Essential SharePoint 2013: Practical Guidance for Meaningful Business Results (2014)

Part I. Planning

Chapter 4. Planning for Business Governance

Danish philosopher Søren Kierkegaard said, “People understand me so poorly that they don’t even understand my complaint about them not understanding me.” If he lived in this century, Kierkegaard could have been talking about SharePoint governance—the most misunderstood and misrepresented concept in the SharePoint space! Though everyone seems to have a different definition for governance, we all seem to agree that it’s one of the most important success factors for a SharePoint deployment. It’s a bit like the story of the blind men and the elephant¹—everyone has a different perspective.

1. If you have never heard this story, a good explanation is available at http://en.wikipedia.org/wiki/Blind_men_and_an_elephant.

With many controversial topics in the business world, it’s helpful not to get hung up on definitions—especially if everyone agrees on the outcome. When it comes to “governance” (which we might as well call the “G” word since everyone seems to have his or her own unique perspective), the goal is something that most folks agree on—making sure that your solution is successful. What we all might disagree about is what is included in the “G” word and what you need to do to make it happen. We generally consider governance for SharePoint as the people, processes, and policies necessary to ensure that your SharePoint solution meets both short- and long-term business goals, including those that may be required for legal or regulatory purposes. Without clear business goals, a governance plan is really meaningless. Without a governance plan, it’s virtually impossible to achieve your business goals.

For the discussion in this book, we will talk about SharePoint governance as having four dimensions, each of which requires a set of people (roles), processes, and policies in order to achieve—and each of which helps reduce risk:

• Technology assurance

• Information assurance

• Guidance

• “Consumability”

Technology assurance—keeping the trains running on time. Whatever you want to call it, there is an element of the “G” word that is totally in the realm of the technology infrastructure team. Governance in this context means taking care of the “back end”—ensuring that backup and recovery plans are implemented (and tested), capacity planning for the solution (which includes understanding solution content, geographic distribution of the user base, and how the solution is used in a business context or contexts), ensuring performance, maintaining service-level agreements (SLAs), applying software patches and upgrades, and so on. Adding SharePoint to the mix of technology platforms in an organization may add a new element to technology assurance processes, but good IT departments are already doing this for other infrastructure applications—and the business users of SharePoint have a right to expect that the IT team will take care of the technology assurance required for SharePoint. If you are deploying SharePoint 2013 Online, Microsoft will take care of a lot of the technology assurance for you, and your IT shop can focus more on monitoring than on executing. When you are deploying SharePoint on-premises, there are certainly SharePoint-specific responsibilities that you need to worry about. If you are responsible for technology assurance in your organization, please read Chapter 5, “Planning for Operational Governance.” If you are the business owner of a SharePoint solution, your role for technology assurance is to make sure that your service-level expectations for SharePoint are realistic and directly tied to business risk. As one of our colleagues used to be fond of saying, “You can have anything you want, as long as you have unlimited time and money.”

Information assurance—ensuring that information in all its forms is adding value. Information assurance is the process of managing content—reviewing it, disposing of it, securing it, making note of when it is a record, and ensuring that records management processes are followed. We hope that you do not have to invent information assurance policies for SharePoint—your organization most likely already has an information assurance plan in place. If not, implementing SharePoint could serve as the catalyst for creating a formal records management/information assurance plan. The challenge you may face is that it’s possible that your organization has an information assurance plan that is not actually followed or enforced. This all-too-common situation means that your organization has some significant exposure risk from an e-discovery perspective, but it also means that you may have some challenges getting users to comply with content management policies—especially those designed to remove or archive expired content—because you haven’t enforced these policies in the past. The important thing to remember is that decisions about information assurance are not technology decisions; they are business decisions, and the IT team responsible for implementing SharePoint should be following, not creating, policies. Once the business requirements are identified, business owners should be accountable to ensure that the policies are communicated, applied, and enforced in the context of your SharePoint content. Information assurance is related to corporate compliance and risk mitigation—it is not optional. Security is a really big part of information assurance, and the security plan for your solution and your content is one of the most important areas of solution planning. 
Managing permissions is complicated—because business is messy—and this is a good area in which to invest in one of the several good third-party tools on the market to help manage and automate the application and review of permissions on your SharePoint site. For more information on this topic, refer to Chapter 12, “Planning Security.” But remember, tools can only help you implement policies that you have already defined—so the first step is to define the policies.

Guidance—steering empowered users in the right direction to achieve business results. Making SharePoint governance “stick” is about education and support—ensuring that the people empowered with specific roles and responsibilities have the training and appropriate guidance to ensure that they can accomplish their business goals efficiently and effectively. Wherever possible, guidance should be built into site templates. For example, creating standard document library templates that already include enterprise metadata will make it painfully easy for site owners to understand how to leverage predefined metadata to help make their content more “findable.” Proper guidance also includes the built-in critical role of the moderator that is part of the template for the SharePoint 2013 community site (see Chapter 15, “Planning for Social Computing”). And it means providing a training roadmap for new users that teaches them key SharePoint concepts just at the moment when they need to learn about them. There are often entire departments or teams dedicated to IT and information assurance, but rarely enough (or any) focus on providing users with another equally, if not more important, “G” word—guidance—about how to get the most value from the investments they have made in SharePoint.

