Continue the Conversation: IT Risk Register


This blog post is one of a series of posts designed to "continue the conversation" after the 2016 EDUCAUSE Security Professionals Conference, held April 18–20 in Seattle, Washington.

This year's conference, "Data, Intelligence, Risk, and Value: Security and Privacy in Higher Ed," included a number of formal and informal networking events, from organized birds-of-a-feather sessions to the famous "hallway track," where members can chat informally with their peers about information security issues.

A traditional networking event at the conference is lunchtime roundtable discussions. At the roundtable, participants can network with those who share similar interests or responsibilities and discuss topics of particular interest. One conference attendee hosts each roundtable and facilitates the discussion. Roundtable topics are preannounced in the conference program and this year included items such as attracting and retaining staff, using endpoint security, protecting research data, and learning about IT risk registers. This blog post summarizes the "IT Risk Register" roundtable discussion.

Six people joined the lunchtime conversation; professional roles represented included CIOs, CISOs, and other information security professionals. The conversation centered on the following themes:

  • IT risk is a business issue that the institution must address — IT cannot be the only entity addressing IT risk
  • An IT risk register can be used to roll up operational risks into broad categories of IT risk
  • Institutional leaders are in a better position to understand broad categories of IT risk, as opposed to granular operational risks
  • A strategic IT risk register can be used as a starting point for IT risk discussions with institutional leaders

That an IT risk register could have a strategic purpose was one of the most interesting points made during the lunchtime discussion. Participants at the table acknowledged that the traditional risk management process of identifying assets and listing the individual IT risks that pertain to those assets is an important operational need. That operational view, however, does not translate well to educating institutional leaders about larger categories of IT risk. A strategic IT risk register is needed for that task. A strategic IT risk register looks at IT risks at a higher level and in business terms (organized by IT domain or institutional risk category rather than as individual, discrete risks) and categorizes those risks according to the consequences the institution can expect to face if they are realized. An example might be a lack of shared understanding between IT and business units that affects IT service delivery and projects. One CIO at the table said that a strategic IT risk register is just the type of tool she needs to help her institution's cabinet understand that IT risks, if left unaddressed, can have a profound impact on the institution's reputation.

While there are a number of risk management resources and risk registers that institutions can use, one resource that was discussed during lunch was the EDUCAUSE IT Risk Register.

This risk register tool was created by the EDUCAUSE IT Governance, Risk, and Compliance program advisory committee. It was created to help institutional IT departments get their strategic IT risk management programs off the ground, and is a sortable checklist that identifies common strategic IT risks and catalogues those risks according to common risk types and IT domains. Lunchtime participants familiar with the EDUCAUSE IT Risk Register described how they were using it at their institutions with ideas ranging from project management practices to conversations with cabinet.

To continue the conversation on IT risk, join the EDUCAUSE IT GRC discussion list.

The 2017 EDUCAUSE Security Professionals conference will be held May 1–3, 2017, in Denver, Colorado. The call for proposals for the 2017 conference will be released this fall. If you have ideas for lunchtime roundtable topics at the 2017 conference, please e-mail [email protected].


Cathy Bates is the Associate Vice Chancellor and CIO at Appalachian State University. She is also one of the co-leaders of the Higher Education Information Security Council.

© 2016 Cathy Bates. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.