Following up on my last blog post, on governance, let me now tie in risk and compliance. CIOs certainly understand that GRC efforts and investments may not yield laudatory press releases and may not get their faces on the cover of trade magazines. So, Why GRC? Here’s why—a focus on the alignment of these three areas – on their interconnected nature—is key to staying out of less flattering headlines.
We in higher ed information technology grasp the significant dangers of risk and compliance. Risk —or, to be more exact, how we think about (or obsess about) risk—can paralyze us. We can become so preoccupied with risk (its assessment, mitigation, and management) that we fail to be occupied with providing IT enablement to the missions of our institutions and with using technology to promote innovation in the execution of those missions. And yet, failing to be appropriately occupied with risk can end in catastrophe, which has the same result (i.e., mission not accomplished). Compliance likewise has the potential to bleed us dry of resources as we spend money to ensure compliance and spend time obsessing over it (or dealing with failures). Here again, we become so focused on ensuring we’re staying between the lines that we fail to expand our institutional horizons, which simply must be expanded in this age of disruption. But if we simply ignore compliance, we run the risk of dealing with the negative outcomes of such ignorance, leading to the same sad ending (mission not accomplished).
One personal anecdote illustrates this struggle for balance. When I first arrived at Louisiana State University in Spring 2005, the head of our IT operations unit (we’ll call him “Butch”) came to see me with a proposal to make some investments of time and money in disaster recovery and business continuity planning (DR/BCP), essentially addressing a prime bit of risk. Coming as I did from the calm and quiet hills of southern Indiana and walking into a challenging need to “up the impact” of the IT organization at LSU, I told Butch that I felt we needed to make more visible investments. What he proposed was all well and good, but no faculty member or student ever congratulates the IT staff for having a well-documented BCP or expresses appreciation for IT spending on DR. Sorry, Butch. Of course, four months after this conversation, Katrina happened. Although we at LSU were not directly impacted by the storm the way our New Orleans colleagues were, it sure got my attention. After Hurricane Rita struck a few weeks later (once again grabbing my attention!), I called Butch into the office and asked: “What can we do, reasonably, to address shortcomings with DR/BCP?” The experience was sobering and served as my introduction to the fact that though I had a vision of high-reward IT investments, mitigating and managing risk (and similarly addressing compliance) had its own reward: that of surviving – so that we could continue those high-reward initiatives.
Now, aside from a careful balancing act on my part as CIO, how did we manage to not let risk (and compliance) put us in the duck soup? Governance.
Governance helped us create our IT strategic plan, which was aligned with the institutional strategy, which by the nature of our institution not only took into account those mission-specific elements of IT enablement but also recognized the need for addressing the risk. Governance – via that strategic plan and then the ongoing community model put into place to manage our stepping through the plan and to align with the institution’s culture of shared governance – ensured that we were able to strike a balance between being safe and being innovative. Governance helped us identify for our community both sides of the coin: the need to advance information technology in support of teaching and learning, research, and fundamental infrastructure and support; and the need to ensure that our environment was examining and addressing risk and carefully considering the impact of compliance (or non-compliance) so as to not lose everything for which we’d worked so hard. I have employed the same approach here at Maryland, to what will be (I am confident) a similar end.
At today’s colleges and universities, there is very little that does not have an IT component or that is not significantly influenced by information technology. As a result, there is a pressing need for those of us in the IT profession to think of how we can move beyond the IT-centric risk and compliance and extend our institutional understanding of risk and compliance into broader strategic, operational, financial, legal, and reputational arenas—and to do so beyond simply our role in operating our systems. As the common uniting element, information technology can help draw those functional areas together. Whether we actually take on the responsibility as owners of broader risk and compliance efforts at our institutions will depend on the individual cultures and situations at our institutions. Although a case can be made that other institutional leaders (e.g., senior business officers, chief research officers, legal counsel) are better positioned to spearhead such efforts, I know several CIOs who have been so anointed because information technology is the common element (and disruptive force) in these challenges. But anointed or not, we may become agents of agitation for such efforts.
As risk and compliance is out of my (current) personal skill set, I am going to rely on EDUCAUSE – and my higher ed IT colleagues – to help me grasp what it is I may need to do to be a good agitator, and/or a good anointed leader, of an institution-wide effort. I’m sure others likely feel the same. This is a critical reason why the GRC initiative is so important—and why now is the time for it.
Back at LSU, in that pre-Katrina conversation with Butch, I said we needed to focus on those things that would be visible and would help differentiate our institution. We needed to become a visible enabler of all the good things in the mission of our university – to be a part of getting to “mission accomplished” and differentiate our institution from others. However, Katrina (and data breaches, and security incidents, and campus crises, and compliance challenges, and …) taught me that some things are visible only when they are lacking at the time you need them most; how you’ve prepared to address them will also help differentiate your institution. Why GRC? To accomplish your mission by avoiding “mission not accomplished.”