Content

A Scottish, Post-92 Institution

Institution is a post-92 university located in the centre of a large city. The University has quickly established a reputation for providing innovative, career-focused programmes. It has a student population of over 14,000 FTEs and a staff complement of 2,000. The University is recognised for its quality of teaching, research and its promotion of social inclusion and community engagement.

Following the appointment of a new principal the University is undergoing considerable change in order to realise the new Mission and opportunities presented.

As in all Higher Education establishments, the University faces pressures of funding and is therefore diversifying its activity base in order to generate more income to cover any potential funding shortfall. Efficiencies within operations are also being sought and therefore there are opportunities presented currently for reviewing business processes from scratch and for deciding how best to conduct professional support activities in future.

Summary

Within the Pilot project the University has assessed its status with regard to the recommendations of the Toolkit, created and began working on a structured project plan and has reassessed its status after significant University changes. There have been several key achievements including

getting a detailed understanding of what is expected to be in place to meet the requirements of good governance
understanding how to better structure the Toolkit so that it is more constructive and easier to use for future adopters
obtaining buy-in at Executive level of the University to participate in the pilot and to carry out the changes required in order to improve our status
defining what we want to put in place which will meet our University requirements for the future.
taking positive action to address key areas where we currently consider ourselves to be deficient in process and performance.
setting out clearly defined goals and targets
understanding that getting progress is difficult when many things have to change – but by structuring the change into smaller portions it is easier to achieve.

Although progress has been significantly more difficult to achieve than was originally envisaged because of changes in the University and trying to do too many things at once, the process embarked on has been extremely valuable to the University and will continue until the aims of the project have been achieved.

Introduction

IT Services

The Information Technology Services Department was formed by the PVC Learning and Information Services just prior to 2000. All the IT staff from the University, located in Schools and Departments, were converged into one service. A new IT staff structure was developed and staff encouraged to apply for suitable opportunities within the new structure. This process was difficult – with staff from the Schools having to be transferred who all previously had different jobs, different training levels and very different skill levels. Previously there was no coherent career pathway for the IT Staff. The changes were designed to offer real opportunities for development and progression.

A new Director of Services was the final appointment and the post created (Director of Learning Resources) had responsibility for IT Services, Audio Visual Services and procurement, deployment and management of the resources within the Library (books, journals, electronic resources etc). The purpose in creating this post was to allow the services to operate together as a team as the synergies between them were significant.

The IT Governance processes prior to 2000 were few – the Schools and Departments operated as independent units and although there was a small core team (Information Services Group) the difficulties in getting agreement between the areas to carry out University-wide IT projects were significant. The networks were fragmented – with some still on coaxial cable; the systems were independently developed, managed and operated as were the staff. The only system at the time which was University wide was the telephones system.

During the development of the new structure, new Governance processes were also put in place. These included

A new University committee with responsibility for overseeing the IT agenda comprising representatives from across the University (Learning Services Group) to replace the Information Services Steering Group
Formal planning processes – detailed planning documents, with short and long term objectives for services and projects
Formal requests for capital including generation of a business case demonstrating business benefits
Formal reports to the committee regarding how the investments were proceeding
Formal committee discussions regarding the University priorities and how to prioritise resources

A number of projects were satisfactorily completed – including introduction of a Helpdesk System, installing CAT5 cabling network throughout the University so that there was a coherent network infrastructure, installing a staff e-mail system as well as other smaller systems for delivery of a variety of requirements across the University.

During 2003 and 2004 it became clear that some of these processes were not working particularly well for some of the major projects, particularly the larger management information system projects. The University formed a Programme Board with specific responsibility for these projects (the Management Information Systems Steering Group). This group ensured the satisfactory delivery of the first stages of Oracle Finance and Oracle HR – using standard project management (PRINCE2) and programme management techniques, by employing suitably qualified project managers and by investing sufficient resources in staffing to allow the projects to be carried out. These projects were completed during 2004 – 2006 successfully. Further development of the use of these products is continuing. The group also approved the initiation of the replacement student records system project.

Review Process

The Governance Pilot

The notification that there was to be a pilot of the new Toolkit for IT Governance arrived at a very opportune moment for the University. The new Principal took the opportunity to change the Executive structure and responsibility. Learning Resources became the responsibility of the University Secretary. Learning Services was disbanded and the different areas within the larger group were assigned to different Executive Members in order to realign the services with the mission of the University. The committee responsible for IT issues across the University was disbanded, with a view to creating something different. The Management Information Systems Steering Group stayed as it was, continuing to monitor the progress of the HR and Finance changes and continued to lead the first stage of the Student Records System replacement project (definition of requirements and procurement).

