Why a forum, not a committee
Governance in Microsoft 365 doesn't fail because organizations lack policies — it fails because decisions get made in isolation, by the wrong people, at the wrong altitude. The most common pattern is a series of well-intentioned single-team decisions that contradict each other six months later: IT enables external sharing the same week IM publishes a 'no external sharing' policy; Security tightens conditional access in a way that breaks a Teams workflow business users have been using for a year.
A governance forum is the mechanism for getting the right people in the same room at the same time, with enough authority and context to make platform-wide decisions stick. The word 'forum' matters: this is not a committee that approves things in isolation, it is a working venue where trade-offs are surfaced and arbitrated.
Core composition
A working forum has representation from four pillars (introduced in Doc 1.1) and a defined chair with authority to make decisions when consensus stalls.
| Pillar | Typical role | Brings to the forum |
|---|---|---|
| Business leadership | Senior business sponsor or COO delegate | Business priorities, change tolerance, user advocacy. |
| Collaboration & intranet | Digital workplace lead, communications director | User experience, IA, intranet strategy, adoption. |
| Identity & security | CISO delegate or security architect | Access posture, threat model, sharing risk, conditional access. |
| Information management | Chief Information Officer, IM director, or records lead | Retention, classification, compliance, lifecycle, regulatory posture. |
| Chair | Often the IM director or a digital workplace lead with cross-pillar credibility | Sets agenda, drives decisions, owns follow-through. |
| Secretariat (recommended) | Program manager or governance analyst | Agenda, minutes, decision log, action tracking. |
Where the chair sits in the org matters. If the chair is too far from business operations, the forum becomes an IT body and loses business legitimacy. If the chair is too close to a single business function, decisions get framed through that function's lens. The IM director or digital workplace lead is usually the right altitude.
Cadence
Most forums settle into a three-tier cadence:
- Monthly working session. Operational decisions, change requests, exceptions, ongoing initiatives. The bulk of forum work happens here.
- Quarterly strategic review. Roadmap, maturity model progress, license posture, KPI review. Pulls in executive sponsors.
- Ad hoc decision calls. For time-sensitive items — incident response, urgent Microsoft change, urgent business request. Should be rare.
Between meetings, the secretariat maintains a decision log and a backlog of items the forum will consider. Anything in the backlog is visible to all members so nothing arrives at a meeting cold.
Decision rights (RACI)
The forum doesn't make every decision — it sets the policy envelope and arbitrates the cases that don't fit. Most operational decisions stay with the function that owns the area. A working RACI for common platform decisions:
| Decision | Responsible | Accountable | Consulted | Informed |
|---|---|---|---|---|
| External sharing default at tenant level | IT | Forum | Security, IM | Business leads |
| New site/workspace template | IM | Forum | Business, IT | End users |
| Sensitivity label taxonomy | Security | Forum | IM, Business | End users, IT |
| Retention label policy | IM | Forum | Security, Business | End users, IT |
| Conditional Access policy change | Security | Security exec | IT, Forum | Business leads |
| Tenant-wide naming policy | IM | Forum | IT, Business | End users |
| New connected app or third-party integration | IT | Forum | Security, IM, Business | End users |
| New department onboarding to platform | IT/IM | Forum | Business sponsor | Department |
| Site-level permission decisions | Site Owner | Information Manager | Broker | — |
| Workspace request approval | Broker | Broker | Information Manager | Requester |
The most common RACI failure mode is letting too many decisions reach the forum. If every site-level permission change ends up on the forum agenda, the forum becomes a bottleneck and loses focus on platform-wide work. Push operational decisions down to Site Owners and Brokers wherever the policy envelope allows it. The IM Governance Body (below) is the right venue for everything between Site Owner discretion and forum-level policy.
The IM Governance Body — fast-cycle decisions
The main governance forum is the wrong venue for routine catalog evolution. A request for a new library template, a new term in the taxonomy, a refinement to a content type, or a new site-type variant doesn't need executive review — but it does need a defensible approval path that runs faster than the monthly forum cycle.
