But that doesn't mean that there aren't opportunities, and perhaps they are the opportunities that we'd choose, but I believe there's an option here for some companies to turn a the crisis into an opportunity to reexamine what they're doing and look for new opportunities. I think the organizations that are willing to work and take risks now, will be the ones gaining benefits down the road.

To help stimulate a discussion (if not the economy), it's worth calling out a few ways in which organizations can manage (or even reduce) IT costs while retaining (or even increasing) functionality.

One of the first ways is to make sure you're working more closely with the business--when it comes to everything from application development to maintenance to governance. In fact, you can start by stopping--it's a good time to clear the decks and realign priorities and value to the new economic landscape. Start by working more closely with business leaders, sharing the projects you currently have, and their priorities, and then work with business leaders to determine which ones are most critical.

One potentially practical tip for stepping back and savings some resources or money might be in temporarily (depending on business requirements) agreeing to reduce services levels, for example, on select systems or applications. Perhaps an organization could reduce service levels by increasing the amount of time the help desk has to respond to requests (say from 2 hours to 4 hours) or lengthening the amount of time IT has after a disaster to get systems (or selected systems) back on line.

Of course, any changes like these have to be a joint decision with the business. Nevertheless, it's a good idea for all IT groups to take a step back and make look for opportunities to save or cut back on resources and spending where they can--as long as those cuts or savings are aligned with business needs.

According to its press release, as a result of the current global economic crisis and its impact on the region, IDC has lowered its growth rate forecast for the APEJ IT services market for 2009 to a 'post-crisis' forecast of 9.6% from the previous forecast of 11.2%.

"The impact of the global economic crisis on the services market has to be viewed from a number of perspectives and these are changing constantly," said Philip Carter, Associate Research Director for IDC Asia/Pacific Services research. "The recent Satyam saga is a very good example. The implication in terms of IT governance for clients dealing with services vendors, the offshore players in particular, highlights how clients have to maintain a constant balance between cost and value."

One of the results of all this will be a focus on getting back to the basics. According to the report:

"With the global recession hanging over economies in Asia, IDC expects overall IT services growth in the region to slow down, forcing organizations to move back to basics with an increased focus on cost management and less so on business transformation projects. However, the Satyam scandal has shown that low cost delivery of services needs to be complemented by impeccable corporate governance and financial transparency and this is the balance that customers will be assessing intensely in the challenging year ahead."

The end result? An increased focus on governance for 2009 and perhaps a realization that good governance and corporate transparency can help organizations weather difficult economic times.

"What decisions are made, who makes them, and how, are the essence of Governance."

And now that the economy is significantly tougher than it's been in recent memory, most corporate decisions are more critical than they've ever been. To help organizations make better decisions, Romero has come up with a couple rules for rational decision making:

- First, be clear on the objective.
- Second, be sure you can measure the result of your decision.

Of course, in his blog, he goes into the details for each point. Suffice to say that if you can't answer either one appropriately, you're not going to have a governable solution!

In fact, you have to like his opening paragraph--

"Why is it that when we hear the word compliance we tense up anticipating that we've done or are about to do something wrong? Perhaps it's the widespread misperception of the role that compliance plays in the organization. Or maybe it's because we've experienced challenging or even unsuccessful attempts at enforcing compliance at various levels in the company."

In my experience, compliance does make people tense up--it make both IT and business people cringe a little. Often times talking about compliance is like someone running their fingernails down a chalkboard--it's jarring, and instantly your mind turns to other things you would like to be doing, or other places you'd like to be.

But Patel's point in the article isn't just that compliance is unpleasant--it's that compliance may actually be easier than you think. From his perspective, if done right, there's no need to actually tense up after hearing the word compliance. No need to protect your ears from the chalkboard sound.

Instead, he argues, a SOA infrastructure can actually be the enabling connection between IT and business:

"Successful organizations will tell you that the speed and efficiency of implementing and enforcing compliance is directly proportional to the health of their IT infrastructure. Ideally, a standards-based service oriented architecture (SOA) can be the bridge that enables IT to meet business goals. In this case, the goal is compliance.

With SOA as the foundation, a company can move from a weak IT infrastructure that doesn't support business goals to an organization that has a more flexible architecture that ensures adherence to regulations and policies required by both internal and external forces."

