Goverance Managed

GovernanceMeasured
Welcome to Fusion talk with Anouk and Steve.
The little blue thing. Now you know what it is. He was so surprised when he saw the video of it.
That's because I don't do governance. So I, I can quote. This week I did, a presentation at, an event in Stockholm and, I did a bit of governance and it still failed. So I took out my new slide mover thing. Images that didn't work when I was in Bremen. I set it all up. So I thought, I'm going to make sure it works. So I'm sitting at the back of the room, I get my Surface, and I put the slide projects slideshow, on, and I clicked the clicker and, the slides moved on quite happily. So then they finished the presentation. A few minutes later. I wandered to the front of the stage, I plugged in my laptop. Click, click. Nothing happened. So I didn't do the governance on my clicker because I didn't read the instructions.
And what was the instruction saying?
Don't know. I went into the presentation and I had to. I was live at that point. I was standing. So I didn't read the instructions. And in fact, I think I followed the advice of a very good friend of mine. I threw all the boxes away. So anyway, so that's that. So I also didn't follow the governance on my microphone boxes when we, when Marin and I bought these microphones for the of365 podcast. Distilled podcast. I got the boxes and I keep boxes forever. Just in case. You never know. I know, I know. Weird. It's like I keep all the little tops for the whiskey bottles. The silver tops too.
You keep boxes and still you listen to friends that tell you to throw away boxes.
I did do. Yes. Well, I'm changing. So anyway, I threw away the Rhodes boxes, so that meant I had to open the lid for the first time in two years. and I've never read the instructions on there either. And as you say, there was a little plastic bag and inside was a rubber ring.
A little blue ring.
Yes, little blue ring. Now, the first thing that I wondered about was whether it's something sexual. You know, is it one of those things that keep you. I'm not going to go down this conversation. It's not a Fusion talk thing. We don't do that kind of stuff. But it was the first thought anyway. So, of course then, I got no instructions on. There was no instructions on to do it. But we had had a bit of occasion where we're getting Clicks on the microphones.
Yeah.
And so I was thinking of buying new cables for the studio because we'd had the cables a little while. and then I read what you do with the little blue ring. And the little blue ring is to stop the plugs wobbling in the bottoms of the microphones. So it stops the clicking. Yeah. So I didn't do the governance because I didn't read it. I had to go and look it up afterwards.
And that's an issue with a lot of people. They don't read instructions or manuals, emails.
They don't read messages, they. No, adoption.
No, I know myself.
that's true though, isn't it? We're all as bad as that. It's not just our. I mean, we're laughing here as if it's. Our users are the only people that.
Do this, but we are all like that. we think we know how it works. And yes, we know it for maybe 85, 90%, but the last 10% is missing. And that's why you need to read instructions.
But it's only men that don't rfm.
No. That's just the thing that women would like to believe, but we are exactly the same.
So you don't RFM either?
No.
Okay. Governance is a strange, strange thing.
It is, it's strange. And we all need it.
Certainly in our game. We certainly need it.
Yes.
So what we want to talk about, we talked in the last podcast about governance and kind of calculating it and working it all out and all that kind of stuff and working out where governance needed to be applied.
We did.
And so we then had this really weird idea in the middle of this week. Or was it me? Was it you?
I don't count who has the weirdest.
Ideas if this turns out to be a great podcast. Of course it was you.
You wanted to say it was me, but you just.
I know. I saw the look. Come m across. I saw the look, I got the look. No, no, no, I was my idea. I'm not going to argue about it. So I said, look, let's talk about measuring governance. So I kind of got some post its
00:05:00
up here that I started off with. So knowing governance is okay, knowing governance is working, knowing governance is successful. Yes, they're all a key part of the governance life cycle that you need to be on top of.
It is. And, we both are working on a project where we both know this is a big issue. There is no government in place, and if there is something nobody knows of.
It, it's interesting, isn't it? The process is about getting something working, not managing the quality of it when it is completed and working. So yes, you can create sites, they're on the site, away they go. But we often come and stuck when it comes to content types and metadata, because we set these sites up for people and then they just start using it and then nothing happens.
True. And most of the time they don't use metadata and content types like it should.
No, because they don't want to. They just want to focus on throwing the documents in and then they can't find anything after a while, stuff like that. So, let's talk about this then. So how do we know that governance is okay?
I find it always a very difficult one to know. I think we need to break down a little bit about how you can check all of those kind of things.
Okay. I think it's fairly obvious. Everybody knows what you have to do here, but if you don't, I'll tell you. So that's okay. No, that's not. That was a very good lead into one of the blue post its. I get it, I get it. It. All right. Yes. So what we tend to do is define the governance, what we actually want the governance to achieve, what it needs to deliver, and potentially how it's going to be applied.
