VIABLE DIAGNOSIS OF ICT POLICY MANAGEMENT IN THE CONTEXT OF HIGHER EDUCATION

Information and Communication Technology (ICT) policy is a code that clarifies the duties, responsibilities and rights of technology stakeholders and specifies acceptable and efficient ICT utilization. ICT policy is very fluid and rooted in a fast changing technology generating new issues and requirements. The study of ICT policy requires the organization to continuously adapt without having to make dramatic structural changes and with keeping long term focus. ICT policy life cycle encompasses four main processes which are: development, implementation, monitoring and evaluation. In many cases, the processes that form the life cycle of ICT policy usually stopped or failed at starting phase(s), including the case study in this research. Failures in ICT policy management may compromise ICT security, control and strategy in addition to incurring unnecessary expense. This study explored the challenges and issues in managing ICT policy in one of the Malaysian Public Institutions of Higher Education. An in-depth analysis and elaboration is performed using Viable System Model (VSM) and Hermeneutics method to diagnose and identify weaknesses, mismatches and viable requirements. The case documented here underlines the vast potential of the VSM in ICT policy analysis due to its flexibility and robustness that are a prerequisite in fast-changing environments. The evidence documented here represents the power of VSM through the application of its systemic functions and organizational structure that accommodates environmental dynamism, encourages sustainable development and provides sound theoretical platform. The paper demonstrates practical application of the VSM in diagnosing the organization that contribute towards the maturation of the field.


INTRODUCTION
This section briefly discusses the ICT policy significances, issues, challenges and problem background that also reflects the importance of the study. The Australian Standard for Corporate Governance of ICT (2008), AS8015, defines corporate governance of ICT as "The system by which the current and future use of ICT is directed and controlled". It involves the directing and evaluating of ICT plans to support, organize and monitor ICT use in order to ensure the plans success. ICT governance includes ICT strategy and policies for using ICT within an organization [1]. However, policy is the instrument of strategy [2] and nowadays organizations cannot compete without ICT strategy [3]. Therefore, an ICT policy is the instrument to execute a strategic ICT plan which directs and controls an organization"s ICT. In other words, ICT governance is mainly achieved through ICT policy. ICT governance is also a subset of "Corporate Governance" which can be accomplished by means of positioning a deliberate plan of action to guide activities and decisions, and achieve rational outcomes [4]. In addition, ICT policy is a constituent of knowledge society that encompasses social, ethical and political dimensions; it seeks to ensure ICT is put into service that enables rather than disables [5,6]. ICT policy is also a crucial element of academic computing [7].
It is worth noting the ICT policy issues and challenges that have potentially appeared as a result of the problem background. ICT policy issues and challenges also provide insights and motivation into this research work. Although the current ICT policy researches have been conducted in different countries from different continents such as Africa and Europe, they more or less reflect common issues and challenges. One of the significant shortcomings or issues that can be identified with current ICT policy is that it is mostly uninformed and revolves around the everyday lives of citizens and their ICT perspectives or perceptions [8]. Olsson claimed that the evaluations of ICT policy success are often times merely in the form of computer and internet access statistics. They require closed examination with consideration of day to day situations [9]. There is often a difference between the designers or decision-makers of ICT policy and the community"s ICT perception [10]. However, there are arguments about how to strengthen ICT policy initiatives [6] because current ICT policy is mainly developed with either minimum or no consultation with affected people, and that is the foremost reason for the policy to not take into account the requirements of the community [11]. It is common practice in many countries to blame governments for considering ICT policy very low on the agenda, or for lacking an explicit ICT policy [12]. There are also other issues that negatively affect ICT policy management such as; low level community literacy, lack of ICT awareness, inadequate results produced by current ICT programs, inadequate ICT infrastructure, inappropriate ICT policy formulation [11] and under-estimation of ICT policy political implications by considering ICT policy as unambiguous and technical. Therefore, policy makers often rely on very poor, inaccurate, incomplete and outdated data [13]. Other ICT policy challenges are mainly: to implement ICT policy since it is a complex process and influenced by various agents at different levels and scales [14], to implement the ICT projects and management of the organization on the ground, to adjust policy over time [15], to scan the environment to ensure user satisfaction or needs fulfillment in order to add value to the community [11] and to scrutinize policy documents on an ongoing basis [16].
It is necessary to identify the background of the problem that has led to all existing ICT policy issues and challenges. In fact, ICT policy issues and challenges are potentially founded by the current and relevant requirements or shortcomings. The concept of Governance has only recently entered the field of social science [17] and the topic of Corporate Governance is ill-defined and blurred [18]. However, after years of research efforts and publications there are still unconsidered aspects. With regards to ICT governance (the sub-set of Corporate Governance) there have been several frameworks formulated and published by practitioners based on the experience, some of which have been used by industry and became standards. To name a few, the two most widely used or globally accepted ICT governance frameworks are ITIL and COBIT. However, the aforementioned and other available ICT governance frameworks excluded certain aspects such as ICT policy management [19]. Therefore, many countries are currently facing the difficult task of formulating the national ICT policy development framework that could enable and benefit equally all stakeholders [13]. However, [20] discussed the significances, issues, challenges and problem background of ICT policy management in more detail.

