Is the best API governance strategy a boring one?


As a sector-agnostic API management solution, Tyk is used by major banks, cutting edge consumer technology businesses, the automotive industry, theme parks, telcos, travel businesses and more. It means Cofounder and COO James Hirst has seen a wide variety of approaches to governance – and in some cases, a complete absence of governance.

James’ experience has shown that asking a fast-paced business whether APIs are compliant, whether assessments have been done, whether templates are in use and so on – all those phrases associated with governance – is often unwelcome. To fast-moving teams, the idea that governance introduces restriction and normalization can feel like kryptonite. But is this an outdated stereotype? Does governance always become complex and burdensome?

At the recent LEAP 2.0 API Governance Conference, James invited API sector experts to dive into this topic with him. With insights from Sreekanth Cherukuri of Coforge, Inditex’s Bruno Pedro and tech journalist and editor Bill Doerrfeld, the wide-ranging discussion covered:

  • Whether every organization needs to focus on governance from the outset
  • Why governance is a foundational principle as API complexity grows
  • Why teams try to avoid governance processes – and what you can do about it
  • How to understand the return on investment (ROI) of API governance

Should every organization spend its time, energy and resources on governance?

Moving fast and breaking things – shipping the minimum viable proposition – can make all the difference when it comes to beating competitors to market share. It’s why small, fast-paced startups and scaleups often focus all of their attention on delivering at pace and delivering efficiently, pouring their resources into things that move the needle rather than into governance.

At the other end of the spectrum are huge, established banks and healthcare providers, where pressure for good governance is really significant. So, is there a tipping point where governance suddenly becomes important, or is it never safe to ignore it?

It’s something that businesses grapple with as they grow. Many question whether they need governance from the outset, or try to work out which roles they have to set up to cover API governance. One big question is always how much time API governance will take up and what that will cost, because everyone has a day job to do and API governance is often seen as an extra on top of it.

Much depends on the size and maturity of an organization’s adoption of APIs, and on how well the team understands its standard operating procedures for designing, building, securing, governing and controlling those APIs.

API governance cuts across sectors, with common themes in terms of typical objectives, KPIs and measurements, though different organizations will of course have their own priorities. For banking and finance businesses, for example, security, efficiency and compliance are hugely important for open banking, for ensuring real-time data access and for giving customers a centralized view of their accounts. In the retail sector, the focus is on supply chain management, omnichannel initiatives and using APIs to integrate with suppliers, manufacturers and logistics providers. In insurance, security, compliance and interoperability are top of mind, with seamless interaction required between claims management processes and underwriting systems.

Yet despite their differing perspectives, API governance is a crucial investment across all of these sectors. It helps to measure return on investment, reduce total cost of ownership and deliver business agility.

Governing API complexity

As organizations grow, their API portfolios tend to become more complex. Many end up with a disparate API portfolio with different competing styles in use, from API formats to the style in which APIs are designed. Many organizations are also juggling different API management vendors, with different management solutions and gateways in place.

API governance can help to consolidate some of those competing solutions. It can be particularly beneficial for API-first companies. After all, if you’re building APIs with the idea of externalizing them to consumers, they need to be reliable and resilient. Governance achieves those goals – even when shipping things fast is a priority. It’s a foundational principle in terms of delivering APIs that consumers can rely on.

Why do teams avoid API governance?

Implementing API governance doesn’t guarantee that teams will work within the framework. Organizations can spend time, attention and focus on developing really extensive API governance only to find that, a year later, teams are using loopholes and workarounds to ignore it. In the worst-case scenario, governance systems, processes and documents end up becoming shelfware.

You can avoid this happening by keeping governance nimble and ensuring it adheres to four key principles. Governance should be:

  • Easily understandable
  • Easy to follow
  • Easily measurable
  • Easy to report

Do you need all this in place from day one? Not necessarily. You can start small, certainly, but governance should always grow in line with these principles.

Keeping an eye on your key performance indicators (KPIs) helps with this. When you build an API, you look at aspects such as scalability, reliability, performance, high availability, disaster recovery and so on. On the governance side, KPIs are more about how the API performs in a test environment, in load tests and the like – and, of course, how far you can automate your test cases. You won’t necessarily define all of this at once, but it does need regular attention – quarterly, at a minimum.
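As an added illustration (not code from the talk, from Tyk or from any of the speakers) of what “easily measurable” and “easy to report” governance looks like once it is automated, the script below runs three guardrail rules over an OpenAPI document and returns the numbers a governance KPI would track. The rule set, the rule identifiers (SEC-001, SEC-002, STD-001) and the sample specification are assumptions chosen for the example; a real programme would define its own rules.

```python
"""Automated API governance guardrails over an OpenAPI 3 document.

Added example, not from the talk or from Tyk. The rules, their identifiers
and SAMPLE_SPEC below are assumptions made for illustration only.
"""
import re
from collections import Counter
from dataclasses import dataclass

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}
VERSIONED_PATH = re.compile(r"^/v\d+(/|$)")


@dataclass(frozen=True)
class Finding:
    rule: str      # rule identifier, so a report can aggregate per rule
    location: str  # where in the document the rule was violated
    message: str   # plain-language explanation for the team that owns the API


def operations(spec):
    """Yield (METHOD, path, operation) for every operation in the document."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                yield method.upper(), path, op


def check_security_required(spec):
    """SEC-001: every operation must require authentication.

    An operation inherits the document-level `security` unless it sets its own.
    An empty list, or a list containing an empty requirement object ({}), means
    anonymous access is permitted, which this rule rejects.
    """
    default = spec.get("security", [])
    findings = []
    for method, path, op in operations(spec):
        requirements = op.get("security", default)
        if not requirements or any(not req for req in requirements):
            findings.append(Finding("SEC-001", f"{method} {path}",
                                    "operation permits unauthenticated access"))
    return findings


def check_servers_https(spec):
    """SEC-002: every declared server URL must use https."""
    return [Finding("SEC-002", server.get("url", "<missing url>"),
                    "server URL is not https")
            for server in spec.get("servers", [])
            if not server.get("url", "").lower().startswith("https://")]


def check_versioned_paths(spec):
    """STD-001: every path must begin with a version segment such as /v1/."""
    return [Finding("STD-001", path, "path is not versioned")
            for path in spec.get("paths", {})
            if not VERSIONED_PATH.match(path)]


RULES = (check_security_required, check_servers_https, check_versioned_paths)


def run_guardrails(spec):
    """Run every rule and return the combined list of findings."""
    return [finding for rule in RULES for finding in rule(spec)]


def governance_report(spec):
    """Summarise findings as the figures a quarterly governance review would track."""
    findings = run_guardrails(spec)
    unauthenticated = {f.location for f in findings if f.rule == "SEC-001"}
    return {
        "operations": sum(1 for _ in operations(spec)),
        "findings": len(findings),
        "by_rule": dict(Counter(f.rule for f in findings)),
        "unauthenticated_operations": len(unauthenticated),
        "passed": not findings,
    }


# Constructed sample document: two compliant operations, one operation that
# explicitly disables security, one that allows anonymous access via {} on an
# unversioned path, and one plain-http server.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API (constructed example)", "version": "1.2.0"},
    "servers": [{"url": "https://api.example.com"}, {"url": "http://legacy.example.com"}],
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/v1/orders": {
            "get": {"operationId": "listOrders", "responses": {"200": {"description": "ok"}}},
            "post": {"operationId": "createOrder", "responses": {"201": {"description": "created"}}},
        },
        "/v1/orders/{id}": {
            "get": {"operationId": "getOrder", "security": [], "responses": {"200": {"description": "ok"}}},
        },
        "/internal/debug": {
            "get": {"operationId": "debugDump", "security": [{}], "responses": {"200": {"description": "ok"}}},
        },
    },
}

if __name__ == "__main__":
    for finding in run_guardrails(SAMPLE_SPEC):
        print(f"{finding.rule} {finding.location}: {finding.message}")
    print(governance_report(SAMPLE_SPEC))
```

Each rule is a small function that returns findings rather than raising, so the same run serves both purposes the principles above ask for: the list of findings is what a developer needs to follow the rule, and the report dictionary is what a governance review needs to measure and track it over time. Wiring `run_guardrails` into a CI job that fails the build when `passed` is false turns the guardrail into a gate rather than shelfware.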

Governance reviews like this work well as socialized events that engage a wide range of stakeholders – architects, developers, testers and more. They can consider the guardrails that have been defined, how relevant they remain over time and whether improvements are required. It’s a continuous journey, and incorporating feedback from all stakeholders will ensure that governance processes remain relevant over the longer term. By planning ahead in this way, you can add value with governance, embedding it into the right processes within your development lifecycle to ensure its continuing success.

While stakeholder involvement can support the success of API governance, a lack of it can do the opposite. A governance program that is mandated without consultation is a surefire way to push teams into finding workarounds. Engagement and training are important tools for avoiding this and for growing a common understanding of the importance of governance and the value that it delivers. Doing so will ensure people want to follow governance processes, as well as having to. It’s about people governance and communication, not just API governance.

The cost of API governance

Efficiency is everything for modern businesses, so is governance an overhead that people should be examining? Is it possible to streamline governance to increase productivity?

In many organizations, governance is still at an immature level, making it hard to understand the true ROI that robust governance can deliver. That said, governance can do much to drive a better ROI overall, rather than simply being an overhead, because it’s more of a practice than just another tooling subscription.

With the current scrutiny of budgets and emphasis on productivity, many organizations are looking at DORA metrics or developer experience productivity metrics – deployment frequency, lead time for changes and so on. While you can measure some aspects of API governance with these, the ROI from APIs, API platforms and governance doesn’t map neatly onto the coding behaviors those metrics attribute value to; you need different metrics.

Atlassian provides a good example of this. The organization has considered broken client integrations as a governance metric, demonstrating the value of its internal governance framework in reducing broken client integrations for partners who use its APIs. It shows a clear improvement in the end experience as a result of investing in API governance. Metrics that demonstrate such improvements are a helpful way to consider the ROI that API governance delivers. Improvements to time to hello world and time to first value also ably demonstrate this.

Showcasing the relationship between governance activity and organizational outcomes in this way is an excellent means of demonstrating the value of API governance to non-technical audiences. It aids understanding that governance investment isn’t about buying tooling – it’s about embedding processes that can have a meaningful impact on the organization’s bottom line.

Exploring API governance

Keen to explore the value of API governance in more depth? Our articles on balancing governance and agility in federated API management and governing event APIs are great next steps.

And, of course, the expert Tyk team is always here to help. Contact us to discuss all your API governance needs.