Questions about IT Governance, Risk, and Compliance Answered


Key Takeaways

  • IT GRC programs are an institutional need, not just an IT program need.
  • Even with clearly defined IT GRC concepts, there is no easy way to establish IT GRC programs in higher education.
  • Institutions follow a varied path to creating IT GRC programs that are unique to institutional culture.
  • IT GRC programs must be supported at the executive level in order to succeed and contribute to the institutional mission.

Joanna Grama is director of Data, Research, and Analytics Operations and the IT Governance, Risk, and Compliance and Cybersecurity Programs for EDUCAUSE.

In their discussions this year, the EDUCAUSE IT-GRC advisory committee members highlighted the importance and difficulty of addressing IT governance, risk, and compliance (IT GRC) issues in higher education. Formed to recommend strategic direction for EDUCAUSE IT GRC activities, the group spent the past year discussing issues, reviewing IT GRC frameworks at other institutions, and trying to define the most common elements of IT GRC programs in higher education.

The committee's work has not been easy. Often, even defining the concepts underlying GRC can be difficult. A 2014 EDUCAUSE Center for Analysis and Research (ECAR) study on IT GRC programs in higher education [1] generally defined GRC as follows:

  • Governance: How a higher education institution is organized for the purposes of decision making and resource allocation, and how the varying parts are managed in a way that promotes the institution's mission.
  • Risk management: How an institution determines its appetite for risk, as well as how it develops and enforces risk controls and mitigation strategies for any given endeavor across the enterprise.
  • Compliance: The effort to ensure that users comply with laws, regulations, and the institution's own policies, and that compliance efforts are coordinated institution wide.

Even when the concepts are clearly defined, establishing IT GRC programs in higher education is hardly straightforward. The 2014 ECAR study found that about half of the institutions surveyed had a formal IT governance program, but that "IT risk management and compliance programs are the exception rather than the rule." [2] The study also showed that higher education institutions have taken a varied and sometimes casual approach to IT GRC programs; only 12 percent had a formalized IT GRC program. [3]

Figure 1 illustrates the study's findings. As the grey circle (all institutions) shows, one-third have no formal IT GRC program in place. The overlapping red, turquoise, and orange ellipses represent the remaining 67 percent of institutions as follows:

  • red represents the institutions with a formal IT governance body,
  • turquoise represents those with a formal IT risk management program, and
  • orange represents those with a formal IT compliance program.

The other shaded areas represent the degree of overlap between institutions with these programs. All percentages in the graph add to 100 percent.

Figure 1. Prevalence and overlap of formal IT GRC programs in higher education [4]

To offer their insights into the difficulties and opportunities inherent in IT GRC programs in higher education, I asked members of the advisory committee to tackle some key questions for EDUCAUSE readers. The responding committee members are

  • Cathy Bates, Associate Vice Chancellor and Chief Information Officer, Appalachian State University
  • Mike Chapple, Senior Director, IT Service Delivery, University of Notre Dame
  • Michael Corn, Deputy Chief Information Officer, Brandeis University
  • Steve McDonald, General Counsel, Rhode Island School of Design
  • Peter Murray, Chief Information Officer and Vice President for IT, University of Maryland Baltimore
  • Marty Ringle, Chief Information Officer, Reed College

Why are IT GRC programs important for higher education institutions? How has this evolved in the higher education space? Where is there opportunity for IT GRC programs?

Bates: IT GRC programs give the IT organization a framework for engaging the institution in determining strategic direction, understanding and addressing technology risk, and collaborating to meet compliance requirements. When they work well, these programs create a collaborative, organizational framework to ensure that people and financial resources are used strategically and in alignment with the institution's strategic plan.

Corn: IT governance programs help institutional leaders understand that IT can indeed be strategic and can be a differentiator for an institution.

McDonald: Even when these programs don't work particularly well, it's better than when they don't exist at all. Not paying attention to these issues won't make them go away; it will almost certainly make them worse.

Murray: An IT GRC program is most effective when decisions regarding IT priorities and resources are made at the executive cabinet level, ensuring that IT activities are supported and aligned with an institution's broader goals. Resources are needed for undertaking IT initiatives, mitigating IT risks, and addressing IT compliance items. An effective IT GRC program gives the executive cabinet enhanced direction-setting and decision-making capabilities regarding resourcing institutional IT priorities as well as aligning technology resources and services with academic and business needs, opportunities, and innovations.

Ringle: Higher education's consideration of IT GRC is still in the formative stage. Even though examples of IT governance have been around for a long time, and many models have been discussed during the past decade, IT governance strategies have yet to reach maturity. Being able to converse with colleagues and see case studies of what other institutions have done is therefore extremely helpful.

Do you have an IT GRC program or program components on your campus? How mature is it?

Bates: We have a newly formed IT governance framework. Our framework is organized by service portfolio committees based on our campus-wide technology and application service catalog. The committees were formed this year and are beginning to manage their service portfolios. We are developing maturity, but certainly have a long way to go. Likewise, we have several compliance programs based on federal regulations. Some are more mature than others, but we lack a holistic approach to technology compliance. IT risk is addressed in many ways, but not as a cohesive program.

