Editor’s note: Read David Kelly’s previous two columns on SOA governance here.

In the past few columns I talked about SOA governance, specifically, why we need it and why it’s so hard. In this week’s column I wanted to look a little more closely at what it takes to implement a good SOA governance strategy.

(Note: The structure of this column and portions of its content were influenced by Anne Thomas Manes, Research Director at the Burton Group, as part of an ebizQ Webinar on Discover Your Inner SOA: Automating Governance is the Key. My thanks to her for letting me “re-use” and expound on her points.)

So, what does it take to put an SOA governance strategy in place? According to Anne, there are four main considerations: policies, processes, metrics and your organization’s culture.  Let’s take a closer look at each one of these aspects.

Polices are used to help determine what’s right. For example, polices help define what the right way to build a service is, what granularity is appropriate, what the right way to deploy a service is, how to configure services, and more. Organizations should make sure that policies span the entire lifecycle—encompassing everything from service definition to end-of-lifecycle (such as how and when services should be retired).

While it would take more space than I have here to outline all possible SOA considerations (for a more complete list and additional insights, consider reviewing Anne’s research at Burton Group, www.burtongroup.com), it’s worth noting the types of decisions that organizations have to make in regards to policies.

For example, at the start of the lifecycle you need to determine how to decide which services should be built and when. You also need to define how to classify services. It also doesn’t hurt to articulate who’s going to fund or pay for it. The next step typically deals with services design. Now that you’ve decide to build a service, what technologies and standards should be used? What tools and what interfaces will you select?

Once a service is created, organizations need to consider how they get deployed—what are the requirements for moving services from development to production? What levels of testing are required or appropriate? How are services instrumented for management and security? Organizations need to define SOA governance policies to address all these types of considerations.