Governance is something of a dirty word. It often generates a visceral reaction in people, conjuring up images of red tape, bureaucracy and time-consuming audits. These are seen as roadblocks to progress, innovation and adoption of new ways of working. This is especially true when we are looking to accelerate the rate of change or delivery speed, such as commonly occurs when adopting DevOps or Agile practices.

Below, I will discuss why we have governance, how it gets applied, and some immediate approaches you can look at to help change your ways of working.

Purpose

Let’s start with the purpose of governance. Governance practices intend to manage risk. I sometimes hear “This doesn’t apply to me. I’m in a small start-up,” but all organizations, whatever their size, need to manage risk. In one form or another, we are all subjected to governance. In larger organizations, we have added complexity to deal with in creating and managing risk.

It is also true that heavily regulated industries like finance and healthcare have additional external regulatory concerns to take into account. Whatever size of organization you are in, there is still a need to consider governing different risks, such as security and operational.

A common way to talk about collective risk management practices is Governance, Risk, and Compliance (GRC):

  • Governance: Cost-effectively govern the organization’s risk landscape
  • Risk: Identifying and mitigating risks
  • Compliance: Documenting and reporting on how we address risk

This is critical. In recent years, security breaches that have cost companies millions and millions of dollars can be traced to poor governance practices.

Great! So governance has a purpose! Maybe it isn’t all bad…

Application

Although governance is needed, there is a balance to be struck. Too much and everything grinds to a halt, and too little, and it could cost you considerable amounts of money.

When we map the flow of value through an organization with value stream mapping, we also look at mapping dependencies. Often these dependencies are to external groups that perform a governance function to support the value stream. For example, to release a new product, I may need to get:

  • approval from legal for the terms and conditions
  • security to validate my changes to the system
  • architecture to validate my technology choices

Traditionally, we can consider these activities as governing the software delivery process and indeed, they all play a role in managing risk. Problems occur because the team delivering the value stream (working on the product) has to ensure they check in with each of these areas and then wait for a response.

Often the areas they are checking in with have no idea of the context of the team. At best, this results in more back-and-forth as each group tries to understand the other and, overall, more frustration.

Two of the biggest problems we see are:

  • Using a ticketing system to manage communication between the delivery team and the governing body
  • Having committees whose gauntlet you need to run every time you want to make a change or try something new

Both of these are a surefire way to kill your delivery team’s flow, usually at the price of adding little or no value. Indeed, they rarely result in improving safety, which is, after all, our goal.

So consider burning your ticketing system down and doing what I call Kill The Committee (replacing it with a more collaborative approach). Both have their place but require a long hard look when examining your value streams.

How can we find a balance between speed and safety, satisfying the need for governance while allowing teams to continue to make more frequent changes?

Creating visibility

The most significant factor we’ve seen in helping organizations overcome this hurdle is to automate governance into the delivery pipeline. By incorporating governance checks into the platform responsible for running the pipelines, we can check our controls with every change. However, the lack of communication between different areas often gets in the way of making this happen.

We have found building a roadmap for the automation of governance practices helps create the necessary clarity. Having this roadmap is valuable for several reasons:

  • It allows us to show progress toward simplifying our governance practices
  • It helps guide you as to whether you are going in the right direction
  • It creates visibility into what we will be looking to automate

We go through a generative process in creating the roadmap, creating more value for customers in the process. Xodiac’s approach to creating powerful, dynamic roadmaps takes a risk-based approach to prioritize activities. A roadmap is not a static object.

It is a generative tool we can use to create discussion and, ultimately, alignment across those responsible for governance and those responsible for delivery. By creating conversation around the purpose of the controls and how they are to be satisfied, we create a common understanding of what needs to happen to ensure safety in our pipelines.

Another tool we use to clarify conversation across different areas is packaging the controls into an easy-to-remember mnemonic. I use the acronym TACO for this, standing for Traceability, Access, Compliance, and Operations. This can become a useful reminder to teams to check they’ve taken care of all the necessary controls.

These actions will help alleviate some of the immediate pain as you look to accelerate your delivery practices. To make further progress, look at realigning your governance teams to your delivery teams as an effective way of moving forward. Value Stream Mapping can be useful in identifying how this is best accomplished.

Wrapping up

Understanding the purpose of governance, where it comes from and how to manage it effectively is critical to increasing the flow of value in your organization. Whether you are looking to provide higher quality service to constituents or ensure that your core banking system’s latest version is secure, understanding governance is vital.

Xodiac’s road mapping and metrics practices represent the first steps of Xodiac’s 12-step Focus, Improve, Thrive program. Together they represent a way to help you drive even more success from your organizational change.
