How to doom Office365 governance (over and over again)

Paul Culmsee
May 7 · 11 min read

What if I told you many IT governance efforts, despite best intentions of managing or reducing risk, actually do the opposite and increase risk to the organisation. Sound counter intuitive or outright blasphemous? A younger me would wonder what older me is smoking right now, so let’s see if I can make a half-decent case and convince all you under-appreciated IT admins that adjusting your thinking will benefit you and your organisation.

The way I am going to do this is to outline what I call anti-governance patterns. These are mindsets or practices that are highly common but consistently lead to sub-optimal outcomes. They are not obvious to the untrained eye, lying hidden until organisations start down the road of governance efforts.

While I am thinking about organisations working with Office365 as I write these lines, it should be noted that these anti-patterns are pretty universal across and beyond IT.

Governance anti-pattern 1: Confusing the means with the ends.

The closest I will ever go to defining governance is to tell you that the factual origins of the word. “Govern” is a nautical term from Latin and actually means “to steer, guide or pilot”. We aim to steer the energy and resources available for the greatest benefit to all.

Despite being a nautical theme, the end-in-mind does not have to be a physical place, but it can be a “better” place than where we are now. After all, if the present state was good enough, we would not invest the time, effort and money into any type of improvement effort, let alone invest in platforms like Office365.

Figure 1: Governance as a means to an end

Now the above might seem obvious, but for many IT departments, the mental model they use for governance looks more like this…

Figure 2: Confusing the means with the ends

The bias towards this mental model of governance is quite understandable, given IT is usually the custodian of the means to an end — the critical business systems that exist to deliver value to the organisation. However, when viewed through the lens of steering, it exposes a bias that has risk management implications.

If IT remains cloistered and disengaged from the business, governance framed this way is illusory at best and highly risky at worst. This is because to steer, we need to understand what the destination is, or at the very least, all be reasonably aligned on the direction.

If you accept the premise that governance is a means to a greater end, we need to focus on three key aspects:

  • Goal Clarity (What does the aspirational future state look like?)
  • Role Clarity (Who will do what to get us to that state?)
  • Task Clarity: (How will we get to that state? What are the boundaries/rules?)

The anti-governance pattern is when governance is confused as an end, rather than the means, goal clarity is given short shrift and task clarity gets the overwhelming focus. The risk of this is an overly control-driven and process-centric regime that:

  • is likely not aligned to organisational business and strategic direction
  • takes considerable energy and effort to maintain. Take away this effort and energy, then things often degrade back into the sort of chaos that gave rise to the need for governance in the first place!
  • Creates a rod for the back of IT because pace of change results in new challenges and opportunities that the original governance regime never accounted for
  • Results in alienated compliance of the user base and encourages “shadow IT” solutions (which today are usually a website sign-up away), creating further governance challenges.

Ironically, these are often the very risks that drive governance efforts in the first place. IT departments, with best of intent, trying to escape the painful legacy of past poorly executed technology platforms, end up unknowingly create the conditions for the same thing to happen again.

So, remember this mantra — governance is a means to an end, and not the end in itself. The act of developing a shared context of what the problems or opportunities are (Goal Clarity), determining which folks need to be accountable for addressing them (Role Clarity) and using that to always steer the governance decision making is the key to managing these strategic risks.

A practical way to do this is to:

  • Examine your organisations mission and strategic plan. What does it aspire to both in terms of goals but values and behaviours? How can your technology investments help to meet these objectives? This ensures you do not overly focus on the risk-mitigation aspects of governance and consider a broader perspective
  • Ask the following question to key business stakeholders. If you had “Insert goal here”, how would things be different to now? The nice thing about the framing of this question, is the answers are often measurable “increased this” or “decreased that”. Not only are these excellent ways to get goal clarity, they become potential KPI’s which help you measure your success.

Governance anti-pattern 2: Models, definitions and the illusion of clarity.

Another way to state the above anti-pattern is that the more comprehensive the definition of governance is, the less it will be understood and the less applicable it will be.

