1 Introduction

Information technology (IT) is becoming an essential part of businesses and organizations, and their boards expect to benefit from it. However, the results have not always been what was expected, and boards have recognized the need to govern IT. IT governance is no longer an option, because directing and controlling IT assets is better than ignoring them and fixing problems later. IT governance should be part of the corporate governance of every company, including universities, but unfortunately the adoption of practices for implementing good governance is still limited. To better align business needs and strategies with IT, several frameworks try to provide practices for getting more value from IT. In the particular case of universities, adoption is still scarce, a situation prominent in universities in developing countries. Although standardization has provided solutions, guidelines, and frameworks for implementing IT governance in various fields, some knowledge is required before applying such existing frameworks.

COVID-19 has shown that universities increasingly depend on IT and that, therefore, changes in organizational models, major disruptions of processes, and true digital transformations enabled only by new technologies must be achieved quickly. For those reasons, IT must not only be managed but governed, i.e., good IT governance and good IT management are essential (Piattini & Ruiz, 2020; Van Grembergen & De Haes, 2009).

Today’s universities must survive in an environment full of volatility, uncertainty, complexity, and ambiguity. Finding an organization capable of fully functioning in the event of a possible problem with its IT services is a daunting task. As a result, universities strive to invest significant capital in their IT assets to support their staff and other stakeholders, to improve the effectiveness and efficiency of their IT operations and resources, and to maintain corporate sustainability (Nolan & McFarlan, 2005; Van Grembergen et al., 2004; Weill & Ross, 2004).

However, investments in information technology may not have the expected impact on learning outcomes or tangible research benefits. The importance a university places on IT should not be considered in isolation and in terms of cost alone, but as an integral part of the university's competitiveness strategy. Universities need to consider whether their IT capabilities improve their competitiveness in their research and learning processes; whether their IT investment goals are seen as a strategic priority; whether they are using IT effectively according to the governing body's strategy; whether board members are aware of their responsibilities relating to the direction and control of IT, or of what is delegated to IT managers; and whether IT projects are sustainable and produce the expected results, among other controls. In short, they need to consider whether the organization is achieving acceptable value for its IT investments (Fernández et al., 2022).

The purpose of this chapter is to assist boards, rectors, presidents and delegated committees, and other key stakeholders in assessing the capability and maturity of the arrangements for the governance of IT in the universities as Higher Education Institutions (HEIs).

The chapter provides an objective approach for determining whether the university is appropriately governing IT, as well as examples of the practices, pieces of evidence, and beneficial outcomes of the good governance of IT. The results of the assessment can be used to assist the University authorities to determine where and how the governance of IT can be improved in its organization. To summarize, this chapter helps to plan and conduct an evaluation of universities’ governance of IT.

The chapter is organized as follows: first, the concepts, definitions, standardization, and benefits of governing IT at any organization or company are reviewed; second, the assessment of the governance of IT is presented, considering the ISO/IEC 38500 family of standards; third, experiences in IT governance at universities are discussed; fourth, the evaluation of IT governance for universities is presented as an adaptation of the assessment method of the ISO/IEC 38500 standard (this is possible since the corresponding author is also one co-editor of the ISO/IEC 38503 standard); fifth, some of the IT governance evaluation approaches at universities are recalled, with special attention to the ITG4U projects implemented in almost 30 universities in Spain, Tunisia and Albania; and finally, the solutions, recommendations, future research and conclusions are presented.

2 Governance of IT: Concepts, Definitions, Standardization and Benefits

According to the governance of IT standard, ISO/IEC 38500 (2015, p. 5), IT governance is a component of corporate/organizational governance, and is a “system by which the current and future use of IT is directed and controlled”. Venkatraman et al. (1993, p. 141) indicated that IT governance is the “selection and use of mechanisms for obtaining the required IT competencies.” Other authors focused on authority and responsibility for IT decisions: “IT governance arrangements refers to the patterns of authority for key IT activities in business firms, including IT infrastructure, IT use, and project management” (Sambamurthy & Zmud, 1999, p. 261), “IT governance extends the board’s mission of defining strategic direction and ensuring that objectives are met, risks are managed, and resources are used responsibly” (Guldentops, 2002, p. 116), “IT governance describes the distribution of IT decision-making rights and responsibilities among different stakeholders, and the procedures and mechanisms for making and monitoring strategic decisions regarding IT.” (Peterson, 2004, p. 7).

All these definitions indicate that good corporate IT governance has a direct implication in the alignment of business objectives with IT objectives. IT must be oriented to achieve institutional objectives, i.e., a strategic role must be assigned to IT. Because IT is becoming an essential part of the business and the board is expecting to obtain value from it, IT must not be a mere support tool for users. Thus, IT only increases the performance of those organizations that can govern them adequately (Weill & Ross, 2004).

IT governance is no longer an option; the results did not always live up to expectations, and the board recognized the need to manage IT by paying more attention to directing and better controlling its IT assets (Juiz & Toomey, 2015).

The concept of IT governance has evolved, as has its definition, in an attempt to incorporate the new visions and models explained above. The concept of IT governance is not new, as it has attracted interest since the 1960s, although it was only in the late 1990s that it began to be known by this name (Sambamurthy & Zmud, 1999). Although different authors have provided solutions, guidelines, and frameworks for implementing IT governance in different fields, the definition of IT governance is generally very complex because there is no consensus on the terminology used or its interpretation, since it is a topic handled by experts from different fields: auditing, strategic planning, systems management, security, risk, etc. (Piattini & Ruiz, 2020). Table 1 presents a shortlist of definitions of IT governance.

Table 1 Some IT governance definitions

According to Table 1, IT governance includes different issues to different experts, e.g., locus of authority, business-IT alignment, IT support business strategy, maximum return from IT and business value creator, decision rights, risks control, prioritization and justification of IT investments, accountability, performance evaluation, etc. Definitions highlight different aspects depending on the researcher’s profile, e.g., business, IT, information systems (IS), risks, audit, etc., but most of them are more focused on processes, structure, and strategy than the behavioral part of good governance (Juiz & Toomey, 2015). Fortunately, since 2008 there is an international standard for the governance of IT.

2.1 IT governance Standardization

The IT governance standard ISO/IEC 38500 was the first international standard to provide differentiated guidance on IT governance. The standard was introduced in 2008 based on the 2005 Australian standard AS8015 (Toomey, 2009) and revised later in 2015, and ISO now plans to prepare the third publication in the next few years. This standard is the development and consolidation of the work of most of the authors and researchers in IT governance shown in Table 1. The standard model is based on the need to standardize best practices and behaviours in governing the current and future use of IT in any organization, regardless of its environment and of what mechanisms or frameworks it has adopted. Different organizations may adopt different approaches under ISO/IEC 38500, and therefore governance frameworks may differ in design between different organizations (Juiz, 2011). In fact, for a long time, some organizations have confused IT governance with IT management. This error can be attributed to the blurred line between governance and management, and it has caused some de facto IT management standards to attempt to include certain governance mechanisms (Toomey, 2009). The conceptual model of IT governance is shown in Fig. 1.

