Copyright © 2007 IEEE This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.

Abstract — In recent years, IT governance has become a key

concern issue for senior IT decision makers across various in-

dustries. When appropriately implemented, IT governance can

play the role of a central nervous system effectively ensuring

the wellbeing of the organizational system. The health of the

organizational system ultimately contributes to the health of

the distributed business ecosystem in which the organization

co-exists with other organizations. The underlying goals for

adopting formal IT governance practices are improvement of

business performance and conformance with regulations. This

exploratory study examined how IT governance is imple-

mented in four Australian institutions of higher education

through a number of IT governance structures, processes, and

relational mechanisms. This paper discusses the importance of

these practices as these institutions increasingly compete and

collaborate with each other, various government agencies and

other research institutions in the digital economy.

Index Terms—business ecosystems, governance, IT govern-

ance processes, Australian higher education ecosystem

I. INTRODUCTION

IT governance has emerged as a vital issue for organiza-

tions across the world. This paper examines how formal IT

governance processes are implemented in four Australian

higher education institutions in the digital economy. A lit-

erature review of business ecosystems and IT governance

issues in the Australian higher education domain is pre-

sented in Section II. Section III discusses the research ques-

tions and methodology. The case study institutions are de-

scribed in Section IV. A discussion of IT governance proc-

esses in each institution is presented in Section V and a

summary in Section VI. Section VII discusses the evolu-

tionary status of the Australian higher education ecosystem

and the significance of IT governance practices in this con-

text with a conclusion in Section VIII.

II. LITERATURE REVIEW

A. Business Ecosystems

The term ‘ecosystem’ refers to a collection of organisms

living together with their environment and functioning as a

loosely interconnected dynamic unit [24]. The concept of a

‘business ecosystem’ was a strategic planning concept first

introduced by Moore [16], who wrote: “I suggest that a

company be viewed not as a member of a single industry

but as part of a business ecosystem that crosses a variety of

industries. In a business ecosystem, companies co-evolve

capabilities around a new innovation: they work

cooperatively and competitively to support new products,

satisfy customer needs, and eventually incorporate the next

round of innovation.” The elements of a business

ecosystem are: 1) governance, regulations and industrial

policy, 2) human capital, knowledge and practices, 3)

service and technical infrastructure, and 4) business and

financial conditions [9]. Nachira [9] describes the term

‘digital business ecosystem’ (DBE), as shown in Fig. 1, as a

complex ecosystem comprising of a business ecosystem

layer supported by a multilayer digital ecosystem.

D IG IT A L B U S IN E S S E C O S Y S T E M

D IG IT A L E C O S Y S T E M

NETWORK INFRASTRUCTURE

DIGITAL ECOSYSTEM

OPEN SOURCE KNOWLEDGE

AND SERVICE-ORIENTED

PLATFORM

DIGITAL ECOSYSTEM

COMPONENTS AND

SERVICES

BUSINESS ECOSYSTEM

Fig. 1 Multi-layer digital business ecosystem (after Nachira [9])

Although the Australian higher education ecosystem can

be discussed in terms of elements in all four layers of the

digital business ecosystem model in Fig. 1, this paper fo-

cuses on an important element associated with the top layer

(ie. business ecosystem layer) of the DBE – governance,

specifically IT governance. The wellbeing of the individual

enterprise can affect the wellbeing of the larger business

ecosystem in which it co-exists with other organizations.

Appropriate governance mechanisms therefore need to be in

place in individual enterprises to ensure that harmony in the

larger business ecosystem is maintained.

B. Corporate and IT governance

Corporate governance has become important worldwide,

especially in the wake of the Enron and MCI WorldCom

incidents in the US. The Australian Stock Exchange Corpo-

rate Governance Council defines corporate governance as

“… the system by which companies are directed and man-

aged. It influences how the objectives of the company are

set and achieved, how risk is monitored and assessed, and

how performance is optimised” [1]. IT governance has be-

come a key area under the umbrella of corporate govern-

ance because of the pervasive influence of information sys-

tems (IS) and the associated technology infrastructure in

every area of an organization’s activities. The IT Govern-

ance Institute describes IT governance as an integral part of

the corporate governance which consists of “the leadership

and organizational structures and processes that ensure an

organization’s IT sustains and extends the organization’s

Jyotirmoyee Bhattacharjya 1 and Vanessa Chang

2

1, 2 School of Information Systems, Curtin University of Technology, Perth, Australia

e-mail: j[email protected] ; [email protected]

The Role of IT Governance in the Evolution of Organizations in the

Digital Economy: Cases in Australian Higher Education

428

strategy and objectives” [12].

