GRC Business Considerations for SharePoint

By Jeff Shuey posted 05-18-2014 17:03


There comes a time in every business where management thinks … I wish we would have thought about that before.

Usually this happens just after a Discovery Request shows up on the doorstep.

Not to worry. All is not lost. Sure, it would be great if some forethought and planning had gone into effect before the Discovery Request. However, even if everything hasn’t been considered, secured and reviewed by a Records Management professional, it’s not game over.

The Good News

Even if you just dove into SharePoint without considering the implications, options and possibilities for future Compliance and Governance, there is still time to make adjustments. Of course, you cannot Un-Ring the Bell, but you can put efforts in place to be prepared for the next Discovery Request. And there will be another one.

Don’t Fear the Discovery Request

What’s that old line … If you aren’t being sued by someone you are doing it wrong!

If your business is successful you should expect to be sued. It’s a fact of business. Trying to ignore it or deny it is foolhardy. Plan for it and have your ducks in a row beforehand. SharePoint can help.

More Good News

You CAN think about these things before you deploy SharePoint.

However, even if you have already deployed … you CAN retroactively go back and re-establish control over your content.

SharePoint has some powerful capabilities for managing content which includes the Governance, Risk and Compliance (GRC) aspects of your content. Taking the time to understand them is both prudent and time well spent.

A few areas where SharePoint can help ensure your GRC

I will leave it as an exercise to the reader to dive into these a bit more. The good news is that there is a lot of information about each of these points on Microsoft properties, on the blogs, and in the books by many of the experts who have made their careers in the SharePoint community.

  • Content Types – These are the Secret Sauce of SharePoint. Knowing how to design, develop and deploy Content Types is one of the most misunderstood aspects of SharePoint. Take the time to learn more about Content Types. The time spent will be very valuable to ensure your GRC efforts are properly aligned.
  • Document IDs – This is where a unique identifier is assigned to each piece of content, whether it’s a contract or even a physical object. Yes, physical objects (engineering drawings, molds, materials, etc.) can be tracked in a SharePoint environment. A DocID is the way each element can be tracked and monitored through a complete chain of custody.
  • Declaring Records – This is one of those actions that should be as automated as possible. The end user should not have to decide what should be declared as a record. Third party tools are available to help manage this aspect very effectively and in a predictable and repeatable manner.
    • Hint: The SharePoint Partner Ecosystem is very robust – there are ISVs, SIs, and Learning Partners with expertise across every business imaginable.
  • Using the Records Center – Microsoft has made it very easy to start using the eDiscovery capabilities within SharePoint. There are several options to consider. The right options are dependent upon the business application and may be related to integration with other Line of Business (LOB) systems. Explore them and choose the option(s) that work best for your business.
  • Site Commissioning / Decommissioning – Content comes into the SharePoint system on a regular basis. Make it as easy as possible to bring content in by creating rules to Create and Commission Sites. The same is also true when it comes time to REMOVE a site from SharePoint. The site may not actually be removed from the system. However, by having a De-Commissioning Policy in place the business may be able to more effectively handle GRC issues.

The Top Three Priorities for Information Governance

There are a lot of moving parts to a SharePoint deployment. Paying attention to what the business needs are is important. It is also important to pay attention to the technical needs of both the people using the system and the way SharePoint is designed, developed and deployed.

Information Governance Priorities

  1. Augmented Records Management
  2. Archiving and Long-term Retention
  3. Robust Governance (Site Governance)

These are three points the business needs to consider. These are points identified by both the Records Managers and by the IT Department. By addressing these upfront, or if need be after-the-deployment, the business can be ready for that next Discovery Request. When deployed effectively there is no need to Fear the Discovery Request.

GRC for Everyone

The need to manage risk is important in every business. However, like many security measures, the guts of the effort should be transparent. Many of the legacy systems forced the users to follow specific taxonomies and processes to ensure the content was secured. Modern day tools, like SharePoint, can handle content in a myriad of ways. Some of these are listed above, with the most important and powerful being the Content Type. SharePoint has come a long way in the 15 or so years it has been around.

This is not your father’s EIM.

SharePoint will continue to grow and scale to encapsulate vertical and horizontal business elements. In doing so there will be a continued need to include GRC capabilities. The smart businesses are already including GRC planning. They are asking for guidance from both Records Managers and IT Departments. And, they are involving the business decision makers in the process to ensure alignment across the organization.

GRC is not hard, but does require planning. Take the time. Make the plans. Execute wisely and you will not need to Fear the Discovery Request.