Yeah. And about that, defining of the governance, if people would like to learn more about it. Our previous podcast was very good about that.
It was, yes. So that was cool. I understand that. So then you can define the governance and we'll come back to that in a little bit, I think. Because, governance has to have a balance. So the output of the governance is that it has to be achievable. So on a theoretical level you need to make sure there's nothing blocking you trying to apply that governance and then potentially then you can test it.
Yes.
So next stage is to test the governance is working and it's achieving what.
You would like to get of it.
Yeah, that's a really good point actually. So if you've got a governance that is. We've got a list of things that need to be governed here. So if you've got governance that is managing onboarding, then I guess it's easy enough to do a test.
I think it is.
If you've got a governance that is managing the life cycle of a document. Not so easy to do a test.
No. and also if you have a governance about power, automate flow, also not that easy to test.
M so consequently, you do need to revert back to the governance at some point. so, yes, so we've talked about defining the governance, we've talked about testing the governance and then defining a process for ensuring the governance is maintained. The easiest thing to do is set up a process and then ignore it. And it happens all the time. Hey, you will create the user accounts like this and they will be blue with number seven and a triangle at the end of it. So the governance is blue seven triangle. But if somebody creates a blue eight triangle, then you need to make sure that they have all the instructions and the process they need to continue on by doing blue seven triangle. Because once they start doing blue eight triangle, they'll continue to do blue eight triangle, because that's what they remember doing last time. And then you're now not doing the governance anymore.
True, but then you have your process, but you need to have keep on looking on that process that everyone is living like it and everyone is doing the right way. So you need to review it every. How many times.
Well, I guess what you actually need to do is to measure it. So how do you. So let's assume that you do, an onboarding governance for creating new accounts. Something simple. We'll go back to some of these other ones in a little bit and revisit them. So successive governance is that the account is created with the username, with the naming, convention, with the access to whatever they need to do.
You have very good posters.
00:10:00
Yes. It's this kind of day today.
You see, you're only saying these things now because you've got your driving licence back. So I can't retaliate.
No, it already started this morning when we were in the meeting.
Oh, yeah, yeah, when you stabbed me in the back. you do know why it fell off though, don't you? You don't, do you?
They are not sticky enough.
No, if I stick it here, it won't come off.
But you stick it on a white.
Sheet of paper and that white sheet of paper is a. Yeah, post it.
But.
And so post its are not supposed to stick to post its.
How can the post it know it's a post it?
But that's the governance. The governance is that the post it is supposed to be able to work in the following way. It's a process.
So why did you stick it on the post it then?
Yeah, I don't know, actually. That was an. That wasn't because I didn't have a document that told me not to do that.
He's trying to get himself out of it.
I'm not going to get out of it. It was the post. It fell off and that's fine. so, yeah, we need to find a better way of doing this in this, in the studio here.
you need to have your whiteboard back.
Maybe. Now I've given that away to a charity and it will take space now. We need to think about that a little bit. We could use that there, I suppose. Or we could project it.
Yes.
We could take a laptop on and do it electronically.
We can do that. Yes.
So what we're actually doing here is defining a, governance. So we're defining the governance on how we're going to prepare our notes for a podcast and have them in a place that we can read them.
Yes.
So what we're actually, what is important for everybody to understand when you're creating a governance, you need to know what it needs to achieve. So what's the goal of the governance? The goal of the governance is usually a definition of something that needs to be completed with a way that it, is going to be processed and completed, and then a way of testing that when it's completed, it is safe or kosher or completed to the right standards. That's what governance is about. And you see it everywhere. You see it when we talk about blue post its in our recording studio, creating accounts, building a house, putting electrical wires in. There's a set of rules of governance that need to be applied. And then there are ways of testing it.
Yes.
The easiest way of. Or, what I find always the easiest way to explain to people what we mean with governance is everybody everywhere in the world knows how to boil water with a water cooker. Because it works the same everywhere.
Does it?
Yes.
Does it work the same halfway up the Himalayas?
probably. You will not use a water cooker over there.
They will. So you're halfway up a mountain. You put a fire and a saucepan on top of it full of water. It will have a different kind of process because the. All right. Yeah. The pressure's different. It boils at a different temperature and a different time.
And it's not a real water cooker that you have on your kitchen island or anything else. You boil it above fire.
you're just in the mood to argue with me, aren't you?
Always.
You're in this cocky little position here. You're sitting there on the side of the sofa, back against the wall, legs crossed, going, I'm protected. Surprised you've not got a white Line around you that says I'm safe in this zone.
No.
Anyway, we defined it earlier where we said knowing that governance is okay, working and successful, that's what we're trying to achieve. It's a very simple way of doing it. And we know that governance is a process or a set of rules. Our viewers already know that, our listeners already know that. So we defined it. We need to test it. The testing is important. Yes, as we saw yesterday.
