The SharePoint Information Governance Mismatch. Presented first at the SharePoint Evolutions Conference 2015. This session highlights the key challenges of trying to implement IG in SharePoint for Large and Global Organisations. The session also provides pointers towards some ways of managing the complexity effectively.
Typical IG attributes:
- Data Owner
- Data Classification
- Retention Period
- Disposal Period
- Archive Period
- ‘May Contain Nuts’
- Any other attributes???
Migrating your Intranet and Managing your Documents in SharePoint
- Randy Perkins
Managing the Content Lifecycle in Office 365
- John Halliday
Making Sense of the Information Jungle and the Path That Lies Ahead
- Agnes Molnar & Dan Holme
Achieving Governance through Transformative Migration
- Bradley T Smith
Content Classification Using Dependency Structure Matrix Analysis
- John Holliday
SharePoint Information Management
- Paul Turner
more of the iceberg!
Soulsailor Consulting is a small micro-consultancy focussed on:
"Enabling organisational value by positively disrupting technology projects"
bit.ly/BuySPGovManifesto
The topic of Information Governance is HUGE; it is much larger, more complex and harder to implement than you think, trust me…
In this session I intend to open your eyes to Information Governance and compliance and how they are mismatched in large global corporations.
I won’t give you an answer, but you will leave with lots of questions to ask your business and a steer towards the right way to approach this for you and your organisation.
Assumptions: You already know ‘Why?’ you need Information Governance.
- Large / Global Organisations
- Highly regulated
- Collaboration/Knowledge (informal content)
- SharePoint
My Knowledge Context: Session based on experience in:
- Zurich (Finance)
- SABMiller (Brewery)
- First Quantum Minerals (Mining)
- large universities (Education)
- Swisslog (Logistics)
Who wins?
Business or Technology? Neither, perhaps it’s Legal & Compliance & Law that wins?
Wikipedia definition of IG
http://en.wikipedia.org/wiki/Information_governance
Clients’ definition of IG
My Governance definition
My IG Definition
What typically drives major investment into IG?
- Data Protection Act
- Freedom Of Information Act
- Data Protection Directive
- Health Insurance Portability & Accountability Act
- German Workers Council (BetrVG)
- US-EU Safe Harbor
- Sarbanes-Oxley
- Basel I
- Basel II
- ISO
- FACTA
- Right To Be Forgotten
- German BDSG
The impact of inaction includes:
- Fines
- Scale of fines
- Reputational damage
- Lack of value from information assets
Questions to ask the business first
IG Requirements Gathering
What are your target systems?
- SharePoint
- Yammer
- Lync
- Exchange
- Fileshares?
- etc.
If your target system is SharePoint, then what bits should you govern?
- Site Collections / Sites?
- Libraries – all or just document?
- Pages?
- Lists?
- Social?
What business data is in scope?
- Records
- Fileshares
- Collaboration / Social
- Knowledge
What business data is in scope?
- email
- voice
- customer / business records
- Application generated content?
Easier to govern
What local legal or compliance or business led rules and requirements do you have?
EU Directives
Global initiatives
Organisation / Strategy led requirements
Nightmare to consolidate and govern
What local legal or compliance or business led rules and requirements do you have?
Local is the killer? How local?
Country?
Business Unit?
What are your data classification rules?
- Public/Open
- Internal Use
- Confidential
- Highly Confidential
What about using the concept of Business Impact instead?
- High
- Medium
- Low
There’s no legal requirement for the traditional Confidential, Highly Confidential etc. approach.
What do your data classification rules impact?
- Security/Access
- Who can change the data classification of content?
…is this different to data classification? Is it linked?
- Personal Data – means it’s highly confidential
- Legally Privileged – exempt from Legal Hold
- Data Pertaining to Minors – Highly confidential
- SOX Compliant – whole can of worms
Have you clearly identified the types of information you have?
Will all these types of content live and be managed under one platform?
Have you clearly identified: A Record (read-only/non-delete)?
Have you clearly identified: A Business Record?
A Non-Record? Social content
We keep too much stuff… Common across most businesses is the fact that content does not get deleted.
How far back does your email archive go?
What’s the oldest file on your personal drive / file share?
Based on everything above, what are your Archive rules?
- Are you going to, do you need to, do you want to? WHY?
- Cheaper storage? In 2013 is it really much cheaper? (Shredded storage etc.)
- 3rd party tools for management?
- What about access to the content?
Based on everything above, what are your Archive (housekeeping) rules? 12 months is probably too soon (annual reviews etc.)
Based on everything above, what are your Disposal rules?
- Reduced storage?
- 3rd party tools for management?
Based on everything above, what are your Disposal (housekeeping) rules? 12 months is probably too soon (annual reviews etc.)
For all the above, what will trigger the ‘action’?
- X months after last modified?
- X months after last accessed?
- X months after custom trigger?
Think about content usage cycles i.e. documents only used once a year or legacy system documentation
This is a BIG question!