Okay--so that doesn't necessarily mean that SOA (or compliance) is easy--but he does make a good point that when an organization has a strategy plan that encompasses SOA and compliance, they can work synergistically to enable each other. The end result? A far better connection between business and IT, and corporate goals that are being met, instead of being ignored.

"By driving compliance and governance across lines of business through an SOA, companies can ensure greater consistency and reuse of best practices. These capabilities become increasingly more important as the SOA evolves and new policies are introduced.

Ensuring a successful governance solution requires analysis, tracking, and improvement of enterprise policies and architecture as a company's initiatives change and evolve. A policy-based approach to SOA governance will help establish strong auditing and conformance mechanisms that limit corporate liabilities, ensure business continuity, and reduce integration costs and complexities."

That's why CA's new version of its GRC Manager, CA GRC Manager 2.0 is a nice option for companies concerned about risk management.

The product seeks to increase business insight into risk management by providing a framework for facilitating risk identification, assessment and mitigation.

One of the problems with risk management, governance, and compliance has been a tendency for organizations to address them individually--risks or compliance objectives in one area don't necessarily translate or carry over into others. What was lacking was a holistic platform for more consistent and centralized risk management.

To help organizations make that transition, CA's GRC Manager 2.0 includes a common risk management framework that helps provide a consistent (there's that word again!) approach to risk identification, risk assessment, and risk metrics. While the risk may be different across an organization, it's important to have a baseline foundation that can help tie it all together.

I think this is a good example of the types of broader, more business-focused risk management and compliance products that we'll be seeing more of over the next few years.

While Metastorm as has been a leader in the BPM area for years, one of the things that I think they're doing right, and one of the things that seems to have contributed to their strong results is the powerful combination of BPM and enterprise architecture. BPM by itself is important and good. But when combined into a broader context with enterprise architecture, organizations can leverage not only process improvements but overall business improvement, through a unified enterprise model that can help disparate parts of an organization collaborate and innovate in ways that would otherwise be too difficult.

Few would argue that there are basic governance issues when it comes to posting or information sharing on social media sites. But what about the other side of the equation--how should organizations moving into Web 2.0 and social media institute IT governance--or even should they?

From Andre Yee's perspective the answer is was no--at least not from an IT perspective. Phil Wainewright took the position that when it comes to social media, IT interprets 'governance' as 'prevention' and believes that most IT organizations aren't equipped to provide the type of dynamic and supportive governance that social media require.

While I understand Phil's point, I disagree. While IT governance for social media may require a different approach, today's IT organizations (and governance vendors!) should be able to provide Web 2.0-oriented governance solutions that support overall business governance concerns without completely killing social media initiatives. Social media/Web 2.0 are all just different avenues, approaches and processes for communication, feedback and business opportunities. That's why I think the question is valid, and that IT organizations at least need to be thinking about it and perhaps creating a Web 2.0 governance or social media governance strategy.

As I've noted in my previous column, there are many ways to address governance concerns--from manual governance processes to governance-specific solutions. A product like BP Logix Workflow Director falls in the middle (or, okay, perhaps on the side). It doesn't directly address governance per say, but at the same time, organizations using it to automate processes can build in the rules, validation and process automation that will contribute toward an organization managing its processes better and more consistently. In this scenario, better governance is basically a byproduct of good process automation.

BP-Logix is a web-based solution that enables organizations to manage, automate, track, audit and report on critical business process. The product includes a combination of functionally, including: workflow, electronic forms, document management, collaboration and integration. The product also includes a built-in business rules capability that makes definition and on-going management dynamic and manageable.

While the product could be considered "BPM-lite" it's actually a fairly sophisticated solution for a wide range of basic process automation and management requirements. While organizations with heavy integration requirements will probably do better with a different solution, BP Logix can provide a practical solution for many automation, workflow, e-forms, reporting (and compliance/governance!), and document management requirements.

I like governance products--but I also really like products like BP Logix, which can solve real business process or automation problems and deliver real value-add, while also delivering the additional benefit of better management, better reporting and management and feed into a compliance/governance strategy.

But it's important to point out that that sometimes good governance is just like the power to go home that Dorothy is chasing after in the Wizard of Oz--the magic doesn't come from outside, it comes from within. Good governance should not only come from outside governance products and solutions, it also should come from the organization itself (and well-defined processes, policies, and procedures) as well as from other IT solutions.

More on this, as we'll see, shortly.

