The challenge: Re-architect those systems into a more flexible whole based on reusable, consistent components in a service-oriented architecture (SOA). The project, which began in 2003 and is continuing, strives for the kind of business value and technical sophistication that wins awards—like the CIO 100.

But with ambition comes risk. SOA’s aspirations of more efficient software development and more agile business execution can’t be fulfilled unless you manage the architecture, the development processes and deployment properly through IT governance practices. "Governance was seen as essential from the beginning," says Bartell. To ensure cooperation and coordination, the three agencies—which operate under a coordinating body called the Federal Financial Institutions Examination Council (FFIEC)—created a written agreement, signed by all the agency heads, which stipulated a single set of governance components. "The governance [document] served us well in helping us all reach common ground on key decisions quickly and keeping the business functions and outcome goals clearly defined throughout," adds Bartell.

The stakes for good SOA governance are much higher than in traditional software development, because SOA links development directly to business operations. Under SOA, software components represent specific business activities ("credit check," for example, or "find customer record") that can be mixed and matched into business processes and workflows. Good SOA governance means thinking through all the implications of such interactivity and creating a process for managing the components. A badly managed software architecture will ultimately translate to a badly managed business in the SOA era. "Governance in SOA is important because we’re codifying business services," notes Judith Hurwitz, president of consultancy Hurwitz & Associates. "It is both a business transformation and an IT transformation." CIOs hoping to succeed with SOA need to put together a plan for governance even before their developers release the first service to the company, because those services will play a crucial role in determining the future course of the most important business processes of the company. Not looking ahead invites a continuation of the complexity and lack of agility that plagues IT-supported business processes today.