“Consumability”—communicating your governance plan in a way that users can easily process and understand. Once you understand the basic governance elements, you can structure the conversations required to make good decisions about what you need to do for your specific solution. Documenting these decisions is important. But creating a massive governance document that no one reads or can process is almost as bad as not having a governance plan at all. Successful governance plans are “consumable” by the people who need to understand them. When your governance plan is consumable, it can also be enforced—and without some kind of continuous review, your well-documented governance plan is just a piece of paper. This doesn’t mean that all of the elements of your governance plan need to be enforced in the same way. You will clearly need to monitor and enforce rules related to legal or regulatory compliance differently from guidance that results in better content “findability.” But all elements of your governance plan need to be well understood by the people who have to follow them. And to do that, your governance plan must include a plan for making it consumable. We will spend some time talking about how to make your governance plan consumable in this chapter, but this is an emerging practice area and it is likely that you will want to keep up with our blogs and speaking engagements as we continue to learn more about successful approaches to ensuring the consumability of governance plans.

Chapter 5, “Planning for Operational Governance,” focuses on the first governance dimension, technology assurance. The discussion in this chapter describes a series of steps to help you think about planning for SharePoint governance considering the last three dimensions: information assurance, guidance, and consumability. These three dimensions have the greatest impact on the business owner for SharePoint as a whole in your organization and the business owner of each individual SharePoint site.

Tom Byrnes, Enterprise SharePoint Architect at Biogen Idec, has a very simple definition for SharePoint governance that provides an excellent framework for the recommendations in this chapter and a guiding principle for the governance plans you create for your SharePoint solutions. According to Tom, governance means making sure that there are “no sharp edges.” In other words, governance means ensuring that you are not creating a situation where your user, your organization, or your solution can get hurt either intentionally or accidentally.

An effective governance plan means that your solution has “no sharp edges.”

—Thomas Byrnes, Enterprise SharePoint Architect, Biogen Idec

What’s New in SharePoint 2013?

SharePoint 2013 adds a new dimension to the concept of governance, with new types of content (such as activity posts) and new user actions (such as liking, following, and mentioning) that will need additional governance focus. Here are some of the new governance concepts that you will want to think about:

• New types of content to govern—especially social content. Each new version of SharePoint brings new types of content to govern for which we need to provide guidance, and SharePoint 2013 is no exception. The implication for governance planning is that there are new governance decisions to make. For example, if you are enabling the new, rich social conversation capabilities, you will need to discuss with your legal team whether there are any compliance issues associated with retaining conversations (i.e., legal discovery issues). There is no built-in process to automatically support “aging out” of the newsfeed, so you will need to consider how long to retain activity posts. You will also want to review what is legal to talk about in discussion posts (for example, certain types of personal information about yourself or others). Similarly, you will want to talk with your executives about what is appropriate to discuss. And you will need to communicate to your users that when they click the button to enable their personal sites for the first time, they are explicitly acknowledging that they are participating in a social conversation—that they can be followed and people can follow and mention them—without requiring explicit permission.

• Easier to share. SharePoint 2013 Online makes it easy to invite external users into a site or give them access to just one document on a site. You will need to think about whether you want to make this feature available (for the environment as a whole or on just some site collections) and if it will be available, what type of guidance to provide to users. For a more detailed discussion of the implications of some of the security decisions you will need to incorporate into your governance plan, refer to Chapter 12, “Planning Security.”

• New types of users. Office 365/SharePoint Online customers can take advantage of a licensing model that allows organizations to give access to their SharePoint environment to “guest” or extranet users. Extranet user licenses are free, but extranet users have a “second-class” user experience that needs to be considered as part of your governance plan.

In addition, we’ve learned a lot about effectively creating and deploying governance plans since Essential SharePoint 2010 was published; an increasing number of our clients have asked us to help them create effective governance plans. Even if you have read Essential SharePoint 2007 and Essential SharePoint 2010, you will find a lot of new information about governance in this chapter. Some of the key lessons we’ve learned in the past three years include:

• Creating “consumable” governance plans is as important as (if not more so) creating a governance plan in the first place. Yes, you need to have a governance plan. But if it’s not consumable, it’s not worth the paper it’s (ideally not) printed on.

• You can’t talk about business and technical governance to the same audience—unless you want to put everyone to sleep (which is why we have added a separate chapter about operational governance to this edition of the book).

• If a particular action is required for legal or regulatory compliance purposes, the best approach in your SharePoint solution is to control it with technology—either with a third-party tool or with business rules that are applied with information management policies. It’s critical to make a distinction between rules or policies that users have to follow for compliance purposes, and recommended guidance, which is more about the practices necessary to achieve desired business outcomes or, put another way, about risk mitigation for business goals. Your users may not necessarily have to follow guidance, but if they don’t, your organization may not achieve the desired business outcomes.

Not having an effective governance plan is just as detrimental to the success of SharePoint 2013 solutions as it was for previous versions. Since it is easy to build new sites and perhaps even easier to add new content in SharePoint 2013, it is easy for SharePoint solutions to quickly grow out of control. A carefully thought-out governance plan can ensure that you effectively manage your investment in SharePoint for organizational success.

Why Is Governance Planning Important?

A portal or collaboration solution is only as good as the value of its underlying content. A strong governance plan is essential to ensure that a solution delivers worthwhile content to its users in an effective way. Moreover, governance planning is especially important for SharePoint solutions because SharePoint is designed to empower users who are typically not IT or content management experts and may not be aware of best practices that will not only improve usability but save them a lot of time and energy when creating and deploying new sites.

