8 Things to Consider about SharePoint Governance in 2015

Accept that users know their business, not SharePoint or your governance plan.
One of your primary goals in a SharePoint governance initiative should be to identify high-risk, unstructured processes and transform them into “managed” services. Do you have a set of templates that are approved because they contain your intended governance controls—such as specific content types, metadata, or workflows? Even if users know the name of the template they are supposed to use, navigating the native SharePoint process for creating new objects can still be a daunting task. That's because this native process is unstructured—users are told what they should be doing and then left to their own devices.
In contrast, a managed service is simplified for the end user—perhaps by directing them to a provisioning process where only the allowed options are available. Now that you have directed the user, you can enhance the process with additional controls. Base the offerings available to the user on who they are and what their role is to the business. Put appropriate approval chains in place that are appropriate for certain requests.

When done properly, increased productivity can be an unexpected benefit of a well-governed SharePoint implementation.
It’s natural to think of governance as control. In reality, well-governed systems are the easiest to use. Take the example above where a user is trying to create a new site or list—their experience is actually better in the well-governed process because they are not left to figure it out for themselves. You will be much more successful in selling your governance initiative to the business if you design your processes with the end user in mind and communicate these improvements as part of the overall strategy.

One size does not fit all.
It's tempting to see SharePoint as a single box of content. Administrators are often disconnected from the user content in workspaces and have no way of understanding the varying business importance and potential risk of shared information. There is a reason why Microsoft started calling SharePoint lists “Apps” in SharePoint 2013—it’s a reflection of how SharePoint is housing an increasing number of business processes and applications, each with their own governance needs. Shouldn’t there be more to provisioning a library in a publishing site than in a team site? Shouldn’t getting access to a project site require a simpler process than to a highly sensitive content site? As admins, we need to find ways of understanding the types of sites we have, and then securing them with the right amount of governance controls.

Automation is essential.
The aforementioned concepts may sound great, but who actually has the time to make sure every site, list, and document has appropriate governance controls? SharePoint admins cannot manage this effort if they are busy doing repetitive, manual tasks every day. Try to automate as much as possible so that governance controls are enforced the minute an object is provisioned. Options include PowerShell, third party tools, and custom applications, but you should not rely on manual effort to apply and enforce governance controls across SharePoint.

Be prepared to brush up against business process.
Sometimes existing governance processes are vague because the business processes behind them are vague. If you want to create well-governed, business process-driven services for SharePoint, you must understand the business logic behind the control. Whatever requirements are outlined by the business can be enforced with the proper tools and knowledge, but first you will need to understand (or push for) that clarity.

Plan for both proactive and reactive governance controls.
Basic Governance, Risk, and Compliance (GRC) concepts state that implementing a control is not enough – we also need to monitor if the control is working. Keep this in mind to ensure you are designing a complete governance solution. SharePoint is notoriously ill-equipped at broadly scoped monitoring and alerting, so this is one area that you will want to investigate when choosing third party solutions.

More reports do not necessarily equal more governance.
Do not mistake “reporting” for actual governance controls. What someone does with that report—how often they check it and what they do after that—may be part of your controls, but reports themselves don’t enforce more than the vague specter of accountability at some point in the future. They certainly do not provide proactive control. When asked for a report, stop and ask, “Why?” Why is that report needed? Who will consume it? What will they be expected to do with this information? If the goal is to detect and remediate policy violations, there is a good chance you can use technology as the front-line control.

Think beyond SharePoint.
Understand that SharePoint governance is simply an extension of the overall IT governance strategy, which in turn is fed into the overall corporate governance concepts of the organization. The better you can connect your governance efforts in SharePoint to your organization’s core governance objectives, the more supportable and sustainable they will be.