
Microsoft 365 governance approach

Whitepaper providing tips and tricks to create corporate Governance around a corporate Microsoft 365 tenant


  1. 1. Oliver Wirkus Office Apps & Services MVP sharepoint@oliverwirkus.de Organizational Governance Tips and Tricks for creating a corporate Governance document Version 1.0 (June 2020)
  2. 2. Preface

Whenever I work with organizations on migrations to Microsoft 365 (SharePoint Online), building a modern digital workspace, a Microsoft Teams rollout, or something similar, I realize that Governance is an important topic. Sometimes, Governance-related work is an explicit part of the engagement, and sometimes Governance pops up as an essential topic that hasn't been added to the agenda explicitly. To me, this shows that most (if not all) organizations are aware of the importance of Governance. However, not too rarely, I realize that some organizations have difficulties when it comes to implementing Governance policies and regulations related to Microsoft 365 and its applications or services.

Although there are many books and whitepapers available which in one way or the other deal with Governance implementations, there are also many approaches to implementing Governance at an organizational level, which sometimes leads to confusion rather than providing clarity and support. Although I don't want to add to the confusion, I decided to share my view on corporate Governance. I hope my approach (which is more hands-on and less academic) will inspire more organizations to not just think about corporate Governance but also start with implementing fundamental or necessary policies.

Implementation details

I don't want to dive into more information yet (we will have a closer look at details later). Still, I think it is essential to mention right at the beginning what needs to be implemented when dealing with Corporate Governance:

• Policies and Procedures which provide a guideline for all employees and protect corporate assets comparably
• Governance document(s) which lists and explains the policies and provides guidance
• Governance committee responsible for keeping policies and Governance document up to date
• Recurring meetings of everyone involved in corporate Governance (Governance Committee, Corporate IT, Human Resources, Corporate Helpdesk, Legal, …)

As already mentioned, I do not want to get lost in details. The above list is just meant to provide a high-level overview to make the following sections and paragraphs easier to digest.

Different cultures

Before starting with implementing Governance policies in your organization, I suggest stepping back and having a closer look at your organization from a distance. People are different, and so are organizations. Each organization has its own unique culture, and this culture dictates which internal processes are needed and how they are implemented. The corporate culture influences the way employees collaborate, how managers lead their corporate entities, and how employees communicate. It is as easy as this: ethnic cultures regulate how people live together, and organizational cultures regulate how employees work together!

Corporate Governance policies must be adjusted to the corporate culture. If they aren't, organizations will face issues, and those policies will be an annoyance rather than supporting the daily business of employees. Although corporate cultures can't be categorized as they are far too complex, I want to provide a few examples:
  3. 3. Strict / Highly regulated

Typical examples are organizations dealing with highly-confidential information, like healthcare, military suppliers, aeronautic suppliers, power generation & distribution, etc. Those organizations usually have strict and detailed internal processes, and those strict policies dictate the daily business. Any information needs to be protected and sharing information with anybody outside of the organization is a rare and highly regulated exception. There is a specific application or service for each activity which must be used without exception.

Partially regulated

I guess most organizations fall into this category. There are some established procedures, and at least some documents need to stay within the organization or even within a defined group of people. On the other hand, employees enjoy some liberty or freedom regarding managing their daily business. There can be multiple applications used for the same purpose, and sometimes, different corporate entities use various tools for the same purpose. In a nutshell: boundary conditions are predefined and must be observed. Employees enjoy some freedom but are also responsible for respecting the given limits.

Scarcely regulated

Some organizations (like start-ups or smaller consultancies) hardly impose any regulations on their employees, which results in an individual working style, but also requires very responsible employees used to working independently. As the organization grows, the C-level management recognizes the need for Governance and in most cases, Governance policies are implemented step by step.

Technical Knowledge

Another vital aspect to consider before implementing Governance policies is the technical knowledge of employees. Employees familiar with modern technology usually adopt Governance policies without needing detailed explanations. In contrast, employees dealing with non-IT businesses often adopt Governance policies much easier if the corporate Governance document provides detailed explanations on why specific policies are needed and how they are affecting the daily business.

Here is a basic example of what that means: let's look at Azure Information Protection policies. Knowledgeable employees might just need an overview of the implemented policies and how to protect documents. Inexperienced employees will require a detailed description with charts and figures to understand and to adopt those protective policies. They might even need examples of why (and how) documents are protected and how this looks to external contacts.
  4. 4. Type of Business

It is not just the corporate cultures that have an impact on how Governance needs to be implemented. The type of business can also have an effect on how a specific organization manages corporate Governance. With Type of Business I mean the percentage of computer usage during the daily business of employees. Here is an example: organizations that rely on their IT infrastructure a lot because employees use computers on a 9-to-5 basis will need a different Governance implementation compared to organizations that are using computers just occasionally (like manufacturing industries). If only a few employees predominantly use computers (e.g. to manage invoices), corporate Governance will look different compared to an international management consultancy dealing with confidential information.

