Project Management
Policy for Project Management
A policy for reviewing and managing the performance of projects should be approved by the Board and implemented by the executive of the CRC.
The policy may require each project to be described in a project plan, along with milestones, deliverables, payments, and risk mitigation measures. It should identify and describe the role of a Project Manager for each project. It should also describe any dependencies and links to other CRC projects.
In addition, each project plan should describe how the project will lead to commercial, social and environmental impact, either directly or indirectly, and describe the process and organisations that will be required to achieve those outcomes.
The policy should outline the agreed process, timelines and responsibilities of project review, and how poor-performing projects will be managed. Ideally, this would include a project review template that project managers should submit to the delegated officers of the CRC.
Business Administration Systems
This section outlines the business administration systems that need to be rapidly established to ensure the efficiency and safety of a new organisation starting up. It can be costly and time consuming to change an underlying software platform, so making the right decision early will save time and money later.
Cloud Platform: Google or Microsoft
A key decision to make is whether to use Google or Microsoft.
The Google system is much cheaper, is less clunky and is arguably easier for document sharing. All of Google’s systems are browser driven and based on the cloud, and you get access to most of the system of apps when you sign up for a Workspace Account – upgrading the account generally gives more security and access to more data storage and video conferencing. It can be more difficult to bring people who don’t have a Google account into the collaboration spaces.
Microsoft is better integrated with Office tools such as Microsoft Word, PowerPoint and Excel and is often used by government agencies who find it difficult or impossible to formally work with Google workspaces. Microsoft systems are not intuitive and their website is not particularly informative, so you may need to hire a specialist consultant to assist you to extract the full value from a very deep and complex technology stack that may require additional licenses (and cost) as you use more of it. It can be quite difficult to bring people who don’t have a Microsoft account into the collaboration spaces. If you work in security-sensitive areas like defence, you will need to download patches and change settings to strengthen the security of the Microsoft stack.
Not-for-profits, including CRCs, can usually negotiate a big discount on some Microsoft license costs.
Really understand the relative benefits of each so you don’t set up under one and then find that you have to switch mid-stream – it can be very expensive.
In the end, you will probably go with Microsoft because government partners can engage more easily.
Document Management
Setting up a robust filing structure early on is essential to ensure files and folders are well organised and can be easily and intuitively accessed by the whole team (not just the creator). Failure to do so can result in significant lost time and expense in trying to track down the right file and version of the file.
In addition, file and folder naming conventions are key to maintaining well-organised electronic directory and drive structures. When used consistently this means:
- Files are easily distinguished one from another
- File names are easier to browse
- Retrieval is facilitated for all users (not just the file’s creator)
- Document version control is maintained
It is good practice to develop a Naming Convention Protocol for the team to become familiar with. See example of Naming Protocol here.
File naming best practice
- Keep file names short but descriptive (<25 characters)
- Avoid special characters
- Use underscores or dashes instead of spaces or slashes
- Use the date in YYYYMMDD format at the beginning of the document name (e.g. 20230201_Smith_Letter); this will facilitate computer-aided date sorting
- For revisions of documentation such as reports, legal agreements etc., use a version number (e.g. V01, V02) at the end of the file name
Elements to consider when naming documentation
- Date of creation (putting the date at the front will facilitate computer-aided date sorting)
- Short Description
- Work
- Location
- Project name or number
- Sample
- Analysis
- Version number
Cybersecurity
It is recommended to engage a cybersecurity expert to ensure a comprehensive framework is developed across the organisation that ensures the security and integrity of its information technology systems and data. A cybersecurity expert can develop a policy that outlines the principles and strategies to be employed to protect the organisation against cyber threats and data breaches, thereby safeguarding intellectual property, personal information, and other sensitive digital assets. An example of Rozetta’s draft cybersecurity policy can be provided upon request.
The policy should be applicable to all individuals, including employees, contractors, affiliates, and anyone who has access to the information systems and networks of the organisation. It covers all types of technology and digital media, including but not limited to computers, mobile devices, network equipment, software, and data storage, whether owned by the organisation or used under its auspices.
