The H.W. Questions are end of this content based on case study reading and analysis

A Case Study of Improving Information Technology Governance in a University Context

Michael Hicks, Graham Pervan, and Brian Perrin

Curtin University of Techology, Perth, Western Australia

Abstract. The objective of this study is to explore the criteria of effective information technology governance processes employed in universities and their impact on the diffusion of appropriate technology to the base level users. From this analysis, we hope to develop a set of best practice guidelines for IT governance and related processes in respect of universities. This will realize significant benefits by providing a reference model or benchmark based on the key characteristics of IT governance that are most effective in achieving high levels of IT and business goal alignment, effective use of IT resources, and IT risk management. A large Australian university that is currently undergoing a major restructure of its IT governance process was selected to be the subject of this case study involving interviews and a survey of internal stakeholders. The results indicate there are still some problematic issues, but overall there is a perception of significant improvement in key areas of IT governance. Additionally the recognition by the university that IT governance is an ongoing process seems indicative of an IT governance structure that is rapidly improving in all accepted measures of effectiveness. A healthy sign of a good governance structure in this case is the IT governance-aware attitude of key members of the executive management. The survey results illustrate the effect IT governance constructs may have on the diffusion of technology in larger organizations where key business functions, such as research, rest substantially at the individual level. In this case a lack of lower-level consultation is perceived by staff as an impediment to the diffusion of technology appropriate to meeting user IT needs. Keywords: IT governance, business alignment, IT resources, university governance, mechanisms of IT governance.

1 Introduction

Universities are highly dependent on the institutional processes that use information to support their research, administration, and teaching activities. Information technology governance within these organizations guides, at the strategic and operational levels, these institutional processes. This study investigates the processbased relationship between the key constructs and mechanisms of IT governance typically found in universities and the level of effective IT governance that the university achieves. As such, it explores the manner in which systems to capture, create, and use information are developed and integrated within the organization. This contributes to the continued discussion of IT governance in various organizations in keeping with prior International Federation of Information Processing (IFIP) 106 M. Hicks, G. Pervan, and B. Perrin conferences. Examples include papers presented on IT governance practices in small and medium-sized enterprises. This study expands this discussion to larger-scale organizations. The degree of success in IT and business goal alignment, effective use of IT resources, and IT risk management are considered essential outcomes of effective IT governance and are used as indicators of the level of effective IT governance that the university has demonstrated. IT governance from a structural and process point of view, including the typical characteristics of IT governance, is well covered in the literature. However, the approach to IT governance from the perspective of its impact on the three key outcomes of IT governance in the context of Australian universities is relatively unexplored.

2 IT Governance Research

2.1 IT Governance Importance

Business dependency on IT has been described as extreme, with IT now becoming pervasive in most organizations. IT departments are demanding an ever-expanding amount of financial and other organizational resources to achieve their promised, but never quite realized, potential. It is clear that effective IT governance has many characteristics, although it is equally clear that the omission of any particular one is not determinant of a defective or nonexistent IT governance function. This is emphasized by the many different approaches adopted in analyzing IT governance. Weill and Ross, for example, use a structured definition with the focus on the decision making rights and "accountability framework" an organization instigates in respect of IT decisions. By contrast the IT Governance Institute of ISACA and the Standards Australia Committee on ICT Governance and Management take a process based view of IT governance, looking at a "system established within an organization" to direct and control IT now and in the future. This approach entails a wider, more pragmatic list of IT governance determinants, such as extent and richness of communication between business and IT management and use of multi-constituency measures of success as well as many other mechanisms and processes.

2.2 IT Governance Decision Structures

As part of a general model for IT governance, Penrod recommended the creation of an IT policy group to make the high-level strategic IT decisions, with IT management responsible for the operational detail. Membership of the IT policy group would consist of the university's key decision makers, including the CEO, CIO, and other executives from the functional areas. Penrod foresaw that the policy group would be supported by advisory committees formed for specific issues. Policy groups would consist of representatives from both the technical IT areas and all of the functional units of the university that would be stakeholders of the issues being considered by the advisory group. Intercommunication with the policy group was considered essential and would be achieved by the advisory committees having chairs on the policy group. A Case Study of Improving Information Technology Governance 105

