How Boards Engage in Digital Strategy and Oversight

Boards of directors (BoDs) are ultimately accountable for strategic decision-making and control in organizations. Financial and legal matters dominate the agendas of board meetings, which is often reflected in board composition. But what about IT-related matters? This is a prominent question in an era in which IT is a crucial contributing factor to the competitiveness of many organizations. Indeed, more and more organizations are very dependent on IT for the creation of their business value. Digital disruption is all around and a vast number of organizations worldwide are actively thinking about digital transformation, yet empirical evidence seems to indicate that BoDs are not as involved in IT-related strategic decision-making and control, often referred to as IT governance, as they should be.

Board members often recognize the need for more board-level engagement in digital strategy and oversight to make sure that their organization can foster the full potential of digital transformation. However, many boards’ members are seeking guidance and advice on how to realize this type of board-level engagement. How have organizations established certain governance mechanisms to (partly) tackle this challenge? By examining these experiences, board members can learn from their peers and translate best practices of other organizations to their own context and environment.

The Case of the University of Antwerp

The goal of this analysis is to enable board members to learn from their peers on how to engage in digital leadership and oversight. Therefore, from a purposive sampling strategy, an organization was selected that has initiated several actions to increase the level of board involvement in IT governance.

The University of Antwerp (Belgium) is a relatively young university, founded in 2003, combining three separate university institutions that date back to 1965. Currently, the university is responsible for the education of 20,367 students of 116 nationalities. The university staff consists of 5,398 people, including professors, assistants, researchers, education staff, and administrative and technical staff. Its three core tasks are research, education and services.

The central governance structure (figure 1) at the University of Antwerp consists of the rector, three central governing bodies and nine central advisory bodies. The rector is the university’s highest academic official. He is appointed for a four-year term by the BoD after universitywide elections. The central governing bodies include the BoD, the executive board and the board of administration. The latter is responsible for the daily management of the university. These governing bodies are supported by the central advisory bodies, including the education board, the research board and the academic council for service to society.

The IT department of the University of Antwerp maintains, manages and develops the IT infrastructure at the university. It provides solutions to support the three core tasks of the university—research, education and services—but it also facilitates secondary processes such as administration and management. In addition, it provides direct support to end users and attends to the maintenance of the infrastructure.

Methodology

This case study intends to contribute to answering the broader research question: “How can boards of directors operationalize their role in digital strategy and oversight?”

The case study design was based on this definition of IT governance:

IT governance is an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organization that enable both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT-enabled business investments.¹

Hence, this study focused on the governance structures, processes and relational mechanisms that were implemented at the top level of the organization. Enterprise governance of IT structures include organizational units and roles responsible for making IT decisions and for enabling contact between business and IT management decision-making functions (e.g., IT steering committees). This can be seen as a kind of blueprint of how the governance framework will be structurally organized. Enterprise governance of IT processes refers to the formalization and institutionalization of strategic IT decision-making and IT monitoring procedures, to ensure that daily behaviors are consistent with policies and provide input back to decisions (e.g., portfolio management). Finally, the relational mechanisms are about the active participation of, and collaborative relationship among, corporate executives, IT management and business management and include job rotation, announcements, advocates, channels and education efforts. Some examples of these structures, processes and relational mechanisms are provided in figure 2.

The case analysis and description are scoped down toward addressing only the governance practices at the strategic board level. Practices at the tactical and operational levels were present in this case, but are not described in this article.

To truly understand the reason for the establishment of IT governance practices at the board level and how these practices work at the University of Antwerp, multiple data sources were combined. Five stakeholders (the rector, the chair of the board of administration, the two heads of the IT department, and the head of the department of research and innovation) were interviewed using a semi-structured interview protocol. These stakeholders were actively involved in the establishment of the new IT governance practices. In addition, documents such as the meeting minutes of the board and the IT governance committee were examined, as were business cases and the scoring model for IT-enabled investments.

Why Did the University of Antwerp Initiate Board-Level Involvement in Digital Strategy and Oversight?

Like many organizations, the University of Antwerp has become increasingly dependent on IT. This increasing dependence on IT also entails a growing number of IT-enabled investments that need to be carried out by the IT department. The IT department began to struggle with this increased number of IT-enabled investments. No central business forum existed to decide which projects would be executed and which would not, swamping the IT department with many requests against which it could not deliver. This situation often led to frustration on the business side, a tension that was also reported to and known by some board members.

