IT Governance Framework Western Illinois University September 2013 Developed by: Subcommittee on IT Governance of the University Technology Advisory Group v8.7 2 11.6.2013 TABLE OF CONTENTS EXECUTIVE SUMMARY ........................................................................................................................................ 3 OBJECTIVES ............................................................................................................................................................ 4 FRAMEWORK MODEL ......................................................................................................................................... 5 PRINCIPLES ............................................................................................................................................................ 6 DIAGRAM OF PROCESS FLOW AND MEMBERSHIP .................................................................................... 6 PROCESS FLOW ..................................................................................................................................................... 7 OWNERSHIP OF THE IT GOVERNANCE PROCESS ....................................................................................... 8 IT GOVERNANCE COUNCIL MEMBERSHIP .................................................................................................... 9 MEMBERSHIP OF THE ALLIANCES .................................................................................................................. 9 IMPLEMENTATION TIMELINE ....................................................................................................................... 10 WORKS CITED ..................................................................................................................................................... 11 v8.7 3 11.6.2013 Executive Summary Governance “is the single most important factor in generating…value from IT,” and it is a critical success factor for the University. It engages the entire University community as a fullfledged partner in IT decision making. Through the governance process, major IT decisions are made in light of all technology needs throughout the University. Properly implemented, it cuts across all colleges and business units (eliminating technology silos) and has the authority to make decisions for IT projects that are above a certain spending threshold or meet other established and published criteria. Given limited resources and the current economic landscape, significant technology investments need to be thoroughly vetted against the backdrop of the IT priorities of all the colleges and University business units. Recommendations are made to the owner of the governance process, who has the final decision regarding implementation. If the owner accepts a proposal, he/she is responsible for its implementation (Weill and Ross, p. vii). Existing IT committees, such as the University Technology Advisory Group (UTAG) and the Technology Cabinet, have helped to increase communication about and visibility of IT initiatives. These committees, however, were not charged nor structured to implement true governance. We should not inhibit the implementation of IT governance at Western Illinois University based on currently implemented structures. Throughout the spring, summer and into the Fall semester of 2013, a subcommittee of UTAG and others have been working on an IT governance proposal that includes elements of other universities’ implementations, adapted for implementation at Western Illinois University. The committee envisions that all segments of the University will be represented in the governance process. All meetings will be open, and each IT governance committee will publish their minutes so that the process of decision-making is transparent. While the UTAG’s subcommittee has specified the positions that will serve on the IT governance committees (called Alliances), senior administration will determine who will be on the Council (the decision making IT governance group) and who the owner of the IT governance process is. The subcommittee recommends that either the President or the CIO assume the ownership role. Implementation of this governance plan is contingent upon the Board of Trustee’s approval of the new 2013-2018 IT Strategic Plan, which calls for the creation of IT governance. In the meantime, processes and forms are being developed and refined. Members of the IT governance will be recruited with assistance from the President’s Cabinet, the Faculty Senate and the student government associations. The first meetings of the IT Governance groups are planned to take place at the start of the Spring 2014 semester. v8.7 Objectives 4 11.6.2013 This proposal seeks to establish an IT governance model at Western Illinois University to improve consistency in how IT decisions are made across campus while fostering communication and transparency. The proposed structure is designed to promote efficiency and flexibility across all University constituencies. This document, however, does not specify all aspects of the proposed governance process; those will need to be vetted prior to implementation. It is also anticipated that the plan will evolve as the University gains experience with IT governance and improves its processes. Governance separates the decision making process from the