AN OVERVIEW OF ICT POLICY MANAGEMENT PRACTICE
This paper analyzes the current practice of the case study in ICT policy management through application of the VSM. Analysis took place by measuring organizational levels, their activities and corresponding roles and responsibilities in ICT policy management. The paper also reflects the pros and cons in ICT policy management. However, a brief introduction to the organization and its history in ICT policy is provided for better understanding of the situation. The analysis was conducted at one of the oldest and largest engineering and technological public universities in Malaysia (Universiti Teknologi Malaysia, UTM). The university currently has 14 faculties, 14 residential colleges and 6 schools serving more than 20,000 students with the help of about 2000 lecturers. The university has long been deploying ICT services and facilities. The number of ICT systems developed and utilized for various purposes is increasing every year and there are many computer laboratories and Wi-Fi zones all over the campus. The majority of operations and functions are performed using ICT facilities and services. Therefore, in such a huge organization success is important in the regulation, controlling and direction of the ICT through ICT policy. The Computer and Technology Center is the main university department responsible for managing ICT services and operations. The department has been developing and purchasing various ICT systems or software. It consists of several units and each one is responsible for certain activities or services. There are also various task forces and training units responsible for conducting ICT surveys, analysis and education. The Computer and Technology Center formed a committee and performed the policy development process. The university ICT policy mainly covers: (1) maintenance, (2) procurement, (3) rent, (4) disposal, (5) backup and disaster recovery, (6) content and information and (7) safety and security. The university ICT policy handbook also introduced eight ICT rules which were agreed in the policy. The ICT rules are: (1) Internet usage rules, (2) E-mail usage rules, (3) Charging rules and publishing content on the Web, (4) Regulations pertaining to the distribution of computers to staff, (5) Computer lab usage rules, (6) ICT Equipment rental rules, (7) Regulations on disposal of ICT equipment and (8) ICT safety and security regulations.
In addition, other ICT policy related activities have been performed in the university. The Vice Chancellor (VC) announced the conception of ICT policy in the monthly assembly and the Computer and Technology Center distributed copies of ICT policy handbook among a number of staff and uploaded an electronic copy to the university"s portal. Survey and interview were conducted among a sample of students, lecturers and ICT policy legislators (i.e. CIO, IT Managers, IT Officers and Deans). The aims and scope of the survey and interview were to: (1) measure the existing situation of ICT policy in the university, (2) research the compatibility and effectiveness of ICT policy, (3) research the accountability level and structure of ICT policy, (4) research existing tools used to manage, administer and enforce the ICT policy among all end users and (5) research the weaknesses and contributing factors in ICT policy management. In brief, findings of the survey showed (1) the low level of ICT policy awareness among the community members, (2) the poor community understanding or comprehension of ICT policy, (3) the current ICT policy weaknesses, (4) lacking or required guidelines in ICT policy management, (5) the ill-structured ICT policy development process and (6) the people responsible in ICT policy management. In addition, it was identified that there was no ICT policy enforcement by the authorities and the ICT policy has never been reviewed or evaluated since the development process. Improper policy dissemination was identified as the main factor that contributed towards the low level of ICT policy awareness and comprehension. The next section briefly discusses the rationale for choosing the analysis method (VSM) and then represents its application in analyzing the ICT policy management of the case study. [21] stated that what enables VSM to adapt and survive in a changing environment is its dynamic structure determining the adaptive connectivity of the parts of the organization or organism. However, the approach also helps practitioners and researchers distinguish right from wrong in organizational questions [22] and reach a universal model [23]. According to Reynolds and Holwell, VSM can be used to: (1) identify weaknesses, mismatches or missing elements in diagnosing a problem, which is achieved through its comparison against an actual organization, (2) model a framework for organizational design to resolve a diagnosed problem and / or (3) design from a clean-sheet. However, five key concepts that underpin the VSM are: viability, variety, recursion, autonomy and transduction [24]. As a diagnostic tool to (re-)design organizational processes, VSM is considered to be "the most usable and developed organizational cybernetics expression" [25]. The VSM"s intention is to develop functions within an organization that enable it to survive in its given environment [26]. It is recursive, reduces variety and is quick on the draw and adaptive. The VSM seizes its opportunities, which guarantees its survival. The diagnostic power of the tool has been proven worthy, and has been determined through its application to all kinds of organizations [27]. VSM is flexible and robust, two advantages that are a prerequisite in fastchanging environments [28]. [29] stated that the VSM and its application to IT governance have proven to be a comprehensive blueprint for designing viable organizations and IT governance arrangements. [22] categorized the value of the VSM from two viewpoints: value in the language of the users as well as the managers. Accordingly, management of the organization through application of the VSM can distinguish right decisions or policies from wrong ones, adapt to the complex and dynamic ICT environment and enable linkage between ICT policy, strategy and culture. Therefore, management can end ICT and policy conflicts and prepare and organize the organization for the future. However, [30] discussed the methodology utilized in conducting this study in more detail.

