
soa-rm-ra message



Subject: Re: [soa-rm-ra] Comments on the nature of governance


Ken:
  Two things stand out for me (which was one of the reasons I picked  
the term organs of control)
1. Giving specific guidance for the kinds of groups that would offer  
control seems too 'technology-specific' to me. I think something like  
a 'policy originating' entity is more to the core of the matter than  
governance standards setting groups/people. Whatever the shape of  
that organ is, they will need means of recording policy choices,  
promulgating them, enforcing them etc. etc.
2. On the other hand, I think that something needs to be recorded  
about the relationships between the different policy setting  
elements. I think that the concept of provenance is critical to the  
smooth functioning of any governance mechanism. (E.g., I am deciding  
that we shall use SOAP 3.0 because I am the CTO and because deciding  
this kind of technical standard is both within my competence and  
authority.)

Frank

On Aug 21, 2007, at 9:00 PM, Ken Laskey wrote:

> Some comments inline and a suggestion for a simplified diagram.
>
>
>
> Ken
>
> On Aug 15, 2007, at 4:24 PM, Francis McCabe wrote:
>
>> I think that the governance section needs to be more architectural  
>> in nature.
>>
>> I suggest the following outline:
>>
>> 1. A short intro on what governance is:
>>    What is governance, what are the issues, who are the stakeholders.
>>    Why is it important?
>>    What is the relationship to management
>>    How multi-ownership domains affects those pieces and maybe puts
>> natural limits on authority
>       specifically point out differences (at least in our opinion)  
> vs. single standalone system
>>
>> 2. What are the key pieces that need to be put into place:
>>    Structure of explicit rules/constitution, the idea of there  
>> being organs of control.
>       Rather than "organs of control", think in terms of well known  
> entities through which globally applicable governance framework is  
> established and then more locally how use of framework is kept in  
> compliance.  (See more a few lines down on enforcement.)
>
>> What are the levers of those organs (policies, roles, powers,  
>> authorities and responsibilities)
>    Policies for versioning and CM.
>    Monitoring, i.e. you can't govern what you can't measure.
>    Governance standards, e.g. pieces of a framework developed by  
> larger and for which there is wide buy-in (i.e. deriving their just  
> power from the consent of the governed)
>
>>    Measurement infrastructure analytics, policy violations, policy  
>> conflicts
>>    Enforcement infrastructure: policy enforcement points, meta- 
>> policies
>       The only real enforcement mechanism is locally restriction on  
> whether external service can be accessed, e.g. blocking message to  
> a restricted service.  Eventually have accepted (across ownership  
> domains) on principles by which a service can be blocked.   
> Eventually, a representative governance body may be formed to  
> codify such principles/policies but it is unlikely an effective  
> body can be formed before there is an explicit problem for which  
> there is no better response.
>
>>    The inputs to the organs of control
>        More challenging is decisions about processes through which  
> specifics established.
>
>
>> : decisions about Standards and other regulatory influences,  
>> conflicts between participants.
>>    What kind of cross-organizational entities are important in the
>> context of a multi-domain SOA-based system. What kind of entities  
>> exist within an organization.
>    Previous comments touch on these.
>
>>
>> 3. More elaboration on the relationship to management as one of
>> enforcement (and hence implementation of governance) This is where
>> material on policies and contracts as descriptions of governance
>> intentions could link things together nicely.
>    This will be tough to write about architecture and not have a  
> treatise on governance because so little has really been  
> established.  To what extent is a treatise justified and needed?
>
>>
>> 4. The specific features of the relationship between regulatory
>> authorities and any governance structure. Something that draws out  
>> the links between internal authority within the realm and external
>> authority. (e.g., I have to ask you to follow these processes  
>> because of my obligations under SOX).
>>
>> Also, we need to base the model on a diagram. This was my diagram:
>> <Governance Model.png>
>
> ---------------------------------------------------------------------- 
> -------
> Ken Laskey
> MITRE Corporation, M/S H305      phone: 703-983-7934
> 7151 Colshire Drive                         fax:       703-983-1379
> McLean VA 22102-7508
>
>
>
>