We did.
We have a bit of a project going on where we're trying to translate some pages. and we were using Microsoft's AI translate feature, but it wasn't reloading the translated code into a page. So we had to do a bit of a breaking down session to understand what actually was actually happening.
It did a part well, part 12. And for a part it wasn't okay, so.
But typically for a developer, she tested it. So when we went on to production with it, it should have worked. What went wrong? Oh, you didn't test it fully.
I test it all my way.
She created a test that knew would make her code look good. No, I mean the basics were there, wasn't it? You got a document,
00:15:00
you put the text in and away you went. But of course as soon as we started adding some strange characters like quotations and stuff like that, it started not to re import. So we had to start digging around.
Depending on which language.
I know, I know it was a complicated process, but your testing needs to try and encompass all of the eventualities, all of the options.
Yes.
So that was a lesson we learned from yesterday. and then there's going to be processes around it and that's where we need to kind of document it so we know that it's done. How would you, how would you test that your onboarding process is done? Log on with the account, that will.
Be probably one thing.
And make sure they can get access to the right places.
That's another thing. Make sure there is an email box configured and those kind of things.
Yeah. So you check what services they've got access to. Yep, that would work. And then you would have a process for securing it. So you would then, I don't know, change the password and make sure you can't log in.
Yes.
And then it's ready to hand over to the end user.
The amazing first time login. You need to change the password.
Yeah. Part of your documentation. So that would be good. So we were at the stage where we make sure that it's ready to go live and working and what you need, of course, is a checklist.
Yes.
So if it's an onboarding, you could have a checklist that's, you know, create the account with a link to a page. So if it's somebody new, never even done it before, they can go and say, okay, what am I need to do here? So step by step, instructions for onboarding.
Anyway, for on and off boarding, that's the best thing you can do.
No, that's true. So we're using that as an example. Then we've basically got a governance, making sure it's okay, risk assessed. We've made sure that it's covering everything, that it's working, that it's successful, and that it's appropriately documented. Is, there anything missing?
yes, I'm guessing there is.
Would you like to hazard a guess?
So you are saying, it's properly documented, there is risk assessment done. you have the process in place, you have the steps, in place.
testing. Testing, developers testing. Yeah. Now, of course, we need to sort of just clarify it with the person responsible for the governance. So the help desk manager, if it's a help desk or service desk that is building the accounts, then the service manager, you would need to do a handover and a test to make sure it's done. So you would say, hey, Mickey Mouse has just joined the company. Here's his name, his details, create me account. And when Mickey logs in, we expect him to see this, this and this.
Yes.
And away it goes. Easy. And then you can walk away and say it's done.
Do you think it's easy?
Oh, yes, absolutely easy. Is it easy to be successful? No. Okay, so let's just follow this through. So I have this thing up and running, I've tested it, and it's good to go. When's the next time that I should review it or test it.
In your on and off boarding process?
actually, we haven't finished it, have we? No, because we've not closed. Mickey Mouse is still logged in. So we'd need to have the offboarding process tested.
Yes.
Yeah, same thing, though. Steps, instructions, documentations and that kind of stuff. where does auditing fit into this? Is that our way of measuring success?
Is it auditing or is it reviewing or following how many times it been, through the process that people follow the process?
I think auditing is not a measurement, it's a checking, it's a confirmation process. And I think reviewing is not auditing. I think reviewing is just how often you think it should be retested. So you said something about workflows, which we'll have a look at them in a minute. When we look at them, there was a process, ah, an auditing process that Microsoft recommend. So I think that if I was doing onboarding and offboarding, what would I want to do here? Maybe I would want to work out how many new employees or new accounts are going to be created and then take 10% and then do a check at 10%
00:20:00
and a check at 50% and then if both of those are okay, then yes.
But my problem with that is how do you, if the accounts are okay, how are you so sure that people follow the governance plan you had for it? If you have a senior person in your organisation that is dealing with the on and off boarding process and has found his own way that he finds easier to work with, is he then following the governance or not? How do you measure that?
Don't know how?
I don't know. It's my biggest question with all of this because.
But that's where the audit comes in, isn't it? So the audit would have a list of things that it needs to check. So you would take a sample and you say, hey, what was the 15th account that you created? Oh, that was Minnie Mouse. So you would then go and make sure that Minnie Mouse's name's correct. You would make sure that they've got the right permissions, that it's the right role. If you're using role based access control, and maybe you go and talk to Minnie Mouse to make sure that she's getting to everything that she needs to get to it. and then take it from there. And then maybe you take the name of the last person that left the organisation and make sure that their permissions have been removed and their account is now been held. So you have a checklist. So that's an audit. So you just need to decide how often to do the audit.
Yeah, it's an audit, but still, people can do it on a different way.
