Chapter 2 - Enterprise IT Governance in Practice: A review of the States
IT governance is a sorting process operating in an environment that generates an ongoing stream of demands and opportunities for IT development and use. The governance process responds to these demands and opportunities by identifying the issues to be resolved and distributing them for decision making at different levels of government: individual agencies, federations of agencies acting in consort, or a central state-level organizational unit. The normal conduct of IT use in government requires this constant stream of decisions and responses to changes in the environment. Each decision or response requires resolving certain issues: Who should decide and act? By what means? According to what rules and criteria? With what resources? How will results be assessed? and so forth. The resulting decisions generate operational actions in the various levels, which in turn produce results that flow back into the environment in the form of services, benefits, policies, resources, or other products of government action. Figure 1 shows three levels of distribution of the issues, roughly reflecting the current governance process in New York and elsewhere. Similar representations could include different levels, but follow the same basic principles.
Figure 1 - Enterprise IT Governance as a Sorting Mechanism
This representation is useful in classifying and identifying the locations of the actions and decisions that make up a governance framework. How each organization implements governance, of course, varies to some degree; however, our review of the states supports Sambamurthy and Zmud’s11 claim that there are three prevalent ways of distributing authority over decision making for enterprise IT:
This chapter presents a summary of an environmental scan used to inform the recommendations regarding enhanced enterprise IT governance for New York State (See Appendix B for information regarding the approach and methodology used to conduct the environmental scan). A considerable diversity in patterns of authority, practice, and scope can be seen in the implementation of these three general IT governance structures.12 Our summary presents trends in three components of state IT governance: patterns of authority, functions of the state-level IT office, and coordination mechanisms.13 Each component is listed below with illustrative examples from the states. The summary is followed by enterprise IT governance design advice offered by CIOs and IT officials from the eleven states who participated in the interviews for this project.
-
A centralized IT governance structure distributes authority and decision making power solely within a central body.
-
A decentralized IT governance structure distributes all authority and decision-making power to individual business units (or state agencies).
-
In a federated IT governance structure, authority over decision-making is distributed between a central body and individual organizational units (or a state-level IT office and state agency CIOs).
Patterns of Authority
All of the thirteen states in our structural profiles have created a state-level CIO and IT office; however, the scope, roles, and responsibilities granted to the state-level CIO, the IT office, and the agency CIOs differ from state to state. The position of the state-level CIO within the state hierarchy varies, but this placement is independent of their scope. For example, the state CIO may be a member of the governor’s cabinet, may be in charge of his or her own cabinet-level agency, or may be in charge of a unit or division for IT as part of another executive agency (most commonly a department of administration). An exception to this is Kansas, which has multiple state-level CIOs in the executive, legislative, and judicial branches.
Of the thirteen states in our structural review, two states—Michigan and Maine—characterized themselves as having a centralized IT governance structure. In both instances, the state-level CIO was the head of the state-level IT office; however, the position of the state-level CIO and the state IT office within the larger state hierarchy was different. Michigan’s state-level CIO has a cabinet-level position and the state IT office is a stand-alone agency. The Michigan approach differs from Maine, where the state CIO reports to an agency head rather than to a cabinet-level official or governor. However, both states use some form of agency liaison to coordinate between the state-level IT office and the agencies. In comparison with states that have federated IT governance, both make minimal use of external boards, councils, or committees to involve other stakeholders.
Eleven of the thirteen states use a federated governance structure (see Table 2). Within the eleven states, differences in the relationships among the state-level CIO, the state-level IT offices, and individual agency CIOs emerged. California had a state-level CIO at the cabinet level, but the State CIO did not oversee the state-level IT services office, which was embedded in another agency.14 As stated previously, Kansas has multiple state-level CIO type positions that span the executive, legislative, and judicial branches. Like California, the other nine states have one state-level CIO, but he or she has responsibility for both policy and service functions. All eleven states use a variety of external committees, boards, and councils to aid coordination and collaboration between stakeholders.
Functions of the State-Level IT Office
Generally, there are two main functions performed by the state-level IT office: (1) policy and planning and (2) provision of IT services. In our review, the majority of state-level IT offices, regardless of centralized or federated structure, performed both functions. From the state profiles, only two states, California and Florida, had established separate offices for those functions; when reviewing the additional states included in the interviews, Oregon was the only state that also separated these two functions. In those three states, the State CIO was in charge of policy and planning only and this function was completed in cooperation with agency-level CIOs and IT offices, which also provide their own policy, planning, and IT infrastructure. As of this publication, both California and Florida have made changes to consolidate these two functions into a single state-level IT office led by the State CIO.