implementation process. It can be defined as “Specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT” throughout the organization (Weill and Ross, p. vii). The COBIT and VAL IT framework states that the “purpose of IT governance is to direct IT endeavors, to ensure that IT’s performance meets the following objectives: • Alignment of IT with the enterprise and realization of the promised benefits • Use of IT to enable the enterprise by exploiting opportunities and maximizing benefits • Responsible use of IT resources • Appropriate management of IT-­‐related risks” (IT Governance Institute, p. 3) In general, most members of the University community have little insight into the operations of IT, and they may question the return value of the University’s investments in technology. In this respect, IT governance improves transparency and communication. In addition, it can provide efficiencies in software licensing and the acquisition of hardware through streamlining and standardization. As noted above, the need for risk assessment and compliance are also driving factors for IT governance. Given the current fiscally challenging times, competing IT priorities across the University must be vetted and prioritized by involving the campus community in the process of IT decision making. The IT governance model outlined in this proposal was developed by UTAG. The subcommittee gratefully acknowledges George Kahkedjian, Vice Chancellor of IT, for sharing how Maricopa Community College implemented their IT Governance model. v8.7 Framework Model 5 11.6.2013 The model envisioned, graphically depicted on page 7, has similarities to the Faculty Senate’s governance at many universities. It consists of one overarching IT Governance Council (Council) with a few subcommittees called Alliances. The Council, which has authority to make recommendations and identify funding, is co-­‐chaired by the Owner of the IT governance process and another member of the Council. The Alliances are working groups representing different major interests within the University as they relate to information technology. Each Alliance chooses whether to reject or approve requests for technology-­‐related improvements that it receives from the University community via the Executive Committee. Upon approving a request, the Alliance collaborates with the college, department or student entity to complete a formal proposal for eventual consideration by the Council. Each Alliance may be working on multiple proposals at once. Each Alliance has two co-­‐chairs elected by the membership of the Alliance. One of these co-­‐chairs is designated to represent the Alliance on the Executive Committee. Alliances are relatively small in size. Alliances may form subcommittees as needed to help make informed decisions and help ensure invested groups are involved in the process. One of the co-­‐chairs from each Alliance also serves on the Executive Committee. This coordinating body schematically sits between the Council and the Alliances. It serves as a single point of contact for the University community to submit proposals and screens proposals to ensure that the required information is codified. The members of the committee elect a chair. The Executive Committee does not make decisions regarding any proposal and serves to channel proposals to the appropriate Alliance. It also accepts completed proposals from the Alliances; ensures the form(s) are complete; and after receiving input regarding security and support issues, forwards them to the Council for consideration. The Executive Committee is also charged with creating temporary Alliances as necessary. The Executive Committee can also make recommendations to the Owner to improve IT governance processes, including what types of requests do not need to be vetted. The Owner is the person for which IT governance is instituted. He or she is responsible for information technology at the University and makes the final decision on whether to implement each of the prioritized recommendations of the Council. The Owner is responsible for the implementation of anything he/she accepts. The Owner has the prerogative to implement an IT initiative without formal recommendation by the Council. All University constituencies should have representation in one of the Alliances or the Council. IT staff members in any capacity (including those in University Technology) work with the Alliances or Council in advisory capacities. v8.7 6 11.6.2013 Principles There must only be one IT Governance Council for both academic and administrative processes. • The President must sanction IT governance in order for it to be effective. • This governance must cut across all University areas and address major IT needs that affect the University. • Some aggregation of IT funding across the VP divisions may be required in order to achieve efficiencies. In order to be vetted through the IT governance process, requests from the University community for technology-­‐related improvements should meet at least one of the following criteria. • It impacts the University significantly from a directional, policy, services, systems, security, financial process, operational or strategic perspective. • It requires significant funding. IT expenditures exceeding a designated threshold of $15,000 will be vetted through the IT governance process. • It integrates with one or more existing