The Microsoft Office 365 environment boasts a spectrum of components, some of which can be managed by your organization’s existing frameworks. However, other components of the O365 environment may require the development of a unique governance hierarchy framework.
Organizations implement varying levels of governance hierarchy frameworks to align strategy, policies, and procedures. At the highest level, an organization’s Corporate Governance Framework defines the “systems of rules, practices, and processes by which companies are governed”.
Below this layer is a myriad of function-specific frameworks, such as the organization’s IT and Digital Governance, Records Governance, and Data and Information Governance Frameworks.
While these functional governance frameworks contribute to the overall governance of your new or existing O365 environment, gaps are likely to remain.
This article explores those gaps that your new O365 Governance Framework should address while acknowledging those components covered by your organization’s existing governance frameworks.
And while each organization requires its own unique set of governance frameworks, this article also argues that if your organization lacks functional governance frameworks, then those frameworks should be considered before creating a single governance framework to address all O365 components.
We’ve Got You Covered
The following Office environment components should be covered under your organization’s current functional governance frameworks:
O365 Application Implementation and Utilization Consistency
O365 components addressed: application selection and utilization, application integration, O365 security
Office application(s) involved: all
Contributing governance framework(s): IT Governance
The suite of applications associated with the O365 environment is not only large and slightly overwhelming to the average user, but this list of available applications is also constantly changing as Microsoft updates their technological objectives.
How do you know which applications are useful for your business, and how do you keep consistency in user adoptions of those applications chosen to meet the business needs?
A robust IT Governance Framework has been credited with enabling ROI realization for IT investments.
One major component shared by robust IT governance hierarchy frameworks is the alignment of IT objectives and the business’ requirements, objectives, and strategies, allowing for technology investments that support business needs.
So, if the business has performed accurate needs analysis and their requirements are documented, knowing which O365 applications are necessary to enable these requirements is not nearly as difficult as guessing.
However, the micro-governance required for each of the implemented applications is vital to O365 ROI realization and is detailed in the section of this paper describing the O365 Governance Framework.
This alignment between the business and IT also ensures that ‘Shadow IT’ (a user’s implementation and use of applications outside of the IT Department’s list of authorized applications) is kept to a minimum, reducing security risk and increasing application adoption consistency across the user population.
O365 components addressed: O365 security, permission levels, change management
Office application(s) involved: all
Contributing governance framework(s): IT Governance
It goes without saying that the security of the O365 environment is largely the responsibility of the IT Department, and its corresponding standards and processes should be outlined in the IT Governance Framework.
Additionally, the O365 environment allows for general security to be managed by the business through administrative functionality that does not require IT development intervention.
However, given that the organization’s typical user is one of the most significant (and uncontrolled) risks to a technology environment, the business bears much of the responsibility to mitigate user-related risk. It does so through employee cybersecurity awareness training and detailed documentation of access and permission levels (including view, read, and change), followed by the necessary change management (as the employees’ permission requirements change due to promotion, termination, or other mortality causes) and prompt collaboration with the IT Department when these changes occur.
This process is particularly efficient if the O365 environment pulls user information from existing Active Directory (AD) lists.
The business’ responsibility for ensuring security in their cyber work environments should be outlined in the Company’s Records Governance and/or Information Governance Frameworks and is detailed in the following section.
O365 Digital Records
O365 components addressed: records, correspondence threads, emails, logical topology
Office application(s) involved: SharePoint, Teams, OneDrive, Yammer, OneNote, Outlook, PowerPoint, Word, Excel, Access, Stream
Contributing governance hierarchy: IT Governance, Digital Governance, Records Governance, Information Governance
Digital Records is a grouping of Office components for which contributing functional governance frameworks carry a lot of weight. The term ‘digital records’ encompasses just about any formal and informal collaboration, communication, and work product.
For the public sector, a Freedom of Information Act (FOIA) request could send employees scrambling to locate an informal communique buried in an Outlook folder, while a federal or state regulatory agency could cause a private sector employee to search their personal OneDrive for an expenditure receipt.
The manner in which digital records are structured, stored, archived, and deleted could determine if a department fails an audit, or an employee spends a weekend reproducing misplaced deliverables.
Before a SharePoint environment becomes a rampant dumping ground for old documents or miscellaneous content from a terminated employee’s hard drive, the company’s Records, Digital, and/or Information Governance Frameworks should detail records retention and destruction policies as well as the records’ physical security and cybersecurity protocols, while empowering departments to create approved and socialized naming conventions and taxonomies.
Another vital component in the Digital Records category of Office components is the environment’s landscape or layout (logical topology) and how well it enables communication and data flow between the various O365 applications.
Without efficient data flow, not only is communication onerous and out-of-sync, but data contextualization and associated metadata may be lost, affecting data searches and retrieval. Efficient topology design will vary by organization and O365 environment structure.
You’re on Your Own
Now that your organization’s existing governance frameworks have addressed a majority of your O365 environment’s components, the remainder of this article will focus on those components that require the development of a unique O365 Governance Framework that easily integrates with the function-specific governance frameworks under the organization’s Corporate Governance Framework.
O365 User Adoption and Training
O365 components addressed: application usage
Office application(s) involved: all applications
Contributing governance hierarchy: O365 Governance
Among the many things to consider when migrating to the O365 environment or increasing user adoption and utilization of an existing O365 environment is employee training.
While some of the applications available in the Office suite are intuitive and commonly used (like Outlook email), other applications (like PowerBI) may be less understood by the average user.
And even commonly used and understood applications may contain functionalities that are not widely implemented but could enable specific business requirements.
Formal O365 training programs, workshops, or lunch-and-learns can broadly socialize the value each implemented O365 application brings to the business.
A particular focus on how these applications mitigate or eliminate specific business process- or work-related pain points may drastically increase user adoption and overall organizational consistency.
This training should be managed, directed, and implemented by either an O365 Governance Committee, or a joint collaboration of O365 experts from both the IT Department and the business.
This governance entity also ensures all Office-specific governance needs are addressed and liaises with the owners of the organization’s function-specific governance frameworks to ensure integration of Office utilization with their corresponding standards and policies.
O365 Application-specific Governance
O365 components addressed: application selection and utilization, application integration, Office security, records, correspondence threads, emails, logical topology, O365 security, permission levels, change management
Office application(s) involved: InfoPath Forms, PowerApps, Office 365 Forms, Third-party Forms and Apps, Workflows, Custom Apps, Reports and Dashboards, Business Connectivity Services, Searches
Contributing governance hierarchy: Office Governance
Depending on your organization’s existing data transfer mechanisms (for team collaboration, communication, personal material storage, and digital records management), and their pending migration to an O365 environment (or their current implementation within an O365 environment), application-specific governance will be required.
Detailed in a previous O365 governance article, the applications requiring specific governance are:
- InfoPath Forms
- PowerApps and Office 365 Forms
- Third-party Forms
- Custom Applications
- Business Connectivity Services
- Third-party Applications
- Reports and Dashboards
A Layered Approach
Assessing those governance frameworks already in place within your organization will prevent your IT Department and business collaborators from creating an O365 Governance Framework that addresses components already governed by those frameworks.
Let the existing governance hierarchy manage its intended components across all technological environments, while utilizing your O365 Governance Framework to speak to those components that are unique to an O365 environment.
Additionally, beware the temptation of using an Office-specific governance framework to address similar components across non-O365 environments.