IT GOVERNANCE FOR SCHOOL BOARDS

Introduction

This article is based on a speech given to the 2019 AIS ICT Leadership and Management Conference at the Gold Coast Convention Centre on 1 Aug 2019.

A Board’s-eye view

Boards are responsible for the school’s performance in ensuring students transform information into knowledge.  A performance-focused board will seek to have oversight and insight into the corporate governance of both information and technology.   A compliance-focused board would only be interested in the size of the IT budget.

The purpose of the paper is to explore how CEOs and CIOs can provide the tools and mechanisms to enable boards to fulfill their responsibilities in governing information and technology without constraining the school’s performance.

What’s so important about information?

Educational institutions are in the business of information.

Schools collect information from parents to enable the children to be enrolled as students.

Parents send their children to school to learn. Teachers are employed to transmit information to the students in such a manner that students develop knowledge. The information is transmitted via a number of channels, including, in the main, humans, but also via technology. This technology is no longer just about providing access to information depositories, but is utilizing technologies such as VR and AR to deliver the information to students.

Schools periodically gather data on students’ knowledge as evidence of the efficacy of the School’s processes for students to transform this information into knowledge.  This is the essence of school performance – how the school can demonstrate its “value-add”.

The main reason for information and data is to make evidence-based decisions.

If the Board’s job is, in part, to ensure there is adequate governance of the generation, use and subsequent disposal of information, it is useful to define governance.   The next section answers the question: “What is corporate governance?”

What is corporate governance?

Corporate governance has been defined as the structures and processes that describe how power is exercised and controlled in institutions.[1]

The directors are responsible for the overall management of the educational institution. Whilst the day-to-day management is usually delegated to a principal/head/CEO, the board is still ultimately responsible. A competent director will understand what the school does and how it operates.

For many school boards, the pool from which directors are drawn is mainly enthusiastic, volunteer parents.  Their knowledge of the business quite often rests on the fact that they too went to school during their childhood.

Information is pivotal to how schools operate. Given that exposure of that information (say via a data breach) can have an adverse effect on the school’s reputation and affect its ability to attract enrolments, IT governance should have greater prominence on the board agenda.

Why IT Governance?

IT governance is a subset of corporate governance. Effective governance of IT will ensure alignment of IT with business needs. If you can demonstrate this alignment to your business manager, there is a fair chance next year’s budget request will receive favourable consideration.

IT is a fundamental business tool. Effective governance of IT will ensure business continuity and sustainability.

IT expenditure is a significant cost centre.   Good governance enhances the efficient allocation of resources, and plans for the actual realization of the expected benefits from each IT investment.

Good governance includes risk management. Specific IT risks include breach of privacy, malware and ransomware, and intellectual property rights.

There are six principles underlying good governance of IT:

  • Responsibility
  • Strategy
  • Acquisition
  • Performance
  • Conformance
  • Human behaviour

This session addresses how the organisation can apply/address these principles in establishing the framework for IT Governance to cover the acquisition of hardware; the use of the hardware; and the creation, use and security of information. I will be explaining what it is that boards and executive leadership need. In the second half of the session, Bill, as the Manager Information Services, will be explaining how he will deliver it (no pun intended).

Principle 1 – Responsibility

Management are delegated the responsibility to ensure that IT delivers value for the organisation. But to what extent is your management technology-literate? Or are they users who just want it to work, for whom IT should be seen and not heard?

The data cycle needs to be understood.  The data cycle in any organisation can be broken down into a number of steps:

Create/collect -> store -> process -> interpret -> archive -> delete

Data has no use/value to the organisation unless it is accessible and available when required.

Data is of no use to the organisation unless it is used to enhance the value proposition of the school. 

What processes do you have in place to analyse the data on student achievement and well-being to design interventions that enhance student learning? The main reason for having data is to make decisions. The value of the data lies in how it improves the decisions that are made.

Data accountability ensures that responsibility and authority are delegated to the right level in the organisation. 

For example, there may need to be different levels for the collection and/or creation of the data, other levels for the storage of the data (who is responsible for putting it into the system), for the extraction of the data (the use of APIs), the analysis of the data, the reporting to parents, the design of interventions, and, to “close the loop” the review of the effectiveness of those interventions.

However, no matter the delegation hierarchy, it is important that a culture of trust and transparency exist so that issues can be escalated as required. Making problems visible early will enable remediation to happen prior to them threatening the project or business process. For example, one staff member of a school with which I am familiar purchased VR goggles and suggested that IT should enable them on an open network. After IT raised concerns that they should operate behind the firewall, the offered defence was that there was no porn on YouTube and 14-15-year-old males wouldn’t be looking anyway. I have no doubt this school has probably changed its purchasing delegations.