Fig. 1 IT governance model of the ISO/IEC 38500 standard, illustrating its three tasks: direct plans or policies, evaluate proposals, and monitor performance. (Source: Juiz and Toomey 2015)

Therefore, ISO/IEC 38500 is built on good governance practices, providing a smooth and transparent communication structure between governance and management (Juiz & Gómez, 2021). These practices are based on three main tasks (Toomey, 2009):

  • Evaluate: to examine and judge the present and future use of IT, including strategies, proposals, and supply agreements (internal and external).

  • Direct: directing the preparation and implementation of plans and policies and assigning responsibilities for that purpose. Ensure the correct transition of projects to production, considering the impacts on the operation, business, and infrastructure. Promote a culture of good governance of IT in the organization.

  • Monitor: through measurement systems, monitoring the performance of IT and also the conformance of IT, ensuring that it is adjusted to plans, norms, rules and regulations.

The goal of ISO/IEC 38500 is to maintain the flow of communication that forms between the IT management and operations layers when performing these three tasks. The governing board should direct, evaluate, and monitor IT management concerning the organization’s use of IT, establish policy and strategy, and monitor management implementation and compliance with the rules and regulations (Juiz & Toomey, 2015). However, some aspects of these duties are delegated to IT managers, while the board ensures that responsibility is properly delegated and dedicates itself to certain aspects such as evaluating and approving strategy and investment decisions, defining IT usage policies and their formal oversight, and ensuring that complete and reliable information is available. Thus, the standard is addressed not only to the governing body and administrators of the organization but also to managers as well as other internal and external partners involved.

In addition, the ISO/IEC 38500 standard defines six general principles of IT governance which represent desirable behaviour to guide IT decision-making.

These six general principles are:

  1. Responsibility: all members of the organization must understand and accept their responsibilities in both the supply of and demand for IT. Responsibility for actions carries with it the authority to implement those actions.

  2. Strategy: the business strategy of the organization considers the current and future capabilities of IT. IT strategic plans meet current and projected needs derived from the business strategy.

  3. Acquisition: IT acquisitions are made for valid reasons based on an appropriate and ongoing analysis, with clear and transparent decisions. There is an appropriate balance among benefits, opportunities, costs, and risks in both the short and long term.

  4. Performance: IT is dimensioned to support the organization, providing services with adequate quality to meet current and future needs.

  5. Conformance: IT function complies with all applicable laws and regulations. Policies and practices in this regard are clearly defined, implemented, and required.

  6. Human behavior: IT policies, practices and decisions demonstrate respect for human behavior, including the current and emerging needs of all people involved.

By following three tasks and six principles, the standard applies to any organization, i.e., it has been designed in such a way that it can be applied by any organization regardless of its type, shape or size, including universities. For this reason, it does not give guidance on specific processes to be performed, controls to be implemented, or structures or even roles to be defined. Thus, the standard presents both opportunities and burdens: the opportunity to freely apply what works best for each organization, assuming that there are mechanisms in place that would facilitate IT governance (if the organization were to follow those mechanisms), and the burden of setting up, designing, and defining a specific IT governance approach for each organization.

In this sense, the activity of a governance body to direct and control IT activities and to build decision-making models, combined with the activity of an IT management structure to develop and support systems, processes, and procedures, is reflected in the development of the IT Governance Framework (Holt, 2013). However, as mentioned above, the line between IT governance and IT management is blurred, leading to some concepts that share aspects. On the one hand, IT governance is the direction and control of IT-related activities in an organization and oversees all IT matters (Juiz, 2011). On the other hand, from an IT governance perspective, IT management is mainly about implementing policies, processes, and procedures, building projects, and maintaining services (Juiz et al., 2018).

But the IT management practices for building and supporting IT assets are based on the process approach popularized by Deming, i.e., the Plan-Do-Check-Act (PDCA) cycle. As a result, management standards and best practices are determined based on this iteration, which runs the cycle over and over again and further expands management knowledge.

However, IT governance activities are different, as the governing body is responsible and accountable for strategic direction (Direct) and the evaluation of business-oriented proposals in IT governance (ISO/IEC 38500, 2015). In ISO/IEC 38500, the governing body is supposed to require IT managers to define processes and procedures for planning, building, and managing an IT-based organization, to implement them, and to perform actions under the direction of the governing body but at the same time under its control. This implicit nature of the relationship between IT governance and IT management in standardization can cause misunderstandings about “who is responsible for what” and “why”. But IT governance, when implemented, yields returns that are not reached by only managing IT.

2.2 Benefits of Governing IT

In all cases, IT governance involves appropriate behaviours on the part of the governance body and management to create and maintain a governance framework for the use of IT that delivers the most lasting value, consistent with stakeholder expectations including (ISO/IEC 38503, 2022):

  • continuous innovation in services, markets, and business;

  • clear accountability and responsibility for both IT supply and demand in achieving the organization’s strategic goals;

  • ensuring business continuity and sustainability through IT;

  • realize the expected return of each IT investment;

  • comply with relevant obligations (regulatory, legislative, common law, and contractual);

  • effectively control IT risk management;

  • constructive relationship and effective communication between the business and IT management as well as with external partners.

All of these benefits are realized when the IT governance framework is fully implemented and enforced within the terms of the assessment as further explained in the following assessment section.

3 Assessment of the Governance of IT

Even though there is one de facto framework and one de jure standard, COBIT 2019 (2018) and ISO/IEC 38500 (2015), respectively, it seems that organizations are still dealing with the implementation of IT governance from scratch. According to Piattini and Ruiz (2020), the great challenge of IT governance is still the alignment of business processes with IT, and it is not fully solved. The difficulties that organizations have in implementing IT governance may be due to several causes, which are extensible to universities (see Table 1):

  • There are many definitions of what IT governance is and how it differs from IT management, each with different approaches (Ko & Fink, 2010; Robb & Parent, 2009).

  • It seems that there are more popular topics/concepts in the definitions depending on the interests or needs of the author/researcher, showing no consensus (Robb & Parent, 2009).

  • Several empirical studies show the theory-practice gap in implementing IT governance in organizations (Buchwald et al., 2014; De Maere & De Haes, 2017; Smits & Van Hillegersberg, 2018; Teo et al., 2013b).

  • Some barriers to the implementation of IT governance are related to social aspects such as lack of communication between IT governance and IT management (Juiz et al., 2019a), lack of understanding and trust, and different executives’ perceptions of IT business value (Buchwald et al., 2014; Parry & Lind, 2018; Phiri & Weiguo, 2013; Rahimi et al., 2016; Teo et al., 2013a; Yudatama et al., 2017).

Problems in IT governance are not particular to a given country or continent. IT governance artefacts can be common in almost all countries in the world. Organizations can experience a wide variety of challenges, which can prevent them from achieving the desired outcomes from their efforts at governing IT (ISO/IEC 38503, 2022), including:

  • the governing body and executive managers delegating the responsibility for the governance of IT to those responsible for implementing technology;

  • the lack of policies and frameworks clarifying the relationship between the governance of IT and management of IT;

  • dependence on organizational processes, rather than effective decision making, appropriate behaviours, proper communication and suitable human interactions;

  • difficulty monitoring and measuring behaviours and expected outcomes, including:

    • ensuring that IT objectives are aligned to the organization’s purpose and objectives;

    • ensuring that IT risks are known and mitigated;

    • stewardship of enterprise assets, resources and continuity planning;

    • conformance by the organization with established and expected norms of behaviour;

    • holding IT accountable for the delivery of services and solutions;

    • evolution of business models through the use of information and the adoption of new technologies.