Okay, let's just go back a second because you jumped into how do we know it's working? Okay. When we were still talking about testing and checking the processes working.
Okay, but that's also my question. If you have in your onboarding process a checklist, first create the account, create an email box, make sure it has permissions to the intranet. If you have those three steps and in that order, you need to follow it in your governance. But your person that is doing the onboarding says, right, I'm going to create the account. I'm going to say, all right, he has access to the intranet and then I'm going to create the email box. He is not following the steps we defined. He does the steps, but in a different way. Does it matter or it doesn't matter then if everything is done.
That'S a great question.
And my question is how can we make sure that everybody is following the same process, the same steps? Because if the person that is sick starting to do the onboarding process didn't finish, didn't follow the governments, he fell sick, somebody else needs to step in. How does that person know what is done and where he needs to go to?
But if we have a checkbox, would the checkbox not be done in order? And so if somebody goes off sick, they could say, oh, they only got down to step seven, I'll continue on and do step eight, nine, ten, you.
We should think yes, but we are ah, people, I'm not like that. I don't follow those steps most of the time.
Yeah, well, dear customers, just be careful when you book her. No, but okay, but what you're trying to do is you're trying to take this apart unreasonably. You should be in security. They do shit like this.
No, thank you.
So it's a great question. So do you care that somebody did something in the wrong order as long as the end result is complete? But then you said yes, but if they go sick in the middle of it, then nobody will know what they did. How often is it likely to be that somebody would go sick in the middle of it?
Probably not, but.
So therefore you don't care? No, not in do care. In which case you number them and tell them to go down in order. And that is the process.
I think it's also part of On what you define the governance, explain. If it is like an on off boarding process, there is a chance that people will not get sick when they are doing all of the steps in between. But if it is completely deploying and packaging some kind of solution that takes up to 14 hours to package and then still four hours to deploy, there is a chance that people are getting sick in between.
Okay, so what did you do for the translation? To be able to check where things were and what they did. When you built the workflow for the translation, what did you do?
I build its workflow. I did
00:25:00
tests on my environments.
Yeah, yeah, but to be able to make sure and check what was happening, you Added some monitoring, steps. So you would do the same thing, would you not? You would try and build the process to make sure there was some kind of monitoring step. So even if it's a 14 hour process or 14 day process, you'd still do a checklist. And it's more important to do the checklist at that point than anything else. And if it's automated, you would kind of sit there and write to a list and say, this stage has been completed. So you can build those checks in as part of the process to make sure it's done properly. Or you can just get somebody else, if it's an automated one, they get an email that says, hey, this is now being completed. Can you check it? Because stopping it until then, just like a finance process, you know, I can. I set an invoice and I approve a purchase order. It then gets lost in the system because it actually has to be approved by somebody else. And I can't work out where that is on my view, but it's the process that was built and you get used to it and you get to know it. Why haven't I got a purchase order yet? Oh, because it hasn't been approved. Ah. I, know who next is approved. And yeah, you have to take. Otherwise you write it down. So you can do this. You just need to think it through. That's part of the process of. Is governance okay? Is it working? Is it successful? A definition of success then is I've got an account created and I've got a sheet of paper with checkboxes on for the different stages. And maybe I've got a date against each one to know that they're all done in the right order or a time. So then that basically confirms that the process was operated in the right way.
Yes.
All right, so that's good. Then we know how to do governance. It's boring though, isn't it?
It's not the most sexy subject to talk about.
Oh, it's a great subject to talk about. We're sexy, so we're talking about it. No, but I'm too sexy for my shorts. Too sexy for my.
It's that kind of day.
I lost my hat this morning. So it is going to be this time of day. I'm in depression and I broke my bloody tooth as well.
You are in depression. You don't look like that.
What do I look like?
How do you say that? This morning with wearing brown.
Oh, I don't know, I can't remember. Yeah, I'm having a Bad day because I've got a brown jumper on. Throw the brown jumper away, then never wear it again. That threw Mark terribly. That did. Anyway, irrelevant. So, we have a process. So we've made sure the governance is okay. We're not worrying before. We've made sure that it's working by having checklists and everything else. And then we can test that it was successful. And we're coming back to my point that says you then regularly check every 10 for a while until you have a level of confidence that the process is operating the way it should do. And then you audit it so that you can confirm that it has been initiated the way that you want. And that, I think is the difference with the audit. so that's fairly cool. All right.
And after the audit, you still review it once in the.
Oh, I would suggest that your audit runs every six months or every two years or whatever.
Yeah. So your audit is also a little bit part of the review to make sure everything is still in place. All right.
Typically, if it's a process for managing something that needs to be managed for some kind of standard, then you'll have auditors in anyway. You just add it to the list of things they check.
Yes.
