Traditional industry ecosystems are changing and restructuring in response to continuous business model disruption. New, non-traditional competitors are leveraging digital technology to power flexible business models to rapidly enter existing markets and disrupt the ecosystem as competitor or partner to existing participants.

To compete in this new world, businesses need to rapidly deliver high quality change to transform their business services and continuously:

• Innovate their business model
• Adapt their business capabilities
• Optimize and transform their business services, and
• Maximize the value of change investments

Digital-native organizations such as Amazon, Google and Netflix are able to deploy releases to production multiple times per day, while many traditional organizations are still deploying a major update once or twice a year, at best. The need for business innovation, translated into rapidly delivering new product and service to market is driving many organizations to look at adopting DevOps and Agile approaches.

The balancing act between innovation and compliance

All businesses, especially those operating in regulated industries, have to balance the need for rapid change with the need to manage and mitigate business risks - reputational, financial, legal, or regulatory. Amongst the risks to be managed is the risk of failure of complex and increasingly business-critical IT system change.

One of the traditional roles of Enterprise Architecture has been to govern solution design to ensure viability and manage the total cost of ownership. However, design of the solution is just one of the many control points that must be addressed; security, business information risk, operational acceptance, vendor/partner management, etc are some of the others.

In many organizations, the distinction between these different control points can become blurred as the governance of these additional control points is layered onto the solution design governance process and its stage gates. This is done to ensure that all control point requirements are satisfied before a solution change can be released into production. To deliver rapid change while ensuring compliance with the business controls framework requires a significant rethink of the design process and controls governance. 

Rethinking governance with architectural decision driven approach

Traditional stage gate and design document-centric governance approaches have been successfully applied to waterfall projects. However, these traditional approaches significantly constrain the pace at which Agile development practices can proceed. This either frustrates the objective to deliver rapid change or leads to abandonment of the governance process. If a business wants to deliver rapid change, and is looking to adopt Agile, then it needs to rethink its approach to governance.

One option is to switch the focus to architectural decisions rather than architectural documents. Traditionally, solution architects craft large design documents, which are taken to some governance body for a design review. These design review sessions typically focus on asking questions about the key architecturally-significant decisions within the design. These key design decisions are aligned to the architectural control points, which the organization considers valuable to manage, i.e. these will reduce risk or cost, or increase compliance, or provide future agility, etc. This list of control points tends to be reasonably consistent over time and therefore, it can be captured as a well-known list of potentially significant decision points.

With an approach driven by architectural decisions, the traditional process is flipped around, and the relevant architectural decisions are identified quickly upfront. This enables the solution architect to prepare just enough documentation to support the rationale behind each key architectural decision as it occurs. These are reviewed without waiting for a scheduled design review forum. Given the smaller scope of an iterative release, there are typically only a small number of architectural decisions per release and with a ‘just enough’ documentation approach, these can be reviewed much more quickly, with minimal impact on the rapidity of Agile delivery. This seemingly subtle change of focus from design document to design decision, and from stage gates to just in-time review, enables businesses to achieve rapid change while still retaining business control framework veracity.

To be successful in the shift to architectural decisions based approach to governance, the focus needs to be within the context of an integrated approach that incorporates organizational change, cultural change, design process change, change in how control points are articulated, change in compliance evidence requirements, and re-purposing of design artefacts (See Figure 1).

• Organizational change is essential to establish local control point SMEs who will work with the Agile teams on a day-to-day basis, building deep knowledge of the Agile team and its solution. They will also help to quickly identify the key decision points for each release, provide decision guidance and verification.
• Cultural change is important to empower the solution architect and developers. Trust them to create good designs as long as their design decisions comply with the relevant control points. Empower the control point SME to undertake individual compliance sign-off as early as appropriate, rather than wait on document reviews at pre-scheduled forums.
• Design process change is necessary to create an Agile native process with ‘shift left’ to enable early and continuous decisions review and verification, without the need for stage gates. The design process should
  • Provide commonality of engagement between the Agile team and each of the control point owners and their SMEs (apps, data, infra, APIs, etc.)
    
  • Be founded on trust and verification
    
  • Be supported by automation within the tools already being used by the Agile team such as Agile activity/backlog management

• Control point articulation standardization is required so that there is a common mechanism for expressing control point requirements that is used by all control point owners. This will ensure that the tasks to achieve and evidence control compliance are expressed in a form that is familiar to an Agile team and that the tasks can be incorporated into the standard work backlog for a release. This common mechanism must also provide the vehicle to deliver compliance accelerators to the Agile team e.g. architecture/design patterns, toolkits, etc.
• Change of requirements for compliance evidence will help ensure that just enough documentation is provided to support the rationale behind each key design decision.
• Design artefact change is essential so that only a minimal set of light-weight artefacts, are maintained, as required by each control point owner e.g. a light weight design artefact when combined with the architectural decision documentation provides enough architecture and design for operational diagnostics and the starting point for the design of the next release. 

To deliver rapid change with DevOps and Agile, while ensuring compliance with the business controls framework, requires an integrated approach to rethink the design process and roll out organizational change, cultural change, and control point governance changes.

Simon Howden,

European Head of Cloud & Enterprise Architecture Consulting, Wipro

Simon works towards rebooting Enterprise Architecture for the digital era as the basis for strategic digital business transformation planning.  He holds experience in developing go-to-market offerings and supporting consulting methodologies and frameworks. He is responsible for building, developing and managing the team of consulting enterprise architects and cloud architects for shaping and delivering consulting assignments for clients.