IT Governance, Risk, and Compliance in Higher Education

Governance, risk, and compliance (GRC) issues increasingly pervade higher education information technology. As institutional investment in IT and reliance on information systems have grown, so has the need for reliable structures and measures to ensure success and minimize failure.

Higher education IT GRC programs are in the development stage. Few institutions have all three programs in place, and many institutions are unclear where they should start when instituting or maturing their IT GRC programs. In addition, they are often uncertain as to whether GRC programs should be developed in parallel or separately.

The 2014 ECAR study on IT GRC contains the results of a survey of 246 institutions. The report describes the current landscape of IT GRC programs in higher education; identifies aspects of the IT GRC environment that will help CIOs, CISOs, and other leads make decisions about IT GRC initiatives; and outlines steps institutions can take to become more mature in their IT GRC programs. The study supports the EDUCAUSE focus on IT governance, risk, and compliance in higher education.

Key Findings

• Formal enterprise or IT risk management and compliance programs are the exception rather than the rule. More common are informal processes and procedures for dealing with risk management and compliance.
• Most institutions have a formal institutional governance body in place. About half have a formal IT governance body.
• There are significant gaps between the perceived importance of specific risks and the effectiveness with which they are being addressed. Information security is viewed as the most important risk to address, yet the perceived effectiveness with which it is addressed does not match its importance.
• Maturity in risk management is associated with stronger governance and compliance efforts and processes. In addition, those with more mature IT risk management programs have a greater influence on institutional leadership decisions.
• Those with an IT governance body in place are more likely to involve others—particularly faculty, students, and alumni—in both IT budgeting and other IT governance decisions. This increased involvement may facilitate or enhance communication of IT GRC issues across the institution.
• When embarking on IT GRC initiatives, priority should be given to establishing or strengthening the risk management program. Maturity in risk management is associated with stronger IT compliance and governance processes.
• CIOs have the opportunity to leverage their positions as IT governance leads to convey the importance of initiating and developing formal IT risk and compliance programs. Formal programs in risk and compliance are associated with more investment and better practices in IT risk and compliance.