2.3 Reporting Mechanisms and Metrics

CobiT puts forward that IT governance is achieved through control of IT, so it delivers the information needed by the organization by managing the risks and securing IT resources, and by ensuring IT achieves objectives. This includes the support of business goals through a twostep process. First, the control objectives of CobiT are used to determine the ultimate organizational goal of implementing and maintaining policy, procedures, structures, and best practices. This ensures the achievement of business objectives and prevents, detects, and corrects events of an undesirable nature. The second step is determining what should be measured and how it should be measured. This involves bench marking, determining IT goals and metrics, and establishing activity goals. There are a number of studies that have addressed particular aspects of IT related issues in university environments, and many that address corporate governance challenges, but there appears to be a limited amount of contemporary research of IT governance in universities. Penrod, discussed above, and Clark are examples related to IT governance in universities. Both dealt with the building of IT governance decision structures. These studies illustrate the increasing importance of IT governance in all organizations, including universities. There is, however, no universal model of which IT governance constructs will constitute effective IT governance in all organizations. What is clear from the literature is that there are a number of characteristics that appear to increase the likelihood that an organization will have effective IT governance. The studies that relate IT governance specifically to universities have found these general characteristics should also apply.

3 Research Methods The objective of this in-depth case study was to explore the criteria of effective IT governance as used within a large Australian university. Essentially this research maps the approach to IT governance employed within the case study university and then, based on qualitative and quantitative data analysis, determines how effective this approach appears to have been. The case study was selected on the basis that it was a large, very diverse university that had recently reviewed and restructured its IT governance structure. As such, it was expected to provide a rich source of data about IT governance effectiveness in Australian universities. The research initially employed a qualitative approach, collecting data through interviewing of key personnel as shown in Table 1.

Interviewee

Acronym Deputy Vice Chancellor (Academic) DVC

Chief Information Officer CIO

Pro-vice Chancellor PVC

Director of a Corporate Service Area DCS

Head of an Academic Area HOS

Director Research and Development DRD

Assistant Director Research ADR

Dean of a Faculty DF

Description Number

Total surveys distributed 186

Survey returned as no longer employed or on extended leave 6

Total valid surveys distributed 180

Completed surveys returned 53

Percentage response rate 29.4%

This includes the CIO, the DVC responsible for IT, and representatives from the core business functions of the university: teaching and learning, research, and corporate applications. These were selected from a range of faculties across the university. An interview protocol for each category of interviewee was developed to ensure a standardized interview instrument that assisted in both gathering adequate data and supporting the analysis of that data in the case study. The interviews were recorded, transcribed, then checked and verified for accuracy. Data was also gathered through the collection of documents, policies, and memos from various university sources. A survey of teaching, research, and administrative staff in the Faculty of Business was then undertaken to quantitatively assess how effective the IT governance structure was from a user's perspective. Table 2 outlines the details of the survey and response rates. Table 3 shows the response rates by the respondents function; the teaching and research category indicates that the respondent has significant commitments to both functions.

Table 3. Survey Response Rates by Main Duties

Main Duty of Respondent - Number - Percent

Teaching - 5- 9%

Research- 6- 11%

Both Teaching & Research -31- 59%

Administration- 8- 15%

Other - 3 - 6%

Total - 53 - 100%

4 Results

This Australian university offers a wide range of courses over a number of geographically dispersed campuses. It has experienced a rapid and substantial growth in terms of student numbers, which has continued over the last two decades. It has a A Case Study of Improving Information Technology Governance 105 number of faculties, each with substantial student enrollments. Each faculty is active in research as well as teaching and learning. As can be seen in Figure 1, each faculty was responsible for its own IT areas. A peak governing body, the Information Plan and Advisory Committee (IPAC), did exist to oversee the IT function. However, a second review by internal audit into ICT governance in the university in early 2005 made four key findings: 1. IPAC was not providing sufficient leadership in ICT. 2. At key points, accountability and role responsibilities were not clearly defined or designated in ICT related areas. 3. There was a lack of coordination and communication for ICT between faculties. 4. Risk assessment was incompleted and major ICT related risks had not been addressed. Based on the audit report, the DVC responsible for ICT concluded that user needs, at all levels, were not being met. There was also widespread duplication of ICT related resources and in many areas conflicting architecture and services. As a result of this second review into ICT governance issues, the university has begun to implement major changes in its IT governance structure. The focal point for the changes has been a major restructuring and adoption of a shared services model. Central features of the new structure were the following initiatives: 1. Chief information officer (CIO) position created with responsibility for all ICT university wide. 2. Establishment of an ICT strategy and planning committee (SPC) to oversee and guide ICT across the university. 3. Membership of the SPC to include representatives from all faculties and business areas, as well as the DVC responsible for ICT and the CIO. 4. Establishment of an enterprise architecture subgroup. 5. Establishment of an ICT projects subgroup. 6. Establishment of faculty subgroups each with a representative on the SPC.

