Prof. Andrew McAfee (see my previous post) in a blog post in Nov 2006 asked his readers to consider this: Imagine two competitors, one of which has the guiding principle “keep security risks and discoverability to a minimum,” the other of which is guided by the rule “make it as easy as possible for people to collaborate and access each others’ expertise.” Both put in technology infrastructures appropriate for their guiding principles. Take all IT, legal, and leak-related costs into account. Which of these two comes out ahead over time?
My guess would be the latter.
So, what is Governance?
In simple terms I’d say that Governance is the set of policies, procedures and structures you define and establish in an organization to guide and direct the use of technology to achieve organizational goals. So it is about both IT and the business.
In the Enterprise 2.0 context, one finds that companies are concerned when it comes to allowing the use of such technologies across the firewall. The typical concerns are around monitoring the content posted in blogs and wikis, and fears over potential lawsuits arising from the publication of information that is slanderous or hate-oriented, or that can be interpreted as harassing or discriminatory in any shape or form. There is also concern around the potential for trade secrets, new product information, R&D information and other such inside information getting out. At the client I am at currently, there is tremendous concern over the possibility of allowing for collaboration between internal employees and any external entities.
I wonder if the very same concerns existed when email was first introduced or way back when the telephone was first made available in a business setting.
Most companies tend to have an information security policy, and that seems to have generally sufficed to handle these concerns around email and phone calls. In a similar fashion, I think it’d be useful to extend that information security policy to cover Enterprise 2.0 technologies such as blogs, wikis, RSS, podcasts, social networking, etc. It’d also be useful to highlight and publicize these policies so that employees are aware that instant messages, blog or wiki posts, and comments on a discussion thread are to be treated as public communication. Also, one needs to consider that online social communities typically tend to be self-policing and self-correcting.
So I would like to suggest that for a company to successfully embrace Enterprise 2.0, it should first decide how it wants to handle the content that will be generated through the use of such technologies. Would it not be reasonable to assume that all such information should be treated as the company’s digital assets?
So when it comes to providing governance around your Enterprise 2.0 solution, it might be useful to look at the following areas:
* Findability – how can you make it easy to find relevant content so users do not have to remember URLs or content locations? What can you do to provide true enterprise search capabilities? Can the search experience be customized?
* Retention – how long should content be retained both from a legal perspective and because of the business necessity to find older content? How about a mechanism to archive content that isn’t being actively used?
* Versioning – how many versions of content would you like to support? Make it easy to go back to a previous version but manage this effectively to minimize storage costs. Can you enforce storage quotas?
* Information Architecture – what guidelines do you want to provide around navigation and search? What kind of metadata do you want captured with different kinds of content to make it easy to find pertinent information? Do you have specific thoughts around taxonomy? Also, would you want to use workflows to manage document state? How about content approval policies? How do you integrate the content in the collaboration system with your enterprise portals?
* Customization – is the system customizable and does it provide the ability to turn functionality on/off as needed? What kinds of user customization of the system would be acceptable? How do you plan to verify that those customizations are safe to be deployed to your Production environment? Will there be a rollback mechanism?
* Security – provide adequate security so that content that needs special security can be effectively protected. Also verify that there are adequate mechanisms to audit and report system usage, and enforce information management policies such as retention, auditing, expiration, etc.
* Acceptable content – state upfront what kinds of content are acceptable, i.e. regarding text, images, videos, audio, etc. Also specify your policy around sharing this content externally.
* Integration of such systems into the organization’s Enterprise Content Management system – How do you envision the information flowing from the location that provides free collaboration to your enterprise content management system? How do you plan to handle e-discovery? Where should the final, legal record of content reside?
* Tools – finally, evaluate the available Enterprise 2.0 tools to see which one best meets your needs in light of the requirements outlined above.
* Documentation – document your policies and procedures and the custom framework you are going to implement with respect to the software tool(s) selected above and publicize its availability.
To exercise the system, a pilot rollout could be considered and the guidelines and policies then be tweaked appropriately based on relevant feedback. But after that, IT should get out of the way and strive to effectively enable and empower the business to use these Enterprise 2.0 technologies.
One other thing I think companies should focus on is identifying and establishing the process for maintaining a single version of the truth when it comes to content management. Having multiple redundant versions of the same content, for example in email, on the user’s PC, in a shared network folder, in a collaboration space and in a content management system, is not a good idea in terms of governance and compliance, and it is also very expensive when you think of backup and storage costs, not to mention the amount of time lost in finding out which is the latest version or the single version of truth. I had a colleague use the term “single point of truth” or SPOT, and thinking in terms of SPOT should be a key focus area for governance. In this regard, you could for instance institute a policy stating that internally, email should not be used to forward documents, but that a link to the document on the intranet or collaboration area be emailed instead. The same policy could be adopted for external communication as long as an extranet site is available to share content with external collaborators.
Today it is becoming common for the business to make use of Web 2.0 tools without overt IT involvement. With regard to Web 2.0, this is not as significant an issue since it is mainly about the consumer aspects and geared towards the individual user. However, when it comes to Enterprise 2.0, I do not think that is necessarily the best thing to do long term. For Enterprise 2.0, my recommendation would be that the business work hand-in-hand with IT and make use of a corporate vendor that builds and integrates its Enterprise 2.0 offering with existing infrastructure and has the vision, and the proven financial and technical abilities, to engineer a solution that can scale well and provide the necessary controls and mechanisms outlined above.
I would like to propose that IT be forward-looking and embrace Enterprise 2.0 technologies and strive to empower and enable the business to effectively use such technologies. And I would also propose that the business work in association with IT to achieve its ends instead of pursuing solutions that are good for a single department but may not scale well to the enterprise or are unable to provide the functionality needed long term.