Level of Modernization

Some users are early adopters, some are hesitant when it comes to switching applications. The same is true for organizations. Some organizations like to hop on the bandwagon of modern technology very early as they consider themselves innovative, some organizations want to stay with their established environments and change only if there is a need associated with a timely ROI (Return on investment). Per se, there is nothing wrong with either approach. However, corporate governance needs to be implemented differently if an organization is innovative and likes to change applications frequently compared to organizations staying with their established IT infrastructure for a more extended period. Frequent changes to corporate IT require the corporate Governance document to be written in a different way to keep up with frequent changes.

Different Locations

If an organization has multiple locations, these locations can be in different provinces, countries, or even different continents, and that can impact a corporate Governance implementation as well. Different countries might have different legal policies regarding employment law (e.g. compare North America with Europe), which needs to be considered. Also, even an established corporate culture can vary between locations, which can be caused by different religions or forms of social interaction. Don't assume the corporate culture to be the same at each location. A corporate Governance document needs to adjust to local conditions, even though it might be considered a technical document.
  5. 5. Corporate Governance Team

Someone needs to be responsible for the corporate Governance document. In most organizations, a team or group of employees is responsible for creating, maintaining and publishing a corporate Governance document. As I mentioned before – organizations are different, and so is the composition of the corporate Governance team. Think of the following paragraphs as food for thought and feel free to adjust my suggestions in a way that best fits your organization.

Roles and Responsibilities

A dedicated team usually manages corporate Governance. Some organizations call this team "Governance Committee", others might call it "Steering Committee" or "Governance Team" or might use different names. Anyways, corporate Governance needs to be managed by a dedicated team which is made up of members of various corporate entities. There is no one-fits-all approach as requirements and organizations are different, but I think there is an ideal composition of a corporate Governance team, which I would like to share with you. Not all roles I mention here will be needed for your organization, though – please feel free to adjust the provided composition to your needs and requirements.

• Head of corporate Governance
• Team members from different departments
• Member of the corporate IT team
• Member of the corporate Helpdesk
• Member of the corporate legal department
• Member of corporate Communications
• Member of corporate HR
• Member of the corporate Change Management team
• Representative of the C-Level execs

Meetings and agendas

The corporate Governance team needs to meet regularly, but not all members need to attend each meeting as there can be different types of meetings.

• Meeting of the entire team
• Meeting of the core team
• Quick check-ins

In the beginning, while the corporate Governance document is still being created, there need to be more meetings of the entire team. Once all corporate Governance policies are in place, the Governance team
  6. 6. can switch to meetings of the core team or even quick check-ins predominantly, as long as the entire team still meets regularly (like once every two months).

The agenda of those meetings will differ based on the audience and the meeting type. Quick check-ins usually have a short agenda, whereas meetings of the entire team typically have a more extended agenda, including reports from all involved departments. Decisions should only be made by the whole team, which means that the entire team needs to meet. Quick check-ins are used to check the current status of corporate Governance and the progress of assigned tasks. Meetings of the core team are usually used to prepare meetings of the entire team in case there are significant changes or updates to the corporate Governance policies.

In essence, regular meetings are crucial, but the entire team needs to meet only if there are decisions to be made or e.g., once a quarter if that is considered appropriate by the team. The head of Corporate Governance is responsible for ensuring that meetings are scheduled ahead of time, the proper audience is invited, and detailed meeting notes are created and shared with the entire team (and not just the attendees).
  7. 7. Corporate Governance document

Now that we learned that corporate Governance depends on many factors and needs to be managed by a dedicated team, let's have a look at related deliverables. Most organizations create and maintain a corporate Governance document that is created and updated by the Corporate Governance team. Whenever a major version of the corporate Governance document gets created, it is reviewed by corporate Communications, transcoded into a PDF document and passed over to the HR team. HR is responsible for publishing the latest version of the corporate Governance document. Some organizations might prefer other options for publishing the document, though.

What I explained above is the ideal process, or let's say it this way: I described a general process used by many organizations. Some organizations don't create a single document but multiple documents, each focussing on specific topics. There might be a Governance document related to general corporate security policies. Another document focuses on policies related to managing corporate documents, and another one focuses on the usage of social media.