A governance plan establishes the processes and roles required to

• Avoid solution, team site, and content “sprawl” (e.g., unmanaged sites and content that is not periodically reviewed for accuracy and relevance) by defining a content and site review process

• Ensure that content quality is maintained for the life of the solution by implementing content quality management policies

• Provide a consistently high-quality user experience by defining guidelines for site and content designers

• Establish clear decision-making authority and escalation procedures so policy violations are dealt with and conflicts are resolved on a timely basis

• Ensure that the solution strategy is aligned with business objectives so that it continuously delivers business value

• Ensure that content is retained in compliance with records retention guidelines

Adoption of a new SharePoint solution often involves a dramatic change in user behavior—specifically, greater integration of technology into day-to-day work and increased collaboration. This is especially significant if you are deploying the social features of SharePoint 2013. In more traditional IT solution deployments, the solution business logic changes relatively infrequently. In a SharePoint solution, both the back-end database and business logic change frequently and often significantly. Moreover, the business, market, and technology are guaranteed to change during the lifetime of the solution. This implies that business stakeholders must be continuously engaged since SharePoint’s ability to meet user needs is critically dependent on areas such as data quality, content relevance and currency, and frequent updates, all of which are business user responsibilities.

When Should You Start Thinking about Governance?

The time to start thinking about governance is really when you are identifying the key business priorities for your solution. The key business outcomes for your solution define the context for the governance plan. This is really important because your business goals will help you define how much time and energy (and money) you need to invest in governance. For example, if improving content “findability” across the organization is not very important, or you have an alternative enterprise document management solution but having a single place for individual teams to collaborate is critical, you probably don’t need to spend too much time on enforcing or planning strict document metadata rules in SharePoint. If, on the other hand, you expect SharePoint to help reduce “versionitis” (multiple versions of the same document in various repositories across the enterprise), your governance plan will need to include processes and policies and training to ensure that users follow the “one copy of a document” guiding principle and send links instead of attachments, and that you have a process to ensure that you are not unnecessarily creating more than one site for the same purpose.

While you need to start thinking about governance at the start of your SharePoint project, you may not have all the answers to the key governance questions at the beginning. Don’t let that deter you—it’s the governance conversations that are most important at the beginning because they get all the key stakeholders focused on the effort that will be required to ensure that your solution is optimized for success. No matter when you start thinking about governance and creating the first set of governance artifacts, do not think of governance as being “done” at any one point in time. Your governance plan needs to be something that you continuously revisit throughout the lifetime of your solution, so make time in your project plan to revisit the plan as you learn more about how users are using the solution and capture feedback from their experiences. As your SharePoint environment evolves, revisit your governance plan to adapt to changing needs. You may find that you need greater oversight to ensure conformance. You may find that you need less oversight to encourage more creative application of core features. You may find that the roles and responsibilities need to be updated to reflect changes in the solution or changes in how users are using SharePoint.

Communicating the substance of the governance plan is a core component of launch planning and the ongoing management of your SharePoint environment. For this reason, we have included “consumability” as a critical element of governance plans. But communication also has to include some type of enforcement and review. If you aren’t committed to enforcing your governance plan, why bother? Remember: there are mandatory elements of your governance plan and “guidance” elements. The mandatory elements should be those related to regulatory, records management, or legal compliance as well as any element that is fundamentally vital to the success of your solution. If you are not prepared to enforce the mandatory elements of your governance plan, you should at least be aware of the organizational risks.

What Is in a Governance Plan?

An effective governance plan provides a framework for design standards, information architecture, service-level agreements, infrastructure maintenance, and your overall measurement plan. It is intended to summarize and tie together, not replace, the documents that describe these activities in detail. Referencing this related content rather than embedding it in the governance plan will keep the plan from becoming unnecessarily bloated and unmanageable.

In addition, the governance plan should reference all of your existing IT policies for topics such as the appropriate use of technology resources, confidentiality of content, and records retention. Since so much of the focus of SharePoint 2013 is on social computing, you will also need to reference or potentially update your social media policy. Again, your SharePoint governance plan doesn’t need to include these policies, but it should reference them where appropriate.

The business governance plan is a business document; its primary audience is the business (content) owners of your SharePoint sites and the users who produce and consume the content on those sites. Since all users can effectively produce content in SharePoint via social tags and ratings, everyone in the organization needs to be generally familiar with the governance plan, at least at a high level.

Talking about the contents of your governance plan makes it seem like the governance plan should be a single document. If there is one key lesson we’ve learned about this topic in the past three years, it is that no one in your organization wants to read a big governance document—so don’t create one! You will probably have better luck if you create a series of short governance documents, each targeted to people in a specific role related to your solution. But you might not even want to create documents at all and instead create a series of contextual Web pages that you can organize and display in multiple contexts—for example, in line with the tasks that users will execute or linked from your training environment. That’s why we often refer to what you will create to “deliver” your governance plan as governance “artifacts,” which may be Web pages, quick reference cards, videos, vignettes, tchotchkes, or, sometimes, actual documents.

The governance plan needs to include the following key elements, no matter what type of artifact you use to represent them:

• Vision statement: a clear statement of purpose reflecting the business outcomes for the solution.

• Guiding principles: statements that outline organizational preferences supporting the vision.

• Roles and responsibilities: descriptions² of the key roles required to support the solution and a summary of the responsibilities and, if appropriate, the skills and learning expectations for people serving in those roles.

2. In fact, your governance plan doesn’t need the descriptions—it needs the people who fill the roles! If you have governance roles defined but no one filling the roles, you may be able to say you have a plan, but that’s the point we are trying to make throughout this discussion: a plan without execution does not ensure success.

• Policies: documentation of the nonnegotiable aspects of your governance plan, policies that you will monitor and enforce. For example, this could include your expectations about how often content needs to be reviewed. You may have different policies (and levels of review) for content on the intranet versus content in team sites. Your policies should also include a review plan for the policies themselves as well as the entire governance plan.

