Authors: Rob Burkett and Vadim Yerokhin
This past month, we hosted a webinar and podcast with RevCult, a Salesforce partner that focuses its efforts on security. RevCult Chief Growth Officer Brian Olearczyk and Chief Product Officer Pete Thurston facilitated a great conversation with the crew about what governance truly means, some key tips for designing a proper program strategy, and what it takes to build a strong Center of Excellence for banks and credit unions.
Learn more about Silverline’s solutions for Financial Services organizations and see how we can jumpstart your technology journey today.
No time to watch? Here’s what you missed.
What is governance?
Governance is one of the first — and most important — concepts that teams should seek to understand as they prepare for launching a Salesforce program. At a high level, a well-formed governance plan helps customers be effective and efficient with their resources to accomplish the goal of making Salesforce the system everyone wants to use.
One level deeper, there are a few major categories of governance to consider: what the strategic vision is for a Salesforce program, which rules drive the change and enhancement roadmap, and what tools are required to execute against this innovation roadmap.
A well-appointed data governance and stewardship plan is also an important part of a well-formed governance strategy and will inform the day-to-day tasks of technicians and end users alike in the system. Investing the time up front to define these concepts informs important security requirements and helps Salesforce programs avoid unnecessary confusion and future technical rework.
Building out a proper org strategy
There are a few important elements of a proper Salesforce governance plan — the first of which starts with a well-documented strategy that answers several key questions.
Why wouldn’t people do this?
One major challenge that enterprise programs have is cohesion on requirements. In some cases, Salesforce is such an exciting tool that admins and new users are eager to get started and forget about compliance and security needs.
A well-formed governance plan helps achieve agreement across lines of business on what’s important. Getting alignment at this level, in tandem with IT/InfoSec & Compliance, is critical to success.
What is change management in the context of governance?
In the context of governance, change management focuses on processes and procedures, and how people adhere to them from implementation all the way past project completion. This can include:
- Documented administration decisions regularly communicated across teams
- Captured and collected change requests or enhancement suggestions
- Prioritization of changes and the value they bring to the business
- Communication, training, and support for users through all project phases
What is a Center of Excellence (COE)?
A COE is a group of people from functional areas across the business who represent their teams within the higher-order program strategy. This allows the business to build a framework for success and gets IT and compliance at the same table making decisions together.
In terms of technology and security, it is important that compliance drive requirements. Threat modeling helps determine courses of action should there be a breakdown in compliance adherence. Threat models will change over time, so the COE can raise these items in collaboration with the architects of the system to make decisions that will address immediate needs while considering the long-term requirements or vision for the business.
Centers of Excellence provide intentional communication to help organizations plan for change. Messaging from a COE helps tease out updates and processes, such as regulatory requirements or data retention and encryption requirements. This allows for better adoption overall.
Aligning IT, Compliance, and business needs
How can we help IT and Compliance understand the possibilities of Salesforce in tandem with the business to drive clear requirements?
Education is the first step to help the joint team understand what policies can be developed to manage a proper security and governance plan. Types of policies include: Access Policies, View Policies, Do Policies, and Control/Monitor Policies.
Our advice is that at the outset of a Salesforce program effort, it’s best to facilitate a moderated discussion among a group of business, technical, and compliance stakeholders so that everyone understands one another’s point of view on threat models and the organizational tolerance for risk, and can circle around important considerations like SSO or mobile device management.
Having a third-party partner available as your business makes big decisions around implementation and regulation often helps companies get started on the right path.