Therefore, to evaluate the level of maturity of the IT governance in an organization, the governing body shall define the scope, requirements, and objectives of the assessment. The governing body shall also identify those stakeholders which require, or might benefit from, the results of an assessment of the governance of IT. For these stakeholders, the needs and expectations shall be taken into consideration when designing the assessment.

In establishing the scope, focus and priority of the assessment, consideration shall be given to evaluating issues of the highest importance to the organization to achieve the greatest benefits and not waste resources. This can take into account the level of operational reliance on IT, the existence of assurance inputs, as well as any specific strategic initiatives of importance and priority to the organization.

Table 2 shows areas related to the implementation of governance of IT, as described in ISO/IEC TS 38501, that shall be considered when defining the scope of the assessment.

Table 2 Areas for implementation of the governance of IT

Thus, observing the implementation model of the standard, there are three main areas of the implementation of the governance of IT: establishing and sustaining an enabling environment, the action of governing IT, and finally, continually reviewing the IT governance framework (ISO/IEC 38503, 2022). Eventually, all three areas may be considered by the evaluation process.

It is important, therefore, for organizations to adopt a structured method to assess whether their governance of IT arrangements is achieving the desired outcomes and the key benefits (ISO/IEC 38503, 2022), including:

  • assisting with the development of the framework for the governance of IT;

  • determining the strengths and weaknesses of the current governance of IT capability;

  • helping to determine improvement actions that need to be taken;

  • improving the levels of engagement between executive managers and the governing body as regards expectations and outcomes related to the governance of IT;

  • creating awareness in the governing body of their roles and responsibilities as regards the governance of IT;

  • assisting organizations with IT conformance;

  • providing feedback to the governance stakeholders and support staff.

4 IT Governance in Universities

Higher Education Institutions (HEIs) are a key element in the modernization of society for the fundamental teaching and learning process that allows the dissemination of the most advanced knowledge to students and for the research function of the university. It focuses on creating knowledge which is the basis for solving problems of companies and organizations (Brooks, 2005).

IT has long been just a tool in universities, but the role of technology in higher education is focusing on the following aspects: cost management, online learning, financial health, affordability and digital equity, information security, student success, equitable access to education, institutional culture, technology alignment, technology strategy, and enrollment and recruitment (Grajek, 2020).

The higher education sector is not a pioneer in implementing IT governance solutions, although the first signs of interest in IT governance stem from the strategic alignment model of Henderson and Venkatraman (1993). Although the use of IT in universities increased, their interest was mainly focused on the effective management of their technology resources, as fundamental support for the rest of the university's services.

Therefore, in general, universities carried out IT governance implementation initiatives on their own. For example, some American universities used COBIT to implement an IT governance model, such as South Louisiana Community College (Council, 2006). Other universities designed their own IT governance models based on the literature. Thus, the University of California included in its IT Strategic Plan elements of an IT governance model (University of California, 2008); Ridley (2006) proposed an IT governance model for the University of Guelph based on Weill and Ross (2004); and in South Africa, Pretorius (2006) designed a model for Pretoria University. In Canada, the University of Calgary (2007) designed its own model, which applied only to the administration area and included the design of an architecture based on the creation of several committees, the assignment of responsibilities and roles related to IT, risk management, and the use of an excellent methodology for project management. In the U.K., Coen and Kelly (2007) designed a benchmark model (JISC, 2007b) and a self-assessment toolkit (JISC, 2007a) that helped universities to clarify the complex tangle of governance-related elements of their information systems. In fact, the JISC model inspired the ITG4U model applied in Spanish universities (Fernández, 2009; Fernández et al., 2011, 2012; Fernández & Llorens, 2009; Llorens & Fernández, 2008). It is worth highlighting the Australian higher education institutions, where several of them have implemented IT corporate governance systems (Bhattacharjya & Chang, 2006, 2007).

Meanwhile, McCredie (2006) proposed starting IT governance implementations by promoting the IT manager (CIO). The CIO had to move from dealing only with technical issues to gaining presence in the strategic planning of the institution. He also stated that if the university did not have an IT manager, they had to create one, and if they did have one already, but did not deal with strategic issues, they had to redefine such a role to do so. Furthermore, according to Yanosky and McCredie (2007) and Yanosky and Borreson Caruso (2008) studies, two-thirds of universities had created a high-level committee (IT Steering Committee) that oversaw the organization’s IT policies and initiatives, but only 22% of universities had a subcommittee of the Steering Committee dedicated to designing IT strategy and policies.

Since then and to date, numerous studies have focused on the concept of IT governance applied to the university and higher education sector, highlighting various aspects, e.g., security issues (Kwon, 2008; Liu et al., 2020), business-IT alignment (Martins et al., 2009; Seman & Salim, 2013) through IT project portfolio (Juiz, 2011; Juiz et al., 2012; Ngqondi & Mauwa, 2020; Valverde-Alulema & Llorens-Largo, 2019) or using BSCs (Jairak & Praneetpolgrang, 2013), best practices guidelines and processes (Caetano Borges & Sanches Miani, 2018; Hicks et al., 2010; Juiz et al., 2014; Knahl, 2013), theory-practice gaps (Ko & Fink, 2010), methods and maturity models (Bianchi & Sousa, 2015; Hontoria et al., 2011; Kosasi et al., 2017; Montenegro & Flores, 2015; Pereira et al., 2018; Putri & Surendro, 2015; Subsermsri et al., 2015; Torres Bermúdez et al., 2014; Valencia-García et al., 2013), standard and frameworks adoption (Erfurth & Erfurth, 2014; Gerl et al., 2021; Gómez et al., 2017; Juiz et al., 2014; Khther & Othman, 2013; Musa et al., 2014; Nugroho, 2014; Nugroho & Surendro, 2013; Rijati et al., 2017; Sabatini et al., 2017; Serrano et al., 2017; Valencia-García et al., 2014; Valverde-Alulema, Mejia-Madrid, & Meza-Bolaños, 2017), and its mechanisms (Bianchi et al. 2017a, b; Bianchi et al., 2021), among others. Furthermore, several systematic literature reviews (SLRs) were developed focusing on some of the abovementioned aspects applied to HEIs.

On the one hand, Khouja et al. (2018) provided an overview of the state of the art of IT governance in HEIs. They analyzed 49 studies about IT governance implementations from 23 countries, where Australia, Indonesia, Malaysia, Thailand, the U.S., and Canada presented the most results. The literature review showed differences among the IT governance situations: several countries had the support of the top-level government with regulatory frameworks and laws about introducing IT governance in higher education institutions, such as Ecuador, South Africa, or the U.K.; others focused on the spread of IT governance culture, e.g., the U.S., Australia, or Malaysia. The study also showed a lack of consensus on the IT governance framework or standard used, as the institutions implemented solutions based on COBIT, ISO/IEC 38500, or their own framework. However, what they had in common as best practices were establishing a committee structure for IT assets, establishing effective communication among IT (Juiz et al., 2019b), the business, and the involved stakeholders, achieving institution-IT strategy alignment, and using a balanced scorecard as a monitoring and measuring model.

