Governance by Design for Digital Public Infrastructures

David Porteous • Aug 30, 2022

Stay up-to-date on trends shaping the future of governance.

During the last six months, I have focused much of my time on governance in early-stage companies. Together with my colleagues in the new Agile Governance Platform, we have made the case why governance at the early stage needs to be different from that of large, listed companies. For example, in a recent Integral article, I argue that governance for firms at this stage of development should be redeveloped from the ground up, rather than imposed top-down by stripping down the bulging Governance Codes applicable to later stage entities. In the course of considering these issues, I have been reminded that digital public infrastructures (DPIs) begin their lives as startups too. DPIs may look a bit different from private tech startups: they may be less funding-constrained, and they may not have the pressures of commercial venture capital funding behind them. However, they too must pass through an early stage of experimentation before they can reach national scale and organizational maturity. In that early stage, they too have to wrestle with questions like how to make effective decisions in the face of complexity; and when to prioritize which policies and procedures to adopt. To assume that DPIs are ‘born adult’ is to miss out on addressing the complex, contested issues of early-stage governance which characterize the growth path of DPIs as they seek to achieve society-wide scale and influence. 


So what might
governance by design look like for new DPIs? And how does the answer differ, if at all, from early stage companies in general? To get to some answers, let’s first look through the lens of two recent publications which address the governance of DPIs more broadly.


Governance by deliberation


In 2021, a team of Harvard Kennedy School researchers led by Jeff Behrens reported on ethical considerations for the design and deployment of foundational DPIs in developing economies (although their analysis and findings seem hardly restricted to developing economies alone). 


Their main proposal is that
governance of DPI should be ‘deliberative by design’--that is, the mechanisms for structured consultation with all stakeholders should be built in from the design phase onwards. They argue: “Because digital public infrastructure is both experimental and fundamental to the lives of residents, deliberative governance should be integrated as deeply as is possible at all stages of the design, deployment, and stewardship of DPGs. Deliberation should be a permanent, rather than temporary, feature of the design and deployment of all digital public infrastructure.” 




Although the HKS researchers do not state this explicitly, the notion of deliberative governance can be juxtaposed with the seemingly hasty governance of the private startup world which ‘moves fast and breaks things.’ This is a key difference between DPIs and private startups: the latter are generally not required to consider broader public stakeholder needs; and most don’t in the focused rush to achieve product-market fit. 


To be clear, speed alone is never a principle of good governance at any stage. But in my opinion
agility in governance is also an important principle for DPIs in their early stages–at least as ‘agile’ has come to be understood in the world of software development. There, agile refers to the ability to break up a complex project into smaller tasks which can be developed, tested, and reassessed if need be, without impairing the overall outcome. Agile development was a response to long complex planning processes for software projects which often resulted in failure, notwithstanding all the consideration–either because the market had moved on, rendering the project obsolete or simply because the best planning struggles in the face of complexity. Similarly, deliberation alone will not actually deliver complex digital infrastructure–on its own, deliberation may risk bogging down in a quagmire of contestation and complexity, creating stranded digital assets. Deliberation needs to be linked with clear and effective decision-making protocols and leadership in cultures which consider risk. DPIs need 


Lessons from governance of retail payments systems


To consider what effective DPI provision might look like, let us turn our attention to one of the most developed classes of DPI today–retail payment systems. From small beginnings, many have advanced well beyond startup stages to become indispensable infrastructure of the modern economy. In recent years, there have also been a number of startup payment systems. Ownership models for retail payment systems vary from wholly private (think Visa or Mastercard) to publicly owned and operated, with public-private options in between. There is no one size fits all for governance models, according to the team of World Bank Group authors who considered these issues in a recent report


These authors don’t explicitly mention ‘governance by deliberation’ although some of their recommendations–about acknowledging, defining, and addressing public interests and stakeholder involvement is key, for example–align with the approach which HKS researchers propose. But what else can we learn from how payment systems are governed as an active, even booming, class of DPI? 


There are at least two pointers in this report. First, the authors point to the distinction between external governance, that is, regulatory oversight, and internal governance–how internal bodies like boards make decisions on behalf of participants or members. Payment systems usually have both in some form. External governance can be helpful in creating external accountability where needed while allowing internal governance to wrestle with complex issues on a more hands-on basis. 