• Guidelines: documentation of best practices and recommendations that will improve the user experience for your solution but that are not necessarily policies that you intend to enforce or mandate. Your recommended guidelines are designed to increase user comfort and make it easier for people to both comply with your policies and get value from the solution. Think of your guidelines as providing examples to manage expectations in addition to providing best practices. This is especially important for areas like the user profile and the new activity feed. For example, if you want users to complete an “About me” statement to improve the ability to find and leverage expertise, provide examples of what a helpful “About me” statement looks like.

In addition to these elements, your plan will likely also include procedures for common tasks such as requesting a new site, requesting a new shared Content Type or attribute, requesting a new site template, and so on. Publish these procedures so site owners and other users can easily find and follow the processes you define.

How Do You Create the Governance Plan?

Figure 4-1 shows a summary of suggested activities you will want to include in the process to create your governance plan. Though we show it as a sequence, you’ll most likely work on several of these activities simultaneously—and revisit most of them as your solution and organization evolve.

Figure 4-1 Activities for governance planning

Think about Governance during Design

As discussed earlier, governance planning should begin when you are first envisioning the solution (and any solution enhancements). You can and should start to raise the key governance questions during your initial stakeholder analysis and visioning sessions. You may not be able to answer every governance question before you have a solution design, but if you are going to need to establish new organizational roles or have to change job descriptions in order to ensure solution success, you will need to raise these issues as early as possible.

Identify a Small but Inclusive Team

If you are documenting your governance plan for the first time, you will probably find it most effective to put together a small team to review the key “framing” decisions for governance and then divide up the work to document the details and create the appropriate governance artifacts among the team members. The best reason to start with a small team is that you can actually make some initial decisions and have productive conversations about topics. Once your small team has made some initial recommendations, you can review and discuss your “straw man” proposal with your larger steering committee or governance board.

The team should clearly include representatives from IT, but you will also want to include people who can represent the interests of those responsible for training, human resources, communications, and knowledge management in the organization. For certain key decisions, you will need to bring in specialized resources—for example, you will probably want to review any fields you will expose in the user profile with your legal team, and you will clearly want to work with your records management team to identify policies required to ensure that your document repositories are compliant.

Have a Clear Vision

A vision statement describes, at a high level, what you want to achieve with SharePoint—essentially how the solution delivers value to the organization and to each individual employee. Use the vision statement your SharePoint project sponsors and stakeholders established for the solution as a foundation for your governance plan. Be sure that the vision is clear because the degree of formality and the depth to which you need to document the governance plan should align with the outcomes you want to achieve.

A clear vision statement provides critical guidance to the inevitable trade-off decisions you will need to make in thinking about your governance plan. For example, you may hear about the dangers of the SharePoint “wild wild west”—an uncontrolled environment with unstructured and “unfindable” content—and that this “chaos” is the primary reason you need to have a governance plan. If the solution you are developing is designed as a key element of your corporate knowledge management system, the “wild wild west” is indeed a scary and unacceptable environment. But what if your goal is to create an experimental environment where new SharePoint site owners can create “practice” sites to try out new skills or test alternative approaches for specific business problems? In this scenario, an overly restrictive governance plan doesn’t make a lot of sense. You may determine that you can’t afford an unlimited number of “practice” sites, so you may want a governance policy that says that all sites are deleted after a specific period of time, but in this scenario, the “wild wild west” is fine. But you know that only because there is a clear vision. The vision, thus, provides a framework for both the context and the investment in governance. Once you are clear about your vision, the next step is to gather your core project team together to think about the principles that will guide your governance plan.

Develop Guiding Principles

Guiding principles define organizational preferences supporting the vision. These critical statements reflect best practices that users and site designers must understand and internalize to ensure the success of your solution. It is very likely that your organization will share many of the same guiding principles that we’ve seen in successful SharePoint deployments.

Use the examples shown in Table 4-1 to help define a starter set of guiding principles for your solution. Think about how you might create some supplemental reference material to help users internalize these principles—or consider adding a “principle of the day” to the home page of your solution. If users have a good understanding of the guiding principles, you have a reasonable shot at getting them to follow your governance guidelines.

Table 4-1 Examples of Guiding Principles

Think about the Deployment Model

SharePoint is typically implemented for four major categories of solutions: intranets, collaboration solutions, extranets, and Internet sites. Within each general category, you might also be using SharePoint for specific application solutions; for example, you might use your intranet to deliver business intelligence information or to approve purchasing requests with a business workflow. The degree of formality of your governance plan—as well as the extent to which you invest in enforcing your governance plan—will be tied not only to your overall vision, but also to the general category of solution you are deploying.

One way to think about how your deployment model impacts your governance is to consider two key deployment dimensions: risk and reach. In this context, risk means the degree of risk to the business if incorrect or invalid content is exposed. Reach indicates the breadth and depth of the audience to which your solution is exposed. For example, your Internet site has the widest reach and may also have the highest risk for your organization. If inappropriate content is exposed on your Internet site, it could be very damaging to your business. Figure 4-2 illustrates how you might think about plotting some of the typical solution categories along these two dimensions and how the formality of and investment in governance planning aligns with this framework. Remember that your particular deployments might not map exactly to the placement of each solution category in the model, so you will need to adapt this framework for your situation. The main point of thinking about your deployment model in this way is to help focus your investment in governance toward the solution areas that have the biggest impact and highest risk. When it comes to governance, one size does not fit all.


