IT Operating Environments Best Practices

Overview

Gate criteria and required evidence create the standards for promotion decisions. Promotion authority defines who is empowered to make those decisions. Without defined promotion authority, promotion decisions are made by whoever happens to be involved in the delivery - often the development team itself, which has an inherent interest in promoting its own work regardless of gate readiness. Self-certification of gate readiness by the team seeking promotion is a governance conflict of interest that consistently produces lower gate fidelity than independent review by a designated authority.

Best Practice

Assign explicit promotion authority at each gate in the enterprise delivery pipeline and require that every promotion be authorized by a documented approval from the designated authority. Promotion authority should be calibrated to the significance of the gate: lower environment gates may be authorized by the engineering lead or project manager; UAT gates require business owner authorization; PEN gates require security authority authorization; PSTG-to-PROD gates require change management board approval and designated executive or governance body authorization for significant deployments. No solution should advance to the next environment without a recorded approval from the designated authority for that gate. Digital approval records in project management or delivery tooling are acceptable - informal verbal approvals are not.

Benefit(s)

Defined promotion authority with required documented approval ensures that promotion decisions are made by individuals with the appropriate organizational standing and the appropriate perspective to evaluate gate readiness. The development team’s desire to advance its work is balanced by the independent review of an authority whose accountability is to the quality of the gate rather than to the velocity of the delivery. Documented approvals create an auditable promotion record that demonstrates governance compliance and provides a clear accountability trail if a promoted solution subsequently produces a Production incident.