Actually, that brings another point. There's probably a check to do before you start building this process. So if you've got, you know, you, you know what you want to have governed, we're going to go through a list of these and look at some of the specifics. And you know that governance is about making sure it's okay working and successful. This kind of assumes that you're designing it from nothing.
Yes.
But it could well be that there's already a bunch of audit levels that you need to apply anyway. So then you would need to do some research to find out why. So for example, onboarding and offboarding in an IT system with ITIL and everything else, and this too is all about those accounts, then your auditors probably already have the checklist that you need.
Yes.
So you could save yourself a bit of work and in fact, if you don't check it, you could double the work if you didn't follow their checklist or the things that they said needed to happen.
True.
So that's rather interesting.
So I think before you start designing the process,
00:30:00
you need to talk with people in your organisation and auditors you are, working with.
Well, you also need to, to make sure that you're not building a process that nobody doesn't want, that nobody wants to use.
Yes.
So that the process is as simple as it can possibly be. and, that it's actually checking all the boxes, checklist, but it's actually doing what you want the governance to do. M. Good call. Very good call. All right. Neat. Neat and neat. All right, so some of the blue posts. Post it gone then. Still stuck, though. Look, look.
Oh, boy.
You started this.
Why?
Well, you just. Instead of ignoring the blue poster falling off, you had to actually, it was quite fun to see your face because you went, yes, I get to take the.
I'm not going to ignore that.
No, that is very, very true.
That would be way too easy.
So we had some examples then just to, you know, bring some of this to a little home where I thought what we could do is think about some of the steps that we might, might do. I really should take a photograph of you sitting in the corner here. I mean, you took photographs for posting people. You're comfy.
I am.
You're comfy. I need to keep walking around because I got a poorly tooth.
You can sit as well.
Yeah, it's really strange, isn't it? So, I went to Stockholm, bought a bunch of toffees for the office. I put them all out for everybody and I ate on one today and broke my tooth. Literally, I broke my tooth. It's only a tooth. It's not hurting. but you're kind of waiting for it to start hurting. You know, teeth hurt. And so I'm sitting here going, I'm not going to drink any water. I'm going to be careful what I eat. And it's pathetic, actually. Yeah, you're allowed to agree.
All right, so no comment.
So we put up with a bunch of stuff here. So we talked about Ms. Teams, archiving sites, SharePoint labelling, external sharing, onboarding and off boarding, which I think we've probably talked about. Then we talked about power platform and some governance around there. So what I'd like to do is I'd like to take one or two of these and go through this process where we say, look, is do we need governance? Yes or no? What it would be and consist of how we prove it's working and then how we prove it's successful. Yeah, we may only have one. I mean, we've already been rucking on for about half an hour already, so.
People are getting already tired of us.
Are you bored with us yet, folks? We're listening. No, keep going. No, that's fine. They're all good. all right, Mississippi Teams archiving. So there is a feature where you can decide that under certain conditions a Microsoft Team site can be archived. So Microsoft Team site, if people don't understand, is a collaboration space. So it has chats and documents and it might have some workflows and processes in and one of 55,000 connectors doing something or whatever the number is nowadays. but of course, eventually the usage of that site becomes irrelevant and it's taken up storage on your environment. So you may want to say, I don't want to deal with this anymore. or it's just that it's now another team site that somebody's still got in their navigation that's just getting in the way.
Or even a team site where you don't have any owners anymore.
Okay, you see, you've done it again, haven't you? We're going down a nice logical conversation line and then you suddenly go, boom.
That's my brain. Sorry, forget my comments.
I get it. But don't forget it because it is important. So it's part of the process. So we're going to do mst. Ah, government. So let's have a talk about. So, knowing that governance is okay for an Ms. Team site is defined by what now? You can say it.
The owners you still have.
Making sure that you have some owners. Yep.
also checking if there is some changements on the team site.
So, well, let's just do it from a practical perspective. So, making sure that the site is being used. New documents, new posts or, updates or. Yeah, so people are actually working. So they should be able to add documents, they should be able to add posts and things. they should, may or may not be able to do sharing with externals.
Yes.
and basically any number of criteria on how that site would want to work. External sharing, internal sharing, whether it's private or public. So there'll be a set of criteria that say, okay, this site is okay.
Yes.
So that's good. So how do we define. How do we know that it's working? Well, now let's just step back a little bit. So we will create a process for creating a new team site.
Yes.
Now, it could be that it's created by somebody else on the request of a ticket.
Hm.
Could be that the user creates it themselves.
Yes.
Each of which will require different governance because there's less chance of being able to decide that a user has done it themselves. Oh, there's very rarely that. She's short of words. So it's an interesting question. So, I'm a big believer that anybody should be able to create a team site. And I think so are you. You was just trying to work out how to put the governance in place, if that's what you have.