On the other hand, Kajo-Meçe et al. (2020) investigated the overall adoption of IT governance frameworks in HEIs, providing a deep insight into the level of integration of IT governance in universities worldwide. They analyzed 40 studies from 23 countries where Australia and Malaysia presented the most results. They noticed that the adoption of IT governance frameworks was still scarce, as most universities were evaluating their IT governance maturity level before proposing a framework adoption, while others were facing challenges in implementing them, such as resistance to change and communication issues among parties. Although COBIT was the most adopted framework by the analyzed HEIs, most of them preferred to build their own framework. Nevertheless, the benefits reported were improved quality of service and user satisfaction, and better alignment of IT investments with the university's business goals.

According to Buchwald et al. (2014) practitioners have difficulties in understanding IT governance and thus managers resist being governed. Such a situation gets worse in developing countries as they are facing several challenges implementing IT solutions. Because they are less mature in IT aspects, they are also less mature regarding IT governance concepts and importance, while they are struggling to be competitive in the higher education sector (Aasi et al., 2017, p. 14).

As explained before, providing a unique definition of IT governance is difficult due to the differences in perceptions of IT governance objectives, properties, and responsibilities. The available IT governance recommendations and guidelines are diversified and, in some cases, based on lengthy and complicated methods (Bin-Abbas & Bakry, 2014). For this reason, among others, specific models in emerging countries have been developed, instead of directly adopting the existing ones. For example, in Thailand, Jairak and Praneetpolgrang (2011) studied the state of IT governance in Thai HEIs revealing their universities were in an initial stage and their IT executives were not familiar with the IT governance principles. Afterwards, they implemented several initiatives to improve their IT governance situation by using BSCs (Jairak & Praneetpolgrang, 2013), and a set of IT governance best practices based on the ISO/IEC 38500 standard (Subsermsri et al., 2015). Similarly, in Malaysia, Seman and Salim (2013) developed a business-IT alignment model for their public universities, while Ahlan et al. provided an IT governance decision-making support framework (Ahlan et al., 2014; Arshad et al., 2014). Furthermore, Musa et al. (2014) presented their own IT governance framework applied to a Malaysian HEI. More recently, Mukhlas et al. (2017) studied the IT governance maturity in Malaysian HEIs to identify and address areas of improvement, and Liew et al. (2018) identified challenges and barriers faced in IT governance implementations such as lacking IT governance awareness and support from the board.

In Brazil, Bianchi and Sousa proposed an IT governance model and IT governance frameworks adapted to HEIs (Bianchi & Sousa, 2015, 2018), a study about IT governance structures archetypes appropriacy for HEIs (Bianchi, Sousa, Pereira, & Luciano, 2017b), and how culture affects IT governance mechanisms in HEIs (Bianchi et al., 2019). Zaneti-Putz et al. (2017) provided an overview of the IT governance in Brazilian HEIs focusing on its strategic alignment and its developed actions in identifying threats and opportunities. Caetano Borges and Sanches Miani (2018) identified IT governance best practices implemented in Brazilian HEIs while several authors assessed its state showing a lack of business-IT alignment (R. S. Almeida & de Souza, 2019), IT services portfolio not supporting the business (Ceratti et al., 2019), and lack of adoption and communication absence between IT and the organizational management (Franklin Frogeri et al., 2020). Otherwise, in Ecuador, researchers and practitioners focused on IT governance models and frameworks, including its assessment, based on COBIT and the ISO/IEC 38500 standard (Espinoza-Aguirre & Pillo-Guanoluisa, 2018; Montenegro & Flores, 2015; Valverde-Alulema et al., 2017; Zambrano-Vera & Molina-Sabando, 2017), while in Indonesia, researchers assessed their IT governance state using the ISO/IEC 38500 standard (Putri & Surendro, 2015) and COBIT (Kosasi et al., 2017, 2019; Sabatini et al., 2017; Wijayanti et al., 2017), and provided strategy alignment models based on BSCs (Herdiansyah et al., 2014) and on both the ISO/IEC 38500 standard and COBIT (Rijati et al., 2017). Some efforts of alignment and COBIT implementation were developed in Morocco (Ahriz et al. 2018a, b), Egypt (El-Morshedy et al., 2014), and Brunei (Seyal et al., 2016). Furthermore, studies about the IT governance situation were developed in Colombia (Marulanda Echeverry et al., 2017), Ghana (Yaokumah et al., 2015), and Mexico (Castañeda De Leon et al., 2018). 
Although interest in IT governance in developing countries’ HEIs is growing, the state of their practices and frameworks is still in incipient phases, as highlighted by Kajo-Meçe et al. (2020) in their systematic mapping review.

5 Evaluation of IT Governance in Universities

IT is not only very important for organizations and enterprises, where it plays a key role in business activities, but is also a competitive element with wide social impact. In this sense, universities do not fall behind, because IT is present and much needed in their three main activities, i.e., teaching, research, and administration. Recently, not only managing but also governing IT is getting attention from the practitioner and research sides, given the need to align the organization’s strategy and objectives with IT. IT governance helps to set clear expectations, gain participation, open communications, establish accountability and provide executive management oversight. Furthermore, IT governance and the alignment with business strategy in HEIs are gaining importance (Khouja et al., 2018).

However, special needs in the deployment of IT governance frameworks are purely local (i.e., dependent on the university teaching portfolio, the ownership of the HEI, the level of knowledge on the topic, the local governance rules, the governance culture, etc.). For this reason, already implemented approaches in IT governance for universities in developed countries can be used as inspiration for a “Glocal” initiative. Previous success case studies and current competence on the topic will lead to a better IT governance setup.

5.1 Early Signs of Not Governing IT at Universities

When the governance of IT is not even considered at universities, several problems are common in these institutions, as observed by several practitioners implementing IT governance frameworks from scratch (Gómez et al., 2017):

  • No IT governance process, structure, or communication: Governance of IT does not exist at all and either the board or the IT staff is not aware of its necessity. Thus, no process for controlling the IT staff from the board is ever implemented formally. The result of this absence of a control process means having no regular agenda for directing or controlling the IT management. There is not any structure or committee to communicate the board strategy, either.

  • Outsized power of IT management in IT decision-making: The consequence of no control over the IT staff is the outsized power of the IT function in the institution, e.g. the IT department negotiates the project portfolio directly with the stakeholders and the IT investments with the CFO.

  • CIO and CTO roles not clarified: Since IT managers may be acting as CIO and CTO, the creation of the CIO office (as a brand new governing structure) usually provokes a turf battle between the CIO and the IT managers.

  • Absence of reporting, control and accountability: Since there is no formal communication for the IT-business alignment from the board, the IT function remains uncontrolled and then there is no motivation for IT staff for building accountability processes, either.

  • Lack of confidence in IT assets and IT staff by the board: The absence of formal and proper communication between the board and the IT staff always causes low confidence from board members in any situation in which IT assets are involved. Every activity of the IT department is always under suspicion of bad performance from the board viewpoint.

  • No strategy for IT, just short-term tactics: Due to the lack of communication and confidence from the board to the IT department, the latter implements its vision of IT assets, resulting in biased decisions about the IT deployment at the institution.

  • IT investment based on cash-flow availability for infrastructure: IT management spends most of the time fighting for money with the CFO or other stakeholders with their own IT budget.

