API Governance: It’s Time to Rethink Governance
Truth #1 – Technology governance largely deserves its tarnished reputation
Truth #2 – Governance is needed more than ever and is currently being disrupted
Disruption? This article will start to walk you through how it's being disrupted and what you need to know.
The Governance Dilemma
Typical promises made by traditional technology governance practices include risk management, data protection, legal compliance, standards compliance, access management, reusability, etc. In today’s world, it remains hard to argue with this value promise. The challenge is that typical governance practices are inherently at odds with the direction of the business world.
Traditional approaches to governance simply cannot keep up with the rapid evolution being forced on companies by unprecedented pressure from:
- Small companies repeatedly disrupting entire industries by unbundling value streams
- IoT, conversational UIs, & AI fundamentally changing customer expectations and corporate customer interaction models
- Consumers holding incredible power over brands & companies
As companies scramble to remain relevant, digital transformation has become essential, the lines between business and IT are vanishing, and APIs are now the primary means of leveraging productized business capabilities. This movement is one of the drivers behind technology governance disruption.
New Governance Challenges
Today’s business challenges continue to lead us toward more, smaller, cross-functional and largely autonomous teams… each focused on independent delivery and innovation. Add to this the adoption of cloud (platforms & infrastructure), APIs, & continuous delivery tooling and a few realities emerge:
- Pervasive & gated governance processes cost far more in business reaction time than the value they typically deliver
- Changes come from more places within the business than ever before
- Changes are delivered at a dramatically faster pace
The result… the risks of irrelevancy & disruption frequently lead businesses to abandon governance in favor of pace. However, the risks associated with ungoverned change are amplified significantly by the increase in internal change agents and speed.
Where does this leave us?
Today’s emerging governance practices are based on a different set of fundamentals. Let’s take a closer look at a few key distinctions:
1 – Value & Transparency Driven
Transparency is the cornerstone of the new governance paradigm. As business capabilities are digitized and exposed via APIs, the API Gateway becomes a massive enabler for “free”, consistent and credible performance data collection.
- What are the business performance measures for this API?
- Who uses this digital product and how?
- How well is the product performing against expectations?
- What is the consumption trend?
- How is our sensitive data being consumed and by whom?
In many ways, the emerging governance paradigm is simply another manifestation of the build – measure – learn cycle described by the Lean Startup Method.
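As an added illustration (not code from the article), the following script shows how the questions above can be answered directly from gateway access logs. It assumes, as a constructed example, that the gateway emits one JSON object per request with the fields shown, and that an API catalog tags each route with the classes of sensitive data it exposes; the log lines, the catalog and the function names are all assumptions made here, not anything the article describes.

```python
"""Added example: answering API governance questions from gateway access logs.

Assumptions (not from the article): the gateway writes one JSON object per
request with the fields used below, and an API catalog records which classes
of sensitive data each route exposes. Both are constructed inline here.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed catalog (assumption): route -> sensitive data classes it returns.
API_CATALOG = {
    "/v1/payments": {"PCI"},
    "/v1/patients": {"PHI", "PII"},
    "/v1/catalog": set(),
}

# Constructed gateway log, one JSON object per request. Sample data, not real traffic.
GATEWAY_LOG = """
{"ts":"2024-03-01T10:00:01Z","route":"/v1/catalog","consumer":"mobile-app","status":200,"latency_ms":45}
{"ts":"2024-03-01T10:05:00Z","route":"/v1/payments","consumer":"checkout-svc","status":200,"latency_ms":120}
{"ts":"2024-03-01T11:00:00Z","route":"/v1/patients","consumer":"care-portal","status":200,"latency_ms":80}
{"ts":"2024-03-02T09:00:00Z","route":"/v1/catalog","consumer":"mobile-app","status":200,"latency_ms":50}
{"ts":"2024-03-02T09:30:00Z","route":"/v1/catalog","consumer":"partner-x","status":200,"latency_ms":60}
{"ts":"2024-03-02T10:00:00Z","route":"/v1/payments","consumer":"checkout-svc","status":503,"latency_ms":900}
{"ts":"2024-03-02T10:01:00Z","route":"/v1/patients","consumer":"analytics-job","status":403,"latency_ms":5}
{"ts":"2024-03-02T12:00:00Z","route":"/v1/legacy-export","consumer":"analytics-job","status":200,"latency_ms":300}
{"ts":"2024-03-03T08:00:00Z","route":"/v1/catalog","consumer":"mobile-app","status":200,"latency_ms":40}
{"ts":"2024-03-03T08:05:00Z","route":"/v1/catalog","consumer":"partner-x","status":200,"latency_ms":55}
"""


def parse_log(text):
    """Parse JSON-per-line gateway records; timestamps become aware datetimes."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def usage_report(records, catalog):
    """Per route: who calls it, how much, how well it performs, and what it exposes."""
    by_route = defaultdict(list)
    for r in records:
        by_route[r["route"]].append(r)
    report = {}
    for route, recs in by_route.items():
        latencies = sorted(r["latency_ms"] for r in recs)
        p95 = latencies[min(len(latencies) - 1, int(0.95 * len(latencies)))]
        daily = Counter(r["ts"].date().isoformat() for r in recs)
        report[route] = {
            "calls": len(recs),
            "consumers": dict(Counter(r["consumer"] for r in recs)),
            "error_rate": sum(1 for r in recs if r["status"] >= 500) / len(recs),
            "p95_latency_ms": p95,
            "daily_calls": dict(sorted(daily.items())),
            "sensitive_data": sorted(catalog.get(route, set())),
        }
    return report


def consumption_trend(report, route):
    """Change in daily call volume between the first and last day seen (positive = growing)."""
    daily = report[route]["daily_calls"]
    days = list(daily)
    return daily[days[-1]] - daily[days[0]]


def sensitive_access(records, catalog):
    """Which consumers actually received sensitive data, and which classes.

    Only responses below 400 are counted: a 403 means the gateway refused
    the request, so no sensitive data left the system.
    """
    seen = defaultdict(set)
    for r in records:
        classes = catalog.get(r["route"], set())
        if classes and r["status"] < 400:
            seen[r["consumer"]].update(classes)
    return {consumer: sorted(classes) for consumer, classes in seen.items()}


def unknown_routes(records, catalog):
    """Routes carrying traffic that the catalog does not know about: a governance gap."""
    return sorted({r["route"] for r in records if r["route"] not in catalog})


if __name__ == "__main__":
    recs = parse_log(GATEWAY_LOG)
    rep = usage_report(recs, API_CATALOG)
    for route, stats in sorted(rep.items()):
        print(route, stats, "trend:", consumption_trend(rep, route))
    print("sensitive access:", sensitive_access(recs, API_CATALOG))
    print("uncatalogued routes:", unknown_routes(recs, API_CATALOG))
```

The point of `unknown_routes` is the caveat that comes with gateway-based transparency: the data is only "free" for traffic the gateway sees and the catalog describes, so a route that carries traffic but has no data classification is the first thing a governance review should chase.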
2 – Data-centric
The movement toward API gateway-based integration and microservice architectures dramatically reduces the number of pathways through which sensitive data can flow across systems and in and out of the organization. That concentration creates remarkable transparency around how sensitive data flows and is consumed, which reduces both risk and the effort of data governance. The benefit depends on the gateway actually being the only path: traffic that bypasses it (direct service-to-service calls, legacy integrations, bulk exports) is invisible to this model, so part of the governance job is confirming that every route to sensitive data is catalogued and behind the gateway. Closer oversight may still be needed in certain business contexts, but transparency will be dramatically improved, which translates into decreased effort and increased agility.
3 – Community-based
To draw a parallel, the quality and value of retail products are now largely defined by the consumers of those products (ever buy a product on Amazon rated 1 star with 300 reviews?). In many cases, an embrace of your API consumer community can create a similar effect via your API portal. Taking steps to create an internal economy for digital products can further the impact of community governance.
A community of practice can carry much of this load: how-to guidance, security guidance and similar material, published through the portal where consumers already look.
4 – Risk-based
One-size-fits-all governance practices are being rejected in favor of a risk-based approach using a sliding scale.
An example might be:
- High-risk changes (PCI, PHI data usage) – gated pre-release inspections
- Mid-risk changes (PII data usage, API portal taxonomy impacts) – just-in-time community of practice guidance
- Low-risk changes (anything else) – post-change measurement
Obviously, team leader accountability & trust play a crucial role in success.
To be clear, I am not at all suggesting that there is no place for traditional governance practices. I am saying that unless you are dealing with very high levels of risk (e.g. space travel) or certain legal / compliance contexts, you should be transforming your technology governance practices from an impediment into a business decision amplification engine.