I'm a believer of it, but it really depends on the company.
Okay, well, it is relevant for today's conversation, but you're not wrong. Of course it depends on what the company wants to do, but let's assume that. Well, let's look at both of them. So, this is a company that does not allow an end user to create their own team site. So then I guess we have our checklist built for all the instructions that the help desk or whoever's going to create it or whoever's going to build a script to create it knows what boxes needs to be checked.
True.
Okay. And then we can go through what we talked about before working it out or assessing it and auditing it and everything else. So in that case you've actually got a fairly easy process to do.
Yes, I think the easiest, one of the easiest processes you can have.
Yeah, just a manual checkbox and checklist and record them somehow and all that kind of stuff. What if you then decide users can create themselves?
I think if users can create themselves that you. That it or somebody else does need to do checks on them, that they follow all of those, but they won't.
Have access to IT steps.
no, but your, teams admin can already check a lot in the admin centre.
Okay.
M say that one of the rules you have in your company is that you need to have at least two owners for a team.
You can automate that process.
Yes.
So you can set it so that any team site created has to have two owners and then you can check a few boxes to decide what happens if not.
Yes.
So that one is easy enough to do. I agree. So actually it's a really very good point. Your governance needs to be dealt with at the team's admin level that says make sure this feature is set this way.
Yes.
You can also decide when a site is going to expire. Now, is this any difference for our, governance process?
I don't think so. Not for that level of the process. Because it's a governance that is set for the entire company based on it creating them or the people itself creating them.
So based on how you're going to work it, you then do the governance accordingly. Oh, there it is. The first piece of pain from my tooth. It started.
That's because you are focused on it. Focus on something else.
Okay, I'LL try and do that. Right. Knowing governance is okay. All right. And is working. So you define the scope of that governance, and in particular, you say users are going to create teams themselves, and then you would go through all of the settings that you want to be done, and you would find a way of making sure that technically when they create a site, those sites are created to that standard.
Yes.
Easy.
If we tell it like that. It is.
Yeah. It's fine. It's easy. It's nothing to do with the security team. They will not come and screw up your process. They will not try to get you to do something that's impossible to do because they read about it in Men's Weekly. from, you know, security man, from the bank.
No, not at all.
Never do anything like that at all.
And users don't read things on the Internet that they want to try and change.
No, no, no. That's got nothing to do with governance. So that's okay. But I know where you're coming from. But that was interesting is that when you create a team site, you get the choice of doing a private or a public site.
Yes.
And one of the things was happening was that our users were creating public sites. Security really didn't like that.
No.
So we had to put a process in where we run a workflow that
00:40:00
checks whether sites are public or not so that we could then change it.
Have fun.
And then, that means the security team then had to, They also went down the list because they found out how to go and check and run them off, and then that's fine. But now they forgot they've stopped doing that, so we. We don't have to keep running our process. So, was it successful? Yeah, maybe.
No. If you stopped it, then it's not successful.
To be fair, I don't know whether we stopped it. I honestly think it's still running, probably, but needs to be a monthly process that then needs to be checked.
Yes.
And I'm, fairly certain we don't do it. We don't check. It failed.
But that's also one of the things with governance. You make all of those sets, you do those checks, you do those audits, reviews, everything. But when. Sometimes it just stops or people don't do it regularly enough anymore.
No. And that, I think, is where the blue people come in. So when you put your team together, you need the blue people who feel the importance of making sure that all the checks are boxed, all the boxes are checked as well. and that, you know, everything is all good. You don't want a lot of green people that are so laid back they don't care, you know, blue checkers.
But just to be sure that everyone understands what you mean with blue and green people.
Yeah. You're fairly sure most people do the.
Test that you can do to see where you are.
Yeah. To see the kind of person you are. And blue people are very detail oriented and they don't sleep at night unless they know all the boxes are checked properly.
Can you believe that I'm blue and green?
yes. Can you believe that I'm actually in more or less equal blue, green, red and yellow?
Yes. Only the blue part maybe.
Not so sure. Yeah, it's ah, cool. Do you know that Yoshi and I are nearly identical? It's true. Same test, nearly identical. All right, good. So, yeah, so basically you're going to say you've got to, you've got to look at all the criteria that you're going to do. And I think we should touch on this thing about failing to do governance because I feel that, we want to help people. Success be successful here and we're kind of implying that it's okay to fail because we fail. Yes, but we failed. It's the word failed. So we set governance up and then it ends up missing out somewhere. It's because you didn't set up, the successful criteria. The bit that says test the process, the bit that says check the process and you didn't put the right people in place to do it. So you've, it's important that you don't set yourself up for failure. And if I keep talking, it's really good for looking at your face when you're trying to get a word in edgeways. You may now speak. Sorry, I couldn't resist that.
if you take over, I will tell you.
