The next issue of EDUCAUSE Review is focusing on governance, risk, and compliance (GRC). Within a CIO’s visible spectrum are many infrastructure and service items (i.e., the things that a campus community expects from information technology), but the three areas of GRC often encompass hidden dangers that can derail a CIO’s more salient activities. I’ll talk about risk and compliance in a follow-up blog post. Here I’ll start with governance.
I come from a background in three higher education institutions where broader governance models—that is, models in which governance was shared with the faculty, students, and staff—were recognized as a vital part of how those institutions operated. Although each institution had a slightly different approach to shared governance, in all three it was logical to build IT governance on the foundation of the institution’s broader, shared governance paradigm. We built wide-ranging IT strategies and developed effective IT practices over the years at Indiana University and Louisiana State University with a strong dose of grassroots leadership through the campus culture. Most recently, at the University of Maryland, we’ve taken this same page from the playbook, and so far at least, we feel that excellent progress has been made: a formal IT governance structure was endorsed by the University Senate (86-0 vote!) and was convened this fall. In all three cases, we established IT governance by creating a sense of community involvement through crafting a strategic plan for information technology and then extending that process into a broader governance approach not just for the central IT organization but for the entire institution. By taking this approach to governance, we widened the responsibility (and authority) for information technology beyond the Office of the CIO. A good thing, yes?
Well, yes, it was a good thing for me, but . . . maybe not for everyone?
A recent conversation with a colleague reminded me, yet again, of the characteristic of “special snowflakes”: as CIOs, we are each truly unique in the cultures and the environments in which we exist. The IT governance model(s) that I described above, the ones that worked so well at three institutions, were not going to work for my colleague at his institution because its culture relied on a more “corporate” approach to its decision-making and operation: input was valued and accepted, but at the end of the day, directions were established centrally. For all I think I know about building governance models that truly do work, my experience and best-practice write-up—plus $4.75—would get my colleague a decaf tall mocha cappuccino light, but not much in the way of a working governance structure, or even a pathway toward one, at his institution. In fact, it might cause him difficulties with his corporate-like administration.
My method is to involve the faculty primarily, since they are often the drivers (if sometimes indirectly) of institutional decision-making. But even in a faculty-driven shared governance environment, to assume that success will come by appealing to individual constituencies, such as the faculty (or students or staff), would be facile (and perhaps fatal). And of course beyond the hopelessness of trying to please or appeal to any given segment of the campus constituency is the challenging fact of the diversity in thinking within these groups—in addition to the diversity between these groups! Besides, your institution may have a particularly strong focus on deans and department heads, or your institution’s president/chancellor and provost may have strong notions about the central administration’s role (including the CIO’s) in decision-making; your idea of “governance” through a campus constituency may thus cause chafing and the perception that you’re apple-polishing to build a coalition behind your agenda by going “straight to the people.”
The conversation with my colleague illustrates that, too often, we try to seek out a best practice—in this instance, for governance—when one simply does not exist for what we need. A best practice for producing a square peg does little good for getting that peg into a round hole! In this case, a best practice is having a governance structure that will work—rather than a particular governance approach that may not fit your institution, regardless of how successful that approach has been elsewhere. Rather than spending our time trying to determine the perfect governance model, we need to help each other explore alternatives that are working at given institutions and try to understand why they work as they do, as well as whether they might work for us.
There is no right or wrong governance model; there is only what we do. In whatever way governance is achieved—from community-driven shared governance approaches to top-down approaches and all points in between—IT strategy cannot be left to the CIO alone. Doing so undervalues the importance of information technology to our institutions now and in the coming years. IT strategy is not just our responsibility—it is everyone’s. Governance should be about creating, implementing, and delivering on an IT strategy, regardless of the manner in which we accomplish governance in our given institutional settings.