Furthermore, in 2016, a new rector came to head the University of Antwerp. The newly appointed rector strongly believes that the organization should think about long-term developments and how the university can adapt to these developments. More specifically, he stated that he thinks it is the task of the BoD to create this long-term vision, including regarding IT-related issues.

Accordingly, the University of Antwerp decided to tackle the need to (1) establish a more formal IT portfolio management process that includes all relevant stakeholders, (2) increase the involvement of the board in this process and (3) ensure a more forward-looking approach. Two committees at the level of the board were created that oversee IT-related topics, and an IT portfolio management process was established to align the IT project portfolio with the overall organization strategy.

How Did the University of Antwerp Initiate More Board-Level Involvement in Digital Strategy and Oversight?

When the University of Antwerp decided to act on the growing need for IT governance mechanisms, a set of guiding principles was agreed upon. These principles include:

• Transparency regarding investment criteria—The evaluation of proposed investments should be handled in a transparent way. Clear criteria should be created to decide whether or not to start an investment.
• Transparency regarding the investment budget—The size of the investment budget should be known at all times.
• Transparency regarding individual investments—For every investment, a business case needs to be developed according to a standard form. Moreover, a business owner is appointed to each investment, and no investments can be launched without a business owner.
• Transparency regarding the investment portfolio—All investments need to go through the same portfolio decision cycle so that a full and transparent view can be obtained.

These guiding principles were used as a basis to create the board-level IT governance structures and processes that are described in the following sections.

Governing Structures
A widely acknowledged strategy to increase and improve the involvement of the board in IT-related decision-making and control is to enhance its IT expertise.^{2, 3, 4} However, due to the nature of the BoD at the university, there are not many options to thoughtfully alter its composition.

When the University of Antwerp initiated more board-level engagement in digital strategy and oversight, only six of the 25 members of the board were external directors. The internal directors were appointed after elections among the different university entities and students. Of the six external members, the university could appoint only three. The others were selected by the minister for education, the governor of the province of Antwerp and the provincial superior of the Society of Jesus, which made it difficult to increase the level of IT expertise among board members.

As of 1 September 2017, the board is allowed to appoint three additional directors. This change provides the university with the opportunity to slightly alter the composition of the board. As the three additional members had not been appointed at the time of writing, the future will show whether this new arrangement will result in a higher level of IT expertise on the BoD.

Due to the limited level of IT expertise on the board, it makes sense to ensure this IT expertise is present and IT-related debates are held in other structures that report to or advise the board. Accordingly, committees were created that include board members and that assist the board in IT-related decision-making and control. Indeed, the creation of an IT oversight, or similar, committee at the board level is a frequently mentioned approach in academic literature to increase board involvement in IT governance.^{5, 6, 7} At the university, two such committees were created. One committee, the IT governance committee, considers rather short-term decisions and is in charge of portfolio management of IT-enabled investments. The other committee, the digital strategy think tank, considers the long term from a more outside-in perspective. Figure 3 presents an overview of the IT governance committees at the level of the board.

IT Governance Committee and Investment Office
The IT governance committee was established in 2015 and meets three times a year. The main goal of this committee is to manage the IT-enabled investment portfolio more effectively and transparently and make sure it is in line with the overall organization strategy. From the board’s perspective, the committee should provide reasonable assurance that the university’s IT-enabled investments are in line with the university strategy. Indeed, up until now, the main topic of the committee meetings has been which investments to execute. However, the interviewees indicated that, in the future, other topics such as project benefits delivery and the IT policy plan could be part of this meeting.

Not all IT-enabled investments pass by the IT governance committee. Operational investments, such as the renewal of certain academic software licenses, are not discussed at this level of the organization, as these would overburden this forum. Instead, the committee focuses on more strategic and innovative projects, which cover about 45 percent of the entire IT budget (figure 4).

Due to the democratic nature of the decision-making culture at the university, it is crucial to include a broad delegation of university people on this committee. Hence, the goal was to create a committee that would represent all university entities as well as possible. The result is a committee that consists of 15 voting members and 30 advisory members. In addition, the chairman and vice-chairman can invite internal or external experts to act as advisors. The rector is appointed chairman, and the chair of the board of administration is the vice-chairman. The 15 voting members are:

• Rector
• Two members of the board of administration
• Four vice-rectors
• Three members of the BoD
• Three members appointed by the council of deans
• Two heads of the IT department

The composition reveals that the board is actively engaged in the IT debate. Four directors were appointed voting members of the IT governance committee (including the rector) and all other directors are also welcome to join. Indeed, at past committee meetings, attendance ranged from four to eight directors.

