Effective SharePoint Governance
Are you thinking about deploying SharePoint in your organization? You won't have to do much research before you come across the big "G" word—governance. Just the word itself is somewhat imposing and definitions for it will vary. In fact, if you ask three different experts what governance means, you're likely to get four different answers. And while I have yet to find the one perfect definition of governance, I can accept this one from Microsoft: "Governance is the set of policies, roles, responsibilities and processes that guides, directs and controls how an organization's business divisions and IT teams cooperate to achieve business goals." In short, it is a "how-to" guide.
Why do we need governance? Because we want to ensure (or even better, assure) that the IT solution achieves the business goals. With complex systems like SharePoint, users need help. Users need guidance on what they can do and how they do it. Trust me, they aren't going to just "figure it out." You may also have content that must comply with legal regulations such as HIPAA or Sarbanes-Oxley—without a governance plan, you may be in legal jeopardy.
Moving past the "what" and "why" of governance, an even harder question to answer is how to implement SharePoint governance. Part of the challenge here is that there is no one way, no right way. How SharePoint is used varies greatly, and for that reason you'll never find a master template on implementing SharePoint governance. Nonetheless, there are a number of suggestions I'd like to share on how you can effectively implement a SharePoint governance plan.
Start small. There are many reasons why organizations avoid governance altogether. Since governance is so overarching, it seems overwhelming and many don't know where to start. For others, they dive in and start setting policies on everything and never finish. In overly optimistic companies, they assume or expect end users will somehow collectively develop the plan over time. Avoid these traps.
One of the best practices for a SharePoint deployment also applies to your governance plan: start small and grow it incrementally. For example, we wouldn't recommend turning on every SharePoint feature starting on day one. SharePoint does way too many things. Turning on everything confuses users and makes governance planning impossible. Start by enabling a small subset of features to match only some of your business goals. Maybe you only start with social collaboration or enterprise search. Then, have the governance plan focus on just this area. As SharePoint expands, revise the governance plan.
Be sure to recognize that the degree of governance will vary depending on your business goals. For example, if you plan to use SharePoint for informal team collaboration, you'll need fewer rules than if you're a hospital managing sensitive patient records.
Consider the organization's readiness. Assess your company's culture and determine what I like to call governance readiness. Do you have clearly defined policies and procedures in other systems? Are users comfortable with these policies? Governance policies you create should match the readiness or maturity level. For example, if your company has been lenient on how expense reports are approved, you don't want the new process to be rigid and tightly managed. People adapt slowly and your governance plan must keep that in mind.
If this is your organization's first attempt at governance, you might consider holding off on some of SharePoint's advanced features such as records management as it does involve complex governance planning. And, even if you can articulate the ideal governance plan, the users won't be ready for it. As time passes, the organization and its staff will adapt and evolve. When it does, you can tackle the more complex business problems.
Form a governance board. SharePoint is a business and technical solution and, therefore, you should have a cross-functional board of business and IT personnel that develop the plan. Membership should include key departments that are affected by the SharePoint solution. In many cases, your board consists of the major stakeholders. In all cases SharePoint involves people, so make sure HR has a seat at the table. If SharePoint will be protecting and preserving legal records, make sure legal is represented as well. While the board functions like a steering committee, don't make it too large. If possible, try to limit the count to no more than 10 people to avoid committee paralysis.
Here's another important reason to have a cross-functional board membership: your organization may have other governance plans that are owned and enforced by other business units. When you develop a SharePoint governance plan, be sure that it aligns with other plans. For example, you may have an IT policy that states that no personal files shall be stored on any corporate system. This policy should then be inherited by SharePoint's governance plan.
Answering the Common Questions
Getting users to accept and properly use a new system is not easy. We call this the adoption challenge. A typical reason is because there is no guidance on how the system should be used and who should be doing what. A governance plan should provide clear guidance, like an easy-to-follow recipe. Remember, it's the "how-to" guide. The best way to do this is to make sure that it answers common questions that come up. And with SharePoint, you'll have a lot of them—here are just a few:
- How/when do I create a new website?
- How do I find/publish/protect/preserve/expire/recover content?
- Where do I store this type of document?
- How do I apply metadata to classify this document?
- Who owns this content and what are this person's responsibilities?
- Should I still store files on the file server?
The questions you come up with should be based on how your organization will be using SharePoint, and they will vary from other organizations. When answering the "how" questions (e.g. How do I create a new website?), don't just fill in the how-to-do-this-in-SharePoint answer. Really think about how users should be using SharePoint for this task. For some organizations, the built-in way to create a new website works. For others, there may need to be a request and approval process.
Answers to the "who" questions become the roles and responsibilities part of your plan. This is essential to make sure that users understand and are empowered to fulfill their duties. You should know that SharePoint often creates new roles, and these roles may need to be filled by new or reallocated employees. Be sure to consider who will be responsible for content areas that have special rules such as security or data quality.
To make the answers easy to find, publish them as a FAQ within SharePoint. When it comes to training, your governance plan becomes a core part of your training plan. You can't just train people on how to use the basic SharePoint product and expect them to correctly apply it in their day-to-day tasks. Instead, train them on how they will use SharePoint to perform these daily tasks. For example, you might have an HR scenario such as "using SharePoint to manage the onboarding of a new employee." When you do this, you'll often get an unexpected benefit: users want to use the new system. By showing users how it will make their job easier (which hopefully is a business goal), you're able to sell them on it, making them advocates. This is the best way to address the adoption challenge.
Can you Enforce It?
While you hope most people do the right thing, if you have no way to enforce a governance policy, it becomes weak and ineffective. Within SharePoint, some policies can be enforced in an automatic way, whereas others must be enforced manually. For example, you can enforce what types of files (e.g. PDF or MP3) users can upload into SharePoint, but there is no automatic way to limit the total space used by a single user.
While SharePoint is an incredibly powerful product, there are a number of areas like this where built-in features do not provide any automatic enforcement. Fortunately, SharePoint is very customizable, and often a software developer can write custom code to supplement these limitations. Also, a number of third-party vendors offer products to help address many of the governance needs. Be sure to consider these when planning your governance enforcement.
You should not define governance policies in areas where they cannot be enforced. So, in the previous example, unless you have a user running and monitoring a custom report on how much space each user has, you should not have a policy on it. This is a reason why your IT department has a seat on the governance board. He or she provides input on what you can and can't do with the system.