Corporate Governance for Software Products

2023 08 01 head

Since good governance is about the processes for making and implementing decisions, then effective governance and accountability structures are vital.

Organizations shall successfully use an agile approach to deliver business change through the investment in programs and projects.

Agile approaches are the most used frameworks to develop successfully digital products.

Our corporate governance processes shall support agile values and development methods.

The four guiding principles to enable successful governance of agile delivery are:

  1. Governance should mirror the Agile manifesto principles, particularly the art of simplicity.
    You shall maximize the work not done.

  2. Agile delivery teams decide on the empirical performance metrics they will use. They shall self-monitor to learn.

  3. Collaboration is an essential change in your mindset.

  4. Independent reviews of agile delivery should focus on the behaviors and practices and not just the processes and documentation.

Agile governance is about defining the fastest route that brings the most value. By focusing on the things that matter, we apply an agile focus on governance and how to manage program and project risks effectively.

Agile works best when processes are clearly defined and transparent to everyone. Good governance for programs and projects, regardless if agile is applied, requires a defined structure, ways of working, processes and systems to operate succinctly. As a result, enabling programmes and projects the ability to scale up and down to adapt quickly to an organization’s changing needs and environment.

2023 08 01 process

TOGAF defines architecture governance as the practice and orientation by which software products architectures are managed and controlled at an enterprise-wide level.

Architecture governance does not operate in isolation, but within a hierarchy of governance structures. The structures can include distinct domains with their own disciplines and processes:

  • Corporate Governance

  • Technology Governance

  • IT Governance

  • Architecture Governance

These domains of governance may exist at multiple geographic levels: the global, regional, and local levels within the overall enterprise.

Corporate governance is thus a broad topic, beyond the scope of an enterprise architecture framework such as the TOGAF framework.

Agile Corporate Governance PMI

Your governance team, which may be called an oversight, audit, or control function, will monitor and guide teams throughout your organization.

The aim is to enable them to succeed by removing or at least reducing any barriers that they may experience, to motivate them to do the right thing for your organization and your customers.

They to ensure that they remain compliant with appropriate legal regulations and guidance.

Governance typically addresses areas such as:

  • The evolution and support of roles and responsibilities to streamline how people work together.

  • Definition of decision rights and decision-making processes to streamline interactions between people.

  • The evolution and support of common procedures and guidelines to ensure the appropriate commonality of activities and artifacts.

  • The evolution and support of common guidance to motivate the efforts of teams across your organization.

  • Promotion of ethics and social responsibility.

  • Effective and timely investment to sustain and extend the organization over the long term.

  • The monitoring of activities to provide insight into their effectiveness.

  • Formation of a governing body that is responsible for guiding governance activities.

  • Definition of exceptions and escalation processes to streamline critical interactions.

  • Creation of a knowledge sharing strategy to grow individuals, teams, and the organization as a whole.

  • The support and monitoring of risk mitigation strategies across your organization.

  • Adoption of a reward and compensation structure to support the attraction and retention of excellent staff.

  • Strategies to share information throughout the organization.

Disciplined Agile promotes a lean approach to governance. Lean governance is the leadership, organizational structures and streamlined processes to enable everyone to work together effectively in sustaining and extending the organization’s ability to produce meaningful value for its customers. There are several reasons why a lean governance strategy is important for your organization’s success. Lean governance strives to ensure that:

Your organization’s investment is spent wisely

Organizations make investments in their people, in their infrastructure, and in their processes to enable them to better serve their customers. From a financial point of view, your goals should be to regularly and consistently create real business value and to provide an appropriate return on investment (ROI). To do this, you must determine how you will execute your strategy by selecting and prioritizing the most valuable initiatives to undertake. You must also monitor these initiatives to ensure that they fulfill their promise, and if not then remediate them appropriately.

Your teams are empowered to carry out their work

An important aspect of lean governance is to ensure that people and teams have the authority to fulfill their responsibilities. Many agile transformations run into trouble when the roles and responsibilities of people are not agreed upon, or when they are not properly supported by senior management. Another important strategy is to empower teams to choose their own way of working (WoW), to self-determine how they will work together, enabling them to tailor their approach to meet the needs of the situation that they face.

People are motivated to work together effectively

There are two aspects to this. First, teams need to work effectively with their stakeholders. Second, teams also need to work effectively with their colleagues. To do this, you must adopt processes and organizational structures that encourage people to collaborate together and to learn from one another.