Figure 4-2 Relationship of governance to deployment scenarios

For team sites, you will probably want to establish general rules about what can be posted and how long the information needs to be retained. These rules might differ for temporary project sites versus persistent team sites to support an administrative or departmental team, but you will likely want some level of consistency at least by site type, especially if the content is exposed to the entire organization or, in the case of projects, where it is feasible that someone might be working on more than one project at a time. If each project team site is structured completely differently, team members will have to spend valuable knowledge cycles figuring out what is going on every time they go from project site to project site. But in addition, you may want to allow some flexibility for teams to think about their own governance plan. In the context of an individual team, that might mean creating a team compact or charter to define how they are going to use SharePoint to collaborate. Your governance plan might thus include some policies, if you want every team to work the same way, and some recommended guidelines, if you want to allow teams to choose a model that works best for them by giving some preferred examples so each team doesn’t have to reinvent the wheel. As an example, one project team’s governance plan could define a policy that all meeting minutes will go in the team notebook, and another might have a policy that says meeting minutes are stored in a document library called Meeting Minutes. Would it be better and more efficient if every team stored meeting minutes in the same place? Probably, but unless you are in an industry or on a project that has regulatory guidance that applies to meeting minutes, you may not want to invest a lot of time and energy in this aspect of your governance plan.

It can be helpful to summarize the overall governance model for each category of solution in a table so that you can review and compare expectations. Table 4-2 is an example of a governance model summary from a SharePoint project that included an intranet and collaboration solution that you can use as a reference.


Table 4-2 Governance Model Summary for a Sample Deployment

Plan and Schedule the Governance Conversations

We’ve found that the framing decisions are easiest to discuss when presented as a set of questions that can be reviewed in a series of topic-focused conversations spread out over a couple of days or weeks. It’s definitely best to spread out these conversations by topic and to limit the conversations per topic to no more than three to four hours. You will likely need some time to think about the answers and get comfortable with the implications, so giving your team some time to ruminate about the decisions and their implications will improve the odds that you will be successful. These conversations will help you fill out an overview table similar to Table 4-2, and they will also help you align expectations around just what it is going to take to ensure that you get the desired results from your SharePoint investment.

Each topic has a set of questions that you will need to answer to determine the substance of your governance plan. You will likely find that the conversations themselves provide an opportunity to clarify and manage expectations for all of your key stakeholders, and for the most part there is no single “best” answer to any question. The right answer is the one that works in your organization and for your solution. To make it easier for you to customize the list of governance questions—and to allow us to update the list based on our ongoing experiences—we have created the list of key governance questions as an online resource that you can download and adapt to meet your needs. The questions are all listed in this section, but you can find the latest list, along with all resources, at the following link: www.jornata.com/essentialsharepoint.

Vision and Overview

The questions in this first meeting are designed to help ensure that you have consensus about the expected solution outcomes. While some of the other governance questions will be difficult to answer until the solution is designed, the conversations about vision should be part of the early envisioning process.

• What are the desired business outcomes for the solution?
• How are these outcomes aligned with the key strategic objectives for the organization as a whole?
• What are the specific business objectives for the social features of SharePoint?
• What are the business-specific “moments of engagement” where social will drive value?
• Who is accountable for ensuring that the solution meets the expected outcomes?
• How will success be determined?
• Who are the key stakeholders for the solution?
• Who is involved in content creation?
• Who is involved in content consumption?
• Who will be impacted?
• What types of overall corporate policies for information management, business, or technology management apply to the solution?
• Who is accountable for making sure that sites comply with governance policies and recommendations?
• Is there a penalty for noncompliance?
• What processes must be in place to ensure compliance?
• What are the expectations around user training (who takes which training)?
• What are the plans to incorporate policies and best practices into SharePoint training?
• Who will be responsible for maintaining the governance plan?
• Where will governance information “live”? How will it be communicated to users?

Enterprise Policies—Compliance

• Are there existing legal, IT, and information management policies that SharePoint solutions must follow?
    • Use of IT resources
    • Electronic communications
    • Social media policy
    • Protection of personally identifiable information (PII)
    • Records management
• How are these policies enforced in other systems?
• Are there standard policies that need to be included in each community site?
• Who is accountable for ensuring that policies are followed? How will accountability be evaluated?
• How do the corporate records and discovery policies address
    • Intranet pages
    • Intranet documents
    • Intranet news articles
    • Intranet images
    • Team site documents
    • Community or team site discussion lists
    • Other community or team site lists and images
    • Newsfeed
    • Individual user content in SkyDrive Pro
• Are there specific events in SharePoint that need to be logged for audit purposes? Are the right reporting tools in place to ensure that this can happen?

Enterprise Policies—Access

• Are there any overall access restrictions (specific Active Directory3 or other groups permitted or not permitted to access the solution as a whole or individual types of sites)?

3. Active Directory is the Microsoft directory service used to manage access to a network and many applications, including SharePoint. Active Directory includes profile information about the employee such as name and e-mail address. Individual entries in Active Directory are combined into Active Directory Groups.

• Can users invite external people to access content? Are there restrictions on specific types of sites where external access is or is not permitted?

Enterprise Policies—Provisioning

• What is the provisioning process to get a new site collection?
• Who can request a new site collection?
• How is this decision reviewed?
• Are site owners required to take any training? If so, how will training be provided (online, in person, etc.) and monitored?
• What is the process to provision a team or community site within a site collection?
• How will sites be decommissioned?
• What is the plan for content archiving?

Enterprise Policies—Information Architecture

• Who is responsible for managing the overall information architecture for the solution?
• What type of information is most important for success?
• Are there specific information management policies that apply to different types of information?
• Who is responsible for ensuring that the information architecture supports effective information management?
• How will the effectiveness of the information architecture be evaluated over time?

