Trust me, I’m a doctor.
Maintaining architecture governance in a world of agile development can seem difficult. Christian Holmboe writes about what we can learn from the management of the COVID-19 pandemic.
Christian has a PhD in Computer Modeling and Pedagogy and has worked as an Enterprise Architect since 2004.
“Trust me, I’m a professional.”
The other day, I had a plumber and an electrician come to my house to install a new dish washer. They both did a good job and made sure that everything was done according to current standards and regulations. I don’t know the details of these regulations, but I trust the professionals to do so. The authorities, the insurance companies and the society at large also trust the professionals to know the applicable rules and to perform their work accordingly. No-one asks. No-one checks. And usually everything works out well.
Of course, you will always have some exceptions of not carrying out work according to best practice- And of course, not all professionals are equally skilled. Sometimes you can be unfortunate and make a mistake. That is part of the tradeoff made when we – at some point in history – settled for a system based on trust in professionals, rather than explicit control and formal verification procedures. “Trust me, I’m a professional.”
This system of trust is the foundation for most practices in our society. In most situations, we settle for trusting that a majority of people will comply with policy or act on common sense. However, this trust is also accompanied by a certain level of control in areas where the consequence of someone – or a lot of people – not following suite is considered too large. We typically expect extra quality assurance mechanisms to be in place for things like aircraft maintenance, bank vault security or operation of heavy-duty equipment.
“Trust me, I’m a citizen.”
Trust based regulations also apply to society at large. There are many rules, regulations, obligations, and general recommendations that apply to our behavior as citizens of society. Most recently, this has been very evident in the handling of the Covid 19 pandemic.
Authorities of different countries have had quite different approaches to how they have managed this. Lock downs, mask mandates, curfews, vaccination schedules, social distancing, surface disinfection, work from home, group size limitations, Olympic events without an audience – the list goes on and on, and we have learned to live with rapid changes in recommendations, policies, regulations, and formal mandates.
Mere recommendations will not be sufficient if you depend on every single citizen to follow all instructions. A legal mandate would be more efficient to prevent infection transfer, but it comes with the cost of enforcement and the risks of reducing public support if the feeling of intrusion gets too strong. Governments have therefore carried out a careful balancing act between making general recommendations or enforcing strict rules.
The key question is what level of compliance we need to ensure sufficient effect from a policy. If a critical mass of a population is expected to operate according to the recommended, mandated or prohibited behavior, that will often be more cost effective than taking the extra measure of implementing rigid control mechanisms to prevent the minority from breaching the guidelines, whether by accident or on purpose. It is about the rule of large numbers, and it is a matter of trust – not in professional workers, but in professional citizens. “Trust me, I’m a citizen.”
“Trust me, I’m an architect.”
So, how does this relate to architecture governance? Similar to the national health authorities being responsible for putting appropriate measures in place to limit unwanted effects of the pandemic, organizations should have an authoritative body responsible for putting in place appropriate measure to ensure that implementation projects, procurement activities, and IT service development move in the desired direction and comply with external regulatory requirements. The head of this body - typically a CTO, a CIO or a Chief Enterprise Architect – have three main types of measures at their disposal: (1) Proactive, (2) active and (3) reactive measures.
- The proactive measures comprises of the rulesets, policies, principles and guidelines that are established to guide the behavior and choices made by the solution architects or decision makers.
- Governing by active measures implies that the responsible body ensure the desired outcome by making decisions, creating roadmaps, and designing solutions itself.
- Lastly, reactive governance is the practice of having an architecture approval board – or several as the case may be – that oversees all solution proposals, procurement plans, and technology choices.
An architecture governance board is as an approval body function and gatekeeper, ensuring that all activities are compliant with the target architecture. Traditionally, architecture governance in many organizations has tended to be unnecessarily heavy on the reactive part. Mature organizations will typically also have the proactive requirements well documented and communicated, but still maintain a set of rigid reactive control mechanisms to oversee architecture work.
I advocate that most organizations would benefit from increased emphasis on proactive measures and that they should base the actual design work as well as the approval and verification on trust. Solution architects are professionals. If it is communicated and understood that it is your responsibility, as an architect, to act according to a certain set of principles, follow some specific guidelines, ensure necessary anchoring, and verify information security compliance for your design - then it should be expected that the majority of solutions in your organization will have the desired quality and contribute to the realization of your target architecture.
This poses two important questions to be answered: Will it be sufficient for the realization of your target architecture that the majority of your solutions are compliant? And is the level of competency and professionalism of your architects sufficient to be trusted?
To best meet the challenges of aligning architecture governance with the buzzwords of modern IT service development (i.e. agile development, autonomous product teams, rapid deployment, and Dev-Ops), my recommendation is to adapt a proactive approach to architecture governance and empower your tech leads and solution architects to take responsibility for their decisions and designs. “Trust me, I’m an architect.”