Projects >> IT-Governance

Background

The UF-HSC Information Services Advisory Council realized that a number of issues listed on the ISAC Issues List were related to governance for Information Services in the Health Science Center (HSC). (See the Minutes from the December 2005 meeting for details.)

A small team was charged to research governance and to report back to ISAC. A significant number of references were accumulated from a variety of sources including books and articles, the Educause Web site (EDUCAUSE is a nonprofit association whose mission is to advance higher education by promoting the intelligent use of information technology), web sites from other educational institutions, and material created by Peter Weill and Jeanne W. Ross from the Center for Information Systems Research at MIT's Sloan School of Management.

We have summarized the ensuing research findings pertaining governance in this set of web pages.

Formal definition of Governance: Specification of the decision processes, rights and accountability framework defining how policies, resources and architectures are established, deployed, used, managed and enforced.
A less formal alternative definition: Decision rights and accountabilities between groups.

back to top

What is NOT Governance?

• Governance is not just how groups are organized and led.
• Governance is not about bureaucratic rules and regulations.
• Governance is not management.

IT Governance: Decision rights and accountabilities to encourage desirable behavior in the use of IT (Peter Weill at MIT's Sloan School of Management provided this definition):

• How are information and technology related decisions made? (selection, deployment and use)
• Who gets to make the decisions?
• Who has input?
• Who is responsible and accountable and for what?
• What are the processes?

IT governance is about determining WHO systematically makes and contributes to decisions, not about making specific IT decisions (Management does that). Since IT planning processes have changed over the last few years (There are virtually no static multi-year plans left. Planning and executions happen simultaneously.), a clear and smooth operating Governance structure is needed for allowing well informed information and technology decisions to be made effectively, transparently and quickly.

back to top

What is the decision domain of IT Governance?

• Defining role of IT in the organization. (Defining the underlying Principles. Define how we use IT to our advantage)
• Decisions involving infrastructure strategies.(How and by whom)
• Decisions involving systems and services architecture (Compatibility and Integration)
• Defining who is responsible and accountable for what?
• Decisions regarding business applications (How, by whom and at what level)
• Defining Investment and Priorities (How much, how and by whom. E.g. Squeaky wheel, Golden rule)

'Effective governance processes are characterized by both methodological comprehensiveness and social interventions, involving strategic integration of business and IT decisions and building collaborative relationships and shared understanding among key stakeholders.' (Ribbers, Pieter et al: 'Designing Information Technology Governance Processes: Diagnosing Contemporary Practices and Competing Theories. Proceedings IEEE on Systems Sciences')

back to top

Toward Good Governance

Good governance and decision making in higher education institutions is impacted by (Source: Educause Material):

• Institutional characteristics
• Culture and Climate
• Private vs. Public institutions
• Research Intensive, comprehensive vs. Liberal Arts and Sciences. (Research demands a diverse and robust IT infrastructure. Standards are less likely to be in place.)
• Size does matter
• Sources and level of funding
• In well funded institutions the leveraging of resources is less of an argument
• Needed is a predictable stream of operational and capital funds (Need to understand the degree of risk the institution is willing to take)
• Leadership style
• Leadership style of the CEO and other exec officers
• Vice Provost vs. Vice President
• In academic institutions the CIO needs to report to the academic leadership
• Formality of planning
• IT planning should align with the institutional planning mode
• Organizational culture
• For most day to day activities, culture determines how things get done.
• Mistrust and silos make good governance difficult, if not impossible. (Too much time is spent on politics)
• Decision making style
• Decision making style of the CEO and other exec officers. Highly centralized decision making structures are less likely to be effective
• Type of IT leadership structure
• Having a seat 'at the table' is crucial

Elements of good governance

• Well defined governance bodies (base them on items listed above)
• Well defined roles of the decision making groups
• Well defined interrelationships with various other IT groups (Understand central and Unit roles)

Other elements impacting IT Governance:

• Top Level Understanding and Support:
1. CEO understands importance of IT to all sectors of the institution
2. CEO understands that changes in IT organization and decision making are needed
3. CIO receives significant executive power
4. CEO concurs with concept of using a formal IT planning and management model linked to budget and personnel evaluations
• Type of CIO
1. CIO needs to be 'at the table'
2. CEO needs to be personally involved with the CIO helping designing and implementing the governance structures
3. Clearly defined CIO position and role: CIO involved in general decision making, not just IT
• Definition of Policy and Decision Making Roles
1. Desirable to have a IT Policy group made up of key decision makers from across the institution. Responsible for: Deriving policies, approving major institutional IT initiatives, approve the IT plan, make detailed recommendation regarding the allocation of IT resources, both central and distributed.
2. Establish advisory committees for areas such as:
• Academic issues
• Administrative issues
• Student issues
• Definition of Central and Distributed IT Unit Roles
1. Central Unit Roles clearly delineated and defined
2. Distributed IT Unit Roles clearly delineated and defined
3. Relationship between Central and Distributed components clearly delineated and defined
• Definition of IT Planning Style
1. Link strategic planning with management, have objectives tied to budget, and have assigned personal responsibilities to managers.
2. Refresh plan every year, with a 3 year rolling planning cycle.
3. All distributed IT Unit plans are part of the final plan and all segments of the client community were involved.