Enterprise Processes

• What processes need to be in place to request new features or capabilities for the solution?
• Who will be accountable for reviewing and managing enhancement requests?

Overall Design—Branding and Functionality

• Are there required standards for branding?
• Is there an overall design style guide that all sites are required to follow?
• Who is responsible for branding decisions?
• Is SharePoint Designer permitted?
• Is the use of InfoPath permitted?
• Are any third-party tools/apps permitted? Restricted?

Enterprise Content

• Are there enterprise Content Types?
• What are the considerations for shared metadata?
• Is there any enterprise-wide mandatory core metadata?
• Are there any specific content requirements for users’ personal content on SkyDrive Pro?
• Are there enterprise-wide supplemental terms (managed metadata in the term store)?
• How will metadata guidelines be communicated to site owners?
• Are there specific policies or guidance for different types of content (for example, news, links, discussions, data files, multimedia files, images)?
• Are there any overall requirements for dealing with inactive content? Does it get archived? (If so, how?) Does it get deleted? Who is accountable for managing inactive content?
• Is there a plan to archive content that might be required for e-discovery or during a regulatory audit?
• Are there specific types of content that cannot be stored in SharePoint?
• Is there a need to identify “work in progress” versus “final” content, or are there specific places that content of each type needs to be published?
• Who “owns” published documents? Contributor? Department? Does it depend on the site or site type?

Roles and Responsibilities

• Who is the business owner for the solution?
• Who is responsible for technical management of the environment, including hardware and software implementation, configuration, and maintenance? Who can install new Web Parts, features, or other code enhancements?
• Who will be responsible for ongoing evaluation to ensure that the solution continues to meet business and technical expectations?
• Who is allowed to set up new sites and who will be responsible for doing so? If this responsibility is controlled by the IT department, it is likely that IT will have to negotiate an SLA for site setup responsiveness with the business stakeholders. If this responsibility is delegated, users will need training to ensure that they follow acceptable conventions for naming, storage, and so on.
• Who has access to each page/site? Who can grant access to each? Some organizations do not allow individual site owners to manage security on their sites. If this is something you decide to do, who will be responsible for managing security?
• Who is responsible for managing metadata? Who can set up or request new Content Types or Site Columns? How much central control do you want to have over the values in Site Columns?
• If the governance plan says that page and site owners are responsible for content management, are you prepared to decommission pages for which no one in the organization will step up to page ownership responsibilities? Who will be responsible for making these decisions?
• How do the existing organizational roles map to the roles required for the new solution?
• Are there additional skills that people need to acquire?
• Are there additional resources that need to be hired?
• Do the following roles already exist? (See the discussion later in this chapter for additional details about these specific SharePoint roles.)
    • Information architect
    • Center of excellence
    • Peer/business unit evangelists
• Is there a requirement for training to have a specific role overall or for an individual site?
• Who will be accountable for ensuring that lessons learned in various implementations across the organization are effectively shared with the rest of the organization?

Operational Decisions

• For each type of content or collection of sites:
    • What type of availability is required?
    • What are the expectations for disaster recovery and backup?
    • What are the expectations for response time?
    • What is the impact on storage, network infrastructure, and other elements of the IT backbone?
• What types of environments are needed to support the business outcomes (for example, development, QA, and production)?
• How will migration be supported from one environment to another?
• How will changes to the solution be managed?
• What types of processes are needed to ensure that the solution infrastructure is maintained and monitored?
• How will performance or infrastructure issues be escalated and resolved?

Site-Specific Governance Decisions

In addition to conversations at the enterprise level, you will also want to think about how your governance decisions may be different for each type of site or site collection.

• Who can request a new top-level site? What is the process?
• Who “owns” the persistent top-level navigation? What is the process for updating?
• Who decides where the new site goes in the navigation?
• Does the layout on each page/site need to be consistent?
• Are there specific templates that must be used? Can site owners use any available Web Part or app, or is there a specific list?
• Who can publish content?
• Can users outside the standard security permissions be invited into the site (external and internal)? Note: External users can be prevented from access globally, but users with Manage Permissions privileges control which internal users access the site.
• Are there specific policies or guidance for different types of content (for example, news, links, discussions, data files, multimedia files, images)?
• How critical is availability, backup, and response time to this site type?
• Who is accountable for ensuring that the content on the site follows governance policies and guidelines?
• How will you ensure that the purpose and relevance of the site have not changed?
• What happens to old or irrelevant content?
• How often does content have to be reviewed? By whom?
• Can content be deleted?
• What about an entire site?
• Who is accountable for determining and assigning permissions to access the site?
• Is there a requirement for training to have specific permissions?

Talk about Social

One of the governance conversations that you need to have for SharePoint 2013 relates to how you want to use the social features; we are emphasizing this because the social features are new and evolving, and unless you have already been using a social tool in your organization, you will want to put some additional focus on social content in your governance plan. Moreover, even before you talk about social in the context of governance, make sure you have considered the role social plays in your organization and what outcomes you are trying to achieve. You will probably need to bring in some expertise from legal and HR when you have your governance discussions about social computing. Even though some of your users may be familiar with the use of social tools in their personal lives, you need to think about conventions and norms for your organization.

Start by looking at your organization’s existing social media policy because you may find that the “rules” for external conversations may be equally applicable internally. If your organization does not already have a social media policy, you can take a look at some of the publicly available policies from other organizations as a starting point to create one. For example, both Coca-Cola and Intel have made their internal social media policies public, and they include concepts and language that you may be able to reuse. There is a great Web site with links to many examples of social media policies that you can use as a reference: http://socialmediagovernance.com/policies.php. Here you will find links to both the Intel and Coca-Cola policies as well as many more from virtually every industry.

