Governance, risk, and compliance (GRC) issues increasingly pervade higher education information technology. As institutional investment in IT and reliance on information systems have grown, so has the need for reliable structures and measures to ensure success and minimize failure.
Approaching the complexity of an IT governance strategy can be daunting. Here are four things to consider to get started.
4 Considerations for IT Governance
1. Set the Goal
Debbie Carraway: There's the higher education IT governance checklist, which gives you a nice "here are the to-dos" and the things that you need to consider when you're starting IT governance. But some of the things that you need to consider to start with are, what do you want IT governance to do? You know, we talk about IT governance, and it can be anything from people use it for portfolio management so we have projects and hours and we're deciding which projects to do, given the amount of money and hours that we have for those resources, or IT governance can operate at a strategic level so that we're having broader conversations about what IT initiatives need to tap in in order to facilitate teaching and learning and research and the business of university. So decide what you want. Either one of those answers is okay if you know what your institutional goals are—what you want IT to do for your institution.
2. Is Everybody Ready?
Juan Garza: You have to start thinking about the organizational culture. Is it mature enough? Is it ready? Are the proper players, stakeholders, prepared to be able to take something on, because it's going to fundamentally shift the nature of what people perceive as power, voice, and input. So, one of the first things you have to look internally. Is my organization ready for it? Then do an internal assessment.
Matt Morton: Just knowing where you're at so that your expectations are appropriate. I think a lot of people get disenfranchised, sometimes, because they don't have the right expectations. They're expecting it to be done in six months and it may take years before you actually learn that, right?
Debbie Carraway: Don't create your governance to reinforce your current level of maturity. Be a little aspirational. You don't have to be wild and crazy, but move things forward a little bit. So, if you're not used to having a lot of input from non-IT stakeholders, get the non-IT folks in there. If you're not used to having decisions discussed before they're made, work on that.
3. Keep Fears Under Control
Cathy Bates: You know, I think central IT, in the past, has been somewhat nervous about really wading into the shared governance area. There's a fear of loss of control. Some worst-case scenarios about what's gonna happen when you get into IT governance and you've allowed that shared process, right? And then I think, for the other folks who are coming in, they're giving up their own decision-making powers as well, because they've been used to making decisions in silos. So, you're really bringing everyone together and if you don't have benefits for everybody to be part of that process, if they all don't see what they're gonna get out of it, then you lose that momentum. You lose that enthusiasm for it.
Juan Garza: Because it's really now talking and bringing people to the table to tell IT what they really want so they can enact those needs and move the organization forward, based on what the stakeholders want. It becomes difficult in having those dialogues because a lot of people think, "Well, we're gonna invite everybody to come tell us what to do." That's not really the case. It's about having everybody having voice so you understand what they want, so then you can go forth and do it. In some respects it makes it easier because you've got 50 different organizations or 50 different groups all pushing for, "Hey, this ERP's not working. We need to go to a new system." It makes it easier to basically go to your presidents and your boards and say, "They've all come together and said this isn't working for us as a community."
4. Show the Benefits
Matt Morton: The interesting thing about IT governance, and it's not any different than security in some respects or compliance or any of these other supporting processes, is that when you do it well, you're actually optimizing your spend. And when you optimize your spend, which is part of the governance process, right, you're doing everybody a favor. You're making sure that they can hire more faculty to ensure that that academic mission is delivered like they want. The deans have more flexibility to do what they're doing.
Srinivas Gotety: The other thing I suggest is actually if there is any low-hanging fruit. If people know there are some projects, some research, actually everybody's looking forward to it, everybody wants that kind of stuff. Part of that gives actual visibility to the whole university to pick it up as the first initial projects or initiatives, so that way people can see, like, okay, so we started this occurrence and then we see the results.
Cathy Bates: Everybody needs to see the benefit of coming in to do IT governance together, so IT needs to see the benefit, central IT needs to see the benefit, users need to see the benefit.
Christine Miller: Even with a good plan and good goals, it takes sustained energy to really make something successful on campus and to get that meaningful adoption that you really want. And that you have to just, you know, it's a persistent effort that you have to keep returning to the table and continuing to make progress.
IT GRC programs develop a framework for the leadership, organization, and operation of an institution's IT programs. This framework can be used by IT staff to ensure that their programs support and enable the institution's strategic objectives. The EDUCAUSE IT GRC program provides resources that help you define and implement IT GRC activities on your own campus.
Join the IT Governance, Risk, and Compliance Community Group, an EDUCAUSE e-mail discussion list