Diagnosing ICT Policy Management at System One (Faculty IT Unit)
System one is the management of a basic subsystem [31]. According to [27], system one of the VSM or division is the sub-system of the viable system responsible for carrying out the value adding tasks. System one or the "Implementation" function or level is responsible for the primary activities in the production of the products or services of the organization, which is at the core of the model. He stated that, the management of system one is the responsibility of the "Divisional Directorate". This is achieved through planning, controlling, monitoring and in general managing divisional activities or routine responsibilities with consideration of instructions and policy of upper levels. However, "Divisional Regulatory Center" is the management tool of the "Divisional Directorate". Therefore, the case study"s system one contains the "Faculty Directorate" and its ICT management tool is the "Faculty IT Unit". The IT unit was formed by an IT manager and an IT officer (a technical person) to assist him or her. The Faculty IT unit was responsible for managing all ICT related affairs of the faculty and its departments. The IT unit was responsible for all ICT affairs of the faculty but the content, decision and instruction were decided by the faculty management. There were 20 IT managers in the university and they were assisted by the Computer and Technology Center to some extent. An IT manager"s criterion was that they should be a lecturer with a background in any IT field. The IT manager position calls for a two year term which could be extended for an additional period. The IT manager was also the representative of faculty and its departments at the university IT Technical Committee.
The VSM is recursive, which means that every level is itself a viable system. Figure 1 represents the recursive structure of VSM at the faculty level. According to Figure 1, there are a set of operational sub-activities (departments) within the operations" circle of system A (faculty A) where each one is a viable system with exactly the same systemic needs and structure as the whole. In other words, there is a viable system (the university) made up of viable systems (faculties) which are made up of viable systems (departments) and all use the same systemic architecture. Therefore, system one (faculty A, B…) alone can be considered as a viable system controlled by the university meta-system (1"). As represented in Figure 1, departments of faculty A are controlled by the faculty meta-system (1 A ). Subsequently, faculty A"s directorate chaired by the dean is the faculty A"s system five (S5). Faculty A"s system five (dean) is connected to the university"s system five (executives) via University Management Group (UMG) explained later. Faculty A"s system four (S4) is the IT manager who is also a member of university"s system four (IT Technical Committee). Faculty A"s system three (S3) is the faculty IT unit mainly supported and monitored by university"s system three (Computer and Technology Center). Faculty A"s system two (S2) is formed by the heads and technical staff of departments and system one (S1) is represented by its (faculty A) departments. However, recursive analysis is only represented for system one in order to save the space and keep the focus on issues associated with each system.