User Profile

• Do you want to have a customized statement of acknowledgment (in addition to what users see “out of the box”) that reminds your users that when they create a profile, they are “opting in” to the social conversations in the organization and that they need to follow your internal social media policies?
• What are the fields planned for the user profile?
• Can users add their own picture? Any picture? Are there any privacy concerns associated with user pictures? Can users opt out of having their picture shared?
• What are the expectations for “About me”?
• What are the expectations for Ask Me About? How much of an expert does a user need to be in order to list a topic? Can users declare their own areas of expertise or does that need to be vetted by a third party?
• What are the expectations for Past Projects?
• What are the expectations for Skills? Can/should users enter non-work-related skills?
• Do you want users to update Schools?
• Can users enter Birthday if they choose? This is an optional default field in the profile, but some organizations consider this field personal information that should not be shared—even if someone wants to share it.
• Are both personal and business interests allowed in Interests?

Newsfeed and Discussions

The SharePoint 2013 Newsfeed (and Yammer) presents an entirely new type of content to govern. As mentioned earlier, there is no built-in process to automatically support “aging out” of the newsfeed, so you will need to consider how long to retain activity posts. Many organizations apply the same policies to their newsfeed content as they do to archiving e-mail, but this may or may not be appropriate for your organization. You will also want to review what is legal to talk about in discussion posts (for example, certain types of personal information about yourself or others). Similarly, you will want to talk with your executives about what is appropriate to discuss.

• Do you want to provide guidance about mentioning someone in the activity feed using an @mention or posting a photo of someone without asking permission?
• Is there an existing policy for social media that applies to the newsfeed or Yammer (or needs to be updated)?
• Are there specific topics or content that should not be included in activity posts? For example, in one legal implementation, attorneys were advised not to mention any specifics of open cases in newsfeed posts.
• How will newsfeed policies and guidance be enforced and communicated?

Define Roles and Responsibilities

Roles and responsibilities describe how each employee as an individual or in a particular role or group is responsible for ensuring success of the solution. Documenting roles and responsibilities is a critical aspect of the governance plan, which defines who has authority to mediate conflicting requirements and make overall branding and policy decisions. The conversations described earlier will help you focus on the types of roles that are necessary to ensure a successful SharePoint deployment. The discussion in this section defines each of these roles in more detail.

There are several key roles to consider. In smaller organizations, many roles may be fulfilled by a single individual. Tables 4-3 and 4-4 present lists of typical roles and responsibilities associated with SharePoint at the enterprise level and then for each individual site or site collection. You will likely need to adapt both the responsibilities and even the terms you use to describe each role for your organization, but these lists will give you a good place to start.


Table 4-3 Enterprise Roles


Table 4-4 Roles for Each Site or Site Collection

One thing that you will notice is that it really “takes a village” to successfully support SharePoint in any organization—whether you have an on-premises or cloud deployment. And because of the different types of skills required to deploy and maintain both SharePoint and the solutions you build, it’s virtually impossible to find a single person who can do it all or know it all. So, you will need a team—and the team may include specialized consultants that you bring in initially or from time to time in addition to your own staff and the extended SharePoint community. Many organizations find it helpful to organize their SharePoint resources in a center of excellence model, which may include full-time members of the IT staff supplemented with virtual members who work in various business groups around the company. Creating a center of excellence will help you create your SharePoint “brain trust,” which collectively can help ensure that you distribute what will certainly be scarce expertise in the most effective way. But you will also need to keep in mind that the need for certain skills and roles will change over time—you may need more external application development and information architecture support in the beginning and less over time as your solution matures or as your internal team gains new skills. However, as the organizational needs change, you may find that you need some additional support in specific areas. This is where the extensive SharePoint community can provide significant value—as a source of both free and fee-based advice. Be sure that your SharePoint teams stay connected to the community via resources like Twitter, the public SharePoint community on Yammer “SPYam,” hundreds of SharePoint blogs, the various LinkedIn and Microsoft forums, and the vast array of SharePoint Saturday and other conference events. 
You don’t always have to “own” every SharePoint role, and when you have staff who are new to a role and need support, the SharePoint community provides a rich and vast collection of people and content available to supplement and guide.

Andrew Kawa, senior manager at Goodwin Procter LLP, shares his view on the importance of having the power user/evangelist and coaching roles:

We have several consultants that act in the SharePoint power user and coach capacities. It’s interesting because these individuals have ended up playing a much bigger role in governance since they are the ones closest to the content in the SharePoint deployment. They are the ones that can say “no, don’t create this site or don’t add this content because this other group is already doing the same thing and you will be conflicting with or duplicating their content.”

When site responsibilities are delegated to “business users,” each team site or functional area site will also need specific roles and responsibilities defined to ensure success. These roles are business-oriented and do not necessarily have the same names as the permission-based groups that are automatically created for SharePoint sites.

Define Policies and Guidelines

Policies define rules for SharePoint use; guidelines describe best practices. From a governance perspective, policies are usually driven by statutory, regulatory, or organizational requirements. Users are expected to meet policies without deviation. If your organization is subject to regulatory oversight, be sure you can actually enforce your policies, as a failure to do so may target you as being noncompliant. Guidelines are usually established to encourage consistent practices. Users may adopt some elements of the guidelines that work for them, while not implementing others.