Second, the World Bank authors stress the
need to allow for evolution in governance. Evolution can be linked to good practices like undertaking regular board effectiveness reviews. While the HKS researchers would likely not dispute this, the World Bank authors are more explicit about the need for these infrastructures to recognize and respond to changing market conditions: even if some payment systems function as domestic monopoly infrastructures, technology innovations such as cryptocurrencies or central bank digital currencies may threaten their existence. Recognizing these threats may help to keep DPIs agile. 



Proportionality in governance


While proportionality has already become a widely accepted principle undergirding financial regulation, the World Bank authors include proportionality among areas for further research in governance of payment systems. According to Fernando Restoy of BIS, regulatory proportionality means that the regulatory approach should be tailored to a firm’s size, systemic importance, complexity, and risk profile. How to apply this principle to DPI? By definition, DPI has from the outset the potential to be systemically important; indeed that potential scale motivates the argument for governance by deliberation to take into account the possible effects on stakeholder groups. However, to paraphrase the title of the famous book by philosopher Alaisdair McIntyre, ‘Whose proportionality? Which deliberations?’


Proportionality involves balancing tradeoffs. Someone, or more specifically, some group of people needs to make those calls. Deliberation alone does not resolve tradeoffs or conflicts, though it may highlight them.
Deliberation needs to be proportional too since it is not cost-free in time or resources. To apply this, I would argue that there is a pressing need to come up with playbooks for new DPIs written after considering cases with too much or too little deliberation. As one example of too little deliberation, I described in an earlier Article the case of the UK’s Open Banking Implementation Entity as a type of new DPI which arguably moved too fast to achieve remarkable outcomes but with too little deliberation about its internal structures, resulting in an external investigation and changes in governance announced in 2021. But my hunch is that too much deliberation may be as problematic for advancing societal goals, even though the consequences may be different. 

 

Alongside deliberation, proportionality should therefore be a foundational principle of governance by design for DPIs. Rather than simply accepting that everything to do with a new DPI may be systemically important, the application of proportionality should enable internal and external governance structures of DPIs to parse a DPI project into dimensions requiring different levels of intensity of deliberation. This approach can allow for greater agility in early-stage DPIs which will reduce the risk of a future landscape cluttered with digital white elephants.


At Integral, we provide ESG Consulting advice, evaluation, facilitation, mentoring and coaching services to develop governance systems that fit your organization’s purpose and stage of growth. To explore further how we can help you, read about our services, or set up a free consultation.

