John Peluso, Vice President of Product Management, AvePoint
As 2015 approaches, it's a good time to reflect on the experiences of the past year and what these experiences have taught us. I was lucky enough to have the opportunity to speak with many forward-thinking organizations in high-governance industries—including banking, pharmaceutical, insurance, and the public sector—and understand their SharePoint governance needs. The list below discusses the most common themes I have seen this year and advice to consider for 2015, whether you are looking to improve your SharePoint governance implementation or are beginning to plan your governance initiative.
Accept that users know their business, not SharePoint or your governance plan.
One of your primary goals in a SharePoint governance initiative should be to identify high-risk, unstructured processes and transform them into “managed” services. Do you have a set of templates that are approved because they contain your intended governance controls—such as specific content types, metadata, or workflows? Even if users know the name of the template they are supposed to use, navigating the native SharePoint process for creating new objects can still be a daunting task. That's because this native process is unstructured—users are told what they should be doing and then left to their own devices.
In contrast, a managed service is simplified for the end user—perhaps by directing them to a provisioning process where only the allowed options are available. Now that you have directed the user, you can enhance the process with additional controls. Base the offerings available to the user on who they are and what their role is to the business. Put appropriate approval chains in place that are appropriate for certain requests.
When done properly, increased productivity can be an unexpected benefit of a well-governed SharePoint implementation.
It’s natural to think of governance as control. In reality, well-governed systems are the easiest to use. Take the example above where a user is trying to create a new site or list—their experience is actually better in the well-governed process because they are not left to figure it out for themselves. You will be much more successful in selling your governance initiative to the business if you design your processes with the end user in mind and communicate these improvements as part of the overall strategy.
One size does not fit all.
It's tempting to see SharePoint as a single box of content. Administrators are often disconnected from the user content in workspaces and have no way of understanding the varying business importance and potential risk of shared information. There is a reason why Microsoft started calling SharePoint lists “Apps” in SharePoint 2013—it’s a reflection of how SharePoint is housing an increasing number of business processes and applications, each with their own governance needs. Shouldn’t there be more to provisioning a library in a publishing site than in a team site? Shouldn’t getting access to a project site require a simpler process than to a highly sensitive content site? As admins, we need to find ways of understanding the types of sites we have, and then securing them with the right amount of governance controls.
Automation is essential.
The aforementioned concepts may sound great, but who actually has the time to make sure every site, list, and document has appropriate governance controls? SharePoint admins cannot manage this effort if they are busy doing repetitive, manual tasks every day. Try to automate as much as possible so that governance controls are enforced the minute an object is provisioned. Options include PowerShell, third party tools, and custom applications, but you should not rely on manual effort to apply and enforce governance controls across SharePoint.
Be prepared to brush up against business process.
Sometimes existing governance processes are vague because the business processes behind them are vague. If you want to create well-governed, business process-driven services for SharePoint, you must understand the business logic behind the control. Whatever requirements are outlined by the business can be enforced with the proper tools and knowledge, but first you will need to understand (or push for) that clarity.
Plan for both proactive and reactive governance controls.
Basic Governance, Risk, and Compliance (GRC) concepts state that implementing a control is not enough – we also need to monitor if the control is working. Keep this in mind to ensure you are designing a complete governance solution. SharePoint is notoriously ill-equipped at broadly scoped monitoring and alerting, so this is one area that you will want to investigate when choosing third party solutions.
More reports do not necessarily equal more governance.
Do not mistake “reporting” for actual governance controls. What someone does with that report—how often they check it and what they do after that—may be part of your controls, but reports themselves don’t enforce more than the vague specter of accountability at some point in the future. They certainly do not provide proactive control. When asked for a report, stop and ask, “Why?” Why is that report needed? Who will consume it? What will they be expected to do with this information? If the goal is to detect and remediate policy violations, there is a good chance you can use technology as the front-line control.
Think beyond SharePoint.
Understand that SharePoint governance is simply an extension of the overall IT governance strategy, which in turn is fed into the overall corporate governance concepts of the organization. The better you can connect your governance efforts in SharePoint to your organization’s core governance objectives, the more supportable and sustainable they will be.
SharePoint governance strategies have evolved quite a bit in 2014 and they don’t seem to be slowing down as we approach 2015. Take these trends and advice into the coming year to create and implement a comprehensive SharePoint governance process.
John Peluso is Vice President of Product Management at AvePoint, responsible for leading product vision and development as well as employee and partner enablement, particularly in AvePoint’s governance offerings. With more than 17 years of experience helping organizations understand how they can drive secure collaboration and business productivity through an effective use of technology, John has held both technical and business management roles, resulting in a deep understanding of the priorities and concerns of both sides of the organization.