Regardless of how a corporate Governance document is created, the most important aspects are:

• it needs to be easily accessible to all employees
• it needs to be up to date
• employees need to know to whom to reach out if they have questions or concerns
• it needs to describe Governance policies and regulations in accordance with corporate culture
• it needs to be created and written in an employee-centric manner

Document structure overview

A corporate Governance document needs to be adjusted to many aspects, which is why there is no one-fits-all approach. What is working for one organization might not work for others. Nevertheless, in this section of this document, I want to try to provide a high-level skeleton that can be used as a template to create your Governance document. The following chapters are meant to provide this skeleton. Let's start with the introductory chapters:

Governance Introduction

This chapter provides an introduction to Governance. It should explain what Governance is, why Governance is essential, how Governance will help and support your employees, and how Governance is handled by your organization. The wording of this chapter is critical, and I recommend to always look at how Governance is affecting your employees. Governance is an essential topic for every organization, but your employees are the ones whose daily business is affected by the Governance policies. In other words: you should not use a wording like this
  8. 8. "Employees must not share files with external users". Instead, provide an explanation of why a specific policy is important and why it is affecting the security and integrity of your organization. If your employees understand the meaning and purpose of a regulation, they are much more likely to support it.

Why we need Governance

This chapter focuses on the Why – means: why is Governance needed in your organization. Here, the same guiding principles as described in the previous paragraph apply. Don't focus too much on restrictions and limitations and introduce Governance as an important guideline to ensure data and documents are managed securely. You can also look at Governance as an essential tool that ensures proper collaboration and protects staff and organization in an equal measure.

Expected usage

This chapter provides information on how this document is expected to be used by the entire staff. Keep in mind that some of your employees might be scared by corporate Governance policies. This paragraph needs to explain (and provide examples of) how the corporate Governance policies affect the daily business of your employees. Again – Governance should not be introduced as a tool to supervise employees, but to support them. Specific examples provided here will help your employees to understand the importance of corporate Governance policies and how they can support them with their daily business.

Getting help

It is crucial that your employees don't feel left out in the rain – especially when they have questions or something is unclear. This paragraph needs to provide a list of members of the corporate Governance team and their roles and responsibilities. Also, this paragraph needs to provide contacts that can be reached out to if there are questions or if anything is unclear. My recommendation is to encourage your employees to actively reach out to the corporate Governance team whenever they have a question or need clarification. The way that your employees reach out to your Governance team can be used as an indicator of how well corporate Governance is adopted.

Message from Executives

This might be uncommon, but I think a message or statement from the executive board shows that Governance is an important topic and gets full support and attention from the entire management. Very often, organizations struggle with Change Management because the board of executives doesn't support the new technology. "Why am I forced to use xyz when my CxO can easily bypass corporate policies?". Corporate Governance can only be implemented successfully if it is fully and actively supported by the executives and managers of your organization. Corporate Governance is affecting everyone in your organization!

Governance and Security

This chapter provides detailed information regarding why and how Governance is improving security. Don't focus on specific examples, but give an overview regarding the security approach of your organization. This overview can include topics like mobile usage, apps, sharing of information or home office. Sometimes it can make sense to refer to previous security breaches and provide
  9. 9. details on why that happened and how Governance can prevent this from happening in your organization.

Governance and Harassment

This chapter provides detailed information on how corporate Governance is protecting employees from harassment, mobbing and bullying. Corporate Governance is not only used to protect corporate assets, but also to protect employees. Don't focus on specific Governance policies here, but provide information on how your organization is protecting employees. It is advisable to mention that your organization's prime directive is to protect its employees.

Governance and corporate procedures

This chapter provides detailed information on how and why corporate Governance policies affect established procedures. In many organizations, there are specific procedures – like requesting approval for an order, processing confidential information of a potential new hire or creating an IT ticket if something is wrong with a computer. Most (if not all) of those procedures are affected by corporate Governance. If there are some prominent examples in your organization, this would be an excellent place to share them with the readers of this document.

Suggestion for Improvement

This chapter provides information on how employees can suggest improvements. Corporate Governance policies will affect the daily business of all employees, and enhancements of any working routines (in consideration of Governance) should not just be welcomed, but actively encouraged. I propose to offer a prize or award for the best improvement once a quarter.