  • Data and process architecture decisions are based on IT staff knowledge; neither user interests nor institutional strategy is considered: Architecture decisions are usually delegated to IT managers, but these decisions must be supervised and controlled by superior layers of the organization.

  • No consideration for compliance, just defensive tactics based on technical issues: The IT department may usually be concerned with conformance issues, but only as a defensive argument in new projects or services demanded by the institution stakeholders.

  • No participation by users, business units, board members or any stakeholder in IT-related decisions in strategic project portfolio and prioritization: The project management and governance methodology are based on ad hoc processes and decisions without using any kind of standardization for the stakeholders’ participation in projects. Thus, sponsors of the projects together with IT staff decide on a biased direction of the IT innovation instead of implementing a general strategy.

  • Communication with stakeholders by demand or by claim: The communication of IT staff with the stakeholders is reactive and defensive. Firefighting activity in the IT department remains the busiest task for the IT function, leaving no time for tactics and even less for strategy issues.

  • Non-IT departments view the IT staff as an obstacle to their mission: The reactive communication and the absence of control of the IT staff contribute to their being seen as employees sidelined from the institution’s concerns.

These are just some examples of the situations encountered in the author’s experience coordinating several EU projects of IT governance for universities in several countries and his own experience as a practitioner and researcher about the governance of IT.

5.2 How to Assess the IT Governance at Universities

To evaluate the governance of IT in Universities, the model foreseen by the ISO/IEC 38500 standard should be followed, adapting it to this type of educational and research organization. The governance of IT practice areas represent the key areas of focus for the organization when effectively governing IT. Seven practice areas have been identified, with the first being derived from ISO/IEC TS 38501 and ISO/IEC TR 38502. The other six practice areas are derived from the six principles in ISO/IEC 38500. Examples of what should be evaluated in each practice area are:

  • Enabling mechanisms: The governing body at the University monitors that appropriate mechanisms for governance of IT are established and regularly evaluates the organization’s internal conformance to its framework for the governance of IT.

  • Responsibility: The governing body at the University directs that plans should be carried out according to the assigned IT responsibilities, monitors the performance of those given responsibility in the governance of IT (for example, those people serving on steering committees or presenting proposals to the University governing body) and evaluates the options for assigning responsibilities in respect of the organization’s current and future use of IT.

  • Strategy: The governing body at the University evaluates options for assuring effective, timely decisions about the use of IT in support of business goals, directs the preparation and use of strategies and policies that ensure the organization benefits from developments in IT and monitors the extent to which IT supports the business.

  • Acquisition: The governing body at the University evaluates options for providing IT to realize approved proposals, balancing risks and value for the cost of proposed investments, monitors the extent to which allocated resources and budgets are prioritized according to business objectives and directs that IT assets (systems and infrastructure) be acquired appropriately, including the preparation of suitable documentation, while ensuring that required capabilities are provided.

  • Performance: The governing body at the University evaluates the plans proposed by the managers to ensure that IT will support business processes with the required capability and capacity, evaluates the proposals to address the continuing normal operation of the organization and the treatment of risk associated with the use of IT and also evaluates the risks to the continued operation of the business arising from IT activities.

  • Conformance: The governing body at the University directs that policies are established and enforced to enable the organization to meet internal obligations in its use of IT, monitors IT activities, e.g. disposal of assets and data, to ensure that relevant obligations are met and regularly evaluates the extent to which IT satisfies obligations (regulatory, legislation, contractual), internal policies, standards and professional guidelines.

  • Human behaviour: The governing body at the University evaluates IT activities to ensure that human behaviours are identified and appropriately considered, directs that IT activities are consistent with identified human behaviour and monitors IT activities to ensure that identified human behaviours remain relevant and that proper attention is given to them.

These are only some important examples of what to consider in the assessment framework for the seven practice areas of the governance of IT at Universities. Evaluators shall engage with the governing body at Universities and senior management to understand their specific governance of IT current situation and then customize it to suit their particular organizational circumstances and practices. Indicators can be qualitative or quantitative but should aim to be specific, relevant, realistically achievable and measurable.

However, each of the actions, tasks, and practices that these seven areas contain should be evaluated in depth to see whether the governing body of the University is not only establishing and sustaining the mechanisms of governance of IT through these actions, tasks, and practices in line with the six principles, but also whether it obtains evidence of them and achieves beneficial outcomes. Therefore, each of these areas should be evaluated in three categories of indicators or characteristics, as defined in the core standards, namely: governance tasks and practices (evaluate, direct and monitor), evidence of success (deliverables indicating the achievement of beneficial outcomes), and beneficial outcomes (organizational objectives achieved through IT). The first issue is doing the tasks, then having pieces of evidence and finally getting results. Thus, the contents of Table 3 are usually implemented from left to right.

Table 3 Areas for assessment of the governance of IT

In Table 4, an example of enabling mechanism practices is shown. In the example, the governing body monitors that a complete IT governance framework is established and that there is at least an IT governance steering group, with the result that IT is administered and led. In Table 5, an example of responsibility is also shown, where the governing body at the University directs that planning is carried out for executive university managers (governance directs management) to implement IT solutions producing value, quality, and effective and efficient services, including change management in the core processes of the higher education institution business.

Table 4 Example of one enabling mechanism at the University and the three areas of evaluation
Table 5 Example of one responsibility practice at the university and the three areas of evaluation

5.2.1 Assessment Method of the Governance of IT at Universities

Following the ISO/IEC 38503 standard, the assessment method for the governance of IT is defined by applying a measurement model of governance of IT for each practice area. To simplify the evaluation of the governance of IT, the measurement model is applied to the overall three areas of governance of IT. Thus, measuring the three areas results in a maturity model for the evaluation of the governance of IT at Universities. The implementation of the three areas may differ across universities to suit their particular organizational circumstances.

The progress and evolution in IT governance expected to be observed in the different Universities to be evaluated should follow these incremental criteria:

  • Not having a formalized governance of IT at the University means a low level of governance of IT maturity;

  • To improve the level of maturity, the governing body at the University should first undertake appropriate governance of IT tasks and practices (first column in Table 3);

  • Then, this implementation can lead to improved deployment and use of IT in the organization, as demonstrated by pieces of evidence of success (second column in Table 3);

  • Therefore, the IT governance implementation can support and enable the achievement of planned and unexpected beneficial outcomes for the organization (third column in Table 3).

ISO/IEC TS 38501 defines a measurement model that is more qualitative than quantitative since principles-based standards focus on the achievement of outcomes, rather than the means of achieving outcomes.

The measurement model from ISO/IEC TS 38501 has been adopted in ISO/IEC 38503 with minor amendments to include the evaluate, direct and monitor (EDM) tasks and practices. The standardized rating scale is maintained (left-hand column), with specific measures being defined for each of the three categories of governance of IT.

This is shown in Table 6.

Table 6 Measurement rating scale for the assessment of practice areas in IT Governance

Thus, the evaluation method’s goal is to assign different levels of maturity at universities depending on the measurement of the three areas of governance of IT. The contents of Table 7 try to illustrate how increasing deployment of the three areas of practice gives an increasing score in maturity for universities governing IT.