Compuware Changepoint 2009 is an IT portfolio management solution that allows organizations to have greater visibility into all the work of IT. Changepoint 2009 provides advanced financial and resource management capabilities, as well as functionality to help drive user adoption. Organizations should use Changepoint for both financial planning (for tracking and understanding the value of IT investments) as well as for improving resource management (for example, allowing organizations to do "what-if" scenarios"). When used correctly, Changepoint allows organizations to take a business-centric view of their IT organization, resources, and assets, and match them more effectively and efficiently with ever-changing business needs.

Changepoint 2009 adds new functionality in three key areas: financial management, resource management, and usability. These changes reflect the new economic climate that enterprises find themselves in today, enabling IT managers to improve portfolio management, identify priorities, and deliver on business and IT goals with tightened budgets and waning resources. By adding functionality in investment planning, resource management, and funding allocation, Compuware provides an even stronger solution that can help customers develop mature financial discipline, a necessity for today's IT department.

Given today's economy, this type of portfolio management product can be an important part of the IT/business toolbox. Offering IT staff better ways to manage their annual planning cycles, funding allocation, and investment decision making processes is a requirement in the face of the new economy, and Changepoint customers will find themselves at an advantage. The flexibility of the Compuware Changepoint platform to be implemented internally or hosted off-site is another key benefit for both large and small companies.

While this is good, it also points out that in many cases, SOA is still about technology (another point that Anne Thomas Manes was making a few weeks ago in her "SOA is Dead" viewpoint). When bits come to bytes, developers have to be in there coding SOA services and managing SOA interactions. Organizations can commit to the higher-level benefits and overall vision of SOA, but without solid developer support, SOA projects will linger, take longer than expected, or not deliver the benefits expected.

However, I am a little concerned about Software AG's overall SOA approach and market presence. While Software AG has compelling technologies and a rich experience when it comes to SOA, it doesn't seem to be able to consistently translate this experience into expanded market presence as much as it should. Perhaps this partly because SOA and SOA governance remains an area that requires continued education. From that perspective, Software AG continues to deliver the goods--a range of SOA-oriented education and best practices materials that help organizations understand how to leverage, manage, and profit from a transition to SOA. Its CentraSite Community is certainly asset for both Software AG as well as organizations pursuing SOA and SOA Governance. And while a single SOALink Cookbook isn't going to really move the needle much in terms of awareness or market presence, it's another positive step for helping the SOA community.

However, super-sharp analyst Tony Baer, in an article for Ovum's Straight Talk service, has a question:

"Although not covered by existing SOA management tooling, the practice of portfolio management for software projects is already addressed by project or product portfolio management tools. The question is, is SOA such a special case that it demands its own governance silo?"

Tony has a good question--do we really need a SOA special case here? In short, my response is still what it was when I wrote the original blog. In other words, "yes." But let's look a little closer at Tony's perspective.

Project Portfolio Management (PPM) products were designed to help IT managers manage IT in a way that the CFO and business managers could understand--what's the investment in certain projects, what's the payoff, etc. By treating IT projects in a similar manner to financial investments, business and IT leaders are able to make rational and informed decisions about existing and new IT investments.

One of the problems, as Tony points out, is that the PPM systems require a huge amount of data, on an on-going basis, to provide the information necessary to make those informed business decisions. In effect, PPM's comprehensive approach to the problem is both a positive (when done right and filled with the right information, it can help organizations make the right decisions) and a negative (without complete information, decisions will suffer, and the overhead required for the care and feeding of the PPM system can become more of a waste of effort than a true value add).

That's where the opening for SOA-focused portfolio management, like SOA Software's Portfolio Manager come in. Portfolio Manager is designed to do a similar thing, but just for the area of SOA and SOA services.

From Tony's perspective, this is reasonable, but not optimal:

"SOA Software claims that its solution is a much simpler approach for managing service portfolios. We believe that in the short run it offers a pragmatic option for the select group of IT organizations whose SOA initiatives have hit critical mass. However, organizations should use it as a bridge strategy only.

In the long run, service portfolio management is just a workaround that, if left standing, would create an additional governance silo. As SOA should be a means not an end, it cannot survive in the long run as an island of automation."

