Information Technology Handbook
Section 1.0: Information Technology (IT) Governance
Section 1 Introduction
Achieving strategic alignment between the Information Technology (IT) organizations and the enterprises they serve is an important goal for any organization. Attaining and maintaining this alignment requires a process to assure that investments in IT projects and assets are directed toward achieving the organization’s strategic vision, goals, and objectives. Without alignment of purpose, intent, and actions, the IT organization will not contribute purposefully to the overall mission. While accidental success is not necessarily a bad thing, something more than chance is needed to reach a high level of sustained accomplishment.
Alignment is achieved through a variety of means, but two essential elements that should be formally prescribed, and are described in this section, are:
A well-defined and understood role for the organization’s Chief Information Officer (CIO); and,
A well-defined and adopted working relationship between the CIO and the other Chief Officers [CxOs, such as the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Business Officer (CBO), etc.], also known as a governance structure.
1.1 Chief Information Officer Role and Responsibilities
A CIO in a higher education institution must be operationally sound and a skilled leader of staff, of peers, and of causes. The CIO position must act as a fundamental partner with the other CxOs of the organization, and must anticipate the organization’s needs. Therefore, regardless of the reporting structure within the organization, this position must be a contributing member of the leadership team; understand the organization’s mission, purpose, and intent; and provide a sound operating platform on which to launch new initiatives. The CIO may not be the subject matter expert on all things that the organization requires information technology to support, improve, or launch. He/she will not be the perfect combination of all who rely on him/her: a professor, a researcher, an accountant, a librarian, a scientist.
While the requirement for a strong leader is paramount, projects to achieve business objectives should not be led solely by the CIO. The CIO must be an advisor, a consultant, and a co-leader of projects to achieve strategies, but is not the sole person in the organization that should be advocating for an implementation of an IT solution. The implementation of any new IT solution must be sought to create, resolve, or improve some business, academic, or research function, and therefore should be led by the CxO responsible for that function.
While a well-defined and adopted working relationship between the CIO and other CxOs is paramount, the CIO must also have similar business relationships with key institution non-CxO-level management, such as human resources, legal counsel, audit and risk management, accreditation, compliance, campus police, deans, etc., as well as local authorities. For example, the CIO should be included directly in conversations and assessments of legal acts that impact IT operations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Electronic Communications Privacy Act (ECPA), the Family Educational Rights and Privacy Act (FERPA), and other similar federal and state legislation.
1.2 Governance Structure
Information Technology can be leveraged to advance the organization and to enable achievement of business goals. To best advance the organization’s priorities, there is the need for greater accountability for decision-making around the use of IT in the best interest of all stakeholders.
Effective IT governance is the prescribed relationship between the IT organization and its customers through established operational processes of communication and decision making. Only through these prescribed relationships and processes will replicable and predictable alignment of resources to the organizational goals be achieved. A governance structure should be established and function appropriately to foster partnership of business and IT leadership.
Typically, an effective IT governance framework includes defining organizational structures (reporting relationships, advisory committees, etc.), processes, leadership, roles, responsibilities, and other attributes to ensure that the organization’s IT investments are aligned and delivered in accordance with established strategies and objectives.
Enterprise governance and IT governance should be strategically linked, leveraging technology and organizational resources to increase the competitive advantage of the enterprise. IT governance activities should also be integrated with the enterprise governance process.
1.2.1 Shared Governance Framework
The IT governance process should be defined, established, and aligned with the overall organization governance and control environment. The framework is a shared governance model and should be founded on service management principles where all stakeholders (other CxOs) are identified and participate actively in processes that prioritize how IT resources are allocated for the organization’s maximum benefit, and these stakeholders are collectively engaged in the shared responsibility of assuring that resources are aligned with needs.
Without the collective participation and interchange among the stakeholders about the priorities for the IT organization, customers relinquish control to the CIO by putting him/her in the position of making decisions on the priorities of where to assign resources. When resources are plenty and there is no competition among customers with regard to what gets done first, this might not be a problem. However, when demand outpaces supply, the collective group needs to assist with the prioritization across the institution.
1.2.2 Strategic Alignment
The framework will lead to the collective understanding of how IT resources are deployed as well as the potential opportunities for their use. This information can then be used to determine the best use of these resources for the maximum institutional benefit. Priorities should be informed not only by the operational requisites, but also by the organizational strategic plan and goals, using a disciplined approach to portfolio, program, and project management. The organization must have a methodology and set of practices to demonstrate prioritization of IT services and initiatives.
1.3 IT Organization, Roles and Responsibilities, and Processes
The IT organization must be defined by considering the requirements of the primary organization it serves. Its placement within the overall structure should be considered based on the scope and breadth of services it is expected to provide to the organization. The organization should have a reporting structure that incorporates IT into planning and decision making at the leadership level.
The CIO should be a regular contributing member of the executive leadership team so as to participate in relevant decision processes of the stakeholder groups and thereby adequately anticipate technology resource needs, offer advice on technology-enabled opportunities, and respond to emergent requirements. Decisions about staffing levels, skills, functions, accountability, authority, and supervision should be derived from these expectations.