The decision was taken to pilot the governance Toolkit and the Director of Learning Resources conducted a preliminary assessment in order to discuss the Toolkit at Executive level. The Executive were supportive of the use of the Toolkit .

The scope of the exercise was defined as all critical systems which are considered within the University business continuity plan. All significant investments were deemed within scope – and these were defined as

Capital investments greater than £10,000
Major system investments > £50,000
Hardware Replacement investments > £10,000

The intended audience for the review was the University Secretary initially and others as appropriate. As the review was to concentrate on IT systems, the managers of the IT Services were involved in order to obtain their views on the governance processes. However as many of the established processes operated at Director level and above, the experience of the managers or indeed users was of limited impact during the assessment phase.

The Governance Toolkit was supplied to the University during April 2006. The first assessment was carried out during June 2006 and it was identified that we were compliant in about 70% of the areas.

The principal areas of compliance were:-

Governance: Vision
Governance: Assurance
Services: Projects

The other areas considered - other areas of Governance, Resources, Organisation and Services – needed to be considered further.

Using the assessment documentation Strategic, University wide (operational) and IT Local (operational) aspects were identified which required improvement.

Strategic

The strategic aspects identified which required improvement e.g. development, agreement and publication of the key strategies were identified as Executive responsibility, although they would clearly be informed through consultation with key personnel throughout the campus in each of the areas .

The key areas of activity identified were

development of the Information and Knowledge Management Strategy,
development of the International strategy
agreement of the Research Strategy,
agreement of the Learning and Teaching Strategy and
review of the E-learning strategy;
alignment of the expenditure for IT systems with the Information and Knowledge Management Strategy

University Wide (operational)

Other aspects could be proposed, consulted upon across the University then ratified by the University Executive. These activities included

defining the activities of the new Information and Knowledge Services Steering Committee so that this Committee would be fully effective in leading the delivery of the Information and Knowledge Management Strategy.
development of the Knowledge and Information Services strategy
Revision of the IT Security Policy;.
development of a policy describing the rights relating to devolved IT and information systems for lab equipment, connection to the network, local networks, procurement and physical and digital security

IT Local (operational)

These were aspects identified which could be addressed locally within IT services. They included:-

Training Needs assessment for all IT Staff
Business process review; review of the processes used to support systems and delivery services in order to ensure continued appropriateness; systems review
Staffing requirements: to production of a staffing plan, describing essential skill-sets which would be required in order to deliver the Information and Knowledge Management strategy
Putting in place formal reporting mechanisms for service levels, unplanned service disruption, security breaches to the new Information and Knowledge Services Steering Committee
Production of standardised annual reports on expenditure on all Information, communication and IT systems across the institution,
Development of a portfolio of measurements to allow definition of the effectiveness of IT Investment.
Development of formal forensic procedures and improved Business Continuity procedures
Production of standard reports on performance of systems, delivery of services and performance against stated service levels.

A list of actions based on the aspects for improvements identified were proposed and documented. Responsibilities for activities and timescales in which such activities should be achieved have been proposed. The formal draft project plan is being submitted to the University Executive for discussion.

In the meantime, however, significant progress has been at all levels to address areas of concern because some of the aspects are acknowledged to be of general benefit, not only part of this project.

Progress so Far

There have been a number of achievements during the short time of the pilot project including:

Strategic

The former committee called Management Information Systems Steering Group has been re-assigned to take responsibility for all IT and Communications Services as well as IT and Management Information System projects. The new committee (IT Implementation Group) is being chaired by the University Secretary. The University secretary is taking responsibility for defining the constitution of the committee including remit and membership. The committee will report formally to the Executive through the chair.
A number of strategies have been developed, consulted upon and ratified including the Research Strategy and the Learning and Teaching Strategy which will inform the information and knowledge management strategy
The University has developed a new mission for 2015. All academic and professional support departments are being aligned with the new mission.
A team has been formed and has begun work on the Knowledge and Information Management Strategy.

University Wide Operational

· The IT security policy has been revised and has been submitted to the Executive for comment.