As the heads of the IT department are included in the committee, a certain level of IT expertise is present. However, the goal of the committee is not to go too much into technical details, but to discuss the investments from a business perspective. Of course, the details must be considered at one point. Therefore, an additional preparatory committee was established: the investment office.

The investment office has the responsibility to prepare investments to be presented to the IT governance committee. The investment office evaluates these investments from business, technical and risk perspectives, using a scoring model. (See the governing Processes section of this article.) It does not make any investment decisions, but it can conclude that a proposed investment is not yet fully defined and matured in the current business case document. As it has a more in-depth focus, it is made up of fewer members. Still, the goal is to represent the entire university as well as possible. More specifically, the investment office consists of:

• Chair of the board of administration (chairman)
• Heads of the three core boards (the education board, the research board and the academic council for service to society)
• Coordinator of the administrative simplifications office
• Two heads of the IT department
• Professor of IT governance

Digital Strategy Think Tank
The other IT governance structure at the top level of the university is the digital strategy think tank. The current rector started his term in 2016. From the beginning of his term, he stated he wants “an organization that is agile and thinks about future needs” and, in support of that, he wants to free up the time of the board to execute this task. In light of these developments, he initiated the creation of the digital strategy think tank, which meets several times a year. (The meeting frequency is undefined; in 2017, at least four meetings took place.) The goal of this committee is to consider long-term developments that could influence the university. They consider both how emerging technologies can impact the university’s business model and strategy, and how challenges in society and markets could be addressed by leveraging new technological innovations. One of the topics discussed was the fact that, at a certain point in the future, more people will retire than enter the job market, which might trigger organizations to hire students before they have finished their master’s degrees. This development could affect the university, as it might require students to obtain their master’s degree in a more flexible way, for example, supported by e-learning. This kind of digital strategy discussion requires a certain level of IT expertise, which is reflected in the composition of the committee. The members of the digital strategy think tank are:

• Rector
• Chair of the board of administration
• Three professors with IT expertise
• A board member with IT expertise
• Four members of the IT department

Similar to the IT governance committee, the BoD is represented on the think tank: the rector and one other board member are included. The difference is that for the digital strategy think tank, they specifically opted to include a board member with IT expertise.

Governing Processes
Each IT-enabled investment must follow the process depicted in figure 5. The process consists of three stages: (1) investment description, to get a basic idea of what the investment is about, (2) investment scoring, to evaluate the investment in an objective way, and (3) the investment decision, when a decision is made on whether or not to execute the investment. The goal of this process is to create an IT-enabled investment portfolio that is consistent with the organization strategy.

Investment Description
Every investment needs to have a dedicated (business) initiator who approves the investment description. To fully grasp the idea and corresponding workload of an investment, this initiator needs to complete a standard form or brief business case (figure 6). The IT department is available to assist any applicant in completing this form, although the business initiator remains accountable to fill in the template. Even though this pre-assessment requires a certain effort, it may prevent some problems in a later stage. Moreover, the pre-assessment allows for a certain type of triage, making sure that the IT governance committee does not become overloaded. That is, if this pre-assessment reveals that an investment requires less than a month of work, it does not have to pass by the investment office and IT governance committee and will simply be executed.

Investment Scoring
When the standard form is completed, the investment is presented to the investment office. Here, the fit with the organization strategy, the risk and the expenditure will be evaluated based on a scoring model, enabling a fairly objective assessment of the investment. Investments are evaluated from a business and a technical perspective. For example, the match with the three core tasks of the university (education, research and services) is assessed. An overview of all the scoring criteria is shown in figure 7. For each of these criteria, underlying questions were developed that allow one to come to a green, yellow or red score in a consistent way. green represents a good match, yellow exemplifies a limited match and red suggests there is no match. In cases where the investment criterion is not applicable (e.g., an investment in a new online platform for education is not relevant for the education strategy), a gray score is used. At the end of this exercise, a scorecard is created, showing the benefits, risk factors and expenditure for each investment. The scores are presented using colors, as this enables the reader to evaluate the investment’s strengths and weaknesses at a glance.