Fig 1: Recursion at System One (Herring and Kaplan, 2001)
However, there were various issues identified at this level (see Table 1):

Issue No Description
1 Faculty"s system five (dean), system four (IT manager) and system three (IT unit) were not involved in ICT policy management.

2
IT unit was formed by two people (an IT manager and an IT officer). That is not enough personnel for an IT unit in a big faculty consisting of various departments with many students, lecturers and staff. Therefore, they were very limited in terms of human resource and support.

3
IT managers were also questioned about their placement incentives. The majority of IT managers stated that they have been chosen by their deans because other lecturers refused the post. That is because this administrative obligation is not considered in their appraisal.

4
IT managers did not have the necessary skills for their position such as IT knowledge and administrative experience because most of the faculties did not possess such an individual.

5
IT managers did not possess a strong administrative and authoritative position among faculty members.

6
IT managers were not provided with their job specifications and they were not instructed to be involved in ICT policy management.

7
IT managers were not provided with any guideline specifying methods or tools in ICT policy monitoring.

8
ICT policy awareness was very low among students, lecturers and staff. ICT education was not conducted and enforcement was not performed.

9
ICT policy monitoring cannot be performed if the implementation is not carried out.

10
ICT policy implementation and monitoring are very challenging, costly and effort consuming because they require additional activities such as publication, training, workshop and developing or purchasing software application, monitoring system or device.

11
It was very challenging to monitor closely and in a real time, especially in huge organizations. The issue of the community size was intensified by people resisting and refusing to be monitored or observed while exploiting ICT services or facilities. In the absence of monitoring, the balance between ICT flexibility and freedom in contrast with ICT regulation, security and control could not be maintained.

12
The current ICT policy was a very general guideline and did not cover the overall scope of ICT. Ill-formulated ICT policy can have a negative impact on its implementation and monitoring. In other words, gaps were created by the policy itself.
Weaknesses identified at the faculty level led and caused the failure of ICT policy management at this point. Therefore, the viable system failed at this level. ICT policy management at system one missed various supports in terms of human, financial, technical as well as direction and management. Accepting an IT manager position unwillingly and without promotion can negatively affect the ICT policy implementation and monitoring as well as the whole performance of an IT unit. Another weakness was that ICT issues and requirements could not be identified thoroughly because IT managers were not involved in any ICT policy processes. Therefore, developed ICT policy did not address all ICT issues and requirements of the entire community, which in turn, resulted in low consideration or acceptance of formulated ICT policy. Such circumstances could come at the expense of an appreciation of ICT potential, excellent ICT performance and the ICT autonomy of the faculty. The faculty IT unit is part of the organization that is close to customers -the students and lecturers. Subsequently, it is capable of conducting awareness campaign, education and enforcement if prepared, instructed and supported. It is also capable of performing ICT policy monitoring even better than Computer and Technology Center. The Faculty IT unit can perform comprehensive observations, conduct wide range surveys, collect feedback and produce comprehensive ICT reports.