Oh, yeah, I know that.
No, but I think also if you fail on your covenants, it's also the time to go back to the design table, see which people were there and start over the process again. Make sure that you learn from it.
You review while you're why you fail.
Learn from it and be better next time. You will be better next time.
Good, good, good, good, good, good. so yes, you could also then look at whether you can automate some of those things that are not being done.
So is failing always bad? No, because you can learn a lot of it.
It's a little bit like we're trying to set up or we're thinking of getting set up for our customer. Where we're trying to make sure that the users do what they need to do. and many years ago, before metadata checking in online was done, then I had a workflow that said, hey, you've uploaded a document and this and this and this is missing. And they would get a reminder. So in some ways the audit is doing that check. So it's a similar kind of process.
Yes.
And it's also, For me, let's go back to the workflow we tried to do yesterday, where I had your set of eyes and, you worked with me. Is it. Was I failing? Yes, because I didn't deliver what I should deliver.
It wasn't working. It's not that you failed particularly, but it was not working.
But it was also a learning process for me to understand more about what was going on. And it was good to have somebody else checking things with me, even if I was jumping from the one thing to the another.
Frustrating to hell. It was frustrating to hell.
But we both learned of it. And of course that's one of the main things.
Next time we think we might have a solution which
00:45:00
we're currently testing. So that's.
And for me it's a little bit the same with governance.
I agree. You should always go into governance on the basis that we're going to make this work and it will work fine and I will get over the hurdles, but they're not always so easy. John and I. Another blue guy. But John and I often sit and brainstorm this stuff all the time, because you're trying to identify the weaknesses or the places it will fail and everything else. and so in our case of our Ms. Teams archive, we defined the scope of what we're going to work within teams. We've kind of put the process in place. You would then go on and operate it and then you would check it every so often and make sure that it's being operated the way it needs to be operated. And if you can automate that, all the better and dashboard it. So cool. Cool. All right, let's choose one more. So we want to jump into, External sharing is an interesting one, but it's probably too big a one to do now, so maybe we'll do some security sharing ones later. I'd like to jump onto the power platform governance, because that's a thing at the moment.
Yes.
And it's ripe for completely screwing up your environment if you don't get it right.
it really depends on what you are doing. But yes, you can do a lot of things wrong with It. So it's very important that you get well informed about all of those things.
they could do that by listening to this podcast. If you continue on and tell everybody how to look at their governance.
One of the things inside of the power platform that you need to have governance on is reviewing your workflows.
Yes.
Because power platform is changing a lot. Microsoft is working on it. There are coming new connectors, they are updating their connectors, they are doing a lot of things. And if you have a workflow, it can run perfectly for a year and it can stop then why? And then you need to start searching why it stops. So making sure that you republish your workflow every six months is always a good idea because maybe you are working with a, connector that doesn't exist anymore.
Yeah, that's true.
Can be perfectly. Or you have an API call and the API call doesn't exist anymore or anything. Or there is a new, better connector to do it. And then you are keeping up to date with it. Is it governance based? Yes. Because you need to set that rule, you need to review and you need to do that audit on it. that's a very big step to start with.
So biz follows the same process that we've talked about. So we've got the power platform. we understand how we want the power platform to work. So we could say, hey, anybody can create a workflow or only a certain number of people can create a workflow type, of workflow. Hey, if it's this type of workflow, only certain people can do it. We can talk about the account, the context of the account that it needs to run within the environment where it is in the criteria for the different environments. I mean, it's a complicated thing. It's not something we can teach anybody now, to be honest. but now what you're also talking about, when it gets to the sort of success of it, there's a set of processes that you need to put into place for every workflow.
Yes.
Which is to republish it every six months and make sure that it's still working. So we now have a maintenance schedule. We do a maintenance schedule to make sure that workflows continue to work.
Yes.
That's actually basically what you are going to do here.
Every workflow. And that would then need to be checked and double checked and everything else. And the auditor will need to know that, hey, we have a workflow here for checking, the republishing of the workflows, workflow for the workflow. and they need to make sure that it was done appropriately and everything else.
Yeah. And if there needs to change something then they will get the information of it.
Yeah. If anybody gets really stuck on all this and they really want to find out what they need to do, then they should look at the ITIL standards. Itil, which is basically the standard for managing your IT systems and it's a whole library of processes and things that you can choose from and to use to actually manage your system. I've never read it and I never will, because I don't like things that are too structured. I'd rather build something and customise it for what you need to do. and then you also need somebody that is, as we talked about, blue people to actually make sure it gets, make sure it's done. But you also need to make sure you've got somebody that keeps checking, you know, I, I am now going to check tomorrow whether we're still checking for public or private team sites and.