This scoring model does not represent classic estimators such as return on investment (ROI) or net present value (NPV), which was a deliberate choice. One of the heads of the IT department argues that “it is more important to look at the goals of the organization and evaluate whether IT supports the attainment of these goals.” That is exactly what this scoring model is intended to accomplish.

Investment Decision
At this point, a decision needs to be made on whether or not the investment will be executed. This decision is made by the IT governance committee. The investment and its scores as developed by the investment office are presented to the IT governance committee in an understandable and nontechnical way. The investment is briefly summarized by the business owner and then discussed in the IT governance committee with reference to the investment criteria scores; however, in principle, the scores are not debated anymore. Indeed, no debate has been held on the scores of an investment during an IT governance committee meeting so far. At the end of the discussion, a go/no-go decision is reached.

Conclusion and Key Takeaways

How can boards operationalize their role in digital strategy and oversight?

The University of Antwerp established several structures and processes at the level of the BoD to increase the involvement of the board in IT governance, establish a formal and transparent IT portfolio management process, and ensure a long-term view on digital aspects.

Three new structures were created. The IT governance committee is responsible for managing the IT-enabled investment portfolio in a more effective and transparent way and making sure all IT-enabled investments are in line with the overall organization strategy. This committee is supported by the investment office, which prepares investment proposals and the investment decision process. The digital strategy think tank is tasked with discussing digital developments in the long run. Board members are included on both the IT governance committee and the digital strategy think tank.

Each IT-enabled investment follows the same portfolio management process. This process consists of three steps. First, a brief business case is created for the investment by its business owner. Second, based upon this business case, the investment office evaluates the investment from business, technical and risk perspectives, using an agreed-upon scoring model. The last step consists of presenting this score to the IT governance committee, which makes a go/no-go decision.

The University of Antwerp case is interesting as it sheds a light on how to deal with the details—more specifically, the constraints—of an organization and adapt the board-level IT governance mechanisms accordingly.

This case illustrates that even with a board consisting of primarily elected members and a culture of creating support in the entire organization before taking any decisions, the board can actively participate in the digital debate. The solution consists of the creation of two committees that include adequate IT expertise and directors as members to support the board in this task.

Additionally, it shows that the tone at the top—in this case, through the rector—can significantly impact the governance structures. The rector strongly believes that the university should be more forward-looking, thinking about long-term developments. He says, “I need to think about the university in 20 years, IT in 20 years and the society in 20 years.” This vision was also translated to IT, with the creation of the digital strategy think tank.

Acknowledgment

This research is part of a co-created research project installed by KPMG Belgium, Cegeka Belgium, Samsung Belgium, together with the Antwerp Management School and the University of Antwerp. The leadership role of the industry partners in supporting this research is focused on better understanding the crucial accountability of the board in governing digital assets and providing solutions and tools for these board members to increase their accountability.

Endnotes

¹ De Haes, S.; W. Van Grembergen; Enterprise Governance of Information Technology: Achieving Alignment and Value, Featuring COBIT 5, Springer International Publishing, Switzerland, 2015
² Jewer, J.; K. N. McKay; “Antecedents and Consequences of Board IT governance: Institutional and Strategic Choice Perspectives,” Journal of the Association for Information Systems, vol. 13, no. 7, 2012, p. 581-617
³ Parent, M.; B. H. Reich; “governing Information Technology Risk,” California Management Review, vol. 51, iss. 3, 2009, p. 134
⁴ Valentine, E.; G. Stewart; “Enterprise Business Technology governance: Three Competencies to Build Board Digital Leadership Capability,” 2015 48^th Hawaii International Conference on System Sciences, 2015, p. 4,513-4,522
⁵ Coertze, J.; R. von Solms; “The Board and CIO: The IT Alignment Challenge,” 47^th Hawaii International Conference on System Sciences, 2014, p. 4,426-4,435
⁶ Nolan, R.; F. W. McFarlan; “Information Technology and the Board of Directors,” Harvard Business Review, vol. 83, iss. 10, 2005, p. 96
⁷ Turel, O.; C. Bart; “Board-Level IT governance and Organizational Performance,” European Journal of Information Systems, vol. 23, iss. 2, 2014, p. 223-239