Diagnosing ICT Policy Management at System Two (ICT Policy Management System)
System two of the VSM or the "Coordination" function or level is an essential interface to coordinate the operations of subsystems in order to carry out the value adding tasks [27]. In other words, a coordination mechanism is necessary between the value adding functions and primary activities embedded. That is the coordination between support functions and autonomous units achieved through the design of an effective communication mechanism. Coordination includes the information channels and bodies which ensure that the primary activities of system one work harmoniously in coordination [33]. The coordination mechanism is to avoid oscillation, direct competition or blind operation of divisions with each other. This is where ICT systems or software is helpful in avoiding direct and intrusive human intervention [28]. An ICT system or software could play the role and provide functions where all Divisional Regulatory Centers and system three are connected for communication and mutual adjustment in order to coordinate in harmony and achieve synergy. According to [34], "System two also includes a great deal of tacit knowledge of how things are done around here which is expressed as attitudes toward safety, confidentiality and other informal controls." The author indicated the types of information that tend to be the responsibility of system two as: administrative protocols and practices, maintenance records, schedules and security precautions and the knowledge and documentation of the communications systems and infrastructure.
In the case study IT managers were supposed to play the main role at this level in order to ensure that the primary activities of IT units worked harmoniously in coordination. However, according to the analysis of system one and four, coordination was difficult to achieve through IT managers. Therefore, this level was mainly analyzed from the perspective of service(s) that may come under system two, in other words, ICT policy management service(s) that could provide support (information channels) to IT managers (information bodies). ICT systems or software also could be used at this level to manage and disseminate information. Information in this case is the ICT policy. Mediums used in storing ICT policy were identified as: (1) ICT policy"s guide book, (2) staff guide book and (3) meeting minutes. ICT policy distribution channels were: (1) the university"s portal, (2) the faculty"s websites, (3) ICT guide book and (4) notice boards. In addition, informal control can be performed at this level by linking system one and system three through system two. This is where communication between IT units and the Computer and Technology Center is supposedly established. Therefore, system three can monitor system one. Monitoring at this level can be defined as small groups having their communications under controlled access in order to obtain, archive and keep track of ICT policy related information. Keeping track of information can be best achieved through archiving in categories. Electronic communication between IT units and the Computer and Technology Center was performed through an electronic mailing group in the case study. However, there were various issues identified at this level (see Table 2): One of the misconceptions contributing towards failure in ICT policy implementation was the majority of people thinking of ICT policy as a lengthy context kept confidential. However, authorities understood that their responsibility was to provide good and stable methods, software or procedures to the users because they realized that was one way to increase the community"s tendency and desire to know and follow the ICT policy. They also mentioned that if any special-purpose technology is to be used attempt has to be made to cover all levels of the university because it is necessary to implement ICT policy everywhere.
14 ICT policy handbook (PDF file) was accessible through university"s portal and there was no ICT system or service especially intended for managing ICT policy and related contents and activities. First, downloading a very massive file (27.3 MB) containing 44 wordy pages and reading through all would be very inconvenient for customers. Second, quick and convenient search for a specific or desired policy through such a handbook was very difficult. Third, publishing an ICT policy handbook was not very effective because there was a need for collecting the community"s feedback about ICT policy.

15
There are different ICT issues, requirements and policies therefore, concurrent discussions are possibly among authorities on different subjects. There is also the need to keep track of conversations and their related information. In other words, it can come to a point where authorities need to manage different categories of conversations in order to archive and keep track of the information. It is also a requirement at this stage to trade messages (make mutual adjustment) with other members. For the above reasons, e-mail may not be an appropriate choice of communication platform. For instance, it can be very inconvenient to keep up with the events when frequent e-mail messages addressing different subjects are being exchanged. Therefore, in this situation using e-mail as the communication platform can lead to ignore the conversations or avoid commitment in the long run.
A non-existing guideline that specified the method for keeping, storing and disseminating ICT policy has led to ineffective ICT policy distribution, which also created difficulties in its implementation. Inconvenient methods of ICT policy exposure and feedback collection were the strong reasons the community ignored the ICT policy. In addition, IT managers (information bodies) were not well supported by appropriate ICT service(s) (information channels) at the coordination level. Therefore, exposing or disseminating ICT policy to the community, conducting ICT policy informal control and monitoring and establishing extensive communication to achieve coordination has not been performed through technology utilization successfully. In other words, ICT policy management at system two missed technological contribution in order to disseminate ICT policy to the entire community conveniently, collect ICT feedback constantly and establish communication extensively.

