Warning: This article contains explicit details on what governance in Office 365 means and how it can be implemented. Given the general aversion to the topic within many organisations I thought it wise to warn everyone of what is ahead. For those who are able, please do read on...
Raise your hand if you would like your organisation to start using Microsoft Teams or PowerApps or OneDrive or some of the other Office 365 services. Now raise your hand if you want to put a good governance structure in place prior to this. For anyone who took that literally please feel free to lower your hands now. From my experience, organisations are often quick to rollout Office 365 services but slow to implement or even consider what governance needs to be put in place for those services. This shouldn't be the case and putting some governance in place does not need to be an onerous task. Start small, start with some basics and go from there, you will be glad you did.
What does "governance" mean exactly?
Governance is a part of everything you do within an organisation. A typical governance plan defines roles and responsibilities, levels of accountability, processes and systems, and rules for how employees work together. These governance principles should be applied to Office 365. Consider how important Office 365 is becoming, it's not just for email anymore, its for document storage/management, content creation, collaboration, workflows, data sharing, communications (IM and Voice), task management and the list goes on. The real power of Office 365 only becomes apparent when multiple services are rolled out. It's clear where Microsoft are going, just look at Microsoft 365. Combine Office 365 + Windows 10 + Enterprise Mobility and Security and you have a comprehensive solution covering a large proportion of your organisation.
By developing an Office 365 Governance Plan it will answer important questions such as how the various components of Office 365 will be leveraged, who will be responsible for what, what access staff will be given and establish rules for its appropriate use. It should also outline well-defined procedures for growth and future change. Having the right control and governance should aim to address the following common issues:
• Frustrated Users – caused by delayed manual processes, the lack of proper guidance and support and non-intuitive experiences
• Insufficient Security and Permissions – leading to constant access requests or unnecessary risks to important information
• Ongoing manual intervention from IT – the lack of automation requires manual intervention leading to delays and extra workloads
• Proliferation and Sprawl – engagement of staff falls when information is spread across different containers leading to difficulty in finding relevant information
• Lower adoption – confusion over features and services leads to users using multiple tools
What the "basics" look like
First off decide which services your users should have access to and why. What is available will of course be dictated by your licensing but in many cases simply giving people access to all available services is not a good approach. Decide on which to give to users, document this and the reasons why and disable/hide the remaining services. Consider the fact new services are being added regularly, in the time you have spent reading this article something new has probably been released! Therefore that kind of open policy which some organisations have makes even less sense when you consider the platform is changing so frequently.
A good old RACI matrix is next. This stands for Responsible, Accountable, Consulted and Informed. It will cover the management and support of users, the ownership of the separate Office 365 components etc. The following are some of the questions that should be addressed by having the roles and responsibilities identified:
• Who is responsible when issues occur with a service?
• Who is responsible for giving users access?
• Who is responsible for decommissioning a user who has left?
• Who is responsible for managing updates to services?
Identifying the roles and responsibilities will serve to highlight the organisational changes which will be necessary to implement and maintain the new governance. For example, a Governance Committee will need to be setup, the members of which will need to be decided, it will need to meet on a regular basis etc. The implementation of an Office 365 governance plan is not merely the creation of a set of documents. It must become part of how an organisation operates.
Consideration needs to be given to each of the individual services which you decide to roll out. How will each be utilised? It is important to align their usage i.e. SharePoint Online, to a function or goal of the organisation. Service specific governance plans should be created. These will include corresponding roles and responsibilities, a usage policy and guidance for end users.
As I mentioned already, start small and build it out gradually. I've covered some basic elements but hopefully it will be enough to get you thinking about how your organisation is setup. Finally to finish off I wanted to ask a few specific questions for you to take away, have these items been considered by your organisation?
1. How is your Office 365 tenant setup for releasing updates - Standard or Targeted? (more info)
2. Does your organisation allow users to deploy 3rd Party apps from the Office Store? (more info)
3. How is your external sharing configured for SharePoint and OneDrive? (more info)