4.1 Key Attributes of IT Governance

The personnel interviewed were each asked a number of questions that referred specifically to the effectiveness of IT governance as it related to their position and associated duties. The responses are discussed under the identified themes in the analysis, user relationship management, management support, IT governance mechanisms, strategic alignment, and use of IT resources, IT risk management, performance measurement, and future directions.

User Relationship Management: The CIO and the DVC are both aware of the importance of a good relationship with the user areas, not just as clients of central IT, but also to ensure the ongoing success of the implementation of the revised IT governance structure. This is done, specifically, by avoiding dysfunctional behavior such as acquiring IT assets and resources outside the guidelines established. The 106 M. Hicks, G. Pervan, and B. Perrin university has approached this in three ways: first, through communicating IT issues and plans direct to all levels of users; second, by securing user involvement in decision making; and third, by creating a better client experience. Richness, extent, and types of communication mechanisms established between business management and IT management is an important component of IT governance. Not so recognized is the importance of communication to the lower levels of users, which was evident in the case study. The interviewees representative of users below management level largely believe they are well informed and the effectiveness of the dissemination of IT related plans and information is clear from comments such as: "It came from the various IT people at the Center that we're doing this [adopting one staff email system] and this is why we're doing it. That information was transmitted and received successfully [by the area]" (DF). The CIO is cognizant of the importance of user consultation in ongoing IT operations as is evidenced by his plans to expand and formalize further user consultation, as suggested in the following quote: "I've created a director of client services and that directorate is responsible for beginning to develop a client service mechanism of feedback across all areas and to identify and adopt best practices in any one faculty." The degree of knowledge sharing between management, user groups, and the IT area within the university was another theme that evolved from the analysis relative to IT governance. Representatives from the corporate services and research and development areas, however, were critical of the reluctance of some central areas to share knowledge and data that the user areas required to service their ongoing business needs. These central areas were not under the ambit of central IT, but controlled data sources that were proprietary to their particular area of responsibility. This included the student services and finance areas. A typical example of this is the comment by the director of a corporate services area in relation to information held by the student services area There was also some dissatisfaction with the lack of consultation before designing and implementing corporate applications. An instance of this was a corporate system implemented by the finance area which drew derisive comments such as: "There was no regard to how schools operate or consultation with the main users. A lot of changes had to be made to the system because most schools could not work with the system that they brought in that they thought would be good for the area" (DCS). The dissatisfaction in the area of user consultation is supported by the survey responses to the following two statements included in the survey: (1) The effectiveness of IT in teaching would be improved by increased consultation with academic staff before decisions are made. (2) The effectiveness of IT in research would be improved by increased consultation with academic staff before decisions are made. Responses show that 57 percent agreed or strongly agreed in relation to teaching and 63 percent agreed or strongly agreed in relation to research. Although the interviews indicated lower-level support for the changes, it is clear from the survey results that the base level users are not participating to any large extent in the IT related decisions that directly affect their key responsibilities of research and teaching. This would appear to support the major concerns of the faculties about the increased centralization that was a major feature of the proposed restructuring of IT within the university; namely, that there would a substantial loss of responsiveness and flexibility that would directly impact faculties and individual users. A Case Study of Improving Information Technology Governance 105 The CIO is realistic in his assessment of the relationship with users and acknowledges this approach still needs further maturing, as illustrated in the following comment: "Do we look at user expectations? Not yet. We're probably not that mature." This indicates that decision making has not diffused to the lower levels of the organization. Given that research within the university largely rests with individuals, this is an impediment to meeting the technology needs of researchers. Such an obstacle to the diffusion and adoption of technology to meet researchers IT needs is also an impediment to the alignment of IT with the organization's key objectives related to research and teaching and learning.

