Office 365 Governance Isn’t About Saying 'No'
Office 365 is a powerful platform with many different apps and features. It's a lot for most firms to digest. But the more features a business turns on, the more obvious it becomes that governance is key to good outcomes and long-term sustainability. The temptation is to say “no” to many apps at the outset, to shape what’s launched, and to maintain control.
Governance as a blocker, however, isn’t going to work when it comes to Office 365. Instead, firms should ride the wave and put in place three key governance elements.
With Office 365, It's Only Inevitable More Apps Will Come
With over 20 apps in the suite, Office 365 is powerful and complex, and getting more powerful (and complex) over time. And yes, some features and capabilities introduce significant risks and challenges for many types of firms.
While governance can be used to strictly manage what’s launched and used, this is like the child sticking his finger in the dyke to stop the water getting in.
Microsoft has a very open agenda of getting both deep and wide adoption of Office 365, and they’ve deliberately designed the platform so that there’s many cross-connections between tools. For example, if you enable Teams, then it automatically spins up SharePoint sites and Office 365 groups every time a Team is created.
This makes it hard to resist the rollout of Office 365, and even "pilots" tend to get away from the teams that created them.
The flipside of this, from what I’ve seen over the last two decades, is organizations that fully "convert to the religion" of a new platform get substantially more benefits than organizations that dabble around the edges.
This will be the case for Office 365, and it’s therefore best to ride the wave and rollout more rather than less. Governance, however, still remains key. Three elements need to be present in any governance initiative to be effective without creating roadblocks.
3 Elements of Effective Office 365 Governance
Element 1: Define the Guardrails
The fundamental rules of the road must be completely clear from the outset, and these must be communicated to every corner of the organization.
These might be rules such as:
- Customer information or customer data must not be stored in any Office 365 space.
- Office 365 may be used to involve external partners such as consultancies but is not to be used to communicate to customers.
- Information with a security rating of “sensitive” or above must not be stored in a normal Office 365 space (approach IT for suitable solutions).
- Key corporate records must be managed as such within Office 365, and the records team must be told of their existence.
- Core business processes may only be implemented or automated in Office 365 with the direct involvement of IT.
- Integration between Office 365-based solutions and external systems may only be established with the direct involvement of IT.
The specific guardrails will depend on the nature of the organization. Banks, for example, would have a strong focus on customer data and customer-facing processes, while a mining company would target the handling of safety processes.
Element 2: Identify Key Risks
Many aspects of Office 365 require close examination to identify key risks. External sharing within Teams, for example, has the potential to leak confidential information to third parties, such as contractors and consultants.
Sue Hanley’s excellent list of Office 365 governance questions is a great place to start when seeking out the key risks for your organization.
Assemble a list of risks with the potential to be high frequency and high impact. Ensure this list is manageable in size, and that it’s understood by all key stakeholders.
The key step is then to work through each of the risks and aim to find a way of saying ‘yes’ to business needs, while ensuring risks are managed. Some risks may end up with a ‘no,’ and the relevant features disabled, but this should be the minority rather than the majority.
Make sure key business areas are involved in this decision-making, rather than just having decisions made by a combination of IT and the risk department.
Element 3: Actively Manage the Platform (and the Risks)
Office 365 is not a platform at rest. A constant stream of changes and new features, now on a weekly frequency, are coming out of Redmond, Wash. Usage of the platform will also constantly be on the move, as the business builds skills and finds new uses for the tools on offer.
The most important element, therefore, is to actively manage both the platform, and the risks that go with it. This will involve a combination of governance processes, IT activities and third-party software solutions.
- Establishing provisioning processes for tools such as Teams, to ensure that key information is captured about each space (such as owner, purpose and expected lifetime) that enables better management.
- Putting in place active processes for monitoring platform usage, and then using the information to take proactive steps (such as automatically archiving unused Teams).
- Treating the rollout of Office 365 as a series of "waves" that take a holistic approach to training, adoption and ongoing usage, thereby helping to shape the usage of the platform.
- Conducting training programs to increase the digital literacy of staff, which will help to ensure they use Office 365 appropriately (cybersecurity training conducted by most larger organizations is a good template for this).
- Using the built-in Office 365 compliance tools to identify, and then prevent, specific breaches of the rules, such as putting customer data in an email.
- Making use of the extensive third-party market of tools that are designed to improve management of Office 365.
Be Pragmatic and Proactive
There’s no point obtaining a platform such as Office 365 if you're going to disable key features and turn off valuable tools, all in the name of managing risk.
Instead, taking a pragmatic approach to the platform, one that seeks to find the middle path of maximizing business value and minimizing risks. Above all, this will require proactive management activities that help staff (and the business as a whole) to use Office 365 in the "right way."
About the Author
James Robertson is one of the leading thinkers in the intranet space. He's the author of three books, "Essential Intranets: Inspiring Sites that Deliver Business Value," "Designing Intranets: Creating Sites that Work" and "What Every Intranet Team Should Know." Over 20 years in this space, he's also published the articles and methodologies that have guided teams around the globe.