Critical Success Factors:

• Ensure there is a philosophical fit between the CIO's style and the CEO's
• CIO position is a the cabinet level and CIO establishes relationships within the group
• Match Governance structure to decision making style of the Institution
• Align IT Planning with Institutional Planning. Link it to budget and Unit and individual performance
• Build processes into governance that focus on alignment and trust development between all Units and their clients
• Carefully develop role definitions and care for them over time
• Build various and continuous feedback loops in all processes
• Asses results fro processes and report them to all IT constituents
• Remain open to adjusting processes and have a methodology defined to do it
• Educate constituents; communicate to them the vision, opportunities for involvement, annual objectives, and results

back to top

The Weill and Ross model

Based on extensive research and their experience with a large number of both European and American enterprises, Peter Weill and Jeanne W. Ross have published several articles, including a book, on their findings. They developed a model that outlines a constructive approach toward IT governance. The material below is based on their published material (See references).

They define IT governance as: the decision rights and accountability framework to encourage desirable behavior in the use of IT.

(Example of desired behavior could include: responsible use of IT, business driven decision making regarding IT, tracking the value of IT, and so on.)

Weill and Ross identify three components of governance:

• IT Decisions Domains; What are the key IT decision areas?
• IT Governance Archetypes; Who decides or has input, and how?
• Implementation Mechanisms; How are decisions formed and put in place?

back to top

IT Decisions Domains

The five key decision domains they identified to define the scope of IT are:

• IT principles; High level statements on what the role is of IT and how IT will be used. E.g. Utilize industry standards, Rapid deployment of new applications, Reuse before buy; buy before build.
• IT infrastructure strategies: Strategies for the base foundation, centrally coordinated services; how should these be priced; how to keep these up to date. e. g., network, shared data, etc.
• IT architecture; Set of technical choices to guide the organization. The architecture is a set of policies and rules that direct the use of IT, including technology, data, applications, etc.
• Business application needs; Specifying the needs for purchased or internally developed systems.
• IT investment; Decisions about how much and where to invest in IT including project approvals, justification techniques, and post implementation continued review of value to the organization.

back to top

IT Governance Archetypes

The next component of their governance framework identifies the people or groups of people involved in the decision domains; who decides or has input, and how. Weill and Ross suggest 6 archetypes (The translation into in HSC language is ours):

1. Leadership Monarchy; A group of, or individual senior managers (SVP; VP; Dean, Chair). Senior IT manager does not act independently.
2. IT Monarchy; Individuals or groups of IT senior managers.
3. Feudal; Unit leaders, key process owners or their delegates.
4. Federal; Shared by HSC senior management and other College/Unit senior management. May include senior IT management.
5. IT Duopoly; IT senior management and one other group, e. g., HSC senior management or College/Unit senior management.
6. Anarchy; Every Unit or even users act and react independently.

(The 'Anarchy' archetype is only included for completeness. It is not considered to be a desired outcome, only a reflection of current state.)

A table can be constructed that ties the two together into a one page framework:

	IT Principles		IT Infrastructure		IT Architecture		Business Applications		IT prioritization and Investment
	In	Dec	In	Dec	In	Dec	In	Dec	In	Dec
Business Monarchy
IT Monarchy
Feudal
Federal
Duopoly
Anarchy
legend:     In: Input Rights     Dec: Decision Rights

NOTE:
This table can be used to document the current state as well as to guide the efforts toward the desired state.

back to top

Implementation Mechanisms

The last component of the model deals with how governance is implemented; What are the structures, processes, and supporting structures.

Their model provides the following categories of mechanisms to specify how the decisions will be enacted:

• Decision making structures: who is responsible, who is accountable. (Typically Councils, Committees, and their interrelationships, budgeting and approval processes, and so on)
• Alignment Processes: making sure decisions achieve the desired outcome. (Typically the IT organization as a whole, SLA's, metrics, and so on)
• Communication Approaches: disseminates governance processes and individual responsibilities to those who need to know. (Meetings, documented procedures, portals, and so on)

OK, so now what?
The Weill and Ross framework can be used to help create effective IT governance. They suggest the following process:

• Use the table framework from the previous page to examine and document the 'current state' (the existing situation).
• Define the desired objectives and the associated behavior.
• What IT governance do we want to have in place to attain de desired objectives and behavior.
• Identify the performance goals for the governance including metrics, roles, responsibility and accountability.
• Start the (difficult) transition from the 'current' to the 'desired' state.

Their research identified a number of characteristics critical for effective IT governance:

• Transparency; make the governance processes transparent to all.
• Actively design governance; the process is NOT: IT governance by default.
• Know when to redesign governance; changing governance structure is a major undertaking and should not be done frequently.
• Educate about governance.
• Good governance requires choices; good governance structures are simple and address a small number of goals and metrics.
• Create a solid process to handle exceptions; A clear process brings the issues in the open.

Weill and Ross believe that not having governance in place results in an uncoordinated set of mechanisms created and implemented at different times, each addressing an immediate and often local issue. The end result of this would be an ineffective structure to align with the needs of the organization.

Pages created by Jan J. van der Aa using various material with assistance from Marian Boyle and Tom Jordan.

back to top