Diagnosing ICT Policy Management at System Three (Computer & Technology Center)
System three or the "Corporate Operations Directorate" is responsible for stability of the internal environment and corporate synergy, which is achieved through transmitting policies and instructions to divisions [27]. In addition, this system processes information and plans, controls and manages the internal environment. System three collects, filters and reports to the upper levels information about the internal environment achieved by system three star through system two. [35] stated that the management functions of systems one, two, three and three star account for the inside of an organization operating in the present tense. The Department of Computer and Technology Center manages the ICT operations and policy at the organizational level, and is therefore known as the "ICT Operations Directorate". System three star or "Corporate Regulatory Center" is under the authority of system three. According to Leonard, typical functions provided by system three star are: financial audit, energy audit, security audit, IT compatibility audit, study of customer complaints, sporadic employee satisfaction surveys and needs analyses. System three star or the position of "ICT Policy Administrator" has not been assigned to any person or group of people in the case study.
Computer and Technology Center was directed by the CIO and had about 128 employees. There were various units, groups and task forces in this department. Units were managed by deputy directors. The department was responsible for ensuring that staff and students had access to teaching, learning and research resources by: (1) providing ICT infrastructure of the university, (2) acquiring, developing and supporting new and emerging systems and technologies and (3) by providing access to millions of digital resources across the university. According to the CIO, the overall ICT policy process was the responsibility of Corporate Planning Unit. The ICT policy development was the responsibility of Quality System Unit. The ICT Security Group was responsible to implement the ICT policy. The Human Capital Development possessed required data about all staff and was responsible for educational activities. In addition, a training center was mitigated for daily training of all staff (e.g. clerical staff, office assistants, technicians and top management). In developing ICT policy, the department had formed a technical committee. The committee consisted of six people from Computer and Technology Center, two people from Faculty of Computer Science and three research assistants. However, there were various issues identified at this level (see Table 3): Computer and Technology Center purchased Network Admission Control (NAC) from Cisco worth of approximately $US 670,000 in order to enforce network policy and improve its operation. However, the challenge that this department faced in implementing the NAC was to achieve the acceptance and adoption of the community and some technical issues caused by the system (ICT infrastructure and compatibility issues). For example, the current network bandwidth and configuration did not support smooth implementation of the system and there were some incompatibility issues with MAC and Linux operating systems. Second, in compliance with ICT security policy the department has also purchased the university official antivirus to provide a mechanism for computer security. However, the community always complained about the university official antivirus. The official antivirus had weaknesses in effectiveness, compatibility and user friendliness. Therefore, the second official antivirus was purchased from a different company shortly after the purchase of first antivirus. Third, the distribution of software application licenses was performed among different faculties and departments based on an "unwritten policy". In other words, mutual agreement had to be made on those situations between Computer and Technology Center and IT units which were hardly achieved. Therefore, there were so many obstacles in ICT policy enforcement at this level.

17
There were many different ICT systems and services deployed throughout the campus. Each ICT system or service could possibly have a policy addressing different aspects of the technology and its stakeholders. Different ICT policies required different tools or mechanisms for implementation. In addition, the demand for time, effort and resource was very much higher in ICT policy implementation. Therefore, ICT policies were difficult to implement all together at one stage. Diversity issue can be considered as one factor causing the delay or even disregard of ICT policy implementation.

18
Computer and Technology Center was not able to continuously provide full support to all faculties. For instance, there were different generations of people in the community with different ICT perceptions. It was necessary to continuously educate all levels of the organization on ICT. However, education would require a large budgetary commitment in such a huge organization. The department was also supposed to play an advisory role and send ICT policy implementation and monitoring guidelines to the faculties. Therefore, faculties needed to manage their ICT affairs on their own to some extent. However, some faculties or departments preferred to fully operate on their own. In addition, there were other departments that should monitor or be involved in the implementation process so that proper procedures were followed, such as: the registrar, law and security departments. In other words, collaboration was required in the implementation and monitoring but difficult to achieve consistently. As a result, this system had difficulties in achieving full ICT control and synergy.

19
Interviewees at this level stated that monitoring is supposed to be done by the Computer and Technology Center and IT units because Computer and Technology Center can only monitor the hardware, software, stability and technical side of ICT policy but the user side such as behavior, adoption and ethics were supposed to be monitored in the faculty by its IT unit.
It was identified in the analysis of system one that developed ICT policy did not address all ICT issues and requirements because the actual input generated from faculties was missing. Therefore, ill-formulated ICT policy did not cover the overall scope of ICT and it was mostly disregarded by the community. In addition, IT units did not receive necessary support from the Computer and Technology Center. It was also identified that comprehensive and extensive ICT communication and coordination at level two was not established. ICT feedback collection from the community has been verified as inconvenient and inconsistent. However, providing a good system two (information channel) to the community was the responsibility of Computer and Technology Center. It is identified at this point that some key stakeholders like IT managers were absent from the ICT policy development process. This policy issue is due to performing the development process at system three instead of system four because system three is supposed to transmit policy and not develop them. Therefore, most of the challenges in ICT policy management originated or were generated from system three. In general, analysis revealed that ICT policy management issues at this level were mainly caused by the absence of a system two (ICT Policy Management System) and system three star (ICT Policy Administrator). [27] introduced system four as the "Thinking shop" or "Brain of the firm" that operates in real time. System four of the VSM or the "Intelligence" function or level is the link between the primary activity (viable system) and the external environment. It is fundamental to an adaptive system. It continuously provides a viable system with relevant external factors such as: feedback on marketplace conditions and technological changes necessary for making future decisions. According to Beer, System four or the "Development Directorate" is where people under different bosses come together and reflect the totality they serve. At system four, representation of the autonomic conditions (system one) in combination with information filtered and ascended from system three are put together. System four"s responsibility is to respond to a variety of conditions knowing the internal situation in parallel to observing the external environment by means of research and development. However, activities or functions of this level are very vital because the organization fails where development management fails [21]. May 23 , 2015