S H A R E

By David Porteous 29 Jun, 2023
Framing the purpose of a company as beyond making profits for shareholders alone is age-old, but the move to state corporate purpose explicitly is newer. Stating purpose is part of a deeper transformation of a growing number of companies–from being product-driven to becoming purpose-driven.
By David Porteous 25 May, 2023
Data governance is now a well-established domain of knowledge systemizing the rules on how data flows over a data life cycle within organizations. In essence, the DPI approach is all about managing digital data in a safe, effective and principled way for public good. Therefore the governance of DPI is essentially the same as data governance, right? Wrong. The relationship between data governance and governance of DPI can be likened to that between hygiene practices and a hospital. The hospital needs to have hygiene practices in place at a very exacting level to function effectively and safely; but a hospital is much more than its hygiene practices alone. A hospital has to serve patients, manage billing, procure supplies, operate secure buildings–all sorts of functions which are part of operating essential social infrastructure. Governing DPI is similarly complex. It is true that governing DPI will include governing data , and as I have sought to understand the older domain of data governance, I have been struck by some parallels for DPI. Here’s one: just as hygiene practices and protocols have evolved over the decades, so too has data governance. We can only hope that governance of DPI will also evolve from today’s rudimentary understanding. If you read recent books like “Disrupting Data Governance” by Laura Madsen (2019), several more echos emerge: “Data governance is one of the keys to effective data management, yet there’s a lack of shared definition”—I have been on record arguing that it is unnecessary, and maybe even futile, at this early stage to have too precise a definition of DPI, yet some boundaries are needed if DPI is to avoid this same judgment as data governance in twenty years’ time. “Data governance is about trust”—so too, ultimately, is DPI even when citizens are required to use one. “Balancing the forces of protection and promotion (of the use of data) will take some effort, each needs to be well defined and managed to avoid losing focus on their respective needs”—indeed, balancing these forces in the operation of a DPI is a critical function, maybe the critical function, of DPI governance. All those similarities should not conceal one big difference between these two fields: data governance is about the usage of data as a valuable asset within an organization , while DPI is all about supporting flows of valuable data across organizations . This is obvious for payment systems, but even digital ID systems exist to provide forms of secure authentication or verification to relying parties. Optimizing the interoperability of data for public purposes is at the heart of the DPI approach. DPI governance can therefore be framed as a form of ‘meta-data governance’, where the DPIs are themselves stewards of sorts of types of data within digital data ecosystems. That makes the task of DPI governance more challenging, but also potentially more interesting and rewarding. How long will it be before we have textbooks for DPIs with sub-titles like the standard Data Governance text by doyen John Ladley: “How to design, deploy and sustain an effective [data] governance program.” ? I hope we can accelerate the learning cycle with DPI.
By David Porteous 19 May, 2023
There is general agreement that good governance matters for Digital Public Infrastructure (DPI). There is much less agreement at this stage about what governance means in a DPI context. One way to explore building consensus is to explore whether existing widely accepted frameworks could be adapted to the DPI context. Since DPI at its heart is all about exchanging digital data for different purposes–from payment to identification– it seems appropriate to consider the original ‘by design’ framework which was developed for data privacy. This framework was built around the concept of Privacy by design. Since its first use in 1995, privacy commissioners and data protection authorities around the world have recognized privacy by design as an international standard which they intended to promote and incorporate in policy and law. It was originally articulated as seven principles which together signaled an intention to embed privacy considerations proactively throughout the data use cycle. While the privacy by design framework is agnostic about the organization handling the data, the operators of DPIs are types of institutions with a particular purpose which demands specific governance features. The comparison of data to DPI is somewhat akin to that between blood and the heart in the human body–blood, like data, is widely distributed but the heart is the ‘essential infrastructure’ responsible for pumping it. Privacy by design is about protecting the ‘blood chemistry’; governance by design for DPIs is about ensuring that the ‘heart’ functions well, including but not only protecting the unique blood chemistry. So, governance is really the means which connects to ends like this. With that contrast in mind, how well might the principles of privacy by design inform governance by design? The table below maps privacy by design principles in the first column to my suggestions of counterpart principles for governance of DPI in the second column. You will see that the majority of principles (those numbered 1,3,5 and 6) map across pretty easily to governance of DPI. This isn’t surprising, considering a concern for ways of using data is at the heart of both.
By David Porteous 04 May, 2023