Table 7 Governance of IT maturity model for universities based on ISO/IEC 38503

5.3 IT Governance Evaluation Approaches at Universities

Although dependence on IT in developing organizations is increasing, in several regions such as the African continent and the Balkans the penetration of IT governance is weak (Kajo-Meçe et al., 2020; Khouja et al., 2018). In this sense, universities can spread IT governance concepts and influence society directly. However, much IT governance-related research tends to focus on developed countries, and thus the viability of these established IT governance artefacts in developing economies is unclear, as they might be generic and might require considerable effort and cost to customize to a specific context (Nfuka & Rusu, 2011).

According to recent studies, for instance Subsermsri et al. (2015), the three main obstacles to IT governance implementation in universities are (1) lack of clear IT governance principles, (2) budget limitations and (3) lack of a method for selecting the IT governance framework. Some of these inhibitors are still affecting organizations today: a weak relationship between IT and the business, IT investments not adequately prioritized, IT not getting support or commitments, IT not understanding the business, top management not supporting IT, and IT managers lacking leadership. Aasi et al. (2017, p. 14) studied IT governance in public organizations in developing countries. They interviewed the CIO of a public university, who stated that the implementation of IT was slower than in developed countries and therefore they are less mature in terms of IT governance. However, they feel the urge to be competitive quickly. The literature also showed problems when directly implementing existing frameworks and standards, e.g., the ISO/IEC 38500 standard and COBIT, in developed countries (Phiri & Weiguo, 2013; Steuperaert, 2016). Dahlberg and Kivijärvi (2006), Pereira and da Silva (2012), and Racz et al. (2010) argued that COBIT and ITIL are too complicated to implement. They also highlighted a lack of process prioritization, addressed also by Steuperaert (2016). Trying to reduce such difficulties, specifically in developing countries, El-Mekawy et al. (2015) focused on helping and facilitating practitioners’ tasks when implementing business-IT alignment in any organization, adapting solutions and frameworks from the literature.

IT governance applies to any type of organization, regardless of its size, age, location, purpose, or public or private nature (ISO/IEC 38500, 2015). Thus, the application of IT governance to the university environment becomes not only a possibility but a necessity, as a mechanism to generate value for the entire university community and the society in which its activity is framed. However, according to Weill and Ross (2004), the managers of non-profit organizations, such as universities and higher education institutions (HEIs), had difficulties when they tried to implement existing frameworks. Those frameworks had been designed to improve for-profit organizations, companies in general, where the measures of performance and the value of both the stakeholders involved and the company were clear. Thus, non-profit organizations’ leaders needed a different governance implementation than the model suggested by the ISO/IEC 38500 standard to better suit their specific situation.

In 2007, the EDUCAUSE Center for Analysis and Research (ECAR) promoted the IT Governance Study 2007, which was based on general concepts of IT governance but surveyed at the university level. 438 IT managers from universities around the world participated in the study (Yanosky & Borreson Caruso, 2008; Yanosky & McCredie, 2007). The respondents stated that the reasons for implementing a formal IT governance system at the university are first, business-IT strategy alignment (73.5%), second, promoting the existence of an institutional vision of IT (50.5%), and third, promoting and collecting common information (38.1%). It should be noted that the reduction in costs and the increase in efficiency ranked fifth out of nine, with 25.1% of the responses. In contrast, the IT governance implementation barriers at the university (Yanosky & McCredie, 2007) were informal/decentralized culture (41.6%), lack of participation of the necessary agents and their subsequent support (40.4%), insufficient government coordination (30.8%), and lack of adequate funding (28.3%).

As discussed in the second chapter, some universities used COBIT to implement an IT governance model, such as South Louisiana Community College (Council, 2006). Other universities designed their own IT governance frameworks and models based on IT governance concepts. Thus, for example, the University of California included an IT Strategic Plan using an IT governance model (University of California, 2008); Pretorius (2006) designed a model for the University of Pretoria; Ridley (2006) proposed an IT governance model for the University of Guelph based on aspects from Weill and Ross (2004); and the University of Calgary (2007) designed a model including the creation of several committees, the assignment of responsibilities and roles related to IT, risk management, and a methodology for project management. Perhaps the reference framework for universities was the work of Coen and Kelly (2007), who designed the JISC model (JISC, 2007b) with their self-assessment toolkit, which helped universities to clarify the complex tangle of elements related to IT governance.

All these past experiences served as a reference for the design of a tailored solution adjusted to the needs of Spanish universities.

The IT governance situation in Spanish universities was not clear because there was no institutional role to support it. In 2003, the CRUE (Spanish acronym for Spanish Universities Rectors Conference) established the commission CRUE-TIC (Spanish acronym for the Sectoral Commission for Information and Communications Technologies), led by a rector, which was born from a working group within the CRUE that was concerned and sensitized about the role that these technologies were already playing in the Spanish institutions. In 2008 and 2009, CRUE-TIC surveyed the Spanish universities regarding their IT governance situation, and the results showed low IT governance maturity in the Spanish HEIs (Fernández, 2008; Llorens & Fernández, 2008). Thus, to improve the situation they supported the implementation of the IT governance for universities (ITG4U) model, which was crucial to getting the participation of the universities.

The ITG4U model is based on and fully respects the IT governance model proposed by the ISO/IEC 38500 standard. Furthermore, it provides several tools to easily implement it in a university environment. The final goal would be that the university that implements the ITG4U model will also, in the future, easily become certified with the ISO/IEC 38500 standard (Fernández, 2009). Between 2010 and 2014, CRUE-TIC promoted the implementation of an IT governance system in Spanish universities. Specifically, 10 IT governance pilot projects were carried out. As a result of this process and based on the experience obtained, CRUE-TIC was able to identify the IT governance best practices that these universities satisfied and establish the aspects to consider when determining the desired level of IT governance in universities. Furthermore, they detailed how the participant universities were at an incipient level of maturity, although with a firm commitment to improving in the short term, which served to encourage other universities to participate (Fernández et al., 2014; Hontoria, 2014).

In parallel to the implementation of the pilot projects, other Spanish universities were also implementing their frameworks, e.g., dFogIT: detailed Framework of Governance for Information Technology. dFogIT is an IT governance framework that has also been implemented based on an ISO/IEC 38500 standard model extension (B. Gómez et al., 2017; Juiz, 2011). The framework is a layered model whose layers, also known as transformation layers, are connected by interlayer connection instruments. The IT governance framework has four layers: the two central layers represent Management and Governance and are equivalent to the standard, and two others have been added, one above, Institutional Strategy, and another below, Operation. The dFogIT framework enables smooth and gradual adoption, without major disruptions to the company’s business culture, while solving communication problems and the common lack of IT governance maturity.

One of the aspects highlighted by both the ITG4U and dFogIT models is that IT governance is the responsibility of the board members and top executives of the organization. This is an important issue, stemming from the inclusion of IT governance within corporate governance, and it suggests that the management of an IT department or the simple provision of IT services in organizations is not being discussed here (Céspedes, 2010). Although JISC (2007b) was one of the first to implement an IT governance model for British universities, they started the project from middle management and failed to move from pilot projects (in their study) as they lacked support from senior management. Because studies by Weill and Ross (2004), Van Grembergen and De Haes (2009), and Nolan and McFarlan (2005), among others, agree on the importance of gaining top management support, in the ITG4U and dFogIT frameworks the focus is top-down, rather than bottom-up (as it was in the British case). For this reason, the introduction of these frameworks in Spain began with training senior managers (rector and vice-rectors involved) in the importance and need of having a good IT governance system, so that the support was transmitted to the next layers and a culture of good governance and a better fight against change resistance could be promoted. Furthermore, the fact that both frameworks are based on ISO/IEC 38500 shows that the standard is being used as a reference (Fernández et al., 2012).