Risks are monitored and mitigated at appropriate organizational levels

Although addressing risk at the team-level is a good start, it is not sufficient from an organizational point of view. Many small risks that are acceptable individually can add up to a huge risk for your organization. For example, one team using a new technology platform is an experiment. Fifty teams adopting that new platform at the same time is a significant risk if the platform proves to be problematic. Someone must be looking at risks from a portfolio perspective and guide teams accordingly.

Your organizational ecosystem is sound

Your organization isn’t just a collection of teams. It is an ecosystem of teams working together, supported by culture, ways of working, organizational structures, and technologies. All aspects of your ecosystem need to be healthy for your organization to thrive.

Everyone works in an open and collaborative manner

There are several ways that the DA toolkit promotes this.
First, work is performed in an agile manner that is inherently open and collaborative.
Second, all teams should present accurate and timely information to their stakeholders. For example, enterprise architects can make their work available to everyone, as can your portfolio management team, your data management team.
Third, everyone should be motivated to learn more about your organization, its strategy, its values, and how you intend to work together to achieve the outcomes you’ve set out for yourselves.

All of these things will continue to be true in the future

Lean governance balances your short-term and long-term needs. Too many organizations have allowed technical debt to grow in recent years, for the skills of their staff to stagnate, and to continue to tolerate traditional strategies that are well past their prime.

There are two fundamental reasons why individuals should be interested in lean governance:

You are being governed, like it or not

Regardless of the size or your organization, the length of time it has been in operation, or the sectors in which you work, someone is keeping an eye on and guiding your overall efforts.

You deserve to be governed effectively

Sadly, many governance strategies prove to be ineffective in practice due to application of traditional strategies and ways of thinking.


Minimal set of security checks for regular compliance.


Ensure compliance to OWASP Top Ten and best practices.

Penetration Tests

Implement regular penetration tests for all exposed solutions.

CVE Mitigation Process

Have a process to track and mitigate all published common vulnerabilities and exposures CVE alerts relevant to your digital products.

Respect the legal framework of your country and the foreign countries in which your solution is deployed:

  • Customer Protection

  • Customer Data Confidentiality

  • Accessibility

  • Lawful Respect for human beings (misogyny, xenophobia, racism, religious intolerance)

Technical Good Practices

Professional software engineers have a set of non-functional requirements to improve the adequacy of your software products. These requirements shall be part of the architecture of corporate governance.

Management fo used libraries

Libraries have to check for licenses, support organization. Regular checks for security flaws or published attacks must be implemented. A timely mitigation process must be in place

Tracking of potential security risks and timely update process

Potential vulnerabilities should be detected, documented. The mitigation process shall be triggered in accordance with the corporate governance.

Traceability and Logging

All systems shall have adequate traceability and logging features. Logging data shall be archived accordingly with corporate governance and legal constraints.


Auditability is legally mandatory for some systems. An adequate audit solution shall be implemented at corporate level. The architecture trend of distributed systems and services makes an overall solution the sole source of information.


Resilience shall be part of governance to ensure customer satisfaction and survival of the organization.

Communication to Users

Transparent and open communication to end users and stakeholders is a must in modern organizations. The communication approach shall be unified at corporate level.

Interfaces to external systems

Interfaces to external systems shall be logged and audited in full. This approach is mandatory to verify service level agreements. The data is also necessary if external partners initiate legal cases

Input validation

Input validation of all interfaces is a mandatory security and quality requirements. Enterprise data is a high-value asset. Care should be taken to guarantee the long-term quality and usability of strategic data. This information is often used over decades.

Lessons Learnt

Corporate governance requirements are non-functional requirements. They impact the architecture and design of the solution. The selected solutions are often constrained. Highly secure systems cannot, for example, use Node.js due to known flaws in the security area.

Awareness of corporate governance issues and legal consequences are often overlooked and not well-understood in many organizations. Education and awareness campaigns are necessary to increase professionalism [1].

Corporate governance departments have often a coercive approach. They are focused on the legal aspects and seldom understand the societal, commercial and technical facets. Try to reform them.

1. In Switzerland, multiple organizations had to shut down operations in 2021 and 2022 due to blatant security and governance issues. Beware non-compliance can be extremely costly and endanger the survival of your company.