Diagnosing ICT Policy Management at System Four (IT Technical Committee)
System four at the case study was the "IT Technical Committee". The IT Technical Committee was formed by IT managers of different faculties or departments. Computer and Technology Center had representatives in the committee as well. IT Technical Committee was supposed to deliver, discuss and respond to ICT issues and requirements of the organization. IT Technical Committee as a viable system four was supposed to take necessary action, which can include but is not limited to providing guidelines or instructions and making necessary adjustments. Therefore, this level of the organization is responsible for developing, reviewing and evaluating ICT policy based on the community response. However, it is identified that ICT policy was developed at level three. It is also identified that ICT policy implementation and monitoring was not performed by IT managers at faculties. ICT policy effectiveness, accurateness, vulnerability and validity are identified through implementation and monitoring. In addition, it is identified that ICT policy has not been evaluated since the development process. ICT is changing very fast and ICT policy has a validation period and can expire or become outdated over time. Several issues were identified as the main causes to unsuccessful ICT policy management at this level (see Table 4): There were ad-hoc meetings with the last meeting held four months ago and usually about 50% of the members attended the meetings. There were also issues in appointing the chairman. IT Technical Committee was previously chaired by the deputy director of Computer and Technology Center but it was difficult to achieve collaboration among members and make a decision. Therefore, the position has been assigned to the CIO. However, some IT managers proposed that this position should rotate among the members. They stated that it is a motivation if members could have the chance to become the chairperson.

21
When developing the ICT policy, there was an urgent need to formulate the policy as soon as possible and it was difficult to gather everybody in such a short notice and limited time. However, some interviewees believed that it is not good to have everybody involved in the ICT policy development because it would make it more difficult to achieve mutual agreement and perform the process successfully and on time. On the other hand, analysis revealed that ICT policy did not meet the actual requirements of the organization because it was not formulated based on the entire ICT issues and requirements. ICT policy is supposed to be agreed upon and accepted by all divisions before endorsement, otherwise, there could be difficulties in the implementation process. Therefore, after completing the ICT policy development process IT managers were requested to review the policy and provide their feedback but some IT managers did not attend the session or provide any feedback while others sent their representatives.

22
The current ICT policy was not based on the ICT strategy. ICT policy was developed in 2006, ICT strategic plan was formulated in 2009 and the implementation of the plan started in 2010. With reference to section one, ICT policy is the instrument of ICT strategy. Formulating an ICT policy in the absence of ICT strategy can cause the development process to be performed improperly and not based on ICT strategy. ICT strategy also lacks policy support when it is formulated after ICT policy has been developed.

23
One of the reasons that the ICT policy development process was performed at system three is the lack of IT managers who are IT experts. Therefore, an "IT Technical Committee" formed by members who did not possess IT knowledge and administrative experience could not perform its responsibilities. In addition, members may not appreciate ICT potentials.
The case study has also been analyzed from the perspective of an external environment. The external analysis aimed to identify the external body with a direct impact on ICT policy of the organization. However, the external environment can cover a wide scope with regards to the topic. In general, an external analysis can include but not limited to: (1) the government, where ICT policy has to be checked against rules, regulations and strategy of the region or country, (2) the industry, which varies in scope from national and international to public and private institutions and (3)  System five is supposed to direct the organization with the service and support of system four. It is identified that system four or "Brain of the firm" has not been well established at the case study. It functioned now and then and did not receive ICT input reflecting the actual issues and requirements. It is also identified that faculty directorates were not much involved in ICT affairs. As a result, IT managers were not officially held answerable to their superiors. IT managers" commitment at the IT Technical Committee has been identified as unsatisfactory. That is as well the result of their improper appointment, missing preparation and insufficient support and direction. In addition, IT Technical Committee should have been chaired by a person who was ICT educated, skilled in administration, self-confident, good in communication and team work and possessed jurisdiction and authority to make a decision. In general, ICT lacked the buy in of strategic level and the ICT policy only covered the operational perspective of ICT. It is difficult to control and direct the ICT strategically when it is mostly considered at the operational level of the organization.