Organizational Placement of the IT Function
The CIO should be placed in the overall organizational structure based on the scope and breadth of services the IT unit is expected to provide to the organization. In many complex organizations, a matrix reporting relationship among the most senior executive staff under is not unusual. In smaller and less complex organizations, such hierarchies may not be necessary and a direct reporting relationship to the CEO is feasible. The important point is that it should not matter to whom the CIO reports, as long as the position is adequately incorporated into the organization’s leadership team decision-making processes.
It is also important to distinguish between the role of the CIO and the most senior centralized “line management” function of the centralized IT function (VP, Director, etc.). Regardless of whether the IT functions are managed in a highly centralized or decentralized manner, the role of the CIO must be recognized as that of the Chief Information (technology) Officer. The responsibilities and authority of this role should span any direct reporting structures and cross over organizational boundaries to encompass any and all IT functions of the organization, so that the CIO is responsible for the organization’s total IT footprint as it relates to policy, compliance, security, and risk management of IT-enabled functions regardless of any decentralized line management of departmental IT functions.
Management Structure
Decisions about the appropriate balance of a centralized vs. decentralized resource pool of staffing and budget resources are directly related to the expectations of the organization. The centralized IT organization structure must be defined by considering the requirements of the primary organization it serves.
IT Continuous Improvement Expectations
As with all administrative and educational support functions in higher education organizations, the Commission on Colleges expects units to engage in systematic planning and assessment processes to assure institutional effectiveness [See SACS Core Requirement 3.3]. Processes for planning, assessing, and improving services must be documented. IT processes and services should be periodically and systematically assessed for effectiveness, and opportunities for improvement should be incorporated into the planning process and implemented over time.
1.3.2 IT System Ownership and Responsibilities
Shared governance between a service provider and their customers requires that roles and responsibilities be established and communicated across the organization to appropriately define who is responsible for what.
At the highest level, every IT application and service should have an Executive Sponsor identified. This individual should be the senior person in the organization who “cares” whether the application or service is operable and who champions its use to provide business and/or educational value to the organization. For most infrastructure services, such as the local area network, the CIO is that Executive Sponsor. For most business and educational support systems, the CxO to whom the support function reports is normally the Executive Sponsor. This designation is usually heavily dependent on the organizational structure.
Executive Sponsors should appoint a functionally responsible designee as a primary liaison between the IT service unit and the customers served by the system or service provided by IT. For instance, the VP of Enrollment Management, who is the Executive Sponsor for the Banner Student Information System, might appoint the Registrar as the day-to-day functional liaison between customers of Enrollment Management and IT for provisioning of services and support for the tool.
1.4 IT Strategic Planning
The organization should have an IT strategic plan that is integrated with the organization’s strategic plan. The effective management of information technology services should include a strategic planning component to direct IT resources across the organization in line with the business strategy and priorities. This direction should be inclusive of all IT resources, regardless of the departmental structure (centralized or decentralized).
Within the planning effort, the CIO and other CxOs of the organization assume shared responsibility for ensuring that IT resources are expended toward a catalog of services and for projects that provide the maximum benefit to the organization. Strategic planning efforts and discussions also improve key stakeholders’ understanding of IT opportunities and limitations, provide opportunities to assess current performance, identify resource (operation and maintenance, capital, and human resources) requirements, and clarify the level of investment required.
As a goal, IT strategic planning should be a documented, living process, which is considered in business goal setting and results in discernible business value through investments in IT. Risk and value-added considerations should be periodically updated in the IT strategic planning process. Realistic long-range IT plans should be developed and regularly updated to reflect changing technology and business-related developments. Benchmarking against well-understood and reliable industry norms should take place and be integrated with the strategy formulation process. The strategic plan should include how new technology developments can drive the creation of new business capabilities and improve the competitive advantage of the organization.
1.4.1 Technology Direction Planning
Existing and emerging technologies should be analyzed to determine which technological direction is appropriate to realize the IT strategy and the business systems architecture. The planning should include identification of which technologies have the potential to create business opportunities. The planning should address systems architecture, technological direction, migration strategies, and contingency aspects of infrastructure components.
1.4.2 Standards and Quality Practices
Standards, procedures, and practices for key IT processes should be identified and maintained. Industry best practices should be used for reference when improving and tailoring the organization’s quality practices.
1.4.3 Development and Acquisition Standards
Standards for all development and acquisition that follow the life cycle of the ultimate deliverable should be adopted and maintained, and include sign-off by the CIO and Executive Sponsor, or their designees, at key milestones based on agreed-upon sign-off criteria.
1.5 IT Resource Management
The CIO must establish a process to periodically review current performance and capacity of IT resources, as well as forecast future needs based on workload, storage, and contingency requirements. This process should highlight the adequacy or lack thereof of the resources needed to support the organization.
As a goal, performance and capacity plans should be fully synchronized with the business demand forecasts, such as enrollment growth or a significant change in business process that results in the peak demand for a resource increasing significantly; e.g., an alumni radio/telethon that will tax online access to the donor management system. The IT infrastructure and business demand should be subject to regular reviews to ensure that optimum capacity is achieved at the lowest possible cost.
Trend analysis should be performed that will show imminent performance problems caused by increased business volumes, enabling planning and avoidance of unexpected issues. The CIO should adjust the planning for performance and capacity following analysis of these measures.
Information Technology Services
© Board of Regents of the University System of Georgia