Typical Basic IG attributes include:
- Data Owner
- Data Classification
- Retention Period
- Disposal Period
- Archive Period
- ‘May Contain Nuts’ Indicators
What do you guys use?
Data Classification and Security
- Twins?
- Brothers & Sisters?
- Unrelated?
I’ve found that data classification should inform but not explicitly state the security….
Data classification informs the user how to ‘handle’ the content, i.e. steers them to appropriate behaviours.
Back to the original question, why is it so hard for large and global organisations to implement information governance and why is there such a mismatch between the technology, principles and business requirements?
All the things we’ve talked about so far!
Cynefin… ‘Place of multiple belongings’. As you will see later, this is extremely relevant to the practice of IG.
Information Governance sits in the ‘Complex’ Quadrant as an ‘Emergent Practice’
Dave Snowden (Ex-IBM)
Place of Multiple Belongings – multiple influencers
SenseMaking model, not a Classification Model
Highlight Analysis versus Facilitation in each zone.
Technology Projects are typically in the Complex zone
Business Problems & Technology projects are what I would class as “Complex” Problems
Show the pronounced ‘canevan’ - Cynefin Matrix… Show where Business & Technology is versus a technology problem.
Simple Domain - “Every time you do X you get Y”
Complicated Domain - “If you apply method A, on the advice of experts B and C, you will get to Z”
Exchange deployment
Complex Domain - “Based on department X feedback, let’s try this new configuration of sites, document libraries, folders and content types”
Business projects & Technology
Chaotic Domain - “Try method A and see whether it got you any closer to Z. Review whether your understanding of Z has changed as a result”
http://www.youtube.com/watch?v=N7oz366X0-8
How the hell do you implement a solution that caters for all this IG stuff AND delivers usability, putability, findability, business adoption and business value?
Ask the audience: who’s doing IG? Who’s doing a simple approach? Who’s going all out complex?
In business systems (CRM, Accounts etc.) it’s easy because business systems do one thing.
In SharePoint, it’s complex because SharePoint can do many things, we’re building solutions and functionality and new use cases AFTER the IG foundations have been applied, especially in the context of Collaboration.
The cost of solving the problem versus the financial penalty. What motivates me to do this over and above other business priorities (make money / cut costs etc.)?
For many global orgs the financial penalties are insignificant. This may change, with some legislation proposing a fine of 5% of global annual turnover EVEN if the issue is at a local level.
Theory:
- Evolving, global approach but with many local nuances: Germany, USA, EU etc.
- Rules based (doesn’t fit collab)
- Records ‘heritage’ (doesn’t fit collab)
Practice:
- Business expects one solution, but has many complex rules, some of which date back pre-SharePoint. What is practical to implement versus the rule book?
- Many rules aren’t complementary, i.e. we can’t take the worst case from all the rules and just implement that (no covering arse)
Practice:
- Business doesn’t expect information governance to be the problem or the responsibility of the end user, except perhaps data classification.
- But they expect it to be intuitive.
- Complexity should be in the system, not in business users’ heads
Tools:
- SharePoint has a simple approach to IG through Information Governance Policies.
- O365 is evolving this further with more compliance, data management and rights management features
Metalogix
Sharegate
Gimmal
Tools:
- Tools (AvePoint, Metalogix etc.) come from SharePoint Governance, not Information Governance
- Vendor tools fit simple scenarios (3 levels of compliance etc.)
In a lot of cases they are focused on admins,
So how do we manage this complexity, assuming we want to even try?
Let’s finish off with some approaches to managing the complexity of IG in our SharePoint solutions.
Approaches to managing IT Complexity
Vision (and stick to it)
Whatever steps we take they need to allow us to do ‘goal alignment’ every step of the way….
Age old question: Build versus Buy versus Customize versus Do Nothing!
If your org’s Governance rules (such as values for retention, disposal etc.) are owned by business locally, do that analysis first before solutionising.
The granularity and diversity of the rules & values can have a huge impact on solution & usability
Local capability versus global Tech Solution.
- One solution for everyone to use consistently
- Deliver capability that local IT customize to meet local needs
Business Led Requirements = Too complex
IT Led Requirements = Too simple
Get a balanced approach
SharePoint Information Management Policies deliver a lot of what’s needed for a pragmatic solution
- Simple global IG -> Use SharePoint information management policies
- Complicated global IG -> Use SharePoint & a tool
- Advanced IG -> Custom
- Complicated & local -> Custom
Try to consolidate (rules), try to trust (people), try to be pragmatic (technology)
Don’t go to prison
Don’t get fined [too much]
Don’t get a bad reputation
When applying governance policies don’t go lower than library level… user & tech complexity. Ideally stay at Site or Site Collection level.
A good (tech) solution to IG in a global organization with considerable complexity would be
You need a HUGE FOCUS ON Business change… extract of your xls
Especially if you’re migrating from fileshares to a well governed SharePoint solution
Centre of Excellence / Records & Information Management Function
Lots of great sessions this week on Information Governance related topics.
Check them out or watch them on the Conference DVDs.