With the myriad of responsibilities of the day-to-day, how can a CEO be across this? One way is an Information Technology Steering Committee.

Should this be a management committee or a board committee?

  • Membership
    • Principal ex officio
    • Chaired by IT Manager or Business Manager?
    • Head of Curriculum
    • Head of e-Learning
    • Business Manager
    • Data Analyst
  • Terms of Reference
    • Advisory committee to the Principal
    • CIO seldom on the Executive Team so ITSC is a forum for their voice to be heard directly by the Principal, if they turn up.
    • Is your CDO on the Committee? How are you using your student assessment and wellbeing data to design the interventions?

Principle 2 – Strategy

Strategic thinking should consider the current, ongoing and future trends. Is your Board, or perhaps more importantly, is management giving information to the board on the potential for digital disruption in schools? Workflow automation is one thing. But what about the impact of AI in the delivery of lesson content and even in marking? To what extent were schools ready to go remote as a result of COVID-19? Livestreaming lessons is not AI. But parents will have a taste of things to come. Will schools “snap-back” (a phrase being used by the Australian Prime Minister to speak of life after COVID-19) to talking heads in front of a classroom?

The difficulty, of course, is that management in schools is mainly comprised of educators who need to guard against confirmation bias of the status quo.

The strategic thinking adopted by the Board will set the priorities for which projects are advanced. The strategic horizon of school boards can be somewhat stunted where the board is predominately composed of parents, either of current students or past students.

The terms “vision”, “purpose”, “mission” and “values” have different meanings depending on your professional paradigm.   The definitions used in this paper are:

  • Purpose – why we do the things we do
  • Mission – the things we do
  • Vision – what will be the impact if we do the things we do, well
  • Values – the way in which we do the things we do

In order to develop an IT Strategic Plan, the School must first establish its own strategic direction.  Common definitions and understanding of these concepts throughout the organisation will help determine the business objectives for IT and to prioritise resource allocations.

According to ISO 38502 Information technology – Governance of IT – Framework and model, the Board should provide leadership and develop strategies for obtaining value from the use of IT.  However, it seems that the only time that the Board regularly gets interested in IT is when there needs to be a server refresh or the like; or of course, if there has been a data breach.

It falls to management to assist the Board in developing these strategies.

IT Strategic Plan

Two major questions need to be answered by the IT Strategic Plan:

  • How does the technical vision support the business vision?
  • How does the technical infrastructure support the business function?

Does the IT renewal programme support the corporate strategy? For example, if you are a BYOD school, why do you need computer labs?

A key message: TECHNOLOGY WITHOUT BUSINESS APPLICATION HAS NO VALUE. (It’s NOT about the toys)

Harvard Business Review reckons there are 6 decisions which should not be left to IT management (although they are involved); these are key questions the ITSC should be involved in.

  • How much should we spend on IT? (The Business Manager needs to be on the ITSC.)
    • The spend needs to match the strategy – not industry benchmarks. A competent Business Manager will know that, while it is about the money, it is not JUST about the money. How does this expenditure help in delivering student and organisational outcomes?
  • Which business processes should receive our IT dollars?
    • Focus – not hocus pocus
    • Automation can easily replace paper–based business processes.
    • Whilst current technology enables the remote delivery of information (as we have seen through the response to COVID-19), it will be a little while before it reduces the number of teachers.  Two main reasons:
      • The importance of the teacher-student relationship in nurturing the desire to learn;
      • The unions.
  • Which IT capabilities should be firmwide/systemwide?
    • QLD Govt and SAP -v- Director-General responsibility for outcome delivery
    • There are three independent schools in Mackay (that’s halfway between Rockhampton and Townsville for the geographically challenged) – do we need 3 IT managers?
  • How good do our IT services need to be?
    • What Dashboard KPIs can you provide?
    • Every payday – payroll and internet access (for banking files) are mission critical.
    • Disaster recovery plan
  • What security and privacy risks will we accept?
    • Do you have a Notifiable Data Breach response plan – regardless of the level of security, the reputation implications of a breach require a response plan as the minimal mitigation strategy.
  • Who takes responsibility for an IT initiative failure (sorry – opportunity to learn)?
    • “Not Me” is usually the most productive employee in any organisation
    • However, a functioning ITSC will shoulder the responsibility.

How does the technical infrastructure support the business function?

You don’t have to buy everything in the trade exhibit. It’s not just about the toys – but how does this fit with the vision of the school, the “Why we do the things we do” question? How does this contribute to student outcomes? Start with the user in mind – what does it actually need to do?

