Centralized vs. Federated Governance for Citizen Developers when Using Low-Code

Published October 13, 2022

The demand for robust and efficient software applications has been steadily increasing and has in turn prompted companies to invest in rapid application development. Low-code has allowed organizations to bring in citizen developers who lack coding expertise to build complex yet scalable applications in a short amount of time through platform plugins and drag-and-drop widgets. This has enabled organizations to improve productivity between IT and business teams. However, because citizen developers lack development experience, organizations face many challenges when maintaining the low-code projects they build. Let us discuss these challenges and a few governance frameworks for managing low-code applications.

Who are citizen developers?

To identify the potential problems introduced by low-code applications, we must first understand the developers behind them: the citizen developers. Citizen developers are employees within an organization who range from business users all the way to junior developers with little to no coding experience. Organizations employ citizen developers as a way to close skills shortages when staffing a project. With enough knowledge of technical concepts and a good grasp of business goals, citizen developers have a cross-functional advantage. However, projects developed by citizen developers may contain security vulnerabilities because of their limited expertise in development methodology and programming. These deficiencies can also lead to an accumulation of technical debt, since proper software architecture is often absent.

Two Governance Approaches: Centralized vs Federated

How can you address the shortcomings of an application developed by citizen developers? There are two approaches organizations can take to reduce the risks associated with low-code apps: (1) centralized and (2) federated governance.

Centralized Governance: In centralized governance, a single organization or group of people is responsible for all decisions, discussions, and development. In the case of low-code control, this centralized entity exerts consistent control across the organization and provides reliable regulatory compliance and security approvals. It may be the only source of approval across the entire organization. Although this approach guarantees that security controls cover every low-code app, being governed by one team can create a bottleneck: if a substantial number of sub-organizations require approval, that single team's capacity to handle all compliance requests becomes the limiting factor.

Federated Governance: The second approach, federated governance, aims to resolve some of the bottleneck issues seen in the centralized model. In federated governance, individual business teams have full freedom to govern their own systems while remaining responsible for controlling their own software quality and security risks. In low-code control, every team has its own approval body rather than a single centralized head within the company. The entire production process for a low-code application is left to each team's discretion. Although this solves the delivery bottleneck of the centralized approach, each team may have its own security standards, risk analysis, and quality control, which can vary widely across a single organization. This inconsistency creates a quality control risk for the organization and makes it difficult to maintain a unified standard across the entire company.

Here is a quick recap on each approach, their benefits, risks, and when to use them:

Organizations can benefit from employing citizen developers to implement low-code because of their broad knowledge of both the business and technical landscape. However, compliance controls and reinforcement of application security are required, since citizen developers lack expertise in software development. Each governance approach aims to resolve this problem in a different way: the centralized method opts for a single body of control, while the federated method hands each team the autonomy to govern its own software controls. The decision to adopt either governance method must not be taken lightly and must fit the existing capabilities of your organization. To see which approach may be right for you, contact Infinitive today.

Contact Our Expert

David Chau Vo

Consultant, Full Stack Development