The trick is to not deploy SOA all at once, because by the time most "big-bang" efforts are completed, the business needs may have changed and much of the implementation will be outdated, says Sandra Rogers, program director for SOA, Web services and integration at research company IDC (a sister company to CIO’s publisher). Instead, create the architecture and deploy specific services in phases, perhaps by focusing on one application domain at a time or choosing projects based on business urgency. "You can build incrementally," says Suzanne Peck, CTO of the District of Columbia. In 1999, Peck began reorganizing 370 legacy systems into nine functional groupings in preparation for a new SOA. The services include both new code and Web-services-based interfaces to legacy code, as well as new composite applications.

But until you develop the underlying architecture, you can’t build anything. "How you’re going to manage version 2 [of your services] and beyond is important to think through up front," says Metzger. "It’s important to understand how volatile a particular business process is."

Any organization implementing an SOA should create a basic architectural model for a manageable piece of the business, and then apply that model opportunistically to individual projects, using them both to test the model and to deploy the SOA in pieces, says ZapThink’s Schmelzer. That architecture includes identifying all of the business processes, the interactions among them, the specific applications and functions (existing and needed) to deploy them, and the flow of business logic and data to execute the business processes. Identifying these pieces lets you understand common functions that can be standardized across all processes, as well as identify the compliance, security and management requirements.

Be prepared to spend up to a year doing the initial business process and architectural analysis, advises TrueCredit’s Metzger. But that extra time spent up front will pay off exponentially, he says. Today, new services at TrueCredit have only a six-week development cycle. At the District of Columbia, some services are delivered in as little as 12 weeks (more complex ones take four to six months).

Challenge 2: Take Governance Seriously

Because SOA is ultimately about creating and managing IT processes in support of business processes, governance is critical. "Development organizations are used to building applications, but now they are assembling parts," says Dennis Gaughan, research director for IT governance at AMR Research. And that development has to be done in a standard way—which can rub developers the wrong way. "SOA takes a lot of the control away [from individual developers], so you get resistance," says John Stubbs, CIO at Sony Pictures Entertainment, the distribution arm of Sony. Sony Pictures’ SOA efforts have resulted in a common service for managing the licensing rights of movies and TV shows across several lines of business (including DVD sales and theatrical releases) affecting 39 business units (including legal and marketing). The IT group is now using the SOA to deploy common Web services for its SAP Financials processes like accounts receivable.