I saw an interesting story in the news two days ago. It's about a company that has received multiple "good governance" awards. Well, it turns out that their "good governance" has led to the chairman having to admit that their finances were falsified. Know who I'm talking about? Satyam. Yes, that good governance award winner - the one that turned out to have over $1B of "falsified" cash on their balance sheet.
Sure, this is corporate governance, not IT governance - but it raises an interesting question for IT and SOA governance: How do you know your governance is not being bypassed? Because this is exactly what happened in the Satyam case.
What got Satyam into this problem was likely one key thing: their governance checks were manual, not automated. This meant that they could be easily bypassed or avoided. They were people processes, not automated processes.
SOA What? The moral of the story is that governance that's not automated (with the checks in the right, unavoidable places) is governance that doesn't work.