No-Code & Lack of governance
Quixy Editorial Team
August 9, 2023

There is a surge in global spending on digital transformation initiatives (it is slated to reach $3.4 trillion by 2026). Customer expectations are rising for quick, on-the-go access to information and services. COVID-19 has further accelerated this shift. At an enterprise level, though, such initiatives are leading to complex digital processes and programs that are falling short of their goals. These are the times of aggressive innovation, but these are also the times of unprecedented challenges.

By encouraging business users to learn no-code development and become citizen developers (a part of the workforce that is non-technical but can build bespoke applications using no-code platforms), organizations can:

  • Build a versatile workforce that is well-versed in business and programming logic and can quickly respond to product iterations – something that is a must-have to achieve rapid innovation goals.
  • Democratize software development, where business users can build priority-specific applications on their own, by following guidelines from IT teams.

What’s the catch?

As no-code empowers business users and makes them self-sufficient, there is a risk of IT being neglected, which may lead to shadow IT and limit the adoption of no-code technologies across the organization. A no-code solution not vetted or approved by IT may backfire big time for both internal and external users.

Adopting a no-code platform and having a bunch of business users who know the basics of no-code development does not, by itself, guarantee the delivery of safe, compliant, scalable applications. This is the gap that prevents no-code development from being fully accepted and harnessed in organizations. There needs to be rigorous training, allowing only those who pass their tests and obtain a license to use the platform. There must be standards, best practices, methodology, and certifications to give organizations the confidence to establish and scale citizen development.

This is where a well-established governance model can enable business users to work in tandem with IT teams and contribute equally towards innovation. Having governance guardrails can enable business users to align their work with the organization’s IT standards and bypass risks. These guardrails need to be clearly communicated and understood. In the end, you want to harness the benefits of no-code development to address your biggest pain points and business problems without losing out on your IT team’s experience and expertise, which it has acquired over many years.

A governance model can ensure:

  • No-code developers don’t harm the organization’s processes, systems, and security.
  • IT collaborates appropriately to drive successful business outcomes.

It can serve as the backbone of any citizen development program by addressing the following questions:

  • Who are your citizen developers?
  • In which departments will citizen developers operate?
  • What types of apps will citizen developers build?
  • How can citizen developers contribute to application delivery?
  • What requirements must be met before deployment?
  • What quality control standards must be met?

Under the umbrella of a governance model, IT teams can help citizen developers in:

  • Choosing the right no-code platform
  • Establishing the operational, tactical, and strategic teams
  • Defining the roles and responsibilities throughout the software development lifecycle
  • Understanding the technical aspects of low-code/no-code (LCNC) platforms to seamlessly integrate third-party services
  • Monitoring and maintaining no-code applications

A proper governance structure can curb “shadow IT” in an organization

CEOs and CIOs often bring up “shadow IT” when arguing against no-code platforms. They argue that no-code platforms allow citizen developers or at least give them an opportunity to independently build applications without any intervention from IT – and there is a risk associated with it. What’s the risk?

Citizen developers may end up building half-baked applications, and the IT team may not be aware of it. Such incompetent applications may float across different departments and hamper the organization’s innovation goals. In other words, LCNC platforms potentially allow business users to form a “secret society of application development.” This secret society is what we call Shadow IT.

The downside of shadow IT

  1. Shadow IT can derail your entire innovation program by making no-code development unaccountable in your organization.
  2. Shadow IT creates a false impression that no-code platforms don’t require any prior training, and anyone can jump in and start building applications – which is not the case.
  3. Shadow IT creates unmonitored, unmaintained pockets of data-sharing and reporting within an organization, something that can put proprietary data and key assets at risk.
  4. Shadow IT creates systems that may not be interoperable with other internal programs.

A well-established IT governance model can bring that much-needed accountability and make no-code development collaborative and successful.


How to create a governance structure?

Under citizen development, business users have the freedom to leverage no-code platforms, but at the same time, their roles, responsibilities, and permissions need to be defined, so that the creation of shadow IT can be avoided. This can be achieved through a governance model which defines the scope of work at multiple levels.

You can follow a top-down approach when building your IT governance model, starting from a single authority that governs your entire citizen development program, where each program may have multiple projects and initiatives. This office can be housed within your IT department and can be headed by your CTO.

The office can establish the best practices for no-code development and implement them across the organization so that all teams (technical and non-technical) are on the same page. Other responsibilities can include:

  • Selecting the best no-code platform for the entire organization.
  • Maintaining the citizen development policy and guidelines.
  • Aggregating and providing resources.
  • Organizing workshops, hackathons, and community events for citizen developers.
  • Identifying and prioritizing high-value no-code projects. For example, building no-code applications to automate critical workflows when there is a time crunch.
  • Cataloging and publishing a list of relevant data services and APIs.
  • Reporting on the status of various no-code projects to internal and external stakeholders.

At the platform level, you can have a tactical team to manage roles, permissions, and authorizations on the platform. This way you can give controlled freedom to citizen developers and ensure adherence to privacy and security requirements.