Although it might be fun ferreting around in the box, trying to figure out what went wrong and getting it working again, the real client is the human who is thumping the keyboard in frustration, or who is working around or outside of the corporate systems.

The data client is the one who wants the data turned into information which they can understand within their professional paradigm.

  • A simplified, unified technology platform
    • If the decision is to be an Office 365 school, to what extent should IT be required to support Google Forms/Classroom?
    • Don’t stop and start for the sake of teacher foibles.
    • Do you need an ERP (one system that does the lot), or specialist software, linked through APIs (provided the GUI looks the same – we need to make it easy for teachers to use)?

Principle 3 – Acquisition

This section is based on AS/NZS 8016:2013 Governance of IT enabled projects.

Effective governance will ensure that investments in IT (whether it be hardware, or software, or the usage thereof) contribute positively to the performance of the organisation.  To reiterate, Technology without business application has no value.

The Board, with the assistance of management, needs to ensure that the decision-making processes are in place for proposals for investment in IT and associated changes to business process. The evaluation should include the expected project outcomes. Clearly then, before deciding what to go and buy (or rent), start with the end-user in mind. Will this technology help them in doing their job, whilst ensuring compliance with policies such as security of the system (don’t click on that link in the email)? There needs to be an appropriate balance between benefits and opportunities, and costs and risks.

IT projects can be like construction projects; there are always variations to the original specification. What processes do you have in place for approving variations in scope? Greenfield implementations are always easier than decommissioning old equipment and installing new.

Principle 4 – Performance

Post-implementation review is an important part of project management:  did we actually achieve what we thought we would?  The questions that management is going to be asking in post-implementation review should guide the questions that you ask in designing the specifications for the project, as well as the project management methodology that you utilise to monitor milestone achievements.

It has been suggested that the end user of the hardware/software is the chief client. What processes are in place to ensure their needs are understood, clearly articulated, agreed upon, and prioritized? These needs form the basis for the post-implementation review.

What are the indicators which demonstrate the success of Information Management and Technology?

KPIs for information technology and systems:

  • Uptime
  • Complaints
    • By type and frequency
    • Time taken to resolve
  • Security
  • Business process re-engineering (workflow automation)

KPIs for information management:

  • Is data being used to design interventions for individualized learning?
  • Is the data being used relevant?
  • How effective were the interventions?

Risk Management

Identification and management of risk is a key activity. 

Operational risks are one aspect: technical glitches, service outages.

In the long run, some suggest that the greatest IT risk is overspending/investment (notwithstanding Moore’s Law). IT is as fundamental to most businesses today as electricity is. As stated at the outset, the I of IT, information, is the business that we are in.

Another aspect of Moore’s Law is that any competitive advantage from IT innovation will be short-lived, hence it is better to focus risk management on vulnerabilities.

Data security. ISO 38505.1 Governance of Data addresses the issue of the security of personally identifiable information. The Australian Privacy Principles apply to PII.

Principle 5 – Conformance

Information management and technology is essential to today’s educational institution. Some of the obligations with which the governing body must comply include:

  • Security of the information collected, including for example, bank account details, TFNs of employees, and the converse: procedures if there is a notifiable data breach.
  • Privacy – including information collected from parents about the health and education records of their children
  • Record retention requirements.

Conformance is about compliance – as management doesn’t want to go to jail, you need to enable them to demonstrate to the board that these obligations are being met.

Principle 6 – Human Behaviour

Is the only time that IT comes to the attention of the Principal when it breaks? Is your school’s vision for IT such that it should be invisible, that it should just happen?

The principle of conformance includes establishing appropriate policies and procedures, as well as training staff in those policies and procedures to not click on the link in that unsolicited email that they are reading at 10pm after the third glass of red wine. However, human nature being what it is…

It must never be forgotten that the end purpose for IT is not about the latest and greatest toy, but about its use.  Part of any change to business processes will necessarily involve training the humans, the end user.  Ultimately, it is the end user who is the client of information technology; given that the technology is just the delivery system for the information required.

Conclusion

It is not the role of the Board to do, but rather to ensure that management does. The board is responsible for ensuring that the School has strategies and policies to ensure that IT meets the business objectives. Competent directors will be well-read on future trends in the industry (it is part of management’s responsibility to provide them with professional reading). The directors of Utopia College would be well-read on the current challenges, as well as the future trends in the industry. Whilst monitoring the existing use of technology (perhaps by receiving the minutes of the IT Steering Committee), the Utopia College board would be asking its Head to investigate the impact of digital disruption on the future operations of the school: will AI include chatbots to deliver lessons remotely, and cause the demise of the boarding school?


[1] ASX Corporate Governance Council, 2019, Corporate Governance Principles and Recommendations, 4th Edition.