Understanding IT GRC in Higher Education: IT Governance

A recent EDUCAUSE Center for Analysis and Research (ECAR) study on IT governance, risk, and compliance (GRC) programs in higher education found that almost 55 percent of institutions have a formal IT governance body. Institutions with an IT governance body

• are more likely to involve a broad range of stakeholders in IT decision making;
• make more strategic IT investment decisions;
• have broad-based support from leadership, faculty, and other stakeholders for IT initiatives; and
• have IT organizations that contribute more to institutional strategic planning and policy than those that don't have such a body.¹

By providing more informed decisions, better investment decisions, and more stakeholder support, IT governance programs help ensure that information technology aligns with the institutional mission.

What Is IT Governance?

IT governance consists of decision-making processes that ensure the effective and efficient use of IT in enabling an institution to achieve its strategic objectives. Effective IT governance programs ensure that technology strategies, policies, procedures, and initiatives align with those objectives. Decision-making authority and levels of collaboration will vary based on each institution's culture, but all IT governance programs should include a broad base of stakeholder input.

IT governance includes the people, processes, and structures necessary to guide decision making around technology issues. Components of IT governance programs include:

• Decision-making and advisory bodies at different levels of the institution (e.g., board of trustees, campus-wide, or college/unit) with different levels of authority
• Resource management (technological, financial, and human resources)
• Project portfolio management
• Service portfolio management
• Institutional data standards and management
• Risk management
• Regulatory and institutional policy compliance oversight

IT Governance Models

The structures of IT governance programs at colleges and universities vary greatly based on institutional size, organization, culture, and control (private vs. public). Some IT governance programs feed up into an institutional governance program; others do not. The ECAR IT GRC study found that more than three-fourths of the institutions with an IT governance program also have that program represented on their institution's governance body. The IT GRC Advisory Committee has generally seen two types of IT governance programs in higher education: "Hub and Spoke" and "Parallel." The institutional models and websites shared in this article serve as examples of the different types of IT governance program structure, but are not inclusive of all IT governance programs at higher education institutions.

"Hub and Spoke" Structure

Some institutions create a single IT governance structure with specific functions delegated to subcommittees. Subcommittees are typically organized by domain, such as academic IT (student systems), administrative IT (business or administrative systems), infrastructure, networks, and information security. Examples of this structure include University of Michigan, Northwestern University, University of Florida, University of British Columbia [http://cio.ubc.ca/content/structure], Case Western Reserve University, the University of Notre Dame, and Appalachian State University.

"Parallel" Structure

Some institutions create multiple, parallel IT governance structures. The most common example uses one structure for administrative IT functions and a separate structure for academic IT functions. These different governance councils then work together to make IT governance decisions. These parallel IT structures may themselves be "hub and spoke" structures. Examples of this structure include University of Pennsylvania [http://www.upenn.edu/computing/group/it-roundtable/governance.html] and University of California, Los Angeles [https://oit.ucla.edu/governance].

Key Questions to Ask about IT Governance

Whether institutions are first considering implementing IT governance structures, or modifying already existing structures, the IT GRC Advisory Committee recommends that leaders ask the following questions:

• What do you need to govern?
  • Consider your resources: What financial, technological (infrastructure and services), and human resources are available?
  • What goals are you trying to achieve or what issues are you attempting to cure?
  • How can you leverage your existing organizational structure (e.g. centralized vs. decentralized IT) via governance to take advantage of opportunities for aggregation, resource sharing, and broader planning for increased efficiencies?
• Who are your stakeholders?
  • Do you have support from the institutional president and senior leadership?
  • Do you have support from stakeholders such as business process and service owners?
  • How can your stakeholders help you achieve your governance goals?
• What other governance initiatives do you have at your institution?
  • How will IT governance fit into and inform already established institutional governance processes?
  • What IT decision making processes are already in place, and how will they fit into a more holistic IT governance structure?

Conclusion

Adopting an effective IT governance program is a critical step for IT to become a strategic institutional partner. In a higher education setting, IT governance should be a collaborative effort that includes input from a wide variety of stakeholders.

EDUCAUSE provides resources that help higher education institutions define and implement campus IT GRC activities. For advice from the IT GRC Advisory Committee, see:

• "Understanding IT GRC in Higher Education: IT Governance" (this article)
• "Understanding IT GRC in Higher Education: IT Risk"
• "Understanding IT GRC in Higher Education: IT Compliance"

We also invite you to contribute to the IT GRC body of knowledge in higher education. To learn more, visit the EDUCAUSE web page on the topic.

Acknowledgments

The EDUCAUSE IT GRC program began in January 2014 to provide resources that help institutions define and implement IT governance, risk, and compliance (GRC) activities on your campus. The inaugural IT GRC Advisory Committee includes Cathy Bates (Appalachian State University), Niraj Bhagat (Southern Methodist University), Mike Chapple (University of Notre Dame), Michael Corn (Brandeis University), Elias G. Eldayrie (University of Florida), Merri Beth Lavagnino (Indiana University), L. Sue McCormick (University of Virginia), Steven J. McDonald (Rhode Island School of Design), Peter J. Murray (University of Maryland, Baltimore), Marty Ringle (Reed College), Cheryl Washington (University of California, Davis), and Madelyn F. Wessel (Virginia Commonwealth University).

While all IT GRC Advisory Committee members contributed to the content of this advice, special acknowledgment is due to the members of "Team Governance" (Cathy Bates, Mike Chapple, Michael Corn, and Marty Ringle), who took responsibility for reducing the many thoughts of the committee into the final advice offered.

1. Jacqueline Bichsel and Patrick Feehan, IT Governance, Risk, and Compliance Programs in Higher Education (Louisville, CO: ECAR, June 2014). The study also reported that respondents at institutions with an IT governance body more strongly agreed that they participated in IT strategic planning, policy making, and investment activities than respondents at institutions without an IT governance body.