Management Support: The VC (vice chancellor) accepted the necessity to review the IT governance structure in 2005 due to a widely publicized systems failure that had occurred a few years prior. As a response to the system failure, the current DVC responsible for IT was assigned the IT responsibility with a clear mandate to find out what was wrong and fix it. The degree of support given to IT governance by the VC and other executive management was considered important to effective IT governance. The support has been ongoing and the IT area has established a high level of credibility with both the university executive and the individual faculty executive. The support from the executive has continued and the CIO is confident that whatever resources are required they will be allocated. For example, "When I went to the P&MC [Planning and Management Committee], I had six papers up. The VC called me in and said we are not going to overrule you on anything. That sent the right message. If you put up a paper they would say fine. If I went in and said I need three million for this and our recommendation is to go ahead with this, I think we would get it." The increase in IT spending transparency has also assisted in getting executive level support for IT changes. The CIO attributes the increase in credibility and ongoing executive support, at least in part, to the visibility of where IT funding is going and, conversely, being able to identify where savings are able to be made.

Governance Mechanisms: Since the adoption of the shared services model, a number of mechanisms to enact good IT governance have been implemented. One of the first steps under the new structure was to appoint a CIO with university-wide responsibility for IT resources and services. The only major exception to his ambit is the library information service and this is subject to review in the next stage of the restructure. The CIO is a senior level position answerable directly to the DVC academic services, although this will also be changed shortly to make the CIO, as well as the CFO and Executive Director Properties, answerable to the Vice President Corporate Services. An IT steering committee was also established, consisting of representatives from all user areas, as well as from the IT area, and chaired by a representative from the university executive, being the DVC responsible for IT services. The membership of the body also helps to ensure efficient allocation of resources and provides an avenue for feedback to the user areas.

Strategic Alignment: The alignment of IT and business goals was a key issue raised in the study which has a strong link to IT governance as illustrated by Weill and Ross. The recognition of the importance of alignment is illustrated by a comment from the DVC responsible for ICT: "The university works on three year plans. We're about to go to five. Once the strategic plan goes to five, so will the ICT plan. 106 M. Hicks, G. Pervan, and B. Perrin The ICT plan is completely aligned with the strategic plan. That's essential." As a result of the IT governance review, several mechanisms have been developed to assist in the alignment of IT and business goals. These have occurred at the strategic level to ensure university-wide alignment, and at the faculty level to ensure that faculties retain a voice in the IT planning process, as well as to assist in the alignment of IT with the goals and strategies of the individual faculties. The principal mechanism is the inclusion of the faculty ICT representatives on the ICT steering committee as well as a student representative. Both the CIO and the DVC responsible for ICT are also on the committee, the latter as the chair. The membership of the ICT steering committee is in accord with that recommended by Penrod and in itself should assist alignment. Although aware of the ICT steering committee and its role, representatives from all areas indicated that they prefer to contact the CIO or DVC direct to raise issues. Problem resolution, even for strategic ongoing matters, was most likely to lead to circumvention of the formal reporting mechanism to the ICT steering committee. Typical of the reasons for this was the perceived time delay and chance of success of a submission to the ICT steering committee, as illustrated by the comment given by the corporate applications area: "I'm not waiting for a committee to decide whether I need the information or not" (DCS). The DVC sits on the University Council, the strategic business decision-making structure for the university, and the Planning and Management Committee (PMC). The CIO has a standing invitation to sit on the PMC but has so far chosen not to attend due to his confidence in the DVC to represent IT at that forum. As suggested by Penrod and by Sheehan, this cross membership of IT and business strategic planning committee's helps in alignment. The ICT enabling plan was construed as another opportunity to assist alignment of IT with the individual faculty strategies. This was done through focus groups using representatives from all areas and faculties across the university. This process has been followed since the decision to move to a shared services model. The ICT enabling plan has been reviewed several times by the ICT steering committee and progress against outcomes monitored and reported on. Its practicality and usefulness is shown by the CIO's statement: "It's a real plan...it's quite a reasonable living document." The strategic business plan has key objectives related to increasing research quality and output as well as improvements to teaching and learning. In these areas, as the survey results have indicated, alignment may not have been optimized as key participants at the individual level believe that there is not sufficient consultation with them prior to IT decisions in these areas being concluded. Generally there appears to be strong alignment at the higher levels in the university but much weaker alignment at the lower, operational levels.