systems. (Example: A new system requires interfaces with an existing financial module.) While the Council may need to meet only once or twice a semester, the Owner may call it into session whenever deemed necessary. Alliances will need to meet more frequently, however. Because the Owner does not abdicate the responsibility for IT decision making, the Executive Committee may request that the Owner make a decision regarding a proposal if it is not possible to convene the Council before a time-­‐critical deadline. Transparency is critical. The IT Governance Council, the Executive Committee and each of the Alliances keep notes or minutes of their meetings. To foster transparency, all meeting notes are published to a website for the campus community to view. The Council and Alliances also use standard forms for proposals and other paperwork. Proposals are short, consisting of a couple of pages. In addition, the campus community may attend any of the meetings of the IT governance groups. Diagram of Process Flow and Membership The following diagram depicts the flow of a request/proposal through the IT governance groups as well as specifying the membership of the Executive Committee and the Alliances. Recommendations for the membership of the IT Governance Council are presented beginning on page 9 of this proposal. v8.7 7 11.6.2013 Process Flow The following steps outline the flow of requests and proposals through the IT governance framework. The numbers in the following explanation correspond to the numbers in the diagram above. 1. Requests from the University community for technology-related improvements are injected into the IT governance process by submitting them to the Executive Committee. The Executive Committee, which serves as a single point of contact, acts as a clearinghouse to ensure that requests flow through the governance process from start to finish. The Executive Council also ensures that the request meets the criteria delineated on page 6 of this proposal and that the same request is not being worked on by more than one Alliance. The Executive Committee, comprised of one of the co-chairs from each of the Alliances, determines which Alliance is best suited to consider and work on the request. A request is routed to the Instructional/Scholarly, Administration, or Marketing/External Alliance (but not more than one Alliance). v8.7 8 11.6.2013 The Executive Committee tracks requests and therefore can avoid duplicate efforts among the Alliances. Before submitting the request to the appropriate Alliance, the Executive Committee ensures that all required information is codified in the proper format. 2. The Alliance receives a request from the Executive Committee. The decision on whether to purse the request is based on decision criterion, including core versus context, importance versus cost, and alignment with the University and the IT strategic plans. If the Alliance elects to pursue the request, it may ask additional information from the original submitter and/or conduct its own research in collaboration with its advisory resources and other interested parties. Although not depicted in the diagram on page 7, the requestor may appeal to the Owner of the governance process if the Alliance rejects the request. The Owner has the option of asking the Alliance to do research and make a proposal. On the other hand, if the Owner denies the request, the decision is final. 3. The Alliance submits the completed proposal to the Executive Committee. 4. The Executive Committee distributes copies of the proposal to technical, security, risk, liability, legal, ethical, regulatory, policy, procedural, and other accountability reviewers. These reviewers are asked only to consider potential risks and issues. Their comments will become part of the proposal as it moves forward through the process. 5. Each of the reviewers submits a form to the Executive Committee indicating whether there are any issues or concerns with the proposal. As noted above, concerns may be related to IT security, capacity, support or legal/regulatory issues. 6. The Executive Committee submits the completed packet containing the proposal and any issues or concerns to the IT Governance Council. Alternatively, the Executive Committee may send the proposal back to the Alliance for additional work if issues and concerns identified by the reviewers warrant such action. 7. The IT Governance Council considers proposals and decides which ones to recommend to the Owner of the IT governance process. The Council ranks those proposals based on specified criteria, including core versus context and importance versus cost models. It then formally submits the rank ordered list of proposals to the Owner. The Owner is responsible for information technology at the University and does not abdicate this responsibility because of the IT governance process. He/she decides which proposals to pursue and becomes responsible for the implementation of those. The owner communicates these decisions to the Council and the decisions are published for transparency. Ownership of the IT Governance Process The owner of the IT governance is the person who is responsible for technology on campus. He/she co-­‐chairs the Council and is the individual who makes the final decision regarding v8.7 9 11.6.2013 whether proposals are implemented. This individual, designated by the President, is