In line with the policy, additional measures could include:
- Maintain a register of all IT assets, including organisational software and hardware, approved BYOD devices (if relevant), and online and third-party services (see example here)
- Conduct regular audits on BYOD devices (if relevant) to ensure compliance with antivirus, patching, application hardening, encryption, password and personal firewall protection
- Ensure all staff are aware and understand the Cybersecurity Policy
- Create a sanitisation process for devices that have reached the end of their shelf life and need to be discarded, ensuring all data has been wiped
- Have an appropriate backup system in place for stored data and mailbox accounts. An example would be engaging a Third Party Vendor to monitor, schedule and maintain regular backups of all data and mailbox accounts. This can be done either at a separate physical location on a hardware device (e.g. laptop, hard drive) or via a third-party cloud service. These can then be retrieved in the event of an incident requiring access to missing data.
- Have a process in place for staff to report any suspected or actual security incidents.
- Engage an IT expert to conduct regular training and awareness on phishing, password management, data protection and incident reporting
- If engaging any Third Party Vendors who require access to the organisation’s data, ensure the Third Party has undergone a risk assessment in order to evaluate their security posture and identify the risks they pose to the organisation including vendor reputation, security requirements, confidentiality controls, backup and disaster recovery.
- If a Third Party Vendor is engaged, ensure a Consultancy Agreement has been signed that addresses security responsibilities, right to audit, breach notification, privacy and destruction of data, service levels and insurance requirements.
- Implement an IT and Password Policy. An example of an IT & Password Policy is here.
Essential Eight
In addition to the Cybersecurity Policy, your cybersecurity expert should also advise you on meeting the minimum requirements of the Essential Eight. The Essential Eight is an Australian cybersecurity framework that aims to protect Australian businesses from cyberattacks. The three primary objectives are to prevent attacks, limit attack impact and maintain data availability.
The mitigation strategies that constitute the Essential Eight are:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
More information on the Essential Eight and associated government links can be found here: Essential 8.
Document Templates
Having a suite of document templates early on will save time and effort and ensure consistency of brand and recognition. Templates such as agendas, minutes, reports, letterheads, PowerPoint, e-signature etc. are a good start and should be made available to the whole team.
Engaging a marketing agency that has developed the branding of the CRC could assist with this; alternatively, it can be done in-house if resources are available.
Customer Relationship Management (CRM)
A Customer Relationship Management (CRM) system is essentially a database with a reporting function to help you quickly create lists of appropriate contacts from your list, and store information about your stakeholders that becomes the corporate memory of the organisation. You want this information to be stored centrally, not just on individual email accounts and Excel spreadsheets – because information is more valuable when it can be shared across a larger network, and information can otherwise be easily lost when individuals leave the organisation.
A CRM can also be used to send you reminders about engaging with people, for example, to renew a contract, to maintain regular contact with key stakeholders and to remind the Board when policies are about to expire. This helps improve stakeholder engagement.
Examples of popular CRMs are:
- Microsoft Dynamics 365 – powerful, extensive, clunky integration with other MS apps
- Zoho – very focused on sales support, relatively cheap and cheerful
- Hubspot – very focused on sales support, cheap and cheerful
- Salesforce – powerful, complex and more expensive
Some examples of how to use a product like Dynamics 365:
- Select and store emails from partners directly from Outlook into Dynamics 365. This becomes a permanent corporate record that can be searched and found by others who want to know where the relationship with that partner is up to, or who need to track down the right contact details quickly.
- Create email lists from Dynamics 365 by searching for contacts in organisations, functions, projects and/or titles to quickly pull together a list of relevant contacts.
- Store contracts in the CRM with end dates and set the system to send an email reminder when milestones are due or contracts are due to complete, so that reminders can be sent to partners about what needs to be completed.
- Store company policies in the CRM with expiry dates and reminder dates so that these policies can be renewed before they expire.
Policy Review Calendar
Company policies are generally reviewed on an annual or bi-annual basis by the appropriate Committee or Department. To keep track of policies and their expiry dates (including managing version control), it is best to use a good CRM system that has features to:
- send alerts to the appropriate person when a policy is expiring
- record approval date and next review date
- store the actual policy (as well as previous versions of the same policy)
- state the Committee or Department responsible for approving the review
- record the frequency of review
- record other notes
Document Retention Policy
Organisations have legal obligations to keep certain kinds of data on record for a specified amount of time and must comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) and any other applicable privacy laws.
A Document Retention Policy is required to set out the Organisation’s approach to managing, retaining and destroying records and data (including personal information) held by the Organisation to ensure compliance with applicable data retention and privacy laws. The Policy should outline roles, responsibilities, and steps Rozetta must take when dealing with record and data retention and destruction.
An example is attached here (once finalised)