Successfully developing an IT governance process requires a thoughtful and holistic approach, from identifying the guiding principles to defining decision-making processes and assigning responsibility for managing and improving the process.1 A key element in the development of an effective process is the design of the IT governance structure. This structure provides a framework for the institution's decision-making and advisory processes.
The structure for institutional IT governance programs will vary based on a number of factors such as institutional size and control, the composition of IT operations across the institution (central versus distributed or some combination of both), the hierarchical structure of the institution itself, and institutional culture. Previous research has identified two general types of IT governance structures within higher education: the hub-and-spoke structure and parallel structures.2
The hub and spoke is a single structure with specific functions delegated to subcommittees. The parallel structure has multiple IT governance structures for separate institutional functions. For example, there might be one governance structure for administrative IT functions and a separate structure for academic IT functions. It is possible to have a combination, such as separate academic and administrative IT structures, each composed of subcommittees for particular functional areas.
When deciding between parallel and hub-and-spoke structures, it is important to consider the institution's funding model for IT, its organizational structure, its culture and values, and its strategies and goals. If academic and administrative IT are funded and organized separately, it may make sense to use a parallel structure. However, if the institution's strategy is to balance IT spending and project prioritization across academic and administrative functions, it would not be wise to separate these functions in the IT governance structure.
The IT governance structure may reflect or even change the institution’s culture. In this example, if academic and administrative IT have different values, make different technology choices, and have different decision-making processes, designing an IT governance structure that includes both can help normalize the processes and bring the two together. On the other hand, if that is not an institutional goal, then the different cultures may result in still different IT governance processes.
Institutions can approach the design of the IT governance structure by asking some key questions. The answers will help the institution consider the span and depth of the structure, the organizational level of IT governance, and appropriate stakeholder inclusion.
What Are the Goals of Implementing IT Governance?
The first step in designing a structure is to know what you intend to accomplish by implementing IT governance. In this step, you should consider how IT governance will align with your institution's mission and IT strategy. Do you want to address IT decision making comprehensively, including central and distributed units? Or do you want to focus only on central IT? Do you want to separate decision-making for certain areas, such as administrative and academic IT? Or do you want IT governance to align IT decisions across the institution? How will IT governance relate to institutional governance and budget processes?
Who Is Sponsoring IT Governance?
It is necessary to determine who has the ultimate responsibility for the decisions that IT governance will make. The top level of the IT governance structure needs to include those who are empowered to make these decisions. If it is the executive cabinet or the CIO, that group or person will need to be included at the top level of the structure.
Note that this does not necessarily mean that the executives must be part of a standing committee. While some institutions take this approach, at others the CIO brings in executives who have a stake in particular decisions on a case-by-case basis. A diagram of the structure can reflect the executive role in decision making, but in practice the stakeholders at the top level may vary. Regardless of whether the structure is composed of a committee at the top, what's important is for the decision-making responsibilities to be clear and for the process to be well understood and predictable.
If IT governance is sponsored farther down in the IT organization, such as in the Project and Portfolio Management Office, it is still important to determine who has the overarching responsibility for approving IT governance decisions and to consider how they will be included in the structure.
A RACI analysis that determines who is Responsible, Accountable, Consulted, and Informed for decisions can help shape the structure. Those who should be consulted on decisions may form advisory committees, while those who are responsible and accountable for decisions should be included in the IT governance decision-making structure.
What Is the Role of IT Governance?
You should determine what kinds of decisions IT governance will make. If the role of IT governance is to endorse decisions made elsewhere, you may need a less complex structure than if you want IT governance to make decisions in many domains. For example, will IT governance have a detailed project prioritization or resource allocation role or will it serve only to review and endorse large expenditures? Should it address smaller-scale projects or be limited to prioritizing large, enterprise projects? Will it be limited to signing off on IT policies proposed by central IT or will it have a role in determining IT strategy for the institution? or?
Is IT governance expected to make decisions or serve in an advisory role? What is the scope of IT governance: will it apply to the entire institution or only to central or enterprise IT? The answers to these questions impact the breadth and depth of the structure as well as appropriate stakeholder inclusion.
For example, If IT governance is intended to have decision-making responsibilities, a more hierarchical structure may be needed, while if it is entirely advisory in nature, a flatter structure may be more appropriate. Structures intended to solely to advise central IT may be designed in part to reflect the structure of the central IT organization, while those with a comprehensive decision-making role for both central and distributed IT may require a hierarchical structure composed of committees that reflect the institution's IT strategy.
How Is the Institution's IT Strategy Organized?
IT governance should align with the institution's IT strategy, which in turn should align with the institution's mission. If the IT strategy is aligned with the mission and is organized around areas such as research, teaching, and outreach, the governance structure should reflect those focus areas and the stakeholders should be drawn accordingly. On the other hand, if the IT strategy is organized around technology domains, the structure and composition of IT governance should be organized accordingly, with committees focused on areas such as security, communications, infrastructure, applications, support, and so on.
It is sometimes appropriate to create a structure that is largely organized around the mission but that has one or more IT governance committees specifically devoted to a technology area. This may occur especially around technology infrastructure and architecture decisions that require a level of technical knowledge beyond the typical IT governance participant's expertise. It is particularly important to distinguish between decision-making and advisory committees in this case.
In the End, Know When to Stop
"Everything depends on knowing how much," she said, and "Good is knowing when to stop."3
When you've answered the key questions and are ready to create your IT governance structure, think in terms of "just enough." You should have just enough subcommittees to match your strategy, just enough hierarchy to make good decisions efficiently, and just enough advisory bodies to provide the kind of feedback you need. IT governance needs to be agile and responsive to be effective, so it is important to avoid designing an excessively bureaucratic structure. The more complex it is, the harder it will be to maintain good communication and effective processes.
Most importantly, the campus community must be able to understand the IT governance process. Research indicates that the best predictor of a successful IT governance process is the degree to which people in leadership and management positions in an organization can describe it.4 It is difficult to get buy-in to a structure that requires a concordance to navigate. On the other hand, a well-designed structure gives the community a credible decision-making process, and that is ultimately what makes IT governance succeed.
Notes
- See Debbie Carraway et al., Higher Education IT Governance Checklist (Louisville, CO: EDUCAUSE, March 2017).
- See Joanna Grama and the IT GRC Advisory Committee, "Understanding IT GRC in Higher Education: IT Governance," EDUCAUSE Review, February 22, 2015.
- Toni Morrison, Beloved (New York: Knopf, 2006), 103.
- Peter Weill and Jeanne W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (Boston: Harvard Business Review Press, 2004), 13.
EDUCAUSE IT GRC Resources
EDUCAUSE provides resources that help you define and implement IT governance, risk, and compliance (GRC) activities on your campus. Learn more and view additional resources on the IT GRC website.
Debbie Carraway is director of information technology for the College of Sciences at North Carolina State University.
Joanna Lyn Grama is director of cybersecurity and IT GRC programs for EDUCAUSE.
© 2017 Debbie Carraway and Joanna Lyn Grama. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.