#Issue 71

As the Head of Platform Engineering, Engineering Director, or Head of Architecture, why should you care about API governance now?

This is the question I have to answer in the first five minutes of my initial conversations with engineering leaders. Here is how I do it: I use two simple models, one about risk and the other about business value. Together, I use them to focus attention on the governance work that actually matters to their business right now.

My IGT-API Risk Model groups the API-related risks engineering leaders should be aware of into five categories:

The model is not meant to be exhaustive — specialist enterprise API security teams, for example, will have a far longer list of items inside the Security category than I do. The point of the diagram is to be a discussion starter. Walking through it with engineering leaders helps them name the risks that are highest priority right now, in light of where their business is heading.

But which risks should be highest priority? That depends on the business outcomes the organisation is chasing and that is what the second model is for.

My IGT-API Business Value Impact Model groups the outcomes most affected by unmanaged API risk into four categories:

Each of these comprises far more than just APIs. But for engineering leaders, the value of the model is in seeing how the five risk categories map onto the business outcomes their organisation actually cares about. Here is how I draw that connection:

Used together, the two models give engineering leaders a defensible answer to the "why now?" question. You are no longer arguing for governance in the abstract. You are pointing to specific risks that put a specific business outcome at risk, today.

Which risks in the IGT-API Risk Model are top of mind for you right now? And which of your organisation's current business priorities do they map to?

If your answer points to API Sprawl and Change Management Risks, the obvious next step is to find out where your organisation actually stands on a critical foundation: API discovery. My IGT-API API Discovery Maturity Rubric is a twelve-question diagnostic — with an Excel scoring sheet — that you can use this week.

The IGT-API Risk Model and Business Value Impact Model are not the whole answer to API governance. But they are how I open the conversation with engineering leaders, because they turn governance from an abstract good into a concrete defence of the business outcomes the leader is already accountable for.

I am still running the ‘Beyond the Linter’ study that explores how organisations actually run the people-and-process side of API governance. Take part in the study and share your experience with governance. Also, is there anyone you can recommend to participate in the study? Let me know.

Also, I will be speaking on API Contract Testing at API Conference London on Tuesday May 12th. Even though the topic is about contract testing using Arazzo, I will be exploring it from an engineering leaders’ perspective. Hope to see you there.

Book a 30-minute conversation with me.

The Ikenna Consulting Newsletter delivers weekly insights on API governance operating models, helping engineering leaders' understand why governance is an operating model problem, not a tooling problem.