responsible for implementing any project that he/she accepts. The UTAG’s subcommittee on IT Governance’s recommendation to the organization is that "if the University hired a CIO, then that individual should be utilized and held accountable as reflected in governance. Therefore, the CIO should own the IT Governance process and have the appropriate authority, responsibility, and budget to do his/her job.” In lieu of the decision to designate the CIO as the Owner, the President should assume this role. Implementation of this recommendation requires some organizational change. As a university, we should carry forward those cultural aspects that strengthen the campus and we should use governance as an opportunity to change cultural aspects that lead to improvement. The role of the CIO in this IT governance process must be clear and well defined. Otherwise, governance becomes a question of "Who is truly responsible for technology?" IT Governance Council Membership The CIO should serve on the IT Governance Council as a participating member. Legal counsel and the Budget Director should also serve on the Council in ex officio capacity. The IT Governance Council needs to meet at least once or twice a semester. For some meeting discussions, a student and/or faculty member may need to be included ex officio when issues affect their respective constituencies. IT Governance Council meetings are open to the campus community. Transparency is necessary, too. Senior administration will decide on the membership of the Council. The UTAG IT Governance Subcommittee proposes the following three scenarios for consideration: 1. The President’s Cabinet (consisting of the five vice presidents and the President), the CIO, the Budget Director and legal counsel. The meeting(s) of the Council should occur independently of normal cabinet meetings to make decisions regarding IT priorities. 2. One designee from each of the 5 VP areas and the President's area, the CIO, the Budget Director, and legal counsel. This group would need budget authority. 3. The President’s Cabinet, one designee from each of the 5 VP areas and the President's area, the CIO, Budget Director, and legal counsel (approximately 14 people). Membership of the Alliances People serving on each of the Alliances do not need to have a technology background (the advisory resources people for each Alliance serve as technical consultants). However, it is more important that the people serving on Alliances understand the business, teaching, learning and research processes and needs of the institution. v8.7 10 11.6.2013 A person may serve in one Alliance only. Term limits may vary as determined by the appointer but a staggered time approach is suggested when possible upon inception to ensure continuity during member transitions. Technical advisors may consult with any or all Alliances. Each of the Alliances will draw up their charters upon implementation of this IT Governance plan. The charters will be published to the website. There are three Alliances, which are depicted in the diagram on page 7. They are as follows: • • • Instructional/Scholarly Alliance Administration Marketing/External Instructional/Scholarly Alliance The Instructional/Scholarly Alliance’s membership includes five faculty members representing each of the colleges and the University Libraries. They are to be appointed from CIT by the Faculty Senate. In addition, one at-large faculty member who is not serving on CIT is to be appointed by the Faculty Senate. At least one of these six faculty members must be from the QC campus. A representative from the Registrar's Office (the Registrar or her designee) and a Department Chair (appointed by the Chairs' Council) also serve on this Alliance. The student government associations will collaborate to appoint a graduate and undergraduate student. At least one of the co-chairs of the Instructional/Scholarly Alliance must be a faculty member. A faculty member co-chair must represent the Alliance on the Executive Committee. Students do not serve as a co-chair. Administrative Alliance and Marketing/External Alliance Each of the other Alliances has two students (a graduate and undergraduate) appointed by the student government associations collaboratively. In addition, each of these Alliances has a representative from the President’s Office (Appointed by the President), one member from each of the five VP Areas (appointed by their respective VPs) and one faculty member (appointed by the Faculty Senate). As is the case with the Instructional/Scholarly Alliance, students do not serve as a co-chair on these Alliances. Implementation Timeline The UTAG IT governance subcommittee recommends that the President’s Cabinet, Faculty Senate and the SGAs begin appointing members after the Board of Trustees has approved the 2013-­‐2018 IT Strategic Plan, which calls for the implementation of IT Governance. In the meantime, the subcommittee of UTAG will continue to work out processes and develop forms with the intent of implementing the IT governance process at the start of the Spring 2014 semester. v8.7 Works Cited 11 11.6.2013 Weill, Peter and Ross, Jeanne W. "Preface and Acknowledgements." IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Boston: Harvard Business School, 2004. Print. IT Governance Using CobiT and Val IT: Student Book. 2nd ed. N.p.: IT Governance, 2007. IT Governance Institute. Web