Use of IT Resources: The IT Governance Institute acknowledges the optimization of costs through adoption of standardized approaches as one of the outcomes of good IT governance. For the university represented in this case study, the move to a shared services model appears to have led to a rationalization of IT resources and their more efficient use. In many faculties, this has resulted in a reduced investment for the same level of IT resources and services. Representative from all areas acknowledged the improvement in the efficient use of IT resources. In several cases, there was an indication of some increase in bureaucracy and a reduction in flexibility in using and procuring IT assets. Overall, however, the outcome was accepted as positive, as shown A Case Study of Improving Information Technology Governance 105 in the following comment from a teaching and learning interviewee: "It's a better utilization of services because now we've got [a] better load factor in our laboratories. We have to book it in advance and that sort of thing but provided you do the right thing you don't end up with a problem" (HOS). Faculties have demonstrated a cooperative attitude to centralization and better utilization of IT resources that were previously under their individual control. This is due in no small part to a consultation process that recognized the specialized needs of some faculties. The centralization of IT services under the shared services model has seen a rationalization of IT services across the university. Some of the more radical situations were illustrated in the following comment from the CIO: "We had 13 email systems. Now we have two, one for students and one for staff. We had two learning management systems, WebCT and Blackboard, we are now moving to one. We had multiples of all sorts of things, multiple servers, and multiple data centers. The staff said it was because they could never think holistically as an organization in respect of IT. I think the executive deans and the senior managers weren't prepared to deal with this and simply said we need to devolve this responsibility somewhere else." The unnecessary duplication of IT services and assets was used as one of the major selling points for the shared services model. The success of this campaign was illustrated in that each user interviewed reiterated the essence of the CIO's comment above. At an early stage in discussing the proposal to implement a shared services model with the faculties, cost savings was rejected as the principle driver of the changes. Money was saved due to rationalization but it was incidental to the improvement in IT governance. This attitude was seen by the DVC and CIO as a crucial point in gaining the support and cooperation of the faculties in the rationalization of IT resources through increased centralization. IT Risk Management: One of the principal drivers of the review of the IT governance structure was a concern about the lack of risk management in respect of IT related threats. The concern at that point was clear from the DVC's comment: "Everyone was holding me accountable and I realized I controlled 22 million, there was another 30 million [IT resources] out there of which I had no control and people doing what they want. Now [under shared services] all money and all people report through the CIO to me." Risk management is strongly supported in the literature as an essential component of IT governance. Additionally, IT governance as a component of corporate governance requires the board of directors to oversee management activities, including the risk management and internal control functions. The centralization of the control of IT resources in itself provided the potential for risk management and established clear accountability for many aspects of IT resources and services. To capitalize on the potential, a regular reviewoften facilitated by an external risk management consultant of IT related risks is undertaken. This process involves identification of the risks, strategies in place to mitigate the risk, and an assessment of the residual risk to ascertain if it is in line with the risk appetite of the university. The risk reviews have been undertaken annually since the acceptance of the shared services model and revised IT governance framework in 2005. Consideration is being given to conducting these reviews on a six-month cycle. 106 M. Hicks, G. Pervan, and B. Perrin

Performance Measurement: Appropriate monitoring mechanisms and associated metrics to monitor strategic-level IT initiatives have been associated with effective IT governance. Both the CIO and DVC have access to a wide range of metrics regularly produced from established feedback mechanisms as well as performance metrics that can be produced on demand from regularly generated and retained systems data. The range of metrics collected and regularly disseminated is being expanded to include more operational level data, such as help desk response times and user satisfaction with the outcome of a call. The metrics produced for the CIO are generated directly by the central IT area. Surveys of students and staff are conducted and measured against prior surveys to gauge whether satisfaction levels are improving and to identify areas where improvements may be necessary. The intention is to make the surveys an annual undertaking, although at the moment that has not been formalized. The DVC tends to be more concerned with strategic-level indicators such as how many minutes per year the university was visible on the web, how many minutes of downtime on student and staff systems, and how often the EFT transfer for payments was late. The metrics for the DVC are extracted independent of the central IT area by a team of three analysts that report directly to the DVC. Bench marking is used to report on systems achievements. The DVC's opinion of the performance measuring process was given in the following comment: "These are very clever ways of knowing whether your system works or not. Metrics are produced by a team of three that work independent of the IT area and answer direct to me. Data from the system performance is compared to targets."