You must have clear, concise, and well-articulated policies and processes in place but at the same time, try to remain flexible. According to Forrester, insufficient governance jeopardizes coherence and security – but excessive governance impedes operational agility. Therefore, always leave room for changes and enhancements.

Organizations can use the Center of Excellence (CoE) model to govern their citizen development program. You can build your CoE team comprising a C-level executive, solutions architect, application specialist, project manager, no-code lead, and UX designer. The team can supervise citizen development activities across the organization, define best practices, and provide ongoing support to all no-code implementations.

Different models to establish CoE

1. Centralized Model

As the name suggests, in this model a core team (single point of contact) handles CoE functions and distributes the roles and responsibilities across the organization. Scaling no-code development is easier in a centralized model, but the quality of the core team is highly critical; otherwise, the entire project may get riddled with bottlenecks.

2. Decentralized Model

In this model, the CoE is bifurcated into business units, with each unit having its own set of capabilities, guidelines, team structures, and mission-critical priorities. Teams can build custom applications with no-code platforms, for their respective processes. With no single point or a common reference point, different versions of truth and expectations may exist regarding no-code development. Therefore, it may be challenging for an organization to scale and move in one direction.

3. Hybrid Model

Centralized and federated CoEs have both benefits and shortcomings, and therefore, organizations can opt for a blended or hybrid model, where a core team can support operations and delivery, whereas the business units can stick to their own MCPs, team structure, and governance.

Standard principles of governance

  • IT, not no-code developers, is in charge of security, including the security of information, access and permissions, processes, and system integrity.
  • IT takes sole responsibility for creating a secure space for no-code developers.
  • Setting rules should be a joint initiative of IT and no-code developers, and should be supervised by the CTO.
  • The competency center is the primary point of reference for no-code development projects rather than IT.
  • There should be constant communication between no-code developers, IT, and the competency center.

Adopting, promoting, and scaling no-code is an enterprise-wide responsibility, but the major responsibility for managing no-code development falls on department managers since most of the resulting systems are at that level. Department managers should educate themselves on how the technology works, what tools the organization supports, and the desired relationship between citizen developers and the IT organization. They should also educate their department members regarding the opportunities and responsibilities of citizen development. Internal digital portals (or “storefronts”) should be created to help citizen developers, coders and leaders collaborate, learn, and encounter roadblocks. As no-code systems scale and create their own datasets around business processes, organizations should invest more into analytics and infrastructure to support governance.

Frequently Asked Questions (FAQs)

Q. What is No-Code Governance?

No-code governance utilizes no-code or low-code tools to enforce policies and compliance measures for application development. It focuses on security, data privacy, and organizational standards through access controls, compliance management, security measures, monitoring, auditing, and change management. This approach ensures that applications built with no-code tools adhere to regulations, maintain data integrity, and meet organizational requirements. By implementing effective no-code governance practices, organizations can mitigate risks, maintain compliance, and ensure secure and consistent application development and deployment.

Q. What are the features of good LCNC governance?

Good LCNC governance encompasses clear policies to guide LCNC development, access controls to restrict modifications to authorized individuals, compliance procedures to meet regulations and standards, robust security measures for data protection, monitoring and auditing mechanisms for performance tracking and issue identification, and change management processes for controlled modifications. These features enable organizations to establish effective LCNC governance, ensuring data security, compliance, and risk mitigation in LCNC development and deployment.

Q. How does testing support good LCNC governance?

Testing is crucial in supporting good LCNC governance. It ensures that LCNC applications meet quality standards, functional requirements, and performance expectations. Testing validates compliance with regulations and industry standards, identifying vulnerabilities and ensuring proper data handling. It plays a critical role in change management by testing modifications before deployment to minimize errors and disruptions. Testing helps mitigate risks by identifying security vulnerabilities and performance issues. It also involves user acceptance testing and gathering feedback to align the application with user expectations. By incorporating comprehensive testing practices, organizations can enhance reliability, security, compliance, and overall application quality, thus promoting effective LCNC governance.

Q. What role does governance play in ensuring data security in no-code development?

Governance plays a vital role in ensuring data security in no-code development. It establishes security measures, such as authentication, encryption, and access controls, to protect sensitive data. Governance also enforces compliance with data protection regulations, preventing unauthorized access and handling of data. By implementing citizen development governance practices, organizations can identify and address security vulnerabilities, conduct regular security audits, and ensure proper handling and storage of data, mitigating the risk of data breaches and unauthorized data access.

Q. What are the risks of neglecting governance in no-code development?

Neglecting governance in LCNC development can expose organizations to several risks. It increases the likelihood of security breaches, data leaks, and non-compliance with data protection regulations. Without governance, there can be a lack of control over application modifications, leading to instability and functionality issues. It also increases the risk of mismanagement of sensitive data, inadequate access controls, and unauthorized application usage. Furthermore, the absence of governance can hinder scalability, maintainability, and alignment with organizational goals.