Also check for the workflows you already have running in the environment. When the last time was that they've.
00:50:00
Been republished, I have no idea. But yes, I will, we'll get onto that. I mean there's a number of things like that, but we don't have enough workflows to worry about it at this point in time. Now let me rephrase that. We are not workflow focused enough as an organisation. So it's not a crucial part of our.
No, but it's the same production environment.
I'm, not suggesting for one minute we don't need to do it, it's just that priority wise, it's more important that we sorted out the backup of our server environment that wasn't working or that we need to make sure the security for our general accounts and service accounts was done properly.
True. It's not a, not a lot of organisations are doing it a regular check. that reminds me that we need to do it for another customer as well.
Okay. Yeah, it's fair to do. So I've worked that one out now. So. Yes, so we've just looked at one particular aspect here of, of power platform. but yes, so the republishing, when it needs to be done, how it needs to be done, who it needs to be done by, because certain accounts, certain rights are needed. and then how you measure that. So you've got a history of when that was published and when that wasn't published. Yes, it's a shitload of work Isn't it?
It is.
All right. Governance is a shitload of work and nobody pays for a governance manager to do it for you.
No. And to be honest, still, a lot of companies are not well aware of all of their governance rules and settings they are having.
No. And, it's actually quite dangerous not having somebody monitoring whether it's your security guy, your DevOps guy, SecOps guy, whether it's your, data, manager, whether it's. What's the role I'm looking for here? it's your compliance officer. That's the word I'm looking for. So your compliance officer should really have a list of things that need to be checked. and then sort of get in there and if you're in IT and you're taking over or building a workflow, governance, then you should actually find the compliance officer and say, hey, look, when we do governance workflows, these are the way the things that need to be done that we can make sure we're complaining, complying with.
Yes.
and then basically, you are meeting that last criteria of, whether we've defined the process for ensuring that everything is actually working and successful, and then you can effectively go live.
Yes.
You should also have a go live list. So you should also say that this workflow can go live because I've checked that the boxes were checked when they were created. I've checked that we've tested it against the criteria we said we tested it by. I've checked that we've got a process for making sure that it gets refreshed every six months. And, I've checked that we are in compliance with whatever we need to be done. So now we can go live.
That's actually quite good idea.
Yes, it's a great idea, but that's not what people do. Of course. They go, hey, I've run it now and tested it, so let's put it on production. So. Yeah. And that's because the driver is to fix whatever it's being designed and built for.
Yeah.
I've worked for an organisation, I work for a banking organisation that have a lot of processes in place for these kinds of things. Huge amounts. Everything was so freaking slow to make work. But, you know, when you're trans, when you're processing 50 billion euros or dollars or pounds worth of deals, trades, interest, you kind of got to make sure it works, because every hour that it doesn't, you're losing commission of millions. and so, based upon what kind of organisation you are, based upon the kinds of quality check in that you do.
Yeah.
So you have to decide really for your own organisation.
Yes.
Every, every organisation have different governance and different sets of.
But I'd like to suggest that as we finish off here that everybody is actually working to the same model. It doesn't matter whether you're that bank or whether you're, you know, a small little chemical company or whether you're a two man consultancy company. You need to understand from your governance perspective or how a system is going to work or how important it is. Okay. That you understand what the governance is that needs to be achieved and that when you have defined that that you've then made sure it works and it's doing its stuff and that you have some way of making sure it's successful and stays successful by measuring it or documenting it and everything else. But keep it simple. As simple as the bare minimum least privilege like the security people. You just got enough to do what you need to do as a job. You need to do just enough to make sure that you can see that everything is working the way it should.
Yes.
00:55:00
And that's it. That's a little approach on measuring governance. M I like.
We did a great job.
We always do a great job. The problem is that do we walk the talk? That's I, whenever I talk about governance it, it is very difficult to convince everybody that they should put some effort and resources into doing this the right way.
Yeah, of course. Because everyone thinks that they are needing to reinvent the wheel but everybody gets.
Caught somewhere and realising that, you know, they failed to do something and it's left a hole in their process or a security hole in their organisation.
Yep.
So you do need to find some way, some audit type of team that is constantly checking to make sure everything's down. Yeah. So that's the only way. The only way guys. Being diligent, due diligence, making sure it's all done. all right, so there we go. Three minutes to the hour. Steve Dolby here is saying I enjoyed doing this actually it was quite a good idea. Do we think it was a good idea?
It was a good idea.
Thank you very much for the idea. I thought that was brilliant. I'll be a gentleman here. I'll be a gentleman. So this is Fusion Talk, this is Steve, Anouk and Anouk. And we hope you've enjoyed this conversation and that you've learned at least one thing that your baby going to take away back to your office and change.
Let's hope the people learn let's hope they do.
Bye for now.
Bye.
00:56:38