The IM Governance Body is the answer. It is a smaller, faster sub-body that operates inside the policy envelope set by the main forum, with authority to approve changes that don't alter platform-wide policy.
| | Main M365 Governance Forum | IM Governance Body |
|---|---|---|
| Composition | Cross-pillar — business, IT/IM, security, IM lead, executive sponsor. | Information Managers + 1–2 Brokers + 1 IT representative + 1 security delegate (when needed). |
| Cadence | Monthly (working) + quarterly (strategic). | Weekly or biweekly. Decisions logged and effective within days. |
| Decisions in scope | Tenant-wide policy: external sharing, retention, sensitivity, conditional access, license posture, major architecture changes. | New library templates, content type changes, taxonomy additions, library catalog evolution, retention label refinements (within forum-set bounds), workspace template variants. |
| Decisions out of scope | Routine catalog and template work (delegated to IM Governance Body). | Anything that changes platform-wide policy (escalates to the main forum). |
| Output | Forum decisions; communications; roadmap. | Catalog updates pushed out within days; CoP-visible decision log; remediation tickets. |
Without an IM Governance Body, every new library template request waits four weeks for the main forum agenda — and the forum has no appetite to spend its agenda on template decisions. The result is that catalog evolution stalls, business areas build their own shadow patterns, and the standard catalog stops being authoritative. The IM Governance Body removes this bottleneck without giving up on governance.
The IM Governance Body's outputs land directly in the Kybera Impact catalog. New library templates flow into the Library Catalog; new content types flow into the Information Model; taxonomy additions flow into the term store. The Workflow Engine deploys the changes across the tenant once approved.
Without this fast cycle, catalog work becomes deployment work — a different (and slower) process.
What gets brought to the forum
Three rules of thumb help filter the backlog:
- Cross-pillar impact. If a decision affects more than one of business, IT, IM, or security, it goes to the forum.
- Default-changing. If a decision changes the default user experience for the whole tenant, it goes to the forum.
- Policy-affecting. If a decision changes retention, sharing, sensitivity, or access policy, it goes to the forum.
Examples that should NOT come to the forum:
- A single department renaming a site.
- A site owner adding a new library to their site.
- Routine M365 Group membership changes.
- Per-site permission exceptions (those go to the Information Manager).
Absorbing Microsoft change
Microsoft ships ~800 platform changes a year. Most are small (a UI tweak, a minor feature). A handful are material — a new licensing model, a new sharing default, a new app retirement. The forum's job is not to track everything; it's to have a process for catching the material ones in time to act.
A working pattern:
- Designate a watcher. One forum member (often the digital workplace lead) reviews the Microsoft 365 Roadmap and Message Center monthly.
- Triage list. Each material change goes onto a triage list with proposed action: configure, communicate, ignore, defer.
- Forum review. Triage list comes to the monthly meeting. Forum decides on the response, including who communicates to users.
- Communications calendar. Major user-facing changes get a planned communication, not a 'we noticed it broke this morning' email.
Impact's Insights modules feed the forum with the data it needs to make informed decisions: adoption metrics, sharing patterns, retention coverage, sensitivity-label coverage, lifecycle status. The Workflow Engine routes policy-affecting requests to the forum's approval chain. The forum still does the thinking — Kybera Impact removes the data-gathering tax that otherwise eats half the meeting.
A forum can run effectively on stock M365 — Microsoft 365 admin center, Purview, Entra ID, and the SharePoint Admin Center provide the levers. Expect the secretariat to spend meaningful time pulling data manually before each meeting. Decisions get made, but the latency between 'we should look at this' and 'we have the data to decide' is days, not minutes.
Communicating decisions
A decision that doesn't reach users isn't really a decision. The forum maintains a decision log and a communications cadence so changes don't surprise the organization.
- Decision log. Public-to-the-organization. Captures the decision, rationale, effective date, and any user-facing change.
- Change calendar. Forward-looking schedule of changes that will affect users. Published to managers and champions.
- Champion network. Departmental champions get briefed before a change reaches their team. (See Doc 3.5 — Community of Practice.)
- Self-service guidance. FAQs, quick-reference materials, and help-desk talking points are updated alongside the decision, not after the change lands.
Discussion Questions
• Do we have a Microsoft 365 governance forum today? If not, what would it take to charter one?
• Who should chair the forum, and what authority do they need to make it stick?
• Are the four pillars (business, collaboration, identity/security, IM) all represented at the right altitude?
• What cadence fits how this organization actually works — monthly working sessions plus quarterly reviews, or something else?
• Where do current decisions get made today, and which of those should move into the forum?
• How are Microsoft platform changes monitored and triaged today? Is anyone watching the Roadmap?
• How do users find out about platform decisions? Is there a single source of truth?
• What's the threshold for forum review — what kinds of changes are big enough to require coordination?