Few topics get a CIO's attention like Microsoft's SharePoint document and collaboration platform and the governance challenges that accompany it. The relationship business has with SharePoint is very much a balance of love and hate.

SharePoint is typically deployed with the goal of solving certain defined challenges around collaboration and content management. But once the application gets out of its cage, look out. Without tight control, it quickly becomes viral without hope of containment.

There is no question the business climate today forces organizations to face ever-growing challenges in managing, protecting and regulating their information. As the amount of business content grows, the number of challenges and amount of risk grow as well. Add in the need to be prepared for litigation and e-discovery document requests, and the lack of governance and enforcement of business policy on SharePoint content suddenly poses a risk you can attach significant cost to. These are persistent risks that bring large exposure to your business operations.

Breaches can occur as content is created, during an e-discovery investigation and at many other points along the information lifecycle. Thus, those without a comprehensive governance program are ill equipped to proactively manage, control or discover their own business-critical content.

So why is SharePoint so hot? There are many reasons, but two float to the top very quickly. First, there is a belief that SharePoint is the answer to a whole host of business problems. Generally speaking, this is absolutely legitimate and true. Second, SharePoint allows the business end user (that's you and me) to go about creating and storing content as we see fit. As a company rolls out SharePoint, a lack of forethought to governance lays the path for out-of-control and completely unmanaged content growth. As a case in point, CMS Watch noted that a North American bank reported more than 5,000 uncontrolled and unaudited instances of SharePoint. Another business, a major energy company, reported finding more than 15,000 previously undetected instances of SharePoint. Houston, we have a problem.

SharePoint is uber successful. It's the fastest-growing server product Microsoft has ever released. During 2008's SharePoint conference, Bill Gates' remarks about SharePoint were very telling: "SharePoint is a product that's based on a vision of letting workers share information in a better way, and making sure that it's done in a very broad fashion, creating a product that you can assume everyone in a company has access to, and creating templates that everybody is familiar with and they just use as a matter of course to get their job done."

It's clear that Microsoft wants SharePoint to become part of global business's DNA, and they're well on their way to achieving that goal.

Enabling the end user to proliferate content seems to be the natural enemy of information governance, but it shouldn't be. The business should do everything possible to enable workers to do their jobs as fast and accurately as possible. Policy that disrupts business processes is not effective governance. Transparency is the key. The reality is a SharePoint deployment can be a terrific opportunity to provide governance architecture for your information assets.

Be clear, we're referring to a governance architecture, not a governance solution, and a little intellectual honesty is called for here. No single tool will provide an information governance silver bullet. Effective governance is the result of the right combination of tools, business processes and policies. Tying these things together in a way that meets the goals and obligations of the business is the essence of a solid governance strategy.

The output of collaborative processes or ad hoc content development in SharePoint can create important business records that need to be managed and maintained according to organizational and regulatory policies. For accuracy, these policies must be applied consistently across the enterprise, not just with SharePoint content but with every format or host application. As you probably know, a document originated in an informal workflow or unaudited SharePoint site is as susceptible to regulation requirements or e-discovery requests as any other.

Your organization may intend to use SharePoint to create simple or even complex workflow mechanisms where, for example, client contracts are developed and approved. The workflow can oversee the evolution of a Microsoft Word document from a standard template through the addition of terms, conditions and pricing. A process such as this can be simplified greatly through SharePoint and improve the responsiveness and consistency of the process. SharePoint can be used not just to duplicate existing processes but to improve them so the work can be more closely aligned with the organization's goals.

But what type of policy is applied to the final version and all the drafts before it? An even greater question lies in how the policy is applied. Is the printed, signed copy maintained as an important business record? What about the electronic version? Are any earlier drafts valuable for other uses, and if so, how are they stored? Moreover, what policy dictates how a collaborative project is handled upon its finalization?

In a larger context, these questions and many others are probably answered within your corporate records management policy and retention schedule. Knowing what to retain, where to find it and how to retrieve it is an objective of any comprehensive information governance strategy and solution. And, policies that are applied across SharePoint need to be consistent with other repositories, such as email, email archives, line of business applications and enterprise content management systems.

Using the U.S. Department of Defense standard as a guide is a good start.

The Department of Defense 5015.2-STD version 3 is the accepted standard of measure in the records management community, which includes industry professionals, vendor suppliers and users of electronic records management systems. It is no doubt the gold standard used around the world and across all industries for evaluating the functional requirements of records management solutions.

For the vendor community, the standard describes the functional capabilities needed to properly manage the authenticity, reliability, integrity and usability of records. For the user community, the standard's certification process provides an independent assessment and gold seal of approval that qualified products have successfully demonstrated compliance to stringent requirements. I like to equate it with the "Good Housekeeping Seal of Approval."

The Joint Interoperability Test Command is the testing body that performs the product certifications for the Department of Defense. In addition to core product testing, the JITC specifically tests product pairings as well. SharePoint integration is considered a product pairing. For a complete listing of SharePoint paired certified products, visit the JITC Web site.

SharePoint governance efforts can be simplified by managing content in place, which is a highly recommended approach. This is a concept by which policy is applied to content in SharePoint without the need to move or copy it. The JITC Web site listing Department of Defense 5015.2 certified products is a good source for vendors that follow this approach. By leveraging a federated approach to governance, content created within SharePoint can be managed in place, helping you to make the best use of your existing infrastructure investment and user training. And key to this approach is that your existing business processes are not impacted. It is important that content is kept fully available regardless of format or location, and within the users' familiar working environment. Some key attributes to keep in mind with any governance tool:

  • Accessibility: Ensure that content is fully secure but accessible according to your security model.
  • Policy and security: Have the ability to apply corporate policy (e.g., retention rules, etc.) and plan security automatically and consistently to all content, not just SharePoint, to reduce your exposure to risk.
  • Transparency: Minimize end-user burden by enabling automatic and transparent rules to auto-declare and classify SharePoint content as corporate records. For example, this can be performed during or upon project completion, and can automatically remove drafts of corporate records based on policy, to ensure the proactive application of retention management policies.
  • E-discovery: E-discovery readiness and effective data preservation with hold management capabilities (that suspend disposal eligibility until all holds are released) should be a core capability. This ensures that document retention is facilitated in a reliable, consistent and accurate manner and assures against spoliation.

Organizations that take the time to consider these implications and develop an information governance strategy are better prepared for the reactive processes of discovery, audit and regulatory compliance. This preparedness minimizes the impact on resources, resulting in an increase in efficiencies, reduced costs and ultimately improved business agility. Important points to incorporate into your governance plan are:

  • Having clear policy and retention guidelines;
  • Understanding how information is created and who the owner is;
  • Understanding your legal requirements;
  • Having clearly defined legal hold procedures; and
  • Having the right tool to apply policy transparently in an automated fashion.

Don't forget to audit and evaluate your progress, and always establish continuous improvement processes.

Deploying SharePoint without a governance strategy is a recipe for trouble. A solid strategy serves as your roadmap to elevate the way your organization governs its most critical information assets by widening your focus beyond the constraints of repositories, applications and departments. As a result, you can ensure that high-level business objectives for compliance and the application of policy controls are being met not just for SharePoint but across the entire enterprise, all while you facilitate information sharing and collaboration. Your governance strategy will then allow SharePoint to become more valuable as a content management and business process tool. Now you can get back to running the business.