As applied to the topic of file names, a policy might state, “Do not include dates or version numbers in file names,” while a guideline might state, “File names should be topical and descriptive.” In another example, the policy might state, “All SharePoint sites will have a primary and secondary contact responsible for the site and its content,” and the guideline might state, “The site contact is listed on the site home page and in the site directory.”

Each organization will have its own set of policies and guidelines. General topics should include content oversight, site design, branding and user experience, site management, and security. To ensure that your content is relevant:

• Verify that your SharePoint policies and standards do not conflict with broader organizational policies.
• Publish policies and standards where users can easily find and follow them. Some policies may need to be published to “all readers,” while others may need to be secured to protect the integrity of the application.
• Regularly review and revise policies and standards to keep them aligned to organizational needs.

Determine Your Delivery Model

One of the most important considerations for your governance plan is determining how you will “tell the governance story” to everyone who needs to know it. The challenge: not everyone needs to know the same things about governance, so your communications and delivery model are going to be messy.

We’ve already talked about the fact that you can’t deliver the governance plan as one or more long documents, but that doesn’t mean you don’t need to document it. To create an optimal delivery model for your governance plan, you need to deliver just the right information to just the right people at just the right moment. This means that the ideal delivery model

• Automates policies wherever possible. For example, if records retention codes are mandatory and generally based on context, ensure that these codes are defaulted appropriately in each context. If your policy doesn’t allow the use of SharePoint Designer, make sure that users do not have security privileges that would allow them to “accidentally” leverage a feature or tool you don’t want them to use.
• Includes communications and training to help users internalize the main elements of the governance plan, such as remembering to “update in place” and minimize the use of e-mail attachments.
• Provides specific and targeted information to users based on their roles and tasks. Be sure to incorporate your policies as well as guidelines into all SharePoint training—so users only learn how to do things the “right” way. But, in addition, consider creating a series of brief “quick cards” or task guidance to help reinforce your best practices.

It’s a good idea to create a central site for your governance policies and standards—a place where users can quickly look up both “how to” and “how should” information for the specific activities they need to execute in SharePoint. As with other compliance libraries, include a revision date and document owner metadata field to facilitate regular review to ensure that content is accurate and timely. System times/dates may not accurately reflect the revision schedule or subject expertise associated with the item(s).

Wherever possible, build your best practices into your site templates. Where you can’t, make sure that it is painfully easy for users to learn both the required policies and beneficial guidelines to ensure that the entire organization gets the most value from your SharePoint investment.

Socialize, Promote, and Verify

The final activity in your governance planning roadmap is making sure that you socialize and monitor the governance plan. To help socialize the governance plan, in addition to your power user evangelists, it helps to find executive champions to reinforce the guiding principles and best practices. One organization decided to attack document “versionitis” by recruiting senior executives to commit to not responding to e-mail messages when they included a document attachment. We know your governance plan has executive sponsorship because an early step in the roadmap was to ensure that your solution has a defined vision and benefit. A great way to socialize the importance of good governance is to get your influential champions to do it for you. Integration with training is key—teach people “our way” or the “best practice way” to do things from the beginning and your best practices won’t seem like something extra.

If you have a governance plan that you don’t enforce or monitor, do you really have a governance plan? Probably not. Therefore, it’s also important to think about how you are going to ensure that your policies and best practices are followed. Think about creating reports to show documents with limited or missing metadata or sites that are close to their “expiration date” and designate members of your center of excellence to work with site owners of sites that are not fully compliant. If ensuring that content is not ROTten (redundant, outdated, or trivial) is important, be prepared to delete pages or documents that do not follow the content management policies. Consider implementing a site audit plan that examines a small percentage of sites each quarter to try to get ahead of potential governance issues by looking for trends that can be addressed with training and communications. Actively promote stories about sites that demonstrate meaningful business value because they are following the governance plan to remind users that the governance plan is designed to ensure that your SharePoint solution meets business goals.

Key Points

The key take-aways to remember from this chapter are:

• Establish a governance plan to ensure quality and relevance of content and ensure that all users understand their roles and responsibilities.
• Remember that governance is really about both assurance and guidance—but it takes commitment to ensure that your governance plan is followed.
• Understand that your governance plan is successful if your solution has “no sharp edges.”
• Keep your governance model simple. Solutions need a strong governance model, but they don’t need complicated models with lots of bureaucracy. Make sure that all of your governance policies and guidelines can be tied to a specific business goal.
• Think about the fact that no one cares about governance—until you make it all about them! Be sure to create targeted governance content.
• Be sure to consider the new social features as part of your governance plan update for SharePoint 2013 even if you have a good governance plan for your SharePoint 2010 or 2007 solutions.
• Wherever you can, build best practices into your site templates. Make it as easy as possible for users to comply with governance policies and guidelines.
• Make sure that you have a governance board or steering committee with a strong advocate in the role of executive sponsor.
• Don’t make the solution itself more complicated than it needs to be. Be careful about “overdesigning.” Just because SharePoint has a cool feature doesn’t mean that you need to deploy it—at least not right away.
• Ensure that all users with Design or Full Control privileges have internalized your design guiding principles and that content contributors understand guiding principles related to content.
• Think about how you will ensure compliance with your governance plan over time, particularly for highly visible sites. You may want to carefully monitor and review some sites and only spot-check others.
• Make sure that your governance plan is included in all of your SharePoint training. You will be most successful if your users never learn how to do a task in a way that doesn’t follow your guidelines.
• Keep in mind that an effective governance plan doesn’t have to constrain every move—it has to provide guidance to users to ensure that your solution remains effective and vibrant over time.