Create your collaboration governance plan

It is always best to start your move to Microsoft 365 with a clear vision:

  • What are your key business goals?

  • How will the tools and capabilities provide value to the organization as a whole and to individual employees?

  • How will you measure success?

A clear vision statement provides critical guidance to the inevitable decision tradeoffs you will need to make in thinking about your governance plan. The degree of formality and the depth to which you need to document the governance plan should align with the outcomes you want to achieve. The vision, thus, provides a framework for both the context and investment in governance.

Microsoft 365 creates new paradigms for technologies to support the business. These new paradigms change the way these technologies are adopted, managed, and governed.

Microsoft 365 governance should complement existing policies that govern on-premises environments. But, since the cloud enables new opportunities to support the business, it is important to understand these opportunities and think about a governance approach that creates an appropriate balance between user goals, business risk, and industry and regulatory requirements.

Thinking about governance first means starting your journey to the cloud with some key decisions to best position for overall success. Some of these decisions include:

There is no perfect answer to these questions – the right answers are the ones that balance risk and benefit for your organization.

What does governance mean for Microsoft 365?

Governance planning for Microsoft 365 is about making sure that you are protecting your critical information assets while minimizing risk. Governance includes several key areas, each of which needs to be planned, coordinated, and adapted to align with changing organizational needs and the evolution of the technology.

  • Operational Assurance – keeping the platform operational, ensuring performance. This is largely an IT task with most of the work provided by Microsoft.

  • Information Assurance – managing content throughout the life cycle, treating information as an asset including records management, compliance, and security. Information assurance requires an understanding of both business goals and regulatory requirements. Ideally, you want to use automated policies that prevent users from making mistakes or warn them in scenarios where they need to make an informed decision. Where it is not possible to enforce by policy, you need to plan for education and training.

  • Outcomes Assurance – steering empowered site or team owners in the right direction to achieve business results. Outcomes assurance is largely about providing guidance to content authors and site, group and team owners – making the appropriate training available so that they know how to make good choices to get desired outcomes within overall organizational standards and practices.

Governance planning should come first, but governance needs to be something that you continuously revisit in an iterative process. As your data estate changes over time, you will want to revisit your governance decisions to adapt to changing business needs and feature availability. You may find that you need greater oversight to ensure conformance. You may find that you need less oversight to encourage more creative application of core features. You may find that roles and responsibilities need to be updated to reflect changes in the solution or changes in how users are using different applications.

For example, one of the key empowering capabilities of Microsoft 365 is the ability to easily work collaboratively with people outside your organization. Some organizations in some industries choose to block all external sharing. Others enable external sharing in specific scenarios or with specific organizations. There is no right or wrong governance decision when it comes to external sharing – and there are many different scenarios where you can enable different settings in Microsoft 365 to allow sharing in some cases and block it in others. However, if you are just beginning your journey from an on-premises environment to the cloud, it is important to think about external sharing decisions and understand the benefits and risks associated with the different available options.

Think about governance first

Your investment in Microsoft 365 is only as good as the value of the content and experiences you enable – so thinking about governance at the start of your journey ensures that you will neither lock down nor enable too much before you have had a chance to understand and evaluate the implications of each decision. There are multiple "knobs and dials" you can turn in the Microsoft 365 admin center and for individual sites and teams. An effective governance plan is critical to achieve business goals – but governance is about balancing risk with benefits. If we lock everything down, people will find a way to work around the rules if they need to do so to get work done.

Thinking about governance first allows you to:

  • Balance risks and benefits. Carefully reviewing governance decisions early in the deployment allows organizations to understand the complete environment – business, regulatory, legal, compliance – and plan a solution that optimizes for all outcomes – balancing risks with benefits – sometimes accepting the risk and other times, choosing not to accept the risk. If you make informed decisions up front, you get better outcomes without sprawl and unmanaged content.

  • Adapt to different organizations and different types of content and scenarios. Governance decisions are unique decisions for each organization – one size does not fit all. Not only does each organization have different governance needs, but governance decisions are often not the same for each type of content in Microsoft 365. For example, governance for team content may be different from governance for intranet content and from individual content in OneDrive.

  • Align to business priorities. The time to start thinking about governance is when you are identifying the key business priorities for the solutions you build in Microsoft 365. These key business outcomes define the context for governance planning. This is important because your business goals will help you define how much time and energy you need to invest in governance. For example, if improving content discoverability across the organization is not very important, you probably do not need to spend too much time focused on enforcing or planning file naming conventions. If, on the other hand, you want to help reduce instances of multiple versions of the same document in various repositories across the enterprise, then your governance decisions will need processes and policies and training to ensure that content authors understand how to name files and follow "one copy of a document" guidance to make sure content is posted in only one location. It also means that you need a process to ensure that you are not unnecessarily creating more than one site or team for the same purpose.

