project reviews: Periodic program/project reviews will be performed to examine cost, schedule and requirements performance of a given program. Many organizations put thresholds in place to ensure that these reviews are only performed on projects of a certain size, cost, complexity, risk or criticality.
- SDLC phase gate reviews
- Funding/re-funding gate reviews

In IT Governance, there are a few naturally-occurring events that can be used as triggers for enforcing Enterprise IT Policies in the aggregate, such that governing is a simple, consolidated and streamlined process.
All of these governance events provide natural opportunities or triggers to enforce enterprise IT policy in accordance with enterprise objectives, but in a way that spans specific IT governance domain oversight and management authority. For example, during the annual strategic planning process, when new programs and projects are being considered, there are potential governance events that should trigger the following Enterprise Governance processes:
- IT Requirements and Prioritization (Does the business really want this?)
- Portfolio Management (Do we have one already?)
- Enterprise Architecture (Does it align with our EA?)
- Program Management Office (Do we have a similar or duplicate program already? Can we add these programs into our capacity?)
- IT Finance and Budgeting (Can we afford it based on our budget?)

The Event-Driven Governance approach would invoke all of these different governance process domains from one shared policy event trigger, which enables a simpler approach to enforcing enterprise policies. Without an event-driven approach, these various governance process domains would potentially not be involved in the decision process, or they would be scheduled or performed separately, or on their own schedules, in a disconnected, incoherent fashion. Policy events enable the coordinated invocation of related and connected governance domains in a concurrent fashion, which will enable an organization to consolidate and simplify its Enterprise Governance model.

Policy Threads involve the coordinated enforcement of a principle or a coarse-grained policy across multiple connected and interrelated governance process domains. Policy threads, or governance threads, describe the concept of a policy being enforced through the coordinated linkage of multiple governance processes or policy enforcement activities, which may be enforced across multiple functional governance domains. For example, an enterprise policy emphasizing Reuse from a SOA governance perspective would be implemented by driving a principle of IT asset reuse, and specific policies of Service reuse, within and across the following governance domains:
- Ensuring reuse across all IT Portfolios, via the Portfolio Management process, e.g. application portfolio rationalization, SOA Service Portfolio, server consolidations, etc.
- Reuse within Enterprise Architecture, eliminating duplicate technologies and avoiding overlapping solutions
- Program Management Office (PMO), rationalizing overlapping or redundant programs and projects that are not central to business and IT strategy
- IT Acquisition, ensuring no duplicate technologies are being acquired
- Vendor Management/Sourcing, ensuring support vendors are leveraged and competition is maintained, while reducing redundant vendors for similar services or products.

A Reuse policy thread would be triggered by a predefined policy event, and would invoke all IT portfolio management processes, Enterprise Architecture governance processes, PMO processes, and appropriate business inputs in order to ensure optimal reuse of corporate assets is being achieved. Below, in Figure 4, a conceptual reuse policy thread is illustrated.
In this example, the policy event is a trigger from the IT Strategic Planning Process, which invokes the Reuse Policy Thread, which enforces the enterprise reuse policy across the governance domains we discussed above. The various governance process domains can coordinate their interactions so that fewer personnel, fewer meetings and less time are required and, more importantly, cross-domain issues are resolved simultaneously. This orchestrated policy thread approach will simplify enterprise governance and help bring your Event-Driven Governance model to life.

The benefit of the policy event and policy thread approach is that a single policy event can be used to orchestrate the connected and coordinated enforcement of related governance process and policy enforcement mechanisms, in a structured and assured manner. Without this approach, three outcomes would have typically occurred:
1. Governance processes would not be performed at all;
2. Governance processes would be performed in an ad hoc manner without benefit of formal frameworks, processes and enforcement mechanisms;
3. Governance processes would be performed separately from one another, with great potential for more friction, causing more follow-up meetings, reviews and sign-offs.

Policy events and policy threads provide the means to drive accountable compliance to policies in meaningful, high impact ways, while supporting a coordinated and streamlined approach to policy enforcement and governance.
Benefits of Event-Driven Governance