Any he's right. For most organizations, if they've chosen to implemented Portfolio Management, SOA portfolio management should be a subset of the organization's overall portfolio management. In effect it's like saying that SOA governance and management should be separate from IT governance and overall IT management systems. Of course they shouldn't be. But sometimes they are--due to the developmental stage an organization is at, or due to a specific need to manage or address specific technical (or process) capabilities that aren't yet addressed in a broader, more global product, it can be a wise move to invest in more focused, specific solutions.

That's why I feel that SOA Software's Portfolio Manager product is the right product, at the right time, for SOA. In general, we're not there yet with traditional PPM products (or even management products). SOA is still a specialized case in so many ways, that it makes sense (at least for now) for organizations to reap the benefits that a targeted approach like this can deliver, as long as they have an eye on a longer-term strategy where such capabilities are eventually rolled into a broader view.

"With power comes responsibility. The promise of Service Oriented Architecture (SOA) offers significant opportunity for service reuse and the realization of a fully integrated enterprise. But left unchecked, the flexibility enabled by an SOA will result in a Wild Wild West of enterprise IT. To properly harness the power of SOA while delivering value for the enterprise, certain controls are essential. Incorporating service discovery, service security, service management, and policy governance in a ubiquitous and transparent framework is essential to the success of any enterprise SOA deployment."

One of the key points that Lawlor makes is that good SOA requires more than just a SOA infrastructure:

"Effective SOAs employ service discovery, service governance, service security, and service management in proper proportions."

In the piece, Lawlor goes on to detail the different aspects of a SOA architecture, including the Publish-Find-Bind notion that underlies the loose coupling of services and allows services to be coupled from providers. Of course, managing that effectively requires additional layers of control (hence the importance of the management and governance aspects).

Lawlor goes on to discuss aspects of "Publish-Time" (or change time) governance, which helps manage the services as they're published (logically) to ensure adequate quality and conformance to standards.

Of course, once a service is published and running, there's a whole range of run-time governance or management aspects to take care of, including security, management, and runtime governance enforcement.

It's a great article to dig into.

Here's a bit from their press release:

"Portfolio Manager(tm) is an SOA portfolio management product that helps customers better align IT investments with business initiatives and become more adaptable to their changing requirements. It helps customers identify candidate services and build an SOA roadmap through SOA Modeling (i.e. top-down analysis), Asset Identification (i.e., bottom-up application inventory), and SOA Roadmap Management (i.e., service identification, prioritization and allocation) processes. To achieve these goals Portfolio Manager functions as part of SOA Software's unified SOA Governance automation suite."

According to the press the release, the product is available now and starts at $50k. Of course, like many governance products it's not cheap. But the when applied to a reasonable-sized SOA project it's a reasonable investment--especially when it comes to increasing the effectiveness and potential ROI.

The intent behind the tool is to provide a framework for organizations to maximize their SOA investments, mainly through better planning and priority processes. Once an organization moves beyond pilot projects or limited deployments into a broader SOA program, defining what services are needed when, and identifying what the services need to consist of, is crucial. SOA Software's Portfolio Manager provides a way for organizations to understand the relationships between services and prioritize their development based on business needs.

Based on what I've seen, SOA Software's Portfolio Manager is a solid step in the right direction for SOA governance. While not for every organization, the product has enough compelling attributes to make it worthwhile for larger organizations committed to SOA to evaluate.

If you listen to some people and blogs, you get a lot of marketing hype about SOA without a lot of demonstrable results. You get a conclusion that SOA is dead.

And while good likes like SOA aren't easy, and the results generally don't just fall into your lap, I think there's more here than simply declaring SOA dead and moving on to the next big thing. From the organizations I've talked with, SOA is still alive and well, and doing quite nicely, thank you.

Perhaps you've had a different experience, though. Either way, this week's Webinar on SOA Infrastructure for Any Economic Climate is a great place to explore these issues and come hear how (or if!) other organizations are having any luck using SOA during these difficult economic times.

Now that every IT group is pinching pennies and rethinking their infrastructure needs, come find out if it's time to throw SOA out, time to hold steady with your SOA plans, or (perhaps) time to invest even more. What's the responsible way to build a SOA infrastructure given the level of business uncertainty today? Join me, along with Marianne Hedin, Ph.D., Research Manager, Worldwide Services and Services-Oriented Architecture: The Services Opportunity at IDC and Marie Wieck, Worldwide Service Product Leader for SOA and Middleware Services at IBM to learn more on this week's webinar. See you there.