Skip to content

Architecture governance

The EA problem

Architecture without governance is just documentation. Governance is how an organization steers change: it states what it believes (principles), what it requires (standards), what it has decided and why (decisions), and how significant changes get reviewed before they land (review/approval). The trap is ceremony — governance that generates artifacts nobody reads and gates that slow everything without improving anything.

How ArcaMira addresses it

ArcaMira treats governance as a spectrum from guidance to enforcement, and keeps it lightweight. Everything lives in two hubs: Standards & Principles (/governance/standards-principles) and Decisions & Reviews (/governance/decisions-reviews).

Principles (in Standards & Principles) — durable guiding statements. Broad architectural intent, applied as good practice; link them to entities to show what guides what.

Standards (in Standards & Principles) — concrete, implementable requirements that entities comply with. Compliance posture rolls up into a Compliance report in the same hub: what's non-compliant, what's not yet assessed, and which exceptions are expiring.

Exceptions — the policy-exception register, also in Standards & Principles. When something can't comply yet, grant a time-boxed exception (from the Compliance report's non-compliant rows) rather than letting the gap go silent. Each exception has an owner and an expiry, and a lifecycle — revoke / renew / mark-remediated — with overdue ones swept to expired automatically. Granting is an overlay: the underlying assertion stays non-compliant and is flagged "excepted until …", so posture is never quietly inflated.

Decisions / ADRs (in Decisions & Reviews) — Architecture Decision Records with status tracking. They capture why a choice was made, link to the entities they affect, and can supersede one another.

Reviews (in Decisions & Reviews) — the ARB workflow, with two methods: a solution review to govern a change, and a selection scorecard for a weighted candidate/vendor comparison that produces a ranked pick. Entities move Draft → Under Review → Approved → Archived, enriched with the entity's risk signals and NFR posture so the board reviews with context, not just a name. A standing Architecture Review Board weighs in asynchronously: reviewers are modelled as seats (Enterprise Architecture, Security, Data, Network…), each registering a position — Endorse / Concerns / Object / Abstain — that is advisory to the chair, who records the decision. Configure the board's seats and occupants under Governance → Decisions & Reviews → Review Board; every new review is auto-populated from it. Impacted people who don't have accounts are handled without giving them access: a decided review can be shared as a no-login decision-pack link, and a named person can be asked for detail via a scoped request-for-input link whose response is captured on the review as an external · unverified note — the structured replacement for the ARB email chain. "Approved with conditions" becomes tracked conditions — each condition has an owner, a due date, and a lifecycle (open → met / breached / waived), and open/breached ones surface on the affected entity's page, not just inside the review. Reviews that end in rejected or deferred collect in a searchable Denials register, so past "no"s aren't forgotten. Use reviews for significant new entities or material changes — you don't review everything.

Check-in cadence — entities can be put on a periodic check-in schedule; overdue ones surface in the Intelligence hub and on the entity's signals bar, so governance stays alive rather than a one-time stamp.

NFRs and criticality flow into governance: an application's non-functional requirements (availability, RTO, RPO) cascade through its dependency chain, and contradictions are surfaced for review.

On framework overlays

ArcaMira deliberately doesn't ship framework-classification overlays (a Zachman Matrix overlay once existed behind a feature flag and has been retired). The test every feature has to pass: does it reveal something new about your estate, or does it mostly teach a framework's vocabulary? Capabilities, dependencies, redundancy, blast radius, and lifecycle risk pass; classification grids don't.

What good looks like

  • A short, real set of principles people can actually name.
  • Standards that matter, with a compliance report that's used in decisions.
  • ADRs for the choices future-you will ask "why did we do that?" about.
  • Review reserved for things that warrant it; check-in cadence keeping critical entities fresh.
  • Exceptions tracked with expiry dates rather than quietly forgotten.