I think the explained introductory chapters are important to clarify why Governance is essential and how Governance is handled by your organization. Keep in mind that it is likely that some (especially older) employees might be confused or scared if your organization starts to establish corporate Governance policies without onboarding the entire staff. The following chapters are meant to be examples of how specific topics can be handled by a corporate Governance document. My examples will focus on Document Management and Social Media usage.
  10. 10. Example chapters

After a lot of suggestions and recommendations, I would like to provide two examples of how sections in a corporate Governance document could look. The following examples are not meant to be used in a copy and paste fashion. Think of them as templates that you can use to create proper sections in your corporate Governance document. I used wording similar to what you would use in your corporate Governance document.

Document Management

The following section of this document describes how we understand Document Management and how we implemented our Document Management system. For us, Document management includes:

• How we create documents based on corporate templates
• How and where we store documents
• How we tag documents with Metadata
• How we collaborate on documents
• What document-related procedures are implemented
• How we archive documents

Document Management also has some security-related aspects, but those will be explained in the section regarding Security and Permissions. For now, please understand that documents often contain confidential information that should not be shared with anybody outside our organization. We also implemented security-related procedures to support you with deciding what can be shared and what must not be shared.

Corporate Document Templates

To ensure official documents follow our established guidelines and branding, we have created corporate document templates that need to be used whenever a new official document is created. Most of the document templates have been created and/or approved by our HR department and/or Corporate Communications. Corporate Communications will be your point of contact if you have questions or experienced flaws using the templates. We encourage everyone in our organization to reach out to Corporate Communications with suggestions for improvements. The following templates are available at <URL>:

• Corporate Newsletter
• Corporate letter
• Manual
  11. 11.
• Order
• Request for Proposal
• Operating Agreement
• Non-disclosure Agreement
• Business Meeting Minutes
• Business Report

Saving and Storing documents

Basically, we all have three options when it comes to saving documents:

• Local hard drive: Documents can be saved to a folder on the local hard drive of your computer, but this is not the recommended approach. In case of a hardware failure or if the laptop gets stolen, locally stored documents are lost. We highly recommend using the following two options to save corporate documents securely. If any, only save personal notes or temporary files that are not business related to your local hard drive. Any corporate documents must not be saved to your local hard drive to ensure they are saved to a secure and corporate-controlled environment. The benefit for all of us is that we can access our files anytime from anywhere in a secure manner. The loss of information is reduced to a minimum for all of us, while usability is significantly increased.

There is one exemption to this policy: field workers or employees traveling to remote locations can synchronize the contents of specific SharePoint document libraries to their local computers to have access to important files while being offline. Please refer to chapter OneDrive for Business Synchronization to learn more.

• OneDrive for Business: Every one of us has a OneDrive for Business account, which allows each employee to save up to 1 Terabyte of data. Think of OneDrive for Business as your secured hard drive in the cloud. This storage should be used for corporate purposes predominantly. Although we allow employees to use a fraction of this storage for private use temporarily (means: for instance, you can save your images of the recent corporate event to OneDrive for Business), OneDrive for Business is storage for corporate files and documents. Use OneDrive for Business if:

▪ you want to keep copies of documents that you might need for daily business
▪ you start to work on a document and during this early stage nobody else needs to have access
▪ you work with a small group on a document and the final storage location of the document isn't clear yet
▪ you work with a small group on a document that needs to be kept confidential

As a rule of thumb: all corporate documents need to be saved to our corporate SharePoint to ensure they are managed in a secured manner and can be accessed (if required) by everyone in our organization. OneDrive for Business is meant to be used as your personal storage for business-related information only. Corporate documents should be stored in OneDrive for Business only in the mentioned cases. The benefit for all of us is that, if documents are saved in SharePoint, we all can retrieve those documents by leveraging SharePoint Search (proper permissions assumed). On the other hand, every one of us
  12. 12. has her/his personal storage to save personal documents. However, we encourage all employees to use OneDrive for Business wisely and in an appropriate manner! Please refer to section Retention and Security to learn more about how we are managing corporate OneDrive for Business accounts. If you have questions regarding what to use when, please reach out to our Corporate Governance team.

• SharePoint: All business-related documents need to be saved to our corporate SharePoint. Exceptions to this rule are mentioned in the section on OneDrive for Business. Only our corporate SharePoint environment ensures that documents (which are our second most valuable asset) are saved in a secured and controlled manner and can be retrieved by leveraging SharePoint Search. If in doubt, please reach out to your manager or contact our Corporate Governance team. The fundamental structure of our SharePoint environment is described in chapter <Our SharePoint Structure>, but each corporate entity is responsible for maintaining their SharePoint sites based on the organizational policies described in section <Overview on Corporate Policies>.