“How can we stop going faster while our ability to see further ahead is decreasing?” In today’s world of fast-evolving digital technology, it can be challenging to make informed decisions in complex fields like Digital Public Infrastructure (DPI). With the increasing speed of change, this question posed by Peter Senge and his co-authors in their 2008 book, Presence , remains relevant. The question is applicable in any complex field in which information is limited and the interaction of feedback loops unknown. But DPI has complexity associated with fast-evolving digital technology compounded by public and private sector decisions about its deployment. No wonder the discussion surrounding DPI is filled with both optimistic expectations and valid concerns, from the potential to reduce inequality to the potential to enable dystopian surveillance and state control. The air of recent G20 meetings and World Bank spring meetings was saturated with claims about the promise of DPI and its perils. How then are we to make sensible decisions in the midst of this complexity? The most useful approach I’ve found for navigating complexity is scenario thinking. Scenario thinking is a disciplined approach to building plausible stories of potential futures (note the use of the plural, because there are always multiple paths to the future). A large part of distilling complexity down to more manageable levels is isolating the swing factors, or ‘key uncertainties’ in scenario language. The different possible outcomes of these will interweave to create rich stories, which, like good fiction, will likely have some unexpected twists and turns. These stories, or scenarios, are the backdrop against which to test how different choices may turn out. A robust strategy is one which yields the best outcomes across the widest range of scenarios but also identifies early warning indicators of major scenario shifts so that, where needed, the strategy can shift too. An important aspect of the scenario process is the way in which it helps participants build shared language and understanding, leading to new collaborations and actions to prevent unwanted outcomes. The scenario-building process has now been applied in thousands of cases at the level of country and company strategies around the world. In many, it has led to remarkable shifts in perspective. For example, the complexity of climate change has launched a whole new range of scenario tools which unpack the possible range of implications for public and private strategists to build into their risk disclosures. So how might scenario building apply to the nascent field of DPI? Here’s one way. As I have discussed in other posts, DPI lacks a single accepted definition right now. I point out in the white paper, “Is DPI a useful category or a shiny new distraction?”, that the absence of a single monolithic definition may even be a good thing in the early stages of a field, as witnessed with the older acronym ‘ESG’. However, definitional choices carry consequences. Scenarios could help to answer a driving question like: “Which definitional parameters of DPI will most affect its developmental outcomes?” Layering the different choices about what type of DPI, and therefore whether to promote or protect or regulate it, on top of the fundamental forces driving digital and societal change would be a complex exercise to do well, to be sure. But, I believe, one worth doing. Because as Peter Senge reminds us, reaching actionable clarity is a worthwhile goal–but to get there, you need first to walk through the pit of complexity. Scenarios offer a path through the pit.
By David Porteous 20 Apr, 2023
In a recent Devex post, Achim Steiner, head of UNDP, and Amitabh Kant, India’s G20 Presidency sherpa, join the growing calls for more investment in DPI as a means of driving growth, reducing poverty and increasing resilience in the face of crises. However, with government budgets already stretched, where will the additional funding come from? While donor funding may help, it cannot fill the gap alone. The field of physical infrastructure offers another way for cash-strapped governments to fund infrastructure projects: public-private partnerships (PPPs). Governments have long used various methods to raise funding or move the risk of providing essential services to the private sector. However, the modern push for infrastructure PPPs gathered momentum in the 1990s as countries like the UK and Australia explored new ways of financing essential infrastructure. Multilateral financiers became major promoters of PPPs, offering technical assistance to governments through specialist agencies like PPIAF , and co-funding designed to entice private funding to defined PPP projects. They even documented their approach in a comprehensive PPP guide directed at governments, together with associated training and certification . Could a PPP-like approach work for digital infrastructure as well? In principle, the answer has to be yes. Like physical infrastructure, digital infrastructure involves an upfront design and build process and requires subsequent operation and maintenance. Private sector providers can play a combination of different roles in PPPs at different stages, but the key difference from a pure service contract is whether in fact the main private partner assumes significant financial risk. One of the big arguments in favor of PPPs was that having private partners assume risk was the best way of managing it, rather than simply passing it over to governments who were often ill equipped to do so. However, ensuring delivery as specified and without unfair exploitation of either party over a long period required a complex web of contracts. Both parties needed the capacity and willingness to work within clear and fair contractual frameworks. But when they did, the state had clear oversight and control of infrastructure without having to build and manage it. The state often assumed full ownership of the underlying asset after the PPP contract period ended. Even if states have the financial capacity, most are highly unlikely to be able to build their own digital infrastructure in-house. They will rely on technology partners for this, even if their role is to deploy and modify open source applications in a specific context. Even when a government agency chooses to maintain a DPI once built, it will likely rely at least in part on external service providers to support it. In other words, the digital services environment is already rife with complex contracting and inter-dependencies between contractors and clients. Taking an explicit PPP approach