The functions performed by the state-level and agency-level IT offices vary. In our review, we concentrated on the state-level IT offices. Those fulfilling the policy and planning functions ranged in scope to include preparing state IT strategic plans, focusing on process improvement and consolidation, or setting enterprise architecture and security standards or statewide IT procurement guidelines. Many of the states create strategic plans that are updated annually. In Kansas, however, the state-level IT office works on a state-level strategic plan that provides a long-term directive (five-year span) for the state as a whole. This long-term directive in turn informs agencies’ three-year IT plans, which are updated annually. From these plans, agencies create individual project plans that are submitted for budget consideration, which feed back into the state strategic IT plan. Similarly, Virginia creates its strategic plan to cover a four-year timeframe.
In contrast, the two states with centralized IT governance have a very different strategic planning and budgeting process in which all IT planning, IT operations and IT policy creation is subsumed under the state-level IT office. The state-level IT offices solicit agency feedback about their IT needs as they pertain to agency-specific business goals. Essentially, the state IT strategic plan encompasses IT goals for the entire state.
Similarly, the services provided by state-level IT offices vary in scope. Most state-level IT offices are generally responsible for areas such as service management, technical services, infrastructure and operations, shared services, program management, applications development, or systems development. Georgia and Virginia are two states that use public-private partnerships to deliver IT infrastructure services to state agencies.
Finally, many state-level IT offices have created units or departments for enterprise-wide functions. The most common entities are enterprise project management units or enterprise infrastructure units whose goal is to promote state-wide uniform project management practices or provide a common state-wide infrastructure to all state agencies.
|
Table 2. Federated Approaches*
|
|||
|---|---|---|---|
|
State
|
State level CIO
|
IT Offices
|
Coordination Mechanisms
|
|
CA |
|
|
|
|
FL |
|
|
|
|
GA |
|
|
|
|
KS |
Multiple state-level CIO Positions
|
|
|
|
KY |
|
|
|
|
MN |
|
|
|
|
NC |
|
|
|
|
NY |
|
|
|
|
PA |
|
|
|
|
TX |
|
|
|
|
VA |
|
|
|
|
*State data is based on the governance frameworks in operation as of January 2009.
|
|||
A coordination mechanism is defined as “any administrative tool for achieving integration among different units within an organization.”15 Within the states reviewed, there are a range of mechanisms that integrate and coordinate diverse stakeholder views. These coordination mechanisms all exhibit structural, functional, and social integration capability.16 Some states use only one or two types of mechanisms, while others use a variety of interrelated coordination mechanisms. The participants involved in these coordination mechanisms were drawn from four main sources: (1) control agencies such as administration, budget, or general services; (2) the private sector; (3) agency CIOs, and (4) the general public. The variation can be seen in (1) where they were positioned within the state hierarchy (level), (2) authority granted and by what means (i.e., legislative, executive order, etc.), (3) scope, roles, responsibilities, and (4) membership. Four coordination mechanisms were consistently found across the states:
-
External committees, councils, and boards outside the control of the state-level IT office. The state-level CIO or agency CIOs may have roles in these bodies either as a chair or participant. These coordinating mechanisms are generally created for a host of different purposes with different levels, authority, scope, and responsibilities.
-
Communities of Practice (CoP) in which people with like needs come together to solve problems relevant to the community. Some CoPs have formalized their own IT governance activities and some have been recognized as part of the larger state IT governance picture. However, the majority appear to be informally created and thus not necessarily identified in official documents.
-
Enterprise oriented offices, divisions, or units within the state-level IT office have a sole responsibility to look across the state for opportunities where individual agencies or the state as a whole can benefit from an enterprise approach to IT.
-
Agency liaison staff are used to elicit the needs from the state agencies and gather feedback from them. The state-level IT offices create agency service units with liaison relationships to each state agency or a cluster of agencies perceived as being part of the same domain.
Pennsylvania provides an example where multiple coordination mechanisms work together. The Pennsylvania Enterprise Governance Board is made up of the state-level CIO, secretaries of Administration, Budget, and General Services, and the Governor’s Chief of Staff. The Board has the power to approve IT plans and direct IT investments of individual agencies; it also formally recognizes the Communities of Practice (CoPs). In 2002, Pennsylvania adopted CoPs as an integral part of the Pennsylvania’s IT/business integration strategy. The activities of Pennsylvania’s CoPs are important to its larger picture of IT governance at the state-level. The CoPs bring together a cluster of agencies with similar missions and needs to promote integrated technology solutions. Although most states do have community of practice groups, usually centered around GIS or public safety, the commonwealth of Pennsylvania is the only one to formalize this concept and make it visible in its description of state-level IT governance strategy.