What the… Are you incredulous reading this? How can one understand something without first defining it? I mean, that’s pretty much what university teaches us to do! Trust me, if this is your reaction, I can assure that you are not the only reader to react this way and I have stood up in front of academics and said the same thing…

To explain, consider Figure 2 where the means versus the ends are confused. Given that now “governance” is the end in mind, insight is often sought about what constitutes governance — what are the “bits”. This search usually results in a well-intentioned whitepaper, poster or model that breaks governance down into sub-areas and posits that if each of these conceptual bases are covered, everything will be peachy. As an example, consider this popular model of SharePoint governance from 2013…

Figure 3: A popular governance model for SharePoint 2013

To illustrate the hidden risks here, consider this picture of the Mona Lisa…

Figure 4: A paint-by-numbers Mona Lisa

Looking at the above picture, we clearly see this is actually not the Mona Lisa, but a paint-by-numbers model of the Mona Lisa — a representation of the original. The implicit claim made with a model like this is that by filling in the numbered areas with the right colours, you too could have your very own Mona Lisa — just like the original.

What do you think? If we painted this model, would it look like the real Mona Lisa?

Unlikely! As everyone instinctively realises, it would probably look as amateurish as a finger painting. Yet in many ways, the (oft unstated) implication of pre-supplied governance models is if you “paint the numbers”, success will be assured. However, unlike the Mona Lisa example, many people are blind to the fact that “painting by numbers” on governance may result in substandard, and in many cases, even undesirable outcomes.

In this case the risk is how you use such ready-made models. Considering our first governance anti-pattern, the first issue is that goal clarity continues to be overlooked and in fact task clarity gets even more focus.

But the issue goes deeper. We need to recognise that models are simplifications of reality. Model-makers look at the real “thing” being modelled and attempt to analyse it by breaking it up into what they think are its constituent components. In the Mona Lisa example, someone has looked at the colours and shapes of the original and used that as a basis to create a model of it.

But here’s the thing … it would have taken Leonardo da Vinci years to master the craft of painting and along that journey there would have been many missteps and refinements to his technique. So, there is much more to the Mona Lisa than the painting alone. It represents Da Vinci’s journey of learning. Such a journey cannot be represented by anything other than the original and even that won’t tell you why Da Vinci chose a certain colour or brush stroke. Nor will it show you all of the false starts, missteps and crappy paintings that came before and ultimately enabled Da Vinci to create the Mona Lisa.

Similarly, ready-made governance models all but ignore the learning journey of organisations — not just the events and circumstances that give each organisation its unique character, but the inevitable missteps that will occur going forward. While it’s obvious to all that a paint-by-numbers Mona Lisa model is but a caricature of the original, this is much less obvious in the case of governance models with cool sounding names, supplied by consultancies or product vendors. You simply cannot “paint the numbers” and shortcut your way past the learning journey (Enterprise Architects — I am looking at you here!).

The other side of the coin is what model-makers choose to keep. In general, such models are not based on any one case study or reference. They are often the combined result of retrospective examination of many (perceived) successful organisations. Apart from the fact that such studies are flawed because they only look at successes, not failures, they work towards creating a mythical picture of the ideal. The problem is such an ideal does not actually exist.

Governance Anti-Pattern 3: Governance as a Teddy Bear

The world of those tasked with custodianship of enterprise platforms like Office365 is one that is beset with ambiguity. Users have aspirations, organisations have strategies to deliver, projects abound in their various guises, vendors are constantly enhancing their products and pace of change is a constant challenge. You might have heard the term VUCA before — Volatility, Uncertainty, Complexity and Ambiguity

Recent work in neuroscience has shown that the brain processes risk very differently from ambiguity. With risk the rules are known (such as playing poker), but in the case of ambiguity, not all the rules are understood and there are many “unknown unknowns”. Studies show that unlike risk, ambiguous situations are processed in the areas of the brain that govern our emotional responses. The implication for this is huge… for many people ambiguity creates a strong feeling of anxiety.

