As policies and procedures are growing in number and importance for organisations, many are turning to Office 365, and in particular SharePoint, as the place to hold these key documents. There are many reasons why you'd want to do this. In this discussion starter we explore why it's a good idea to use Office 365 for storing policies as opposed to storing them on one of the many available policy management cloud services. We also talk about the gaps and introduce our own policy management tool for Office 365, Teams and SharePoint, which fills the feature gaps that most organisations are looking for.
To start, let's clarify what we mean by policy and procedure management, or policy management for short. Policy management is all about being able to manage the lifecycle of policy documents in a robust and process-driven way, from the creation of new policies, through to the dissemination of policies, through to policy review (to ensure they are still fit for purpose). If you know anything about SharePoint then you'll recognise straight away that it excels at document management. But by using some of the other tools in Office 365 we can build a fairly capable policy management feature set that will suit many small organisations.
Let's look at what Office 365 and SharePoint can offer:
1) Document storage
This is one of the primary functions of Office 365, especially through SharePoint. By using SharePoint to store your policies you are keeping them in-house and under your control. One of the complaints about traditional cloud policy management tools is that you have to store your documents on their infrastructure. So if you decide to move provider, you have to find ways to migrate your policies or risk losing them. Storing documents in your Microsoft cloud is also more secure, with confidentiality guaranteed by Microsoft.
2) Document metadata
Adding metadata such as tags, descriptions, department, owners, contacts, etc. is useful, especially if you have many policies and you want to make it easy for people to find the right one, without necessarily knowing the name of the policy. SharePoint document libraries make it very easy to add controlled metadata alongside each of your policies.
3) Document search
Microsoft Search is what powers document search in SharePoint. It enables you to search document titles and body content. Thanks to its integration with Microsoft Graph it can intelligently suggest results that are most relevant to the person searching. It also respects your document permissions (see next item in the list). Also notable is that you can set up search so that if a user types a certain keyword, say, expenses, then you can surface the expenses policy as the top search result. This is called promoted results.
4) Permissions and access control
SharePoint has powerful permissions and access control built in so you can control who owns a document, who can edit it, who can read it. And through integration with Active Directory groups you are able to control access in a very targeted way.
5) Document version control
SharePoint document libraries have a toggle in settings where you can switch on version control. This means all versions, including small changes that are made to a policy, are saved so you can refer back to them and if necessary roll-back. This is useful in a policy management context in case there is ever any litigation and you need to be able to go back to a previous version to see what was in place at the time of an incident.
6) Document creation workflow
The creation of policies often needs to be a controlled process. Ensuring that a policy is written using the correct template and that a policy is checked by the right people before publishing are typical things you'd want to control. Thanks to Power Automate, the workflow tool in Office 365, it's easy to create policy creation workflows.
7) Document review workflow
Similar to the above, you might want to set a review period for a policy so that, say, once a year, the policy is reviewed by a group of people to check whether it is still fit for purpose or needs updating. Again, Power Automate is the tool to help do this.
8) Easy integration with your intranet
Most organisations that have Microsoft 365 also have their intranet on SharePoint, Viva and Teams. Having policies and procedures available from your intranet is a no-brainer when it comes to raising awareness of them. If they are already housed on SharePoint then this is a very easy task to set up.
Where are the gaps?
1) Document dissemination and targeting
Office 365 gives us tools for sharing a document - these are good for controlling who a document goes to but they can be pretty basic in terms of how they alert someone. If you share a document with a group then everyone will get a one-off email alert. That's it. There are no reminders and it's only on email too (no Teams or mobile notifications). It's also quite a manual process, so it's easy to make a mistake. If you had to do this with many documents it would take a long time as there is no way to bulk share documents.
2) Making a policy a mandatory read
There's no 'mandatory read' designation in SharePoint or Office 365. You could put a metadata flag against it which would be visible if a user goes to the document library, but that won't necessarily be tied to the sharing alert that goes out to people. You'd have to paste a message into the share alert informing people that this is a mandatory read. One way around this is to create a view of the library that filters to only show mandatory reads and show this on the intranet homepage so that people are aware of them. Another issue with this approach is that some policies are only mandatory for certain people. The above solution doesn't provide any granularity.
3) Policy acknowledgements
When a company sends out a mandatory read to its staff it wants people to acknowledge that they have read it. It's possible to request this attestation using Microsoft Forms. Essentially you build a simple form which allows people to click a confirm button once they have read a document. You can gather acknowledgements inside a SharePoint list. Once again though, this is pretty basic and the key criticism is that your list tells you who has read it but not who hasn't.
4) Recurring mandatory reads
Most mandatory policies need to be re-read by staff at least once a year. This means the policy owner would need to remember to send out an email asking people to re-read the policy each year. Again, this is open to human error and forgetfulness and is not a very robust way to manage critical policies.
Requesting people to read a policy is often not enough. Getting people to prove they have read it means you have to test their knowledge. There is no easy way to create a quiz inside Office 365.
6) Reporting and auditing
A robust policy management regime includes reporting so that, on a micro level, policy owners and compliance managers can show who has and who hasn't read a mandatory policy, which version they read, when they read it, the quiz score, etc. On a macro level they'd want to be able to show policy reads across a department, location or even across the whole company. This is not possible using a home-built policy management system on Office 365.
7) New employee onboarding
When new starters join they typically have to read a lot of policies. Managing this as an ongoing, robust process is not easy. For example, what happens when a new starter joins, reads all the policies and then the following month you send out a whole lot of annual policy re-read emails to the whole company? Does the new starter have to re-read everything they only read last month, just so that they can be on the same re-read cycle as everyone else?
8) Alerts and notifications
A robust policy management tool would send out reminders to people to tell them to view a must-read policy. And then once they've read it, it would cease sending reminders. It would also send alerts on email, Teams, a mobile app perhaps, and ideally let the user choose how they want to be alerted. Similarly if someone had many policies to read you'd want alerts to aggregate policies into one notification so as not to bombard the user with too many alerts or emails.
9) Chasing and escalations
If someone ignores a must-read policy notification repeatedly, you'd want to be able to do something about it. This means you'd want to set a 'read by date' and then an escalation procedure so that, say, the line manager and the compliance manager are warned when someone misses the read by date.
10) Integration through Teams
Now that people spend more and more time inside Teams, it's becoming ever more important to serve up information and notifications through Teams. There are many different ways to do this well but you can do it on a simple level by showing your policy library as an app in Teams.
How to fill the gaps?
There are two options to fill all the gaps that I've covered above. One is to build functionality using Microsoft's rich toolset, especially using tools like Power Automate, Power BI and some clever code. This is not an easy task by any stretch of the imagination but you'll have fun along the way and learn a whole lot! Another way is to look at our policy management for SharePoint software, which is quick and easy to set up and lets you keep all your policies inside SharePoint and leverage the good stuff like version control, workflows etc., while still filling the gaps and bringing you the sophistication that a robust policy management regime demands.
If you've tackled some of the policy management challenges described above, join the discussion and tell us what you've done and how you've done it.