Chapple: Our IT GRC program is integrated with broader campus risk management and governance programs. We perform regular risk and compliance assessments covering a wide array of technology risks and review them with our campus Information Governance Committee. This feeds into an annual higher-level assessment by the campus-wide Institutional Risk and Compliance Committee. Our approach to IT governance prioritization is customer-centric; we have customer-led guidance councils for the major functional areas of the institution. Each of these guidance councils has IT staff resources assigned to it, and we ask our customers to prioritize the work performed by those staff members.

Corn: Like many institutions, we are just starting to address how IT GRC is relevant for us. And, like many institutions, IT GRC for us is a posture towards a constellation of ideas and issues. Critically, this posture is one that evolves as an organization's understanding and need for IT GRC matures over time. We are in the second year of an IT governance process, which (though immature) has become a structure to discuss everything from resources and implementation timetables to policy. We are encouraging partnerships across the institution that look closely at GRC issues and the roles that IT can play in understanding and responding to them.

Murray: We have an Enterprise Risk Management (ERM) program, which is an institution-wide program that includes IT risks. ERM is a mature program, having been in place for approximately four years. It also discusses more than just IT, so the program is very holistic. ERM is sponsored and led by the president and is effected by the organization's leadership. In addition, the program is developed and managed at the enterprise level with all key academic and business areas included; is designed to identify and mitigate risks that would impact strategic objectives; and provides a framework for determining risk tolerance, developing mitigating strategies, and allocating resources.

Has your IT GRC program solved a difficult issue on your campus? How?

Bates: In the absence of IT governance, technology directions at our institution were largely developed within silos, and our efforts to understand broad technology needs were ad hoc at best. Our governance program is facilitating technology collaboration across units and allowing us to work across divisional and college-level units to be more innovative and resourceful. An example of this is our web and mobile portfolio committee, which has been a highly successful cross-divisional committee of technologists, functional owners, faculty, and students. The committee members came together early in the school year to architect the environment and create software development guidelines, policies, and priorities to support campus-wide inclusion in mobile application development.

Corn: Acting as a Risk Board, our senior management team has systematically identified priority risk areas for the university and has assigned responsibility for addressing each of them. We are also raising awareness on the compliance front with the recent establishment of a records management program and the hiring of a CISO [chief information security officer] and records manager.

Murray: Our program, which includes IT risk management, has solved many difficult issues because it is led by the president; has an executive committee to help the president with decisions; has a steering committee that creates and discusses proposals; has subject area work groups for all key university areas in which risks are identified and defined; and has collaboration across the entire enterprise in getting the most important risks mitigated, reduced, and/or eliminated.

What resources are needed in higher education to improve IT GRC activities?

Bates: IT GRC programs are complex and difficult to implement. Like many institutions, we are struggling to find the best way to bring these programs to our campus. Keeping momentum with the IT governance program will be an important focus this year. Such programs require a significant time investment from functional and technical members of the campus. We do not have an organized body of best practices to guide us; we need these — along with implementation models, tools, materials, and case studies — to help us all move forward faster and more efficiently.

Chapple: Institutions need to recognize that IT GRC is a part of a larger picture. It is important that GRC efforts within technology organizations be linked with broader institutional initiatives in those areas. For example, the risk assessment process used for technology risk should be linked with the institution's broader risk assessment process. Technology risk should be assessed alongside other risks such as safety, student life, financial operations, and human resources. Performing these assessments side-by-side helps put each of these risk assessments into the broader institutional perspective.

Corn: It can be hard for institutions to grow their way into IT GRC. People are often working on GRC issues, but not always in a coordinated or well-planned way. Many of us might even feel rather lonely in these responsibilities and will respond enthusiastically to the opportunity to meet, compare notes, and work through the five stages of IT GRC grief — from denial and isolation to acceptance.

McDonald: Many schools are resource-constrained and shy away from tackling these things because they seem so overwhelming and unattainable at first glance. However, IT GRC may best be viewed as an aspiration that you are constantly working toward, rather than something that can and must be accomplished all at once. Having the time and will to implement IT GRC programs is important, but having the time and will to just start is enough in the short term.

Murray: For an IT GRC program to be most effective, it must be supported at a cabinet level. Because many governance decisions involve spending or prioritization, you need a seat at the executive table where you can submit proposals so that decisions can be made and supported.

Conclusion

The need for IT GRC systems and processes will continue to grow as our dependence on IT to contribute to institutional success grows. IT GRC programs that help refine IT decision making, address risks to IT resources, and ensure that IT resources are used and operated within compliance requirements will help ensure that success.

EDUCAUSE provides resources that help higher education institutions define and implement campus IT GRC activities. We also invite you to contribute to this IT GRC body of knowledge for higher education. To learn more or participate, e-mail [email protected].

Notes
  1. Jacqueline Bichsel and Patrick Feehan, "Getting Your Ducks in a Row: IT Governance, Risk, and Compliance Programs in Higher Education," research report (Louisville, CO: ECAR, June 2014). Key research findings are available to all readers; the full report is available to ECAR subscribers only until November 2014.
  2. Ibid.
  3. Ibid.
  4. Ibid.