The knowledge and experience obtained during this period through the pilot projects and the external experiences were the precursor to joining forces for the design, development, and subsequent implementation of specific IT governance frameworks for universities and higher education institutions in developing countries.

5.3.1 The Cases from ITG4U Projects

Under the scope of both European projects Erasmus+ KA2 granted by the European Education and Culture Executive Agency (EACEA), IT Governance for Tunisian Universities (ITG4TU) (2015–2018) and IT Governance for Albanian Universities (ITG4AU) (2017–2020), four European universities from three different countries (Spain, Germany, and Norway) adopted and adapted the ITG4U Spanish framework to four Tunisian and four Albanian universities, respectively (B. Gómez et al., 2018; B. Gómez & Juiz, 2019). After several training sessions to set a minimum knowledge of IT governance in general, and specifically as applied to universities, the definition, development, and deployment of IT governance frameworks for Tunisian and Albanian HEIs, and the monitoring of their results, were performed.

The IT Governance for Universities (ITG4U) project aimed to gather a set of researchers from four European universities with wide experience in developing and deploying IT governance activities, best practices, and framework models from three different countries (Spain, Germany, and Norway) to develop, adapt and test a new IT governance framework to be implemented in eight HEIs in developing countries. According to previous and recent studies, for instance Subsermsri et al. (2015), the three main obstacles to implementing IT governance in universities are lack of clear IT governance principles, budget limitations and lack of a method for selecting the IT governance framework. Thus, this project aimed to tackle the three obstacles by providing a set of experts from HEIs with previous experience on the topic, to jointly develop the framework with the destination country consortium.

Results of these projects included: a better governance model for IT in developing countries’ HEIs, an overall modernization of the governance processes for HEIs, and a contribution to the cooperation between Europe and each destination country.

Because the projects were aimed at HEIs, the main target addressed was IT staff, managerial staff, and the governance board at partner HEIs. To improve the IT governance in HEIs, all the direct stakeholders should know the existing standards, methods, techniques, and tools to implement IT governance frameworks.

The projects were divided into three different phases over 3 years and a parallel phase addressed project dissemination, each one with the necessary activities for its completion (see Fig. 2):

  • The first phase consisted of imparting IT governance training to HEIs partners. Specifically, training was prepared for future trainers (mainly professors and lecturers), IT managers and administrators, and future researchers and professionals.

  • The second phase consisted of the definition of an IT governance framework, the assessment of the current level of governance of IT for each HEI and planning its future implementation.

  • The third phase consisted of the previously planned IT governance framework deployment and monitoring of its results.

Fig. 2 ITG4U Projects’ phases: a diagram of a three-phase project, with phase 1 for learning and phases 2 and 3 for the framework; a parallel phase for dissemination and sustainability runs throughout the project. (Source: Gómez and Juiz 2019)

Finally, the dissemination and sustainability of the project itself, of IT governance concepts, and of the achievement of its results were grouped in a parallel phase, as it was not executed sequentially like the previous three. Thus, throughout the project and beyond it, some dissemination and sustainability activities were and are being performed to sustain the IT governance implementation over time.

As the reader may realize, the first phase is only necessary when the organization does not have a culture of IT governance or does not even know anything about IT governance, which fortunately is becoming rare in these times. Therefore, once the organization is aware of what governing IT is, it is crucial to assess the current situation of the University-related activities regarding its governance of IT, even when an IT governance framework is already deployed.

6 Solutions and Recommendations

In the early twenty-first century, before the standardization of IT governance, some governance of IT frameworks were successfully implemented in sectors other than HEIs (banking, insurance, industry, etc.), reaching a maturity of 2.67 out of 5 on the scale proposed by the IT Governance Institute (ITGI, 2003). Universities from all over the world were also joining IT governance, and according to Yanosky and Borreson Caruso (2008), they reached a maturity of 2.30 out of 5, which means that universities were still in an incipient situation and in the process of maturing. Only a few university institutions reported being at a high level of maturity and the remaining majority were at an acceptable level of IT governance, but with room for improvement.

For this reason, EDUCAUSE (Golden et al., 2007) presented a list of proposals that may serve universities and higher education institutions (HEIs) as recommendations to improve the implementation of IT governance in their universities:

  • Facilitate collaboration between universities in the field of IT governance.

  • Develop specific IT governance models for universities.

  • Collect and disseminate case studies and good practices and develop IT governance maturity assessment tools.

  • Provide opportunities to promote the curriculum of university IT professionals in aspects related to IT governance.

Under the scope of both European projects Erasmus+ KA2 granted by the European Education and Culture Executive Agency (EACEA), IT Governance for Tunisian Universities (ITG4TU) (2015–2018) and IT Governance for Albanian Universities (ITG4AU) (2017–2020), four European universities from three different countries (Spain, Germany, and Norway) adopted and adapted the ITG4U Spanish framework to four Tunisian and four Albanian universities, respectively (B. Gómez et al., 2018; B. Gómez & Juiz, 2019). The ITG4U framework is based on the ISO/IEC 38500 standard; however, since the assessment standard was not developed (among others by the author) until 2022 (ISO/IEC 38503, 2022), the assessment measurement has only 5 levels (based on COBIT).

After several training sessions to set a minimum knowledge of IT governance in general, and specifically as applied to universities, the definition, development, and deployment of IT governance frameworks for Tunisian and Albanian HEIs, and the monitoring of their results, were performed.

Particularly, the second phase of the project (see Fig. 2) consisted of the development and validation of a specific IT governance framework for every partner university. The major milestone in this phase was for each institution to build its own IT governance framework using the competencies and skills previously learnt. Furthermore, the expert assessors defined measurable indicators to monitor the progress of this phase, i.e., people involved in the project, managerial and IT staff integration indicators, and overall positive feedback from internal stakeholders, among others.

Thus, to advance towards this second project phase, evaluators performed initial assessments, which helped to establish the current situation of each university. Based on the results of this assessment, the universities were able to create their own IT governance framework adapted to their characteristics, needs and situation. Afterwards, the evaluators validated the new framework so that it was in line with the practices learnt in the training, and the plan to deploy it was acceptable in terms of the project.

The following incremental evolution methodology was performed to implement an IT governance framework. The consortium of both projects defined a set of steps to develop the IT governance framework tailored to the specific needs of the universities:

  1. IT governance enabling environment: definition of the IT governance steering group and initial assessment (in line with the framework seen in Table 2).

  2. IT governance practices: adaptations of the three areas of IT governance practices (similar to the ones seen in Tables 3, 4 and 5), a self-assessment of the organizational IT governance rating in practices and the review of their organizational IT governance rating in those practices (similar to the ones seen in Table 6).

  3. IT governance maturity model: the maturity model was established in each university, the maturity level current situation and the maturity goal selection (in line with the ones seen in Table 7).