IT Local (Operational)

A comprehensive training needs assessment has been carried out for all IT staff and there has been significant investment in training to support systems and improve services. This will be reviewed again during October – December 2007
A business process review has been initiated in order to understand if all processes are required, where efficiencies can be gained and how, potentially, things may be done differently to greater effect. This is required prior to the development of the staffing plan for the future as well to support the development of the Quality Systems (ISO9000 with an aim to move to ITIL compliance).
An asset register for equipment has been created and populated with up to date information. Whilst this is still in the initial stages, the database is part of the Helpdesk system and will therefore allow all records pertaining to a member of staff to be viewed when taking calls and resolving problems.
Formal Forensic investigation procedures have been put in place following consultation with the Crown Prosecution Service, Strathclyde Police and the University IT Lawyer. The procedures have been tested and deemed satisfactory to meet current needs. The procedures will be reviewed annually.
Formal reporting mechanisms have been put in place for all incidents, disruption to services, security breaches etc. These have not yet been reported to the IT Implementation Group, but will be when the committee is formally constituted
The business continuity arrangements for the critical systems have been significantly improved, including testing. There is continual activity in making systems more robust and resilient in order that we can address areas of weakness before they are manifest in a real situation.

There have been significant developments and improvements in the pre-existing governance processes and these have been assessed by the University auditors as part of the annual audit program for IT.

Reflection

Critical Learning Points

During the various processes involved in the pilot of the governance Toolkit, there have been a number of issues identified and as a consequence a number of possibilities identified for improvement. There are also considerable strengths.

The questionnaire is easy to understand – although potentially a checklist approach may be more helpful in evaluation – incorporating all the different aspects which are included in the descriptions of each of the categories.
There should be a recommendation within the Toolkit that that the governance processes are checked by internal/external auditors
The Toolkit is easy to understand; one does not need to be an expert to be able to develop systems and processes which will satisfy the aims of “good governance” if all aspects of the Toolkit are considered
The Toolkit can be easily explained at all pertinent levels – as well as the aims of governance
The results of the questionnaire will change with time. Therefore it is critical to review progress and the results as the project proceeds
Whilst the use of a project methodology in carrying out such a project is to be commended, it is not essential to monitoring progress; the repeated evaluation of the questions in the questionnaire is valuable – although clearly not as strong as using an action/project plan.
This project may require considerable change in terms of institutional practises, management and monitoring. It is important to realise this from the start and to ensure that all participants understand that change may be required.
Managing change is difficult – and compromise is often essential. It may not be possible to do things exactly as the Toolkit suggests – but what is implemented has to meet the institutions needs, and not the needs of the Toolkit!
It is vital to realise that the processes involved in implementing the full Toolkit are extensive even if one starts from a position where the internal processes are strong. The last 10% of compliance may cost more in terms of time and money than the other 90%. The institution should therefore decide whether the extra 10% compliance is necessary or whether something slightly less will do
Don’t leave it to one person – ensure there is a team responsible and that the project is owned at the highest level in the institution.
It is critical to identify early on which issues are going to be small and which are going to be larger and more problematic; review this regularly as the status may change with time and as other things happen in the institution.
Don’t try to do too much at one time. It is better to set sights at a realistic level rather than trying to sort every single problem at once. Look for small things which can be completed first; then build up to the bigger issues. Work with people, not against them; demonstrate the benefits of a new system to generate buy-in.

The Future

We will continue to build our governance processes for IT following the action plan which has been developed. We have to be realistic regarding timescales and targets for the future. However we now have strong foundations on which to build.

As the University is a constantly changing environment, the Toolkit will prove very valuable as a checklist for compliance in future. We will review our compliance with governance best practise by using the Toolkit questionnaire annually - after we have taken the action plan to completion.

The University will be reviewing the action plan within the new IT Implementation Group to ensure that all parties within the University acknowledge and understand the importance of the process as well as helping to carry out the essential actions.

Contact:

Funded By:

Content

A Scottish, Post-92 Institution

Following the appointment of a new principal the University is undergoing considerable change in order to realise the new Mission and opportunities presented.

Summary

Within the Pilot project the University has assessed its status with regard to the recommendations of the Toolkit, created and began working on a structured project plan and has reassessed its status after significant University changes. There have been several key achievements including

getting a detailed understanding of what is expected to be in place to meet the requirements of good governance

understanding how to better structure the Toolkit so that it is more constructive and easier to use for future adopters

obtaining buy-in at Executive level of the University to participate in the pilot and to carry out the changes required in order to improve our status

defining what we want to put in place which will meet our University requirements for the future.

taking positive action to address key areas where we currently consider ourselves to be deficient in process and performance.

setting out clearly defined goals and targets

understanding that getting progress is difficult when many things have to change – but by structuring the change into smaller portions it is easier to achieve.

