Clear guiding principles and high-level goals for governance provide a framework for developing an effective IT governance process. While every institution must determine for itself how IT governance should be structured and what role it will play, there are common principles that can be used to help the institution understand the purpose of IT governance.
IT Governance Is a Technology Process
The "IT" part of IT governance reflects the scope and purpose of the process. IT governance is critical to successfully managing the technology assets that compose IT. Governance provides a mechanism to allow technology assets to be researched, proposed, reviewed, endorsed, supported, implemented, and communicated.
IT Governance Is a Strategic Process
Fundamentally, IT governance is a process for strategic IT decision making. It is essential to understand the mission of the institution and weave it into the IT governance process to ensure that governance decisions align with institutional objectives.
You will need to distinguish between governance and operational management. Governance often answers broad "what" and "which" questions (e.g., Which projects shall we do? What are our priorities?) but not tactical "how" questions (e.g., How should we technically solve this problem?).
IT Governance Is a Community Decision-Making Process
When designing a decision-making process like IT governance, it is critical to make sure that appropriate representatives are included and that their roles are well understood. IT governance will not succeed if there is a lack of clarity about who makes decisions and which decisions they are permitted to make. You will need to distinguish between advisory roles, which provide input into decisions, and endorsement roles, which make decisions and are accountable for them. It may be useful to use a RACI model, in which the types of decisions that will be made are analyzed to determine who is Responsible, Accountable, Consulted, and Informed about each decision.
The nature and impact of IT demands that IT governance be carefully structured to include the input of a wide variety of stakeholders, such as contract management, compliance, budgeting, policy, privacy, and IT security, as well as representation from student affairs and academic personnel. Further, effective IT governance demands that participants have at least a cursory understanding of the impact of technology on the institution's functional processes.
IT governance must support the institution's decision-making model. This is reflected in the organization of IT: Is it centralized? Decentralized? A hybrid of the two? In a highly centralized model, IT governance participants might be largely drawn from the academic and business units, whereas when the model is decentralized or hybrid it may be important to include the voices of the rest of the IT community in the decision-making process.
It is important to understand the culture of decision making at the institution. Are decisions typically made unilaterally by the IT organization or delegated to governance committees? If the institution has a more collaborative or democratic approach, IT governance will need a framework to guide decision making. In some institutional cultures, it is acceptable to make decisions in which there is dissent. In this case, voting rules are important. In others, decisions require consensus, and IT governance will need processes and leadership that can help achieve this.
It is also necessary to consider whether someone such as the CIO or an entity like the executive cabinet will have final decision-making authority. It should be established whether IT governance will have the power to veto or petition for a review of such decisions.
When making decisions, governance participants should be aware of the institution's shared values regarding IT. This can help participants weigh options so that decisions are aligned with institutional and IT strategies. Values might include local autonomy, privacy, digital literacy, stewardship, etc. Supporting processes such as prioritization scorecards and training for IT governance participants can ensure that the institution's values are reflected in governance decisions.
IT Governance Is a Behavioral Process
IT governance can encourage certain behaviors in the use of information technology. In order to do this, it is necessary for there to be clarity about the problems that IT governance is trying to solve. Will IT governance shape strategic plans? Address compliance risk? Provide technical review of projects or initiatives? Prioritize investment? Determine policies? Allocate funding? Serve as an education or communication mechanism?
A fundamental component of IT governance is the identification of the criteria for which decisions will go through the IT governance process. Effective IT governance requires that it actually be used, which means the community needs to understand when to engage in the IT governance process. It will be helpful to design a simple scorecard that can be used to help determine if a decision requires governance review. Criteria might include financial thresholds, business impact, strategic impact, user impact, and risk. Be aware that lengthy or complex rules are counterproductive and unlikely to be used consistently.
IT Governance Is a Flexible Process
A challenge for IT governance is to balance the need for oversight with the potential for unnecessary bureaucracy. Avoiding bureaucracy requires that IT governance have clear, transparent, and well-understood decision-making and escalation processes. It's likely that processes will need to be refined as the institution's IT governance matures. Because of this, it's important to build in a regular review process to assess the efficacy and effectiveness of IT governance.
If processes are flexible, then bureaucratic barriers are less likely to impede progress. For example, perhaps decisions could be made between meetings by e-mail or agendas could be crowdsourced. With flexibility and adequate support for the mechanics of IT governance, the process can successfully facilitate progress on projects and even support innovation by providing a clear, streamlined process for translating good ideas to supported projects.
The mechanics of IT governance matter: predictable meeting schedules, agendas developed in advance, documentation of decisions, and effective communication methods are important.
IT Governance Is a Valued Process
The degree to which IT governance is valued is reflected in its placement in the institution. Where on the org chart is IT governance hosted? Is it part of the CIO's office? The executive cabinet? Or is it further down on the org chart, perhaps in a Project and Portfolio Management Office? Who is responsible for making sure IT governance works, and where do they report?
For IT governance to succeed, the institution must acknowledge that it is critical to the successful implementation of IT across the institution. Such a critical process requires attention and support, including staff resources and funding. Institutions with successful IT governance processes deliberately plan for the staff time required to support IT governance. At some larger institutions, a full-time staff person is devoted to IT governance. At other institutions, the responsibility for managing IT governance is incorporated into other staff members' duties. If IT governance is not actively managed, its effectiveness will suffer.
EDUCAUSE IT GRC Resources
EDUCAUSE provides resources that help you define and implement IT governance, risk, and compliance (GRC) activities on your campus. Learn more and view additional resources on the IT GRC website.
Kelly Arruda is the IT governance coordinator for UCLA.
© 2017 Kelly Arruda. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.