  4. IT governance improvement plan: design and assessment of a plan and the viability of the activities, considering the resources, involved people and calendar.

Once partners had established their IT governance steering group, they were asked to complete a survey using the following procedure:

  • They were provided with a document containing an ordered and classified set of practices. They had to meet with their IT governance steering group and answer, for each practice, whether it was already implemented in their institution.

  • Once all practices had been answered, they had to organize a consensus meeting to discuss the practices with no answer or with no consensus and reach a joint decision on each practice.

  • The project leader in each institution had to take minutes of the problems group members faced in answering the questions, including the meaning and development of any practices that were not understood.

In both projects, the evaluators used a set of best practices extracted from Spanish universities as a benchmark (Hontoria, 2014). In addition, participants could assess whether the early-stage framework was suited to the special structural characteristics of their institutions. The self-assessment helped them see which principles were covered, at their discretion, and which ones required attention. This marked a starting point that was later used in the elaboration of the plan. Finally, with the results of their self-assessment, the universities knew their current situation and were able to compare it with that obtained by Spanish universities.

As best practices were classified under the six ISO/IEC 38500 standard principles and the ISO/IEC 38503 standard was still under development at that time, the selected maturity model established a level between 1 and 5 (like ITGI and COBIT) in each principle based on the governance activities: direct, evaluate and monitor (Fernández et al., 2011). To measure the maturity level, the indicators were classified into three categories: (i) maturity indicators, to set each institution’s current maturity level; (ii) qualitative evidence indicators, to clarify whether the institution had already implemented the best practice in question; and (iii) quantitative evidence indicators, related to qualitative indicators and specifying how often, how many times, etc. (Fernández & Llorens, 2009). This process was similar to the one suggested in ISO/IEC 38503 (see Table 2) but outcomes were quantified.

Based on this maturity model provided by the evaluators, the universities were asked to adapt it so that they could adopt it in their institutions. Thus, each institution presented its current IT governance maturity level. Furthermore, each university selected the goal maturity level that it wished to achieve. Each university selected areas to improve based on its available resources and made a realistic IT governance improvement plan considering people, resources, and time.

The IT governance plan was structured in six sections. Initiating was the first section, intended to involve the organization’s leaders in the development and deployment of their IT governance framework. The second section provided a plan with the specification of purposes, goals and outcomes, deliverables, stakeholders, risks, and team. As indicated above, the action plan for the implementation of an IT governance framework in developing countries’ HEIs followed the methodology of incremental evolution, i.e., continuous improvements were made to each of the elements until the optimal level was reached according to the characteristics and needs of the entity and the midterm goals established previously. Thus, it was necessary to follow the evolution of each element so that, through the information obtained, it was possible to take the most successful actions for the level reached.

Given the results of the experience of the Spanish, Tunisian and Albanian universities (a total of more than 25 universities), the main recommendations are:

  • The real commitment of the Rector or President of the University is necessary to even initiate any implementation of IT governance. The same applies to evaluating the current situation of the IT governance framework, if one exists.

  • A steering committee for IT governance should be created as soon as possible, led by the vice-rector, director or any other person in the governance body. The CIO may lead the committee if he/she sits at the governance table of the University. When the steering committee is led by middle managers, governance turns into management.

  • The objectives of governance of IT at universities should be ambitious but precise and concrete. There should be specific plans for the development of the framework conducted by managers but monitored by the governance body. The self-assessment should be formal and sincere and compared with benchmarking from other universities. External evaluators are recommended.

7 Future Research Directions

Due to the amazing changes in IT and the evolution of corporate governance over the past decade, ISO plans to prepare the third edition of the ISO/IEC 38500 standard in the coming years. On the one hand, the IT used by businesses has been revolutionized due to considerable changes in the supply and use of technology. IT is now a major business driver for organizations of all sizes, supporting not only their core business but also seamless integration with supply chains and interactions with customers. As cloud-based services have matured, the mechanisms for delivering IT and IT-based services have changed significantly.

In particular, universities must become more involved in an information technology ecosystem that extends beyond what is under their direct control to achieve business outcomes. This was exacerbated by the consequences of the COVID-19 lockdown due to changing expectations of students and professors who want to collaborate easily and smoothly with universities through IT. On the other hand, the availability of data is exploding and we need to refocus from corporate governance on its use. The university’s governing body is also responsible and accountable for data governance, so there is no difference. There are also changes in the way IT is delivered and supported within the organization, with internal IT acting as an integrator for externally sourced systems.

All of these changes are reflected not only in the governance of IT standardization but also in the way it is implemented and evaluated. Thus, the IT paradigm as a tool that replaced IT as an asset a few years ago has evolved into IT as a business. In short, IT not only enables business strategy but also drives business strategy. Therefore, the direction of future research depends not only on how IT changes but also on how IT is currently perceived as the core of an organization’s or university’s business.

8 Conclusion

To be able to digitally transform the University, it is a necessary but not sufficient condition to direct and control IT, i.e. govern IT. Without those basic tasks of assessing, directing and monitoring, IT becomes either a tool or a commodity, in both situations worthless. For this reason, even when there is no IT governance framework, it is necessary to plan what the senior management wants from their IT and how to control that they are achieving it. That is no different for Universities. The HEIs have to know if they promote enabling mechanisms to govern through principles of good corporate governance since the governing bodies are accountable and responsible for the results of their universities.

In this way, even before defining an IT governance framework, it is necessary to reflect on what practices are going to be carried out, collect evidence and improve until the planned outcomes are obtained. The recently created ISO/IEC 38503 standard, of which the main author is a co-editor, serves for this reflection, even for universities that have been governing themselves for some time. Maturity with IT at the university, attainable at a certain point in time, can be compromised by events such as the COVID-19 pandemic.

This chapter has tried to explain the origins, the problems, the benefits and the standards that apply to IT governance. It has also cited many of the experiences of IT governance in universities, focusing on its assessment, its intention and its methodology.

The authors also presented one example of implementation and assessment applied in more than 25 universities, the ITG4U framework. This framework is based on the ISO/IEC 38500 standard and therefore its best practices are classified by the standard's six principles, namely Responsibility, Strategy, Acquisition, Performance, Conformance, and Human Behavior. It includes three main steps. The first is the set of adaptations that must be made to this global framework before adopting it in each institution. The second is a self-assessment of the current organizational level regarding the adapted best practices. Finally, and as a step to be taken by developing countries’ HEIs, the aim is to assess both the adaptations and the self-assessment. This real example, tested in many universities, is very similar to the one that has subsequently been approved by ISO and serves, in this chapter, as a practical reinforcement of what the ISO/IEC 38503 standard is trying to normalize.

“What is not measured cannot be improved” is a well-known statement in company culture. The IT governance assessment at the university is the lever towards its continuous digital transformation, directed and controlled by its governing body with the invaluable collaboration of IT management and other HEI functions.

Key Terms and Definitions

  • Beneficial outcome: achievement of a high-level objective of the organization, related to the successful deployment and use of information technology.

  • Evidence of success: observable and measurable deliverables from information technology functions/processes that support and enable the achievement of beneficial outcomes.

  • Governance practice: any action or decision taken by the governing body driving the direction and/or the control of the management in organizations.

  • Higher Education Institutions: The education sector includes only the tertiary institutions, including mainly universities, but also colleges and research institutions.