Take control of release management

When software development is outsourced, release management governance becomes more important, not less. You’re effectively letting another organisation change your production environment — so the rules, controls and decision rights must be crystal clear.

What release management governance is

Release management governance is about controlling what goes live, when, by whom, and with whose approval.

When development is outsourced, governance ensures:

  • You stay in control
  • Changes don’t break the business
  • Risk is visible and managed
  • Suppliers can’t “push code” without permission

The 8 core governance elements you need

1. Clear ownership (non-negotiable)

  • Business owns releases
  • Supplier builds, but does not decide
  • One named Release Owner on your side

If no one internally owns release decisions, you don’t have governance.

2. Formal release approval gates

At minimum:

  • Development complete
  • Testing signed off
  • Security checks done
  • Business approval given

No approval → no release.
This must be written into the contract.

3. Environment separation

Suppliers must never:

  • Deploy directly to Production
  • Have standing admin access

Minimum environments:

  • Dev (supplier-controlled)
  • Test/UAT (shared)
  • Production (customer-controlled)

4. Change & release linkage

Every release must be traceable to:

  • A change request
  • A business requirement
  • An approved backlog item

If it can’t be traced → it doesn’t ship.

5. Defined release management cadence

Decide upfront:

  • Scheduled releases (e.g. monthly)
  • Emergency releases (strictly controlled)
  • Blackout periods (e.g. payroll, month-end)

Suppliers love clarity here — chaos helps nobody.

6. Independent testing & acceptance

Never rely solely on supplier testing.
You need:

  • Customer-owned UAT
  • Clear acceptance criteria
  • Formal business sign-off

This is where many outsourced projects quietly fail.

7. Rollback and recovery rules

Before every release, you must know:

  • How to roll back
  • Who decides
  • How long recovery takes

If rollback isn’t documented, the release isn’t ready.

8. Post-release accountability

After release:

  • Was it successful?
  • Any incidents?
  • Lessons learned?

This feeds supplier performance management and future decisions.

Contractual points people often miss

Make sure contracts explicitly cover:

  • Who can deploy to Production
  • Approval authority
  • Audit rights
  • Security and access controls
  • Release documentation standards
  • Penalties for unauthorised releases

Governance that isn’t contractually enforceable is just “guidance”.

Board perspective

Outsourcing development does not outsource accountability.

Strong release management governance:

  • Reduces operational risk
  • Protects business continuity
  • Improves supplier performance
  • Increases confidence in digital delivery
