API Governance Part 1 - It’s Time to Rethink Governance

03/13/2017 by Pete Clare

Does the term “governance” make you cringe? For many people the term governance calls to mind process gates, bureaucracy and glacial progress. This is an unfortunate side effect of years of widespread misguided, ineffective or flat-out failed technology governance practices across the corporate technology landscape.

Truth #1 - Technology governance largely deserves its tarnished reputation

Truth #2 - Governance is needed more than ever and is currently being disrupted

Disruption? This 3-part series will walk you through how it's being disrupted and what you need to know.


The Governance Dilemma

Typical promises made by traditional technology governance practices include risk management, data protection, legal compliance, standards compliance, access management, reusability, etc. In today’s world, it remains hard to argue with this value promise. The challenge is that typical governance practices are inherently at odds with the direction of the business world.

[Figure: simple flow chart showing corporate pressures flowing into technology directions under traditional governance]


Traditional approaches to governance simply cannot keep up with the rapid evolution being forced on companies by unprecedented pressure from:

  • Small companies repeatedly disrupting entire industries by unbundling value streams
  • IoT, conversational UIs, & AI fundamentally changing customer expectations and corporate customer interaction models
  • Consumers holding incredible power over brands & companies

As companies scramble to remain relevant, digital transformation has become essential, the lines between business and IT are vanishing, and APIs are now the primary means of leveraging productized business capabilities. This movement is one of the drivers behind technology governance disruption.


New Governance Challenges

Today’s business challenges continue to lead us toward more, smaller, cross-functional and largely autonomous teams… each focused on independent delivery and innovation. Add to this the adoption of cloud (platforms & infrastructure), APIs, & continuous delivery tooling and a few realities emerge:

  • Pervasive & gated governance processes cost far more in business reaction time than the value they typically deliver
  • Changes come from more places within the business than ever before
  • Changes are delivered at a dramatically faster pace

The result: the risks of irrelevancy & disruption frequently lead businesses to abandon governance in favor of pace. However, the risks associated with ungoverned change are amplified significantly by the increase in internal change agents and speed.

Where does this leave us?


Governance Redefined

Today’s emerging governance practices are based on a different set of fundamentals:

[Table: API Governance - traditional vs. emerging]

Let’s take a closer look at a few key distinctions:


1 - Value & Transparency Driven

Transparency is the cornerstone of the new governance paradigm. As business capabilities are digitized and exposed via APIs, the API Gateway becomes a massive enabler for “free”, consistent and credible performance data collection.

  • What are the business performance measures for this API?
  • Who uses this digital product and how?
  • How well is the product performing against expectations?
  • What is the consumption trend?
  • How is our sensitive data being consumed and by whom?

In many ways, the emerging governance paradigm is simply another manifestation of the build - measure - learn cycle described by the Lean Startup Method.


2 - Data-centric

The movement towards API gateway-based integration and microservice architectures dramatically reduces the number of pathways available for sensitive data to flow across systems and in and out of organizations. This trend has the potential to create remarkable transparency around how sensitive data flows and is consumed, thereby reducing risk as well as the effort associated with data governance. Closer oversight may still be needed in certain business contexts, but transparency will be dramatically improved, which will translate into decreased effort and increased agility.


3 - Community-based

To draw a parallel, the quality and value of retail products are now largely defined by the consumers of those products (ever buy a product on Amazon rated 1 star with 300 reviews?). In many cases, an embrace of your API consumer community can create a similar effect via your API portal. Taking steps to create an internal economy for digital products can further the impact of community governance.

A community of practice can also provide guidance via the portal: how-to documentation, security practices, etc.


4 - Risk-based

One-size-fits-all governance practices are being rejected in favor of a risk-based approach using a sliding scale.

An example might be:

  • High-risk changes (PCI, PHI data usage) - gated pre-release inspections
  • Mid-risk changes (PII data usage, API portal taxonomy impacts) - just-in-time community of practice guidance
  • Low-risk changes (anything else) - post-change measurement

Obviously, team leader accountability & trust play a crucial role in success.


Wrapping Up

To be clear, I am not at all suggesting that there is no place for traditional governance practices. I am saying that unless you are dealing with very high levels of risk (e.g. space travel) or certain legal / compliance contexts you should be transforming your technology governance practices from an impediment to a business decision amplification engine.


Check out part 2 - Driving Business Value through API Governance



Pete Clare
API & Digital Transformation Strategist