Event-Driven Governance, defined through policy events and policy threads, offers the means to eliminate governance silos and consolidate governance processes by integrating the enforcement of multiple governance domains in an integrated Enterprise Governance model. As illustrated above, a single event can trigger multiple governance process domains, which can be coordinated as to how they enforce enterprise policies. This enables an organization to streamline and collapse its enterprise governance complexity, and to effectively implement a just-in-time and just enough governance strategy. The benefits of the Event-Driven Governance philosophy are summarized below:
- Eliminates Governance Silos: Event-Driven Governance enables coordinated and orchestrated governance via policy events and policy threads, which will prevent governance domains from creating their own individual governance silos separate from other governance domains. Nothing adds more friction or overhead to an enterprise governance model than creating silos of governance oversight boards dedicated to one governance process.
- Employs a standard Governance Reference Model: A typical roadblock to this type of governance approach is the lack of a standard Governance Reference Model to document and implement governance for all governance/policy domains via common governance processes, policy models, and policy enforcement mechanisms. If all governance domains are consistently described and implemented, they can be aggregated, centralized, consolidated, and more importantly, mapped into an Event-Driven Governance Framework.
- Defines governing principles and a few critical core coarse-grained policies that cross-cut multiple governance domains, e.g. Reuse.
Event-Driven Governance enables the definition of a comprehensive principle and policy framework, and more importantly, the definition of critical, coarse-grained policies that invoke multiple governance domains via a policy event model and policy threads. Critical core policies are more easily aligned with key business and IT strategy goals and objectives, and therefore lend themselves to Event-Driven Governance. More importantly, focusing on these big core policies means enforcing fewer policies, which will enable a simplification and collapsing of governance complexity.
- Orchestrating and coordinating Governance via Policy Events and Policy Threads: Event-Driven Governance enables streamlined orchestration and coordination of Enterprise Governance while allowing the collapsing and simplification of enterprise governance models. Policy events and policy threads enable the decoupling of big policies from specific governance domains such that governance silos are reduced, and you can aggregate IT governance around a few core principles and policies. Once big policies are defined through policy events and policy
threads, governance model orchestration and coordination can be realized, and efficient, rightsized governance can be implemented.
- Ensures an Agile, Lean and Right-sized governance organization with little overhead and reduced enterprise friction. Event-Driven Governance (EDG) will help rationalize and streamline your Enterprise Governance model, and realize more effective oversight and governance without slowing decision making processes.
- Focuses on critical performance-based governance criteria, based on explicit alignment to business and IT strategic goals and objectives as expressed by governance principles and policies. This allows governance to take on a performance-based role rather than a compliance-centric policing function in your enterprise.
- Enables Self-Governance, Community- and Collaboration-based governance approaches through simplified policy models, policy events and policy thread orchestration. EDG frees you to design in self-governance and community-governance frameworks, which help engage the entire organization in the governance process and establish trust of governance stakeholders. Implementing an Event-Driven Governance model focused on the critical governance requirements allows you to design self-governance and community-based governance models for the other less-critical governance domains and governance requirements.

Event-Driven Governance will change the way you govern your Enterprise. This approach offers an alternative to Enterprise governance that will improve the performance of your enterprise, while streamlining the way you manage and govern key business and IT processes.

Things to Do Tomorrow

Event-Driven Governance is a cutting edge approach for the design and implementation of Enterprise Governance.
Developed from years of research, bolstered by the design and implementation of Enterprise Governance models in Commercial and Public Sector organizations, this approach offers a way to simplify and enable effective, rightsized and lean Enterprise Governance that will improve performance of business and IT.
- Analyze and Assess Your Current Enterprise Governance Model. Perform an assessment of the governance processes, organizations, policies and tools in your enterprise, and then ask yourself, "How effective are we at our business and IT process performance?" If your performance for key processes is poor despite your investments in the current Governance approach, perhaps it's time for a change.
- Look at Enterprise Governance from both a Business and IT perspective. Don't focus solely on IT governance, or a specific domain within IT. Look at the intersection of business and IT
strategy that will make a dramatic impact on business and IT performance. Those are the governance processes that will matter in the end.
- Define a Few Big Core Policies that Will Make a Clear Performance Difference. While Event-Driven Governance helps focus and streamline governance and policy via policy events and policy threads, the real value of EDG is to help focus on important policy domains that help improve business and IT performance based on the respective strategic goals and objectives. Focus on these critical policy areas via big, coarse-grained policies that really matter. The others can be addressed using self-governance and community-governance approaches.
- Identify key Policy Events and Policy Threads that can be Orchestrated to Simplify Governance Processes and Integrate Policy Enforcement Mechanisms. This will help you streamline and collapse your governance model into a more lean, rightsized approach. Coarse-grained policies lend themselves to Event-Driven Governance, where they invoke multiple governance domains via policy threads. Fine-grained policies within governance domains can be best dealt with via self-governance and community-based approaches.
- Explore ways to consolidate, centralize, coordinate and collapse your current Enterprise Governance Model using Event-Driven Governance Design. Do not settle. Look for ways to brutally standardize your Enterprise Governance processes and approach, and then to consolidate and collapse it into a more streamlined approach. Do not perform continuous improvement of your current governance model; tear it down and replace it with an Event-Driven Governance design.
- Measure Governance Performance via Metrics and a Dashboard (Because You will see improvement). Event-Driven Governance will enable improved business and IT performance, but only if you measure it.
Be sure to define and implement metrics that will capture the improvements in decision making, effective governance, and improved business and IT performance. What gets measured gets done. Enterprise-Driven governance ensures you will get what you plan to measure done.