Figure 5: A typical ambiguity coping mechanism

Now think back to your childhood for a moment. Kids rely on teddy bears, security blankets or some other object as a surrogate protective figure for security and comfort. They serve as psychological support when kids are anxious or in a new or scary situation. This is a primal instinct too, as orphaned animals are often given fluffy toys to cling onto to help them cope with an uncertain situation.

But guess what… as adults, we never really stop using such support objects — they just take on a different form. For grown-ups in the corporate playground, real teddies are supplanted by less obvious ones such as processes, tools, techniques, methodologies or even people (such as Big Q consultants or management book authors :).

Figure 6: An example of highly common corporate Teddies

The thing is, using these “grown-up teddies” is not a problem. Indeed, it is a key part of the process of learning and gaining experience. If you are a project manager, chances are you may have “clutched” the PMBOK (or some other similar PM tome) when you were a newbie. For others it might be ITIL, TOGAF or Scrum.

Which of these is your particular security blanket is beside the point. The important thing is that as confidence grows and learning is internalised, what was once ambiguous is suddenly less so, and perhaps even business as usual. In this case, such supporting objects are used with increasing discretion and flexibility, just like the child who eventually lets go of their teddy.

But of course, with kids and adults alike, this does not always happen…

Figure 7: An example of Teddy removal before the wielder is ready

The key point is that sometimes the developmental process of learning via these support objects is disrupted. When this happens, these teddies can become fetishes — objects that are held onto with a pathological intensity, not because they lead to better outcomes, but because they reduce anxiety for those who use them! In other words, the tools become ritualistic ends in themselves, rather than means to achieving ends. If you have ever thought to yourself “Why are we following this wrong-headed process?” chances are you might be dealing with fetishes at a corporate scale.

It is important to understand that those who cling on to fetishes do so because it makes them feel better. Cognitively, the situation has gone from feeling ambiguous to feeling logical. For people with an aversion to ambiguity, this is a highly desirable state to be in and they are highly resistant to leaving it.

Figure 8: The inevitable outcomes of fetishized governance

But chances are, any governance approach that takes a rigid, one-sized-fits all, mechanistic approach to the use of tools, processes and techniques, might have a teddy bear or two driving their use. Such a fetishized approach to the use of governance invariably ends up making things worse because the most important factor — the feedback loop that incorporates new learnings — is entirely absent. Practitioners are blind to this affliction too, continuing to believe in their fetishes come what may, precluding any genuine learning. In fact, any questioning of the approach is likely to evoke a reaction akin to trying to remove a teddy bear from a child before they are ready to let it go as per Figure 7.

Leave this pattern to play out a few times, and eventually the governance approach will not only fail, but blame may even be attributed to the technology platform, not the flawed governance mindset used to deliver and maintain it. A telltale sign of this is a history of problematic technology investments where value did not get realised because, from the perspective of the afflicted, the previous technology platform was simply crap.

The anti-pattern of anti-patterns

So how does your organisation fare? I am sure you have encountered a whole bunch of teddies lurking around the offices and cubicles of the modern workplace. I am equally sure you have also experienced the reaction when you have accidentally trodden on or inadvertently pulled a teddy from someone before they are ready.

It is important to realise that there is no getting away from ambiguity in the present-day corporate environment. We must therefore need to learn to tolerate and even harness it. Indeed, ambiguity is best viewed as a primal force that is neither good nor bad in itself…it just is.

Understanding ambiguity doesn’t preclude the need for governance, but if you are unconsciously driven by a need to run away from ambiguity, the regime you put in place is unlikely to meet the needs of the organisation.

A useful tip is identify your favorite corporate teddy bears (need for process, need for structure, need for order) and ask yourself what is driving your need for them. The first step towards understanding how to implement effective governance lies in understanding yourself and how you handle ambiguity.

You can’t expect people to loosen their grip on their teddies without you doing it too…

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade