IT governance has traditionally been clunky and bureaucratic. So, how can we balance innovation with governance in the age of citizen development?
Anyone who’s ever worked in corporate IT knows that governance models can be a dystopian nightmare. A simple process may require filling out multiple forms and tracking down an overseer for a lengthy review. All this red tape can hinder agility and innovation, which are imperative in today’s tech-driven acceleration economy.
Of course, some form of IT control is necessary to drive business accountability and mitigate technological risks. Especially as companies adopt new strategies like citizen development, setting guardrails around new abilities is essential to retain security. Yet, archaic manual checks and unnecessary oversight are a thing of the past. The new governance models must be more streamlined and refined from the ground up.
There is hope for a more utopian approach to governance, according to Jon Scolamiero of Mendix, which offers a low-code development platform. A new governance model should embrace automation for simple checks, reduce unnecessary bureaucracy, and respect the abilities of its users. The net benefit is less wasted energy and more time spent building positive business outcomes.
I recently met with Scolamiero to learn about a more human-friendly governance framework proposed by Mendix. In this article, we consider what it takes to get there.
The Problem With Governance
Large multinational enterprises commonly adopt governance frameworks such as CMMI, ITIL, or COBIT. Yet, such frameworks can cause more harm than good—research shows that traditional IT governance is killing innovation. A recent Gartner survey found that 70% of company standards are not designed to apply to digital business teams.
“The governance model is incredibly important. But governance, as it exists today in IT, is not working. All the major governance frameworks are often decreasing business value and time to market,” said Scolamiero.
He describes the overall goals of IT governance as follows:
- To ensure that IT departments can generate business value
- To keep management in check and accountable for results
- To mitigate the risks of technology
Unfortunately, in practice, these targets often translate into the enforcement of checklists that employees must tediously complete before starting a project. Scolamiero compares this kind of mundane corporate governance to Terry Gilliam’s surrealistic film Brazil, which depicts the incompetent bureaucracy of a soulless government facility. “If you work at a big-name company, that’s a reality, it’s not a joke,” he said.
Such governance requirements are often too heavy and at odds with today’s agile development creed. These old control structures can disable productivity and negatively impact culture. So, how can we advance them?
A Governance Model For The Low-Code Age
As I’ve covered before, the low-code/no-code movement is democratizing software development. Low-code platforms empower knowledge workers to apply their expertise to software application development, enabling those from non-programming disciplines to construct workflows and internal applications.
“Low-code is unlocking software creativity and makers within organizations,” said Scolamiero. “It’s allowing non-traditional technologists, such as business analysts, accountants, UX designers, and writers to create software with human-usable interfaces.”
However, low-code adoption could face difficulties without a change to corporate governance structures. “Without changing the way you do work, you’ll only get so much speed and benefit,” he said. “If you really want them to make their own software, you need to change the governance model that allows them to do that.”
Mendix’s IT governance framework outlines the following four general steps:
- The core mission
- Foundational principles or values
- Organizational and functional governance
- Technical governance
“The model breaks this down and applies it to every IT initiative,” Scolamiero added. For example, he described a company needing to deploy new laptops. IT provisioning would have a common governance model that aligns with those four steps.
Tips for New Governance Models
A quality governance approach should be concise to avoid being overbearing. “Keep it simple, keep it focused, and update/remove anything that isn’t efficient enough or relevant,” reads the guide. And incorporating a governance model in conjunction with a low-code platform offers immediate benefits, such as using built-in Role-Based Access Control to secure development.
In our discussion, we unearthed some other tips for creating and enforcing company standards:
- Shift it left: Engineer the model to enable citizen developers, but provide a safety net. To achieve this, Scolamiero encourages shifting checkboxes left, similar to the shift-left DevOps approach.
- Incorporate automated quality gates: Don’t involve humans when it’s not necessary. A low-code platform can run automated software measurements to ensure quality. If it passes this gate, code can move to production automatically. Only if it gets, say, a 2.5/5 score would the system trigger IT involvement.
- Automate the training process: Citizen developers need to be trained. Before allowing citizen developers to utilize a certain component, a platform could require they first pass a training course. Once passed, it automatically provides full access to the requested toolset.
- Let plebeians change the model: Actual users should be entrusted to refine the governance model as things progress, says Scolamiero. Only by giving power to “boots on the ground” can you avoid the issues of previous authoritative corporate governance structures. “If you let workers edit the governance model, they will naturally make it more efficient.”
- You can’t anticipate all edge cases: The point of governance is to get back to getting work done. Anticipating all edge cases is “a fool’s errand,” said Scolamiero. He advocates for models with simple rules. Plus, if workers are allowed to edit it, they can adjust it when edge cases do arise.
Governance as an Enabler
In this emerging age of low-code and automation, governance must pivot toward being an enabler instead of an inhibitor. After setting rules that make sense, streamlining governance enforcement with automated reviews and gates is one way to avoid the traditional manual process. It also makes sense to proactively measure the cost and value of these initiatives over time.
It remains to be seen if the specific Mendix framework actively aids other organizations. But above all, an important takeaway here is that governance frameworks must treat users with empathy as human beings. Of course, there are certainly downsides to incorporating too much automation in the software development process. (If you think about it, a platform with too much robotic oversight could pose a much more sinister corporate overlord.)
“An important aspect of being a leader is to give up control,” said Scolamiero. “You can be incredibly efficient without losing respect for people.” Mitigate risk, and trust people to do their jobs. By giving them the ability to refine the governance framework along the way, hopefully, we can avoid some of that dystopia.