C. Previous research in IT governance

The term IT governance, started to appear in the litera-

ture towards the late 1990s, with its main proponent being

the IT Governance Research Institute [19]. Since then, the

need to implement and improve IT governance is recognized

by senior IT management across the world. However, im-

plementing IT governance is a complex undertaking (eg.

[5],[23],[15],[18],[20],[19]). A survey of top 10 priorities

for senior IT management by Gartner Inc. in 2003, found

the need to improve IT governance to be included for the

first time [20]. In 2003, the IT Governance Institute con-

ducted a survey through PricewaterhouseCoopers of 335

CEO/CIO level executives around the world to determine

their IT governance priorities [12]. The survey found while

75% executives recognized the requirement for implement-

ing IT governance only 40% were taking any action in this

direction.

De Haes and Van Grembergen [21] propose that IT gov-

ernance, as listed in Table 1, can be implemented through a

framework of structures, processes and relational mecha-

nisms. Structures include the existence of well defined roles

and responsibilities and IT steering committees. Processes

involve strategic IS planning and the use of various IT gov-

ernance frameworks which provide the IS organization with

the means to examine its activities and value to business.

Relational mechanisms include shared learning and strategic

dialogue between business and IT.

Key Elements in the implementation of IT governance

Structures: Roles and responsibilities, IT organisation structure, CIO on

board, IT strategy committee, IT steering committee(s)

Processes: Strategic information systems planning, Balanced IT score-

cards, Information Economics, Service Level Agreements, COBIT and

ITIL, IT alignment/governance maturity models

Relational mechanisms: Active participation and collaboration between

principle stakeholders, Partnership rewards and incentives, Business/IT

collocation, Cross-functional business/IT training and rotation

Table 1. Structures, process and relational mechanisms for

implementing IT Governance (De Haes and Van Grembergen [21])

D. IT governance frameworks and standards

A number of IT best practice frameworks and standards

such as Control Objectives for Information and Related

Technology (COBIT), ISO17799, IT Infrastructure Library

(ITIL) and Capability Maturity Model (CMM) are available

to IT organizations to help them improve their accountabil-

ity, governance, and management. COBIT is designed by the

IT Governance Institute as a high-level “umbrella” frame-

work for IT governance and it works well with frameworks

like ITIL and ISO17799 which focus on specific aspects of

IT management [8]. It contains 34 high-level control objec-

tives and 318 detailed control objectives defined for four IT

domains: planning and organization, acquisition and im-

plementation, delivery and support, and monitoring. ITIL is

the de-facto standard for IT service management and is or-

ganized around five areas: business perspective, application

management, infrastructure management, service delivery,

and service support. ISO17799 provides guidelines for

managing the security aspect of IT.

A recent Forrester Research survey of 135 IT managers

in North America revealed that about 20% rely on COBIT

while another 20% use ITIL [6]. These frameworks are not

necessarily mutually exclusive and increasing the value of

IT from a business perspective requires an understanding of

their strengths, weaknesses and focus [4]. IT governance

frameworks are being increasingly adopted because they not

only assure conformance with regulations but also help in

ensuring performance [17]. Organizations may benefit from

adopting what they find useful from each framework rather

than just adopting a single one [8].

In addition to these frameworks and standards, Austra-

lian organizations have 3 local standards available to guide

their IT governance and management practices [22]. These

are AS 8015-2005 (ICT governance standard), AS 8018.1-

2004 (specification for ICT service management) and AS

8018.2-2004 (code of practice for ICT service manage-

ment). The information and communication technology

(ICT) governance standard, AS 8015-2005, provides a set

of principles for business decision makers regarding the ef-

fective and efficient use of ICT within their organizations,

irrespective of the industry sector. The ICT service man-

agement standard, AS 8018.1-2004 adopts the British stan-

dard BS 15000-1:2002, and specifies the requirements for

delivering an acceptable quality of managed IT services.

The related standard, AS 8018.2-2004 adopts BS 15000-

2:2003 and recommends a common terminology for IT ser-

vice providers.

E. IT governance in Higher Education Domain

Higher education is a multi-billion dollar industry in

Australia, and as such, is importance to the country’s econ-

omy [10] [2]. It is a major consumer of IT products and ser-

vices as well as a major provider of services using ICT. IT

has helped the improvement of a range of activities includ-

ing research, teaching, learning and administration. Signifi-

cant developments have been made in the area of online

teaching and learning. The demand for IT based products

and services has also increased in the last 15 years due to a

rapid increase in student population.