Future Directions: The CIO and DVC responsible for IT both see IT governance as an ongoing dynamic structure. In addition, they are aware that while they believe substantial progress has been made toward an effective IT governance structure, there is more that needs to be done to advance the shared services model. In this regard both have expressed dissatisfaction with some systems and are constantly reviewing what has been done and are considering future directions for all areas of IT governance (for example, outsourcing). They are continuing to advance other systems, such as the staff portal and the library information system. The ongoing and dynamic nature of the university's IT governance environment is summed up in the following comment from the CIO: Attribute of Good Governance Initiative 1 User relationship management Sharing of knowledge Communication Client service feedback Consultation with users 2 Management Support DVC championed VC supportive PM & C supportive A Case Study of Improving Information Technology Governance 105 3 Governance mechanisms CIO responsible for all IT IT steering committee Implementing governance frameworks 4 Strategic alignment Alignment of planning time frames Business representatives on IT steering committee DVC for IT on strategic business committee Faculty voice on IT steering committee 5 Use of IT resources Centralization of IT functions 6 IT risk management Clear accountability for major IT areas CIO responsible for all IT Regular risk management reviews 7 Performance measurement Regular strategic measures to DVC Regular operational measures to others

5 Conclusion

The case study university identified serious shortcomings in its IT governance structure. In response to these findings, several initiatives were implemented. These are summarized in Table 5 relative to the attributes of good IT governance. The degree of success the case study university has achieved with each of these initiatives varies and several are still maturing. In particular, lower-level user consultation and lack of involvement before acquiring technology is perceived as a severe shortcoming by many staff. This is of particular concern in organizations, such as universities, where many of the strategic objectives are highly dependent on the individual's efforts. In particular, the importance of IT governance in designing effective systems to support research and teaching through the capture, creation, and use of information may not be operating as efficiently as possible. In addition, performance measurement and appropriate metrics still lack a comprehensive and structured implementation in many important areas. These aside, it is clear from the survey and interviews that significant improvements in IT governance have been made. Conceptually the model the university is working toward is a dynamic one, where it is acknowledged that part of the process is constant review based on regular feedback from a wide range of performance measures. Enabling the ongoing development of this model of IT governance is the governanceaware attitude of key members of the executive management. Contrary to expectations, although ultimately important, high-level management support for the IT governance restructure was dependent on first securing faculty and lower-level support. Lower-level user support has also been a feature considered critical 106 M. Hicks, G. Pervan, and B. Perrin by IT management to the continued successful operation of the revised IT governance structure. This finding contributes to the existing conceptual understanding of the role of user involvement in effective IT governance. The case study also confirms prior research into the effectiveness of IT governance and supports that it can be applied to universities. The major limitation of the research is that it examined only a single university. This also means that only the shared services model, which happened to be the one the case study was implementing, was examined. Given the number and diversification of universities in Australia, this prevents any meaningful generalization of the results. It further prevents the valuable insight provided by cross-case analysis. However, the single case is still valuable and provides a rich context. In this study, the context has been established through qualitative data gathered through document searches and eight in-depth interviews of representatives from various positions in the university structure. In addition, quantitative data has been gathered through a user survey. Future research is planned by expanding the study to other cases from a wider range of universities throughout Australia and across different types as specified in the literature. Further research is also needed to ascertain whether the results of this study can be applied to other organizations, in particular those that rely on creativeness of lower-level users to drive the business, as is the case with research in universities.

Q1. What are the IT Governance Importance?

Q2.What is wrong with IT Governance Decision Structures in this case?

Q3. Explain in detail Key Attributes of IT Governance

User Relationship Management:

Strategic Alignment:

IT Risk Management:

Q4. What is the major disadvantages of case study?