Governance During the No-code Gold Rush: Part 3

Written By: Ty Shewmake
November 26, 2018
9 min read

Ty Shewmake, CTO at VeilSun, discusses the final installment of his approach to no/low-code governance, and how to establish an effective no/low-code governance framework in this three-part series.

In part 1 of this blog, I talked a little bit about what’s new and exciting in the no/low-code development world. Part 2 was all about how to think about and shape your organization’s right-sized governance. In this final installment, we’ll put it all together—creating a governance framework and transformation plan.

The Elephant in the Room — IT’s View of the No/Low-Code Revolution

Many IT organizations, used to their traditional and comfortable Systems Development Life Cycle (SDLC), are resistant to no/low-code. I believe they think no/low-code lacks the governance required to consistently produce quality web software.

Nothing could be further from the truth.

There, I said it. As someone developing and managing software development for more than 20 years, I believe out of the box, no/low-code apps (at least those built in Quickbase) are far more governed and secure than traditionally-developed web software.

So, what’s going on here with IT?

In many cases, IT’s problem with the no/low-code world is that they perceive there’s a lack of a no/low-code development governance process. Assuming this is correct, and that governance is important, let’s explore what no/low-code governance can be.

Software Quality Goals (or, what we want to be when we grow-up…)

At a very high level, most organizations’ software quality goals aim to satisfy these 5 key software quality goals:

  1. Design Quality
  2. Security
  3. Auditability
  4. Currency (keeping previously-developed apps current)
  5. Maintainability

You may have more goals. You may have fewer goals. However, if you nail these 5, you should be in good shape. So, where do we begin with no/low-code? We’ll begin with a concept called the “LCSDLC”.

Driving Quality — The LCSDLC

As a developer, I’m pretty used to the good old traditional Systems Development Life Cycle (SDLC). It really did help IT developers crank out reliable and secure software for more than 20 years. It’s structured, understandable, and auditable. It’s been what IT has hung its hat on for a long, long time. Developers are schooled on it. Managers are certified in it. It’s the way IT does software.

However, I don’t think the old SDLC quite fits the new no/low-code world, “as is”.

The traditional IT SDLC assumes a consistent level of expertise, training, certification, and experience across developers—something not always present in the no/low-code world. So a bit more oversight is probably in order.

The traditional SDLC process looks something like this, as it applies to a professional IT developer developing an online application:

  1. Plan
  2. Analyze
  3. Design
  4. Build
  5. Test
  6. Maintain (sometimes included, sometimes not)

Makes sense, right? There are various versions of this SDLC, but you probably get the gist.

The SDLC is a powerful tool. As part of a wider quality framework it should be part of your no/low-code world, it’s the centerpiece of quality assurance.

“But, ‘Low-code is not traditional web development’,” you say. Yep, you’re right.

Unlike traditional IT web development, no/low-code development moves at the speed of thought. So, the question is, can we adapt the traditional SDLC, pare it down here, bulk it up there, and dust it off for no/low-code success? Yes. Because software quality is all about process, we can create a new LCSDLC (Low-code Systems Development Life Cycle).

So, at VeilSun we’ve done this—and at 10,000 feet it looks something like this:

  1. Plan
  2. Analyze
  3. Design
  4. Design Review
  5. Build
  6. Build/Security Review
  7. Test
  8. Maintain
  9. Ongoing Audit

Though we’ve added 3 (audit) LCSDLC steps, we’ve also drastically reduced the depth of detail of the original 6 SDLC steps to require far less effort. Low-code builders won’t go as deep—nor do they need to.

In practice, your LCSDLC process should be lightweight and nimble. It should never slow progress and should result in Web software quality that far exceeds the quality of traditional development. Whether it’s 3 steps or 12, it should be template-driven, and easy to use.

Where the Rubber Meets the Road—A Governance App

So, how do you get there? In a nutshell, it’s very difficult to manage governance without using a Quickbase governance application to direct your LCSDLC development process workflow.

Every builder (IT or otherwise) embarking on the development of a no/low-code app should be required to begin a workflow event in your governance app that overlays a best practice governance template to their development initiative.

Simple apps use simple templates. More complex apps (or those that access corporate or external data) are necessarily more detailed.

The driving principle is the fact that all no/low-code development work should be a governed process.

At the end of the day, the organization’s governance application should accomplish the following as development of a new app begins:

  • Questions the builder to assess the complexity and risk of the app
  • Identifies key sponsors, stakeholders, responsibilities, etc.
  • Informs low-code management and IT of the pending initiative
  • Notifies Realm Admin to create an empty app and assign the builder as an Application Admin
  • Provides a template for the builder to assess and document business need
  • Provides a simple template to list requirements
  • Provides a way to create a 5-minute project plan/timeline
  • Provides a common data dictionary
  • Automatically audit apps to identify schema changes
  • Provides the builder with a structured roadmap specifying the order and requirements of every checkpoint, including the actual tasks that must be completed to clear that checkpoint. Checkpoints could encompass:
    • Design Review
    • Security Review
    • Auditability Assessment
    • Test Plan Review
    • Acceptance Criteria Review
    • Maintenance Plan Review

Your compliance app directs effort, educates builders, promulgates and documents standards, and measures compliance against standards—while at the same time allowing no/low-code development to move at its own blinding speed.

A governance application should be the cornerstone of every no/low-code governance process—for organizations using builders, vendors, or internal IT developers. Again, governance should not be an onerous process, and by using Quickbase’s incredible workflow capabilities, governance can be extremely lightweight.