Much work is required to be done by university govern-

ing bodies and policy makers in order for these universities

to tap and capitalize on emerging information technologies

to maintain their competitive positions internationally [10].

The issues range from infrastructure, applications, delivery

and services to staffing and appropriate regulatory frame-

works. Also, IT applications have not penetrated all aspects

of university teaching and effort is required to improve this

area. Despite the wide range of concerns facing IT govern-

ing bodies in Australian universities in the digital economy,

there has been very little research regarding how IT govern-

ance may be implemented in these institutions for it to pro-

vide optimal benefits to higher education.

III. RESEARCH QUESTION AND METHODOLOGY

The paper investigates the adoption of IT governance

practices in four Australian higher education institutions

and discusses the significance of these practices in the

higher education ecosystem. The research questions are:

429

1) How are formal IT governance practices adopted and

implemented within the higher education environment

in Australia?

2) What is the significance of formal IT governance prac-

tices in the context of the evolving higher education

ecosystem in Australia?

As suggested by Benbasat et al [11], the case research is

useful for addressing the “how” questions, ie., in the ex-

ploratory stage of knowledge building. This is particularly

useful for a study on IT governance in the context of higher

education institutions in Australia, where the knowledge of

researchers regarding new methods, techniques, problems

and prospects lags that of practitioners. Four leading Aus-

tralian institutions in different stages of adopting and im-

plementing formal IT governance practices were selected.

In keeping with participants’ requests for anonymity, the

institutions are referred to as Institutions A, B, C and D.

The data collected was primarily qualitative in nature. The

data was gathered from semi-structured interviews with 7

senior IT and 5 business decision makers as well as from

relevant documents obtained from interviewees and the

websites of the institutions. The interviews were recorded

and later transcribed and analyzed.

IV. THE CASE STUDY INSTITUTIONS

The four institutions all have documented corporate gov-

ernance structures and are in different stages of implement-

ing formal IT governance practices. Institutions A and C

have adopted formal IT governance practices since 2000.

Institution B has started formalizing its practices since the

beginning of 2006. Institution D has adopted formal IT

governance practices since 2004. The institutions have

revenues of between 300 to 500 million dollars and spend

between 6-10% of their revenue on IT. All four institutions

are members of the Australian Vice-Chancellor’s Commit-

tee (AVCC). While they cooperate for advancing Australian

higher education through this forum, they also compete

amongst each other for market share both locally and inter-

nationally.

V. IT GOVERNANCE FRAMEWORK

As indicated previously and also shown in Table 1, the

key elements of structures, processes, and relational mecha-

nisms are required to implement IT governance [21]. The

IT governance structures and relational mechanisms in these

institutions have been discussed elsewhere [13] [14], and

will only be discussed briefly here. The overall trend in

these institutions with IT governance structures is toward

centralization of the IT organization. IT governance rela-

tional mechanisms are directed at building closer ties with

the business. As stated earlier, IT governance processes in-

volve strategic decision making and the use of various per-

formance monitoring frameworks and tools such as Strate-

gic IS Planning, COBIT, ITIL, Balanced Scorecard, and oth-

ers [20]. This paper concentrates on the IT governance

processes in these institutions. Each institution’s strategic IS

planning is discussed first. This is followed with a discus-

sion of the adoption of various performance monitoring

frameworks and standards, and tools in each institution.

Issues surrounding the implementation of the above will

also be discussed.

A. Institution A

The institution has an overall strategic plan and follows a

balanced scorecard. IT has an ICT enabling plan, which is

regularly updated. An important issue is that this ICT ena-

bling plan is not directly associated with a budget for strate-

gic expenditures. The present budget allocation for ICT is

for staff, software licenses, site licenses, and refreshing the

IT infrastructure.

IT management decision making within the institution is

influenced by the guiding principles of the Australian ICT

governance standard AS 8015-2005 and the service man-

agement standards AS 8018.1-2004 and AS 8018.2-2004.

COBIT is adopted since the year 2000 for assessing and

improving the institution’s IT governance processes. A di-

rect effect of this has been the realization by senior IT deci-

sion makers that the effective utilization of COBIT across

the institution requires a centralized IT governance envi-

ronment. Given the size of the COBIT framework, only a

small number of processes and objectives are identified for

review each year. The objectives were initially based on a

large number of interviews conducted across the campus in

2000. In subsequent years, objectives have been identified

based on the original interviews and results of an annual

survey of student and staff satisfaction on IT issues.

