API governance: It’s time to rethink governance

Truth #1 – Technology governance largely deserves its tarnished reputation

Truth #2 – Governance is needed more than ever and is currently being disrupted

Disruption? This article will start to walk you through how it’s being disrupted and what you need to know.

The governance dilemma

Typical promises made by traditional technology governance practices include risk management, data protection, legal compliance, standards compliance, access management, reusability, etc. In today’s world, it remains hard to argue with this value promise. The challenge is that typical governance practices are inherently at odds with the direction of the business world.

Traditional approaches to governance simply cannot keep up with the rapid evolution being forced on companies by unprecedented pressure from:

• Small companies repeatedly disrupting entire industries by unbundling value streams
• IoT, conversational UIs, & AI fundamentally changing customer expectations and corporate customer interaction models
• Consumers holding incredible power over brands & companies

As companies scramble to remain relevant digital transformation has become essential, the lines between business and IT are vanishing, and APIs are now the primary means of leveraging productized business capabilities. This movement is one of the drivers behind technology governance disruption.

New governance challenges

Today’s business challenges continue to lead us toward more, smaller, cross-functional and largely autonomous teams… each focused on independent delivery and innovation. Add to this the adoption of cloud (platforms & infrastructure), APIs, & continuous delivery tooling and a few realities emerge:

• Pervasive & gated governance processes cost far more in business reaction time than the value they typically deliver
• Changes come from more places within the business than ever before
• Changes are delivered at a dramatically faster pace

The result… the risks of irrelevancy & disruption frequently lead businesses to abandon governance in favor of pace. However, the risks associated with ungoverned change are amplified significantly by the increase in internal change agents and speed.

Where does this leave us?

Governance redefined

Today’s emerging governance practices are based on a different set of fundamentals:

Let’s take a closer look at a few key distinctions:

1. Value & Transparency Driven: Transparency is the cornerstone of the new governance paradigm. As business capabilities are digitized and exposed via APIs, the API Gateway becomes a massive enabler for “free”, consistent and credible performance data collection.
   • What are the business performance measures for this API?
   • Who uses this digital product and how?
   • How well is the product performing against expectations?
   • What is the consumption trend?
   • How is our sensitive data being consumed and by who?
   • In many ways, the emerging governance paradigm is simply another manifestation of the build–measure–learn cycle described by the Lean Startup Method.
2. Data-centric: The movement towards API gateway-based integration and microservice architectures dramatically reduces the number of pathways available for sensitive data to flow across systems and in and out of organizations. This trend has the potential to create remarkable transparency around how sensitive data flows and is consumed thereby reducing risk as well as the effort associated with data governance. Closer oversight may still be needed in certain business contexts but transparency will be dramatically improved which will translate into decreased effort and increased agility.
3. Community-based: To draw a parallel, the quality and value of retail products are now largely defined by the consumers of those products (ever buy a product on Amazon rated 1 star with 300 reviews?). In many cases, an embrace of your API consumer community can create a similar effect via your API portal. Taking steps to create an internal economy for digital products can further the impact of community governance. Community of practice… guidance via portal how to, security etc.
4. Risk-based: One size fits all governance practices are being rejected in favor of a risk-based approach using a sliding scale. An example might be:
   • High-risk changes (PCI, PHI Data usage) – gated pre-release inspections
   • Mid-risk (PII data usage, API portal taxonomy impacts) – just-in-time community of practice guidance
   • Low-risk (Anything else) – post-change measurement
   • Obviously, team leader accountability & trust plays a crucial role in success.

Wrapping up

To be clear, I am not at all suggesting that there is no place for traditional governance practices. I am saying that unless you are dealing with very high levels of risk (e.g. space travel) or certain legal / compliance contexts you should be transforming your technology governance practices from an impediment to a business decision amplification engine.

Learn more about how to build APIs for consumers, not systems.