Why Governance? A Real-World Governance Situation (this happened to me)

It’s 8:00AM on a Saturday morning. After you get a cup of coffee, you log in and the first thing you see in Yahoo News is a piece talking about yesterday’s EasyMerge.io creds hack (not the real name). In the back of your mind, you know that some of your 45 Quickbase apps connect to EasyMerge.io but you can’t remember which ones. You call your lead developer but can’t reach her. Five minutes later, your boss calls and asks, “Do we connect any apps to EasyMerge.io?”

When all your no/low-code apps are cataloged and described in your governance app (along with all external connections and dependencies), you can instantly assess and mitigate risk without having to ask questions.

A Playbook for Everyone

Smart organizations leverage no/low-code builders—people from diverse backgrounds, jobs, and experience levels to build their Web apps. Internal business people and vendors, along with traditionally-trained IT developers, can all successfully build secure, maintainable, and high-performance no/low-code apps in a governed environment.

While the LCSDLC governs development, the way you implement no/low-code transformation can dramatically affect your no/low-code ROI.

Implementing your LCSDLC

Your LCSDLC is important, but it’s only part of your wider no/low-code governance framework. Whether your organization has 1 or 1,000 Quickbase apps, you’ll want to implement your LCSDLC as a part of your holistic governance process.

A no/low-code transformation is not an event; it’s a process.

As a process, it should be treated as a project. The typical VeilSun governance framework project process includes these 8 phases:

  1. Discovery/Inventory
  2. Governance/LCSDLC Design
  3. Blueprint
  4. Killer app/low-code POC (optional)
  5. Training/Certification
  6. Production
  7. Specialty Training/Mentor Program
  8. Continuous Compliance (Ongoing Oversight & Training)

Phase 1: Discovery/Inventory

During Discovery/Inventory, the organization inventories/identifies:

  • Existing low-code applications with risk analysis
  • Professional IT development expertise
  • Existing no/low-code developer development expertise
  • Potential no/low-code developer development expertise
  • Development goals
  • Application currency gaps
  • Data resources (systems, applications, spreadsheets, APIs, microservices, etc.)
  • Data dictionary elements
  • Owners of existing governance processes

At VeilSun, during Discovery we’ll typically install our “VeilSun Enabled Framework” Quickbase governance application to manage the no/low-code transformation process.

This governance application helps us (and the organization) closely manage and monitor each phase of its low-code transformation, and subsequently, each low-code development project.

Phase 2: Governance Design

Every organization’s governance program is different. During Governance Design, the organization works with stakeholders to develop right-sized governance standards required by the business while designing governance review and audit processes that enforce those standards.

Governance Design includes:

  • Defining Application Review Board membership and processes
  • Defining responsibility for and designing organizational data dictionaries
  • Developing architectural standards and review/certification processes
  • Defining security standards and review/certification processes
  • Defining code review standards and processes
  • Developing developer training standards/certification processes
  • Defining user access/permission standards and processes
  • Assigning sponsors/guardians to each data resource
  • Defining documentation standards/certification processes

This phase defines the basics of the organization’s LCSDLC framework and produces app development governance process templates.

Phase 3: Blueprint

During the Blueprint Phase key users and leadership collaborate to create, review, approve, and resource a comprehensively written enterprise low-code development/redevelopment plan containing:

  • Governance process implementation steps, responsibilities, and delivery dates
  • A prioritized low-code application re-development list
  • A prioritized new low-code application development list
  • Key governance responsibilities and sponsorship assignments

Phase 4: Killer App or POC

VeilSun typically develops and deploys one small “Killer App” to help the enterprise embrace the vision of its low-code future (if required).

Phase 5: Training and Certification

During this phase, the organization trains and certifies the following positions in their relevant aspects of low-code development:

  • Business unit leadership
  • IT leadership
  • PMO staff
  • IT staff & developers
  • Natural builders
  • Governance staff

Phase 6: Production Development

A development production schedule is established, and development assigned based on complexity and risk. As training is completed and governance is established, VeilSun typically coaches and mentors developers (IT, vendor, and citizen) throughout application design and development as required. VeilSun also provides development/integration expertise.

Phase 7: Specialty Training or Mentor Program

VeilSun trains selected, talented individuals on more complex development strategies and integration methodologies.

Phase 8: Continuous Compliance (Ongoing Oversight & Training)

Establish an Ongoing Development Program to provide additional development resources, training, and oversight.

In many ways, what is old can be new.

The SDLC that served IT so well for so long can be adapted to assure quality in your governed no/low-code transformation by becoming a lightweight, understandable, check-the-box process.

An optimal LCSDLC provides a common frame of reference for new builders, IT, security people, and management. It bridges the gap between IT and builders and removes barriers to no/low-code adoption.

If your organization already has a ton of Quickbase apps, all is not lost. You can always retrofit governance standards and begin the march toward a more managed no/low-code world.

Governance should never be too much work. The alternative is far worse.

VeilSun is a professional services firm that has helped hundreds of organizations over the last 12 years successfully navigate their no / low-code transformations. VeilSun Low-Code Enterprise (VLE) service is a new framework that provides a quick-start to small and large organizations embarking on (or enmeshed in) their transformation.

Contact us any time to chat about your organization’s no / low-code transformation.

Written By: Ty Shewmake

Never miss a post — subscribe to the Quickbase Blog.

Sign up to receive the latest posts on everything from Operational Excellence to Digital Transformation.