ITIL is used as the standard for service management. A

number of operational level staff members have ITIL Foun-

dation training. The current focus is on getting better at in-

cident management, change management, problem man-

agement, IT strategic planning and managing the IT archi-

tecture. Consultative, Objective and Bi-functional Risk

Analysis (COBRA), based on ISO17799 is used for facili-

tating risk management.

Since COBIT requires the use of a standard project man-

agement methodology, Project Management Body of

Knowledge (PMBOK) is selected as the guide. Based on

the perceptions of business decision makers, in the last two

years IT has shown considerable maturity in project man-

agement and delivery. This is the result of adopting a strong

project management methodology. People Capability Ma-

turity Model (P-CMM) is the standard of IT staff manage-

ment and development. However, a lot of work is required

for staff development.

The value to business from the implementation of best

practice frameworks has been in terms of reducing the num-

ber of ad-hoc processes, bringing discipline to IT support

activities and improving accountability. Whilst IT has made

significant strides since the year 2000, the IT management

recognizes that there is a long journey ahead.

One problem in implementing frameworks like COBIT

has been the shortage of adequate staff. The demand for

staff time and services are also increasing. Most of the cen-

tral IT teams find it difficult and at times challenging to

achieve their operational objectives. Staffing in the server

support area, for example, consists of about 10 people sup-

porting 300 servers of various kinds, implementing, changes

to the infrastructure and managing large applications used

430

by thousands of people. Despite this, process improvements

continue to take place because of the continued commitment

of senior IT management.

Another difficulty area is finding appropriate perform-

ance metrics measurement. Current technical measures in-

clude percentage downtime, percentage access failure, and

the number of students accessing their email on the official

communications channel. A particular measure, the number

of available desktops in the laboratories was found to be not

particularly useful. It was found that when the number of

desktops was doubled based on survey responses; the satis-

faction level was actually lower than in the previous year.

Management decision makers in the institution attribute this

to the increasing expectations from ICT facilities. The insti-

tution continues to work on developing a balanced business-

IT metrics.

B. Institution B

Institution B has an overall strategic plan and central IT

undertakes strategic IS planning under the supervision of

the IT steering committee. While Institution A has primarily

used COBIT to evaluate and improve key IT processes, In-

stitution B used COBIT to develop its overall IT governance

model and outline the various roles and responsibilities. The

development of the IT governance model has resulted in

substantial involvement of business decision makers in

making decisions regarding IT investment, risk and priori-

ties. This has made it easier for business decision makers to

appreciate the value of key decisions regarding IT. The ini-

tial problem in the implementation of the model was the

lack of IT governance concepts amongst business decision

makers and resistance to change. This is gradually over-

come and the need for accountability for IT related decision

making across the institution is better accepted. This is

achieved by communicating to business decision makers

their roles and responsibilities in IT related decision making

for the benefit of the business, without making it necessary

for them to know the technical details of COBIT.

COBIT is also used for risk assessment and management.

While ISO17799 provides guidance with security, COBIT

guides management on how these goals should be achieved.

The IT security manager is trained in ISO17799 and will

undertake the security management training program pro-

vided by the developers of COBIT.

Capability is also being built up in the project manage-

ment and business process analysis domain to reduce the

current dependence on external consultants. Service level

agreements (SLAs) are in place for hosting and managing

application systems including the student system, the facili-

ties management system, the HR and finance system. At

present there is a lack of enterprise-wide standards for infra-

structure and applications. Other issues include the lack of

standards and controls and the existence of multiple help-

desks. As part of the central IT service desk project, it is

planned to implement ITIL to handle change and incident

management. Service desk staff are required to undertake

ITIL Foundation level training.

As in the case of Institution A there is difficulty in decid-

ing on which metrics to measure. Current metrics used in-

clude the number of service calls being answered to com-

pletion, the number of network and database administrators

and the ratio of total IT cost to organizational cost. How-

ever, there is a realization that these metrics are not ade-

quate for representing the value of IT to business.

C. Institution C

Intra-industry benchmarking is important in Institution C

due to the experience of the senior IT decision-maker with

IT benchmarking practices. IT undertakes strategic IS plan-

ning regularly and maintains SLAs with its clients within

the institution. Disaster recovery planning and business con-

tinuity planning (BCP) have been undertaken since 2004.

Being able to successfully involve the business side has re-

sulted in this institution being ahead of the others with re-

spect to BCP.

At present central IT is in the process of adopting ITIL

and both management and staff have received basic ITIL

training. While incident management with ITIL has been

accomplished satisfacto