Fortifying the Pillars of Governance

What exactly IS governance?

Governance, at first glance, seems to be one of those broad, umbrella-like terms that can mean virtually anything. Definitions from different research firms and business consultants do little to resolve the issue. According to Gartner Research, IT governance is “the set of processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.” Microsoft TechNet explains that IT governance is “the set of policies, roles, responsibilities and processes that guide, direct and control how an organization’s business divisions and IT teams cooperate to achieve business goals.” Though these definitions help frame the issue, it is often difficult for the IT administrator to define actual “good governance practices” from such broad definitions.

So what can we elucidate from these general definitions? To begin our discussion, let’s draw one important line in the sand: While IT plays an instrumental role in the performance of “good governance,” governance is not simply a software- or hardware-driven initiative. Let’s be clear: governance is neither a technology nor a tool. First and foremost, governance is a business decision.

This business decision must be made—and led—by the C-Suite. Executive-level management must ensure that it is stewarding and fully supporting the initiative in order to ensure it is truly effective. This executive-level sponsorship must cover the execution of the governance initiative, establishing the procedures necessary to implement governance, and purchasing the tools necessary to aid in that execution. Notice that “purchasing tools to aid in execution” is last on the list. A clear plan must be established first. Part of that plan must include getting all of the key organization employees to the table to hammer out a successful governance strategy. This roster can include the C-level executives, financial stakeholders, IT leaders, business division leaders, information architects/taxonomists, compliance officers, development leaders, knowledge workers and trainers.

What’s at risk? Exposure to legal and compliance-related issues, much in the same vein as Enron and other companies that fell victim to litigation leading to their ultimate demise. When these companies did fall, and numerous compliance regulations—including Sarbanes-Oxley—came out, many organizations reactively purchased technology platforms such as Microsoft SharePoint to centralize and standardize their businesses without proactively giving thought to proper governance. The end-result was often a collaboration environment and digital asset repository burdened with sprawl, decreased security, excessive administration costs, depressed user adoption and, yes, susceptibility to compliance-related issues—exactly what organizations were trying to avoid. This problem still rears its head today—according to research from the Association for Information and Image Management (AIIM), less than 50% of SharePoint implementations were subject to a formal business case, and only half of those required a financial justification. Consequently, most companies did not have a management plan as to which of SharePoint’s features were to be used, and where.

We will get to why Microsoft SharePoint is an excellent platform upon which to centralize and streamline organizations shortly, but it is important—whether your organization is in the throes of taming an out-of-control technology environment or is considering a move to the newly released Microsoft SharePoint Server 2010—that the following factors are considered before commencing your IT governance project:

• Establish initial principles and goals: Identify tangible, measurable policies and standards in order to accurately quantify the initiative’s benefit to the organization;
• Classify the business information and content: Ensure that your enterprise-wide information is organized and available in order to support your governance initiative;
• Develop an education strategy: Ensure that all end-users are given comprehensive training on the newly established governance policy as well as the tools and resources necessary to properly use the technology platform; and
• Craft an ongoing plan: Make sure the key governance stakeholders meet regularly to assess current progress and determine what, if any, actions should be taken to continue ensuring proper governance.

SharePoint: The Building Blocks of Governance
Microsoft SharePoint is the fastest growing server product in Microsoft history, and for good reason: organizations immediately recognize the platform’s ability to serve as a centralized document repository, online collaboration workspace, development platform and a gateway for other mission-critical initiatives including enterprise content management. SharePoint is truly unique, though, in that the many virtues of the platform also serve as the fundamental reasons why it is challenging to effectively govern.

SharePoint was intentionally created to act as a decentralized platform whose end-users are the primary contributors of content and developers of processes. This peculiar quality helps deliver four distinct benefits to the organization: pervasive collaboration, delegated administration, user experience and employee self-service. However, these very benefits also are the prime suspects for SharePoint’s governance challenges. Once the proper business plan and people are set in place for your governance initiative, SharePoint administrators can meet these challenges by addressing four key SharePoint management areas, or pillars:

1. Site and information architecture. SharePoint sites can be set up by an end-user quickly without requiring any pre-qualification, adherence to business protocols or information architecture. This is great for end-user adoption, but disastrous for streamlined administration, potentially leading to hundreds of non-business-aligned, duplicate and redundant sites;

2. Securities and policies. SharePoint’s decentralized nature also extends to security permissions and management. The goal is to ensure data access to only those so authorized, without over-burdening IT staff. Avoidance of a manual and labor-intensive policy and permissions management process demands that certain elements—like departmental team sites—are governed by active directory permissions, while others are efficiently managed via SharePoint permissions;

3. Operational procedures. SharePoint administrators face a peculiar quandary with regard to SharePoint data protection and data accessibility: administrators must ensure that user experience promotes collaboration and creativity, yet govern it in such a way that service-level agreements (SLAs) are kept, scalability is accounted for, geo-distribution and business continuity plans are established and information from legacy systems does not get lost in the shuffle; and

4. Compliance. Administrators must manage the initiatives, technological controls and procedural controls required to ensure that SharePoint’s infrastructure, its users and the information it supports operate under applicable laws, standards and policies. This requires that appropriate auditing, archiving, reporting and data protection strategies are put in place and documented.

Native SharePoint Governance and Limitations
SharePoint provides the building blocks for common administration and governance tasks, but it cannot natively perform all of the necessary tasks efficiently. SharePoint’s native administration and governance tools do not allow for the performance of global—or bulk—changes to configurations or settings. This holds true for discovery, reporting and rollback of changes as well. For example, with some exceptions, administrators cannot efficiently discover, propagate and retract customizations, SharePoint Solutions or SharePoint Designer elements throughout their various development, testing, staging and production environments. These types of changes and customizations must often be managed manually, which can be both error-prone and time-consuming.