may not reduce complexity, but it may enable it to be addressed in a more explicit and effective manner. A final question for now: was “the juice (of setting up PPPs for physical infrastructure) worth the squeeze”, particularly with regards to the end outcomes for the state? After all, PPPs in some places have generated controversies over the manner of their procurement, failed standards of service delivery, or the high price of their services. But the alternative—direct government procurement and delivery—has hardly been immune from criticism either. In 2015, the Independent Evaluation Group at the World Bank published its judgment based on evidence from the sizable number of PPPs supported by the World Bank Group. It concluded: “PPPs are largely successful in achieving their development outcomes.” There is ground to believe that PPPs can be successful in delivering public services. While the visibility of PPPs has faded slightly in recent years, in part because of association with privatization as a politically unpopular approach in many places, the call for blended finance options has risen. PPPs of course offer just that: a structured way to blend different types of finance, including donor and concessional funding. With eyes wide open from the past 30 years of experience of PPPs, I believe there is therefore a case to consider explicitly the circumstances in which digital infrastructure PPPs may work best for delivery and operation. It won’t be all cases, maybe not even a majority. But it may well be enough to make a substantial difference in the delivery of essential digital services. Read the Devex Post: Why digital public infrastructure matters more than you think
By David Porteous 29 Mar, 2023
This paper explores the usefulness of the term Digital Public Infrastructure (DPI) as a new category descriptor. In order to reach any conclusion, I first reflect on whether there is yet sufficient clarity about its meaning. This question leads to an exploration of the space in which to locate the existing definitions of DPI; and then to the wider question of what is the appropriate combination of definitional openness and certainty at this early stage of the field’s development? The answer is linked to the purpose for which a definition is needed: such as championing a field or investing in it or regulating it. The relatively rapid take-off of the term DPI reflects in part deeply felt but diverse hopes and fears about the emerging digital future, such that reconciling all these will not be easy; DPI alone is no magical fix. However, it is possible to pursue an emergent definitional path which starts broad and over time, rules out certain options as evidence gathers. Definitional questions aside, there is already evidence of convergence in substance across different sectors that can make DPI a useful lens beyond the existing sectoral lenses alone. In addition, the DPI lens allows new questions to be asked, for example about whether the fragmented approach to regulatory architecture for data is adequate. The term DPI seems potentially useful therefore, but it will require some careful shepherding to avoid either the confinement of premature narrowness or the vacuousness of prolonged vagueness,
By David Porteous 07 Mar, 2023
Could the dramatic failure of FTX have been avoided? What went wrong, and how can startups avoid making the same mistakes? Here a few of my thoughts: FTX's spectacular implosion has provided yet another demonstration of the tech law of amplification: namely, technology takes what works well and scales it; but it takes what works badly, and scales that too. Many circles of venture capital operate with the idea that a concern for governance should come later on in the life of a company. According to this view, governance at the early stage is restrictive and bureaucratic, and therefore antithetical to the capacity to move fast. FTX scaled superfast on this premise. At least Mark Zuckerberg recognized in Facebook's early motto that this could lead to breaking things. In the case of FTX, those things total $8 billion in claims to potentially up to a million creditors, apart from collateral reputational damage to the crypto sector as a whole.
By David Porteous 24 Feb, 2023
 What can “Tank Man” teach us about governance? A few weeks back, I wrote about the distinction between authority and power, and how this plays out in the context of startup governance. But for many people, the distinction between authority and power is not very clear. So, here’s a very visual way of representing the difference. In this iconic picture taken 1989, we see an unidentified man standing in front of a line of tanks in front of Tiananmen Square, standing against the government's violent crackdown on the Tiananmen protests. It’s obvious at a glance that all the power sits with the column of large tanks, and some authority too–after all, the tanks were called in by the government to crush the student protests. By contrast, the lonely protestor has no power; he is physically small compared to the tanks, seemingly outmatched by the state's might. Despite this clear imbalance, the man holds a certain authority. He has the authority to bring a column of tanks to halt. Where does his authority come from? Remember the definition from Victor Lee Austen: “Authority is held by a person/s who lead humans to a fuller exercise of their freedom to accomplish human tasks.” Tank Man’s courage gave him a moral authority which both tank captains and their commanders recognized–for a while at least. This concept of authority is not limited to the realm of politics. Even though they have no tanks to command, leaders of companies may also accrue wider authority inside and even outside their organizations. Inside, authority will grow to the extent that leaders build the capacity of their employees to flourish. Outside, a company’s products and services, together with the way in which they are provided, can enable even customers and citizens to grow also in their relative freedom to accomplish tasks. This type of authority creates the capability to influence without coercion. It’s the power of demonstration and that’s why we have celebrated examples of companies which have had influence, like Ricardo Semler’s Semco Partners or those others mentioned in Good to Great . Read more on my Linkedin .