Specific statewide or enterprise offices can be found in both centralized and federated structures. However, in centralized structures the enterprise offices or agency liaisons are likely to have a larger role. For example, Michigan created a Bureau of Agency Services to ensure that agency perspective and needs are adequately represented within a centralized structure. The office is responsible for assigning liaison staff (officially called Agency Information Officers) who are responsible for individual agencies that are large in scope, such as the Department of Health or Transportation, or a cluster of agencies considered to be part of one domain.
Enterprise IT Governance Design Advice
The following five statements summarize advice repeated throughout the interviews with the state CIOs.17 While the states we talked with were at different stages of implementation for their own enterprise IT governance strategies, there was general agreement on a set of key ideas about IT governance efforts.
-
Focus on Return on Investment (ROI). The movement toward enterprise IT governance is also being driven by the desire to maximize the organization’s return on IT investment. Along with budgetary pressures, public organizations are also dealing with increased need for interagency information sharing, an ever increasing volume of data that needs to be successfully managed, and the need for cross boundary collaboration for complex, multi-organizational problems.
-
Don’t look for a silver bullet. In their efforts to build enterprise IT governance, public managers are drawing on the experiences of other public and private sector organizations undergoing similar transformations. Throughout this process, most are finding that no one framework or strategy can simply be adopted for their state. More and more states are focused on tailoring IT governance to their own needs.
-
Recognize how IT is embedded in the institutions of government. The governance of IT at the state level is deeply embedded in the policies, problems, and structures of government. IT governance operates alongside, and in concert with, other forms of governance (e.g., financial governance). The trend toward formalizing IT governance at the state level is a relatively new expression of organizing public bureaucratic work and overlaps with the widespread adoption of other practices aimed at improving government, such as privatization, performance measurement, decentralization, or outsourcing.18
-
The CIO is central to enterprise IT governance. State-level CIOs are held accountable for IT at a state level and are typically charged with improving service delivery, achieving efficiencies, and effectively using IT and information to achieve the mission of state government.19 Thus, improving IT governance was listed as a top priority for 2009 by the National Association of State Chief Information Officers in their annual survey.20
-
Incrementalism is key to successful implementation. Most states spoke very clearly about the need for an incremental implementation strategy. The states that faced the most challenges or pitfalls were the ones that attempted a total and immediate revamping of their current structure. The strategy should also recognize that the needs for and demands on an IT governance structure will remain in flux. Therefore adjustments and review of IT governance should be a permanent part of the framework.
11Sambamurthy & Zmud, 261-290.
12Sambamurthy & Zmud, 261-290.
13 Helbig, N., Hrdinová, J., and Canestraro, D. (2009). Enterprise IT governance at the state level: An emerging picture. In the Proceedings of the 10th International Digital Government Research Conference (dg.o), p.172-179.
14As of May 2009, California initiated the Governor's IT Reorganization Plan (GRP), which consolidates the Office of the CIO (OCIO), Office of Information Security and Privacy Protection (Office of Information Security), Department of Technology Services, and Department of General Services' Telecommunications Division into the OCIO. Any references to California in this report rely upon the IT governance framework in place prior to May 2009.
15Martinez, J. I. & Jarillo, J. C. “The evolution of research on coordination mechanisms in multinational research.” Journal of International Business Studies 20(3), p. 489-514, p.490.
16Peterson, R., R. Callaghan, & P. Ribbers. (2000). Information Technology Governance by Design: Investigating Hybrid Configurations and Integration Mechanisms. In proceedings of the twenty first international conference on Information systems (Brisbane, Queensland, Australia). Association for Information Systems. p. 435-452.
17For further details about the results from the interviews, see Enterprise IT Governance in State Government: Lessons Learned from the States, available at http://www.ctg.albany.edu/publications/reports .
18Considine, M, and J. M. Lewis “Bureaucracy, Network, or Enterprise? Comparing Models of Governance in Australia, Britain, the Netherlands, and New Zealand.” Public Administration Review 63, 2: (2003), 131-140.
19General Services Administration (GSA). The Role of the Government Chief Information Officer. Intergovernmental Solutions Newsletter. Vol. 21: (2008). Retrieved from www.gsa.gov/intergovnewsletter
20National Association of State Chief Information Officers (NASCIO). State CIO Priorities 2009: (2008). Retrieved from http://www.nascio.org/publications/documents/NASCIO-CIOPriorities2008-2009.pdf.
© 2003 Center for Technology in Government