Introduction

IT Services

During the development of the new structure, new Governance processes were also put in place. These included

A new University committee with responsibility for overseeing the IT agenda comprising representatives from across the University (Learning Services Group) to replace the Information Services Steering Group

Formal planning processes – detailed planning documents, with short and long term objectives for services and projects

Formal requests for capital including generation of a business case demonstrating business benefits

Formal reports to the committee regarding how the investments were proceeding

Formal committee discussions regarding the University priorities and how to prioritise resources

Review Process

The Governance Pilot

The decision was taken to pilot the governance Toolkit and the Director of Learning Resources conducted a preliminary assessment in order to discuss the Toolkit at Executive level. The Executive were supportive of the use of the Toolkit .

The scope of the exercise was defined as all critical systems which are considered within the University business continuity plan. All significant investments were deemed within scope – and these were defined as

Capital investments greater than £10,000

Major system investments > £50,000

Hardware Replacement investments > £10,000

The Governance Toolkit was supplied to the University during April 2006. The first assessment was carried out during June 2006 and it was identified that we were compliant in about 70% of the areas.

The principal areas of compliance were:-

Governance: Vision

Governance: Assurance

Services: Projects

The other areas considered - other areas of Governance, Resources, Organisation and Services – needed to be considered further.

Using the assessment documentation Strategic, University wide (operational) and IT Local (operational) aspects were identified which required improvement.

Strategic

The strategic aspects identified which required improvement e.g. development, agreement and publication of the key strategies were identified as Executive responsibility, although they would clearly be informed through consultation with key personnel throughout the campus in each of the areas .

The key areas of activity identified were

development of the Information and Knowledge Management Strategy,

development of the International strategy

agreement of the Research Strategy,

agreement of the Learning and Teaching Strategy and

review of the E-learning strategy;

alignment of the expenditure for IT systems with the Information and Knowledge Management Strategy

University Wide (operational)

Other aspects could be proposed, consulted upon across the University then ratified by the University Executive. These activities included

defining the activities of the new Information and Knowledge Services Steering Committee so that this Committee would be fully effective in leading the delivery of the Information and Knowledge Management Strategy.

development of the Knowledge and Information Services strategy

Revision of the IT Security Policy;.

development of a policy describing the rights relating to devolved IT and information systems for lab equipment, connection to the network, local networks, procurement and physical and digital security

IT Local (operational)

These were aspects identified which could be addressed locally within IT services. They included:-

Training Needs assessment for all IT Staff

Business process review; review of the processes used to support systems and delivery services in order to ensure continued appropriateness; systems review

Staffing requirements: to production of a staffing plan, describing essential skill-sets which would be required in order to deliver the Information and Knowledge Management strategy

Putting in place formal reporting mechanisms for service levels, unplanned service disruption, security breaches to the new Information and Knowledge Services Steering Committee

Production of standardised annual reports on expenditure on all Information, communication and IT systems across the institution,

Development of a portfolio of measurements to allow definition of the effectiveness of IT Investment.

Development of formal forensic procedures and improved Business Continuity procedures

Production of standard reports on performance of systems, delivery of services and performance against stated service levels.

In the meantime, however, significant progress has been at all levels to address areas of concern because some of the aspects are acknowledged to be of general benefit, not only part of this project.

Progress so Far

There have been a number of achievements during the short time of the pilot project including:

Strategic

A number of strategies have been developed, consulted upon and ratified including the Research Strategy and the Learning and Teaching Strategy which will inform the information and knowledge management strategy

The University has developed a new mission for 2015. All academic and professional support departments are being aligned with the new mission.

A team has been formed and has begun work on the Knowledge and Information Management Strategy.

University Wide Operational

· The IT security policy has been revised and has been submitted to the Executive for comment.

IT Local (Operational)

A comprehensive training needs assessment has been carried out for all IT staff and there has been significant investment in training to support systems and improve services. This will be reviewed again during October – December 2007

Formal Forensic investigation procedures have been put in place following consultation with the Crown Prosecution Service, Strathclyde Police and the University IT Lawyer. The procedures have been tested and deemed satisfactory to meet current needs. The procedures will be reviewed annually.

Formal reporting mechanisms have been put in place for all incidents, disruption to services, security breaches etc. These have not yet been reported to the IT Implementation Group, but will be when the committee is formally constituted

The business continuity arrangements for the critical systems have been significantly improved, including testing. There is continual activity in making systems more robust and resilient in order that we can address areas of weakness before they are manifest in a real situation.

There have been significant developments and improvements in the pre-existing governance processes and these have been assessed by the University auditors as part of the annual audit program for IT.

Reflection

Critical Learning Points

During the various processes involved in the pilot of the governance Toolkit, there have been a number of issues identified and as a consequence a number of possibilities identified for improvement. There are also considerable strengths.

The questionnaire is easy to understand – although potentially a checklist approach may be more helpful in evaluation – incorporating all the different aspects which are included in the descriptions of each of the categories.