Diagnosing ICT Policy Management at System Five (Executive Committee)
System five of the VSM or the "Policy" function or level gives closure to the entire system [27]. It is the policy-making function. System five mainly provides clarity about conditions, values, purposes and overall direction of an organization. However, system five is defined as low-variety in comparison with the complexity of the internal and external environment. Therefore, it highly interacts with and depends on the activities of system four. Decisions that have been carried out between system three and four are checked by system five against the direction of the organization. System three and four are complementary to one another, which means that if decisions are over-influenced by either of the two they are likely to be costly and ineffective. [21] discussed the functions of system five as: (1) governing the organization, (2) ensuring its capability to manage itself and steer a course to keep a healthy fit between the organization and its environment, (3) creating, maintaining and recreating the identity of an organization and (4) maintaining a relationship between the system in-focus and the meta-system. Authors argued that when considering system five in the context of a board and spotting their required connections, then there are three things to look at: the governance connection to maintain the balance between system three and four in formulating strategy, the governance connection into lower levels of recursion in the organization in order to receive signals that might be filtered out by management levels and the connection to wider system embedding our system-in-focus. Therefore, system five manages ICT policy by monitoring and debating ICT policy decisions made at lower levels. However, system three and four must maintain their weight in the ICT policy-making process in order to develop an economic and effective ICT policy.
The two highest levels of the university were the University Executive Committee (UEC) and Senate. The Senate was responsible for all academic affairs. The UEC was responsible for all operations such as financial, human and the management of all other resources. It was responsible for all non-academic matters, in general, more on the plans and executing those plans such as equipment and infrastructure. UEC was chaired by the VC and attended by non-academic senior management. UEC was under an external body entitled Board of Directors (BoD). BoD chairman was the government contact person and members were the representatives from various sectors such as treasury, ministry department and industry representatives. VC of the university was the BoD secretariat. Issues beyond the scope of UEC would be addressed to the BoD. In addition, UEC had a sub-committee known as the University Management Group (UMG) whose members were the deans and directors of faculties or departments. UMG was the supporting group to UEC and responsible for operational activities.
ICT policy management has been performed at the UEC to some extent. For instance, the VC has personally and closely monitored the development and maintenance policy and procedure of the university official website. The website is the main official communication channel with the entire world. It has also an impact on the world rank of the university (webometrics ranking). The university"s website has gained the second webometric ranking among public universities in 2010. According to the CIO, success has been achieved through enforcing website policy under extensive supervision of the VC. However, development and maintenance policy and procedure of the website were mainly from the category of "unwritten policy". However, there were issues identified at this level with regards to ICT policy management (see Table 5): The committee responsible for developing ICT policy was also guided by an advisory committee comprised of representatives from the Bureau of Innovation and Consultancy, Center for Teaching and Learning (CTL), Research Management Center (RMC) and the library. There were no representatives from faculties or departments (UMG) and the UEC. Therefore, the current ICT policy lacks the input or consideration of level five (strategy level).

25
According to the CIO, members of the UEC were not IT expert. It has sometimes been challenging to persuade or attract their full considerations with regards to ICT. Such a committee at the strategy level of an organization could not provide a considerable contribution in developing and evaluating ICT policy. However, the ICT policy was eventually endorsed by the UEC.

26
Information from the UEC did not flow down the organization extensively. For instance, VC announced the ICT policy at the monthly assembly. ICT policy handbooks were also distributed at that time. However, the attendance of staff at monthly assembly has not been satisfactory. Through observation the attendance was estimated between 50 to 60 percent. Therefore, no significant improvement in ICT policy awareness could be achieved.

27
The CIO also stated that UMG has not been involved and held accountable in ICT policy management at this level. In addition, there was no direct communication or interaction between the UEC and IT managers. Therefore, system-wide and interactive communication on ICT policy was not established between all management levels.