Besides providing a secure environment for all our corporate documents, SharePoint provides additional benefits that are briefly mentioned here and will be described in detail in the next chapters. There are also several training videos available in our corporate Microsoft Stream training videos section.

• Versioning: Documents saved to SharePoint can (if the library is configured that way) be versioned automatically. Rather than authors or editors creating versions manually (like Newsletter_V1.docs … Newsletter_V7.docs), SharePoint will version documents automatically. This versioning allows editors even to revert back to a specific version. Please refer to chapter <???> to learn more about versioning.

• Check-In/Check-Out: This feature allows authors/editors to lock a document to ensure nobody else can alter the document. We highly encourage you to check out a document only if that is really needed, as it will prevent others from providing updates to the document. Also, don't forget to check in documents if you finished your work. Don't leave documents checked out overnight, over a weekend, or even during vacation! We developed a corporate policy that prohibits all employees from keeping a document checked out overnight! If you need exclusive access to a specific document for a long time, please use your OneDrive for Business account or check with your manager.

• Co-Authoring: This feature is enabled by default as it allows all of us to work on a document simultaneously. In essence, this means that users from different locations can provide updates to a Microsoft Office document (Word, Excel, PowerPoint) at the same time using the Microsoft Office web apps or desktop applications. Co-Authoring does not work with checked-out documents (see the previous chapter). In our corporate knowledge base, you'll find training videos regarding co-authoring. Co-Authoring is our preferred option to collaborate on corporate documents. We all benefit from being able to work with our peers on documents collaboratively anywhere and at any time. Any measures which are suitable to prevent others from co-authoring need to be limited to a necessary minimum.
  13. 13. Social Media Usage

The following section of this document describes how we understand Social Media and how our organization uses Social media internally and externally. The term 'Social Media' is used very broadly, but in an organizational environment, we need to distinguish between internal usage and external usage.

• Internal usage: our Microsoft 365 environment provides many applications (services) and options for our team to engage with peers, postings, multimedia content and even documents. Every posting, like or comment that is published in our Microsoft 365 environment is considered internal usage of social media.
• External usage: postings or comments published on external services (like Twitter, Facebook or LinkedIn) are considered external usage. All employees are allowed to publish information regarding our organization if the information is publicly available and if the author acts as a private person. Only our official spokesmen are permitted to speak and publish on behalf of the organization. If in doubt, please contact corporate Communication.

Code of Conduct

Using Social Media is an impersonal kind of communication as computers and keyboards are used rather than talking to others. Even though considered impersonal, the general rules of interpersonal communication apply as well. In other words: regardless of the type of communication, we as an organization have applied a zero-tolerance policy when it comes to racism, harassment, bullying and any kind of abuse. We are all working at the same organization and teamwork is our key to success – regardless of roles and inner-organizational hierarchies. The well-being of every employee is crucial to the continued success of our organization.

We have implemented two options for every employee to reach out to our HR counselor if you want to report any kind of infringement to our code of conduct:

• You can always reach out to our HR counselor and ask for a private and confidential 1:1 chat.
• You can use an anonymous form to report any kind of infringement. Although this form is hosted within our Microsoft 365 environment, we have made every effort to ensure everyone in our organization can use this form without revealing her/his identity. The anonymity will be checked twice a year by external experts who report to our board of executives.
  14. 14. Summary

To me, corporate Governance is a topic that many look at from the wrong angle. Corporate Governance is supposed to be a guideline for all employees rather than a restrictive document with too many "You should not …" type of statements. Every form of human coexistence needs rules, and that is true for human collaboration in an organizational environment as well. Also, our modern digital world with all its interconnectedness requires policies to protect corporate assets. However, it's not what you say, but how you say it. If you want your employees not just to adopt, but to support corporate Governance policies, you need to use proper wording.

Turn your corporate Governance document into a success story by creating it as a guideline for your employees, rather than an endless list of prohibitions and proscriptions. Create an easy-to-use structure and keep in mind that employees might not just read the entire document (for instance during their onboarding), but are looking for guidance on a specific topic (like versioning or Azure Information Protection policies). A Microsoft Word document might do, but consider publishing your Governance document as an electronic knowledge base or a Wiki, which will enable your employees to search for a specific topic quickly.

User-adoption is another crucial topic if you want to turn your corporate Governance document into a success story. You need to work on promoting your Governance document actively. One excellent option to achieve this is to embed quizzes or similar games (Gamification) in corporate newsletters. If you award the best suggestions for improvement, that will also promote your Governance document. It does not take too much to create a successful corporate Governance document and it all starts with how you look at corporate Governance!