How should we be communicating about governance?

Many governance decisions can be implemented by turning on or off features in Microsoft 365. That can help enforce your governance standards but it may not help the people in your organization understand what is available to them and why (or why not).

Traditionally, governance teams have created long documents outlining every governance decision. Unfortunately, those long documents rarely got read – which meant that governance requirements that rely on people to enforce rarely worked. Try to avoid creating long documents targeted to multiple audiences as you think about how to communicate your key governance decisions. Instead, think about these alternatives:

  • Embed governance decisions directly in the solutions you create. If you want to ensure that sensitive information is protected throughout Microsoft 365, implement sensitivity labels to ensure that your users don't accidentally expose information that they shouldn't. Block the applications where you can't provide the appropriate protection. Learn more about sensitivity labels.

  • Reinforce with training. Adapt solutions such as Microsoft 365 learning pathways to ensure that your organization-specific expectations are reinforced with Microsoft-provided training.

  • Deliver as a site, not a document. Create your own Microsoft 365 Adoption Center in a SharePoint communication site to ensure that your content authors and site and team owners understand not just "how to" but also "how should." Create topic-specific pages that address different business scenarios to provide both guidance and best practice to leverage or enable different capabilities in SharePoint and Teams and other applications to achieve business outcomes.

What are the key success factors?

Incorporate these key success factors to ensure successful governance planning for Microsoft 365.

Identify your governance core team

Governance is a team sport. Make sure that your core governance planning team includes representatives from both business and IT. Your team will likely need to meet more frequently in the beginning of your rollout and then periodically to review new capabilities and new business expectations.

Work through the key governance decisions – but don't try to make every decision at once. Make the critical decisions about provisioning and naming and external access and then work through the remaining decisions.

In addition to external sharing, discussed earlier, another key decision for every organization is how to provision sites and groups. For example, consider the following:

  • Because it is so easy for users to create Microsoft 365 groups, you may want to open group creation so that IT is not inundated with requests to create them on behalf of other people. To avoid "group sprawl," you could create a custom workflow that sends an email with governance, training, and other information to group creators soon after the group is created. (For example, "You just created a site/team, community, etc. -- here are your responsibilities and links to training...") On the other hand, depending on your business, you might want to control who has the ability to create groups.

  • If you want to control how SharePoint sites are created, you can hide the Create site link on the SharePoint start page. Create a custom form, or create a custom site design and site script to automate provisioning new modern SharePoint sites using a pre-defined site structure that can include links to your governance and training best practices.

Align decisions to business goals

Business outcome goals should be the primary driver for your governance decisions:

  • Understand the regulatory requirements that affect your organization. Some of your key decisions and implementation requirements may need to be aligned to the environment in which you operate.

  • Try not to be trapped in "It's what we've always done." The cloud and increasing globalization of many organizations introduce new opportunities. Challenge assumptions if they do not align with business goals. Can you relax the rules for some scenarios or for some people? Can you get the same business outcome using the features of Microsoft 365 rather than blocking an activity entirely?

  • If you lock everything down, people will find a work-around. Try to understand the key business scenarios your users want to enable and provide guidelines and training as appropriate.

  • Consider incorporating activities to review key sites and activities to make sure that site and team owners are following your governance guidance.

Define roles and responsibilities

In addition to your governance team, there are several other key roles or teams that you will want to think about to position for success with Microsoft 365. Some roles may be combined or filled by the same person and others may not be appropriate for all organizations. Most organizations have an Executive Sponsor for Microsoft 365 as a whole and some also have a Steering Committee or team either for Microsoft 365 as a whole or just for the intranet. Learn more about the comprehensive admin roles and permissions available in Microsoft 365.

Revisit as business and technology change

Governance for Microsoft 365 is not "once and done." Have a plan to stay on top of what is changing in Microsoft 365 and adapt your governance guidelines if needed. (This is an important reason why creating a long governance document is not a good idea. Businesses and technologies change. Updating a web page is easy. Updating and re-distributing a document is much harder.)

Have a strategy for communicating governance policies and guidelines

Ultimately, the success of your governance planning efforts depends on how well you have communicated expectations to the members of your organization. In addition to the suggestions described earlier, consider the following:

  • Can you incorporate "how should" with your "how to" training? In other words, can you create a "user resource center" for Microsoft 365 where you can provide resources, guidance, and training that will help users adopt Microsoft 365 effectively? The best governance content provides guidance that helps all users adopt and get the most value from Microsoft 365.

  • Should you create a certification and re-certification for site and team owners?

  • Can you create a Microsoft 365 Champions program for your organization? In addition, consider joining the worldwide Microsoft 365 champions program to get ideas and approaches for your own champions program and to connect with like-minded people and thought leaders from within and around Microsoft.