By David Porteous 10 Feb, 2023
Governance in a Post-Authority Era In my many years of observing private and public organizations of all sizes, I’ve made one very critical observation: governance often lies behind their failure to achieve their purpose. But governance failure itself is only a symptom of what I feel is a bigger issue that organizations are facing globally. In today's "post-authority" era—alongside all the other “posts” which characterize it, like post-modern, and post-truth—there is a growing mistrust of institutions and leaders that hold authority. The notion that there can be rightful authority is not accepted. Authority is seen as a potential or actual violation of the freedom of the “sovereign individual.” There is a pervasive sense that our institutions which should have authority—in government, religion, civil society—are all failing us. The result of the decay of authority is that other forms of power, like the coercive power of authoritarian regimes and the persuasive power of digital media, are on the rise. And they don’t usually provide a path to human flourishing. But what if the problem is less with specific authorities and more with our understanding of authority? I like how Victor Lee Austen defines authority: “Authority is held by a person/s who lead humans to a fuller exercise of their freedom to accomplish human tasks.” The word ‘authority’, a close cousin in English to the generative word ‘author’, comes from the Latin word meaning to increase. Rightful authority leads to flourishing for both those wielding it and those under it. Most of us are in both situations: under some form of authority but also wielding it in some way—as a parent, for example. Rightful authority brings with it the power to change circumstances, but power does not necessarily lead to authority. Consider the example of a #startup founder. She has the authority of the one who originated the idea for the company and who guards it jealously; but she lacks the power to bring that vision to fruition alone. As a result, she likely turns to those who have one form of power (money), but who don’t necessarily carry authority over her company: venture capital funders. When these funders provide the necessary financial resources, they also gain a level of influence and decision-making power in the form of shareholder votes. The founder/CEO’s authority is no longer absolute, even if it remains paramount. As the startup raises more funding, and grows to become profitable, alongside authority, the founder/CEO acquires more power: that is, she has more control over more resources and people and more effect on the marketplace. However, if the #CEO acquires too much power without being accountable to some form of authority outside of herself, the risk of abuse and failure grows. A rebalancing of authority and power needs to take place over time so that power and authority are appropriately distributed across the organization. Not only will the nature of this rebalancing change over time, but it will look different in different organizations. I see this as the basic task of #governance : optimizing the distribution of authority and power in organizations. When this is done well, it should result in conditions for everyone involved—employees, shareholders, customers and the communities in which they live—to flourish. In a post-authority age, it may be harder to do well, but that does not make it any less important. Do you have any thoughts on how organizations can effectively balance and distribute authority and power in this 'post-authority' era?
By David Porteous 02 Nov, 2022
Reducing the Risk of Ineffective Digital Public Infrastructures There are many risks associated with the rollout of Digital Public Infrastructures (DPIs). They can open the backdoor for governments to surveil and control their citizens. They can even fall into the hands of malicious actors and be used against the people they were designed to serve. Understandably, in the growing movement propagating DPIs, many people wish to reduce risks like these. However, in my view, a risk with less severity but perhaps higher probability is that many DPIs are simply not effective–meaning that they fail to fulfill the purpose set out by their creators or funders. As a result, they may become expensive ‘white elephant’ projects, like their counterparts in the world of physical infrastructure: “bridges to nowhere” or roads and dams built without real consideration of their use, but which are expensive to maintain. A world full of ‘white elephant’ DPIs may not seem as dark as other digital dystopias, but if the DPIs are indeed that important, the absence of well functioning DPIs carries costs. Of course, effective DPIs do not guarantee utopia either; but having more effective DPIs which achieve their purpose seems like a reasonable and attainable goal. Governance challenges for DPIs To achieve this goal, the question then becomes: how best to design, build and operate effective DPIs? I am convinced that a large part of the answer is by building sound governance structures which take into account both the specific and generic challenges faced by new DPIs. First, the specific challenges of DPIs . The envisaged large scale of deployment of most DPIs leads to heightened degrees of caution and oversight from the start in ways which typically do not constrain private startups. At the same time, DPIs often need the nimbleness to compete for take up against indirect competitors at least–for example, instant retail payment systems are a fast-growing category of DPI which rely on customers choosing to use them, rather than other available means of payment. In addition, many DPIs are built and managed as public-private partnerships. The ‘partnerships’ may take different forms: from build-own-operate contracts to service agreements; or indeed, using software provided by private open-source foundations. This aspect adds an additional layer of complexity on top of standard corporate governance.
More Posts
Share by: