IT Governance, Risk, and Compliance in Higher Education
Co-Author: Jacqueline Bichsel, Senior Research Analyst, EDUCAUSE
Co-Author: Patrick J. Feehan, Director of IT Privacy and Cybersecurity Compliance, Montgomery College
Published June 4, 2014
Governance, risk, and compliance (GRC) issues increasingly pervade higher education information technology. As institutional investment in IT and reliance on information systems have grown, so has the need for reliable structures and measures to ensure success and minimize failure.
Higher education IT GRC programs are in the development stage. Few institutions have all three programs in place, and many institutions are unclear where they should start when instituting or maturing their IT GRC programs. In addition, they are often uncertain as to whether GRC programs should be developed in parallel or separately.
The 2014 ECAR study on IT GRC contains the results of a survey of 246 institutions. The report describes the current landscape of IT GRC programs in higher education; identifies aspects of the IT GRC environment that will help CIOs, CISOs, and other IT leaders make decisions about IT GRC initiatives; and outlines steps institutions can take to mature their IT GRC programs. The study supports the EDUCAUSE focus on IT governance, risk, and compliance in higher education.
The survey instrument is open access. All other materials are available to ECAR subscribers only for the first five months after publication.
- Formal enterprise or IT risk management and compliance programs are the exception rather than the rule. More common are informal processes and procedures for dealing with risk management and compliance.
- Most institutions have a formal institutional governance body in place. About half have a formal IT governance body.
- There are significant gaps between the perceived importance of specific risks and the effectiveness with which they are being addressed. Information security is viewed as the most important risk to address, yet the perceived effectiveness with which it is addressed does not match its importance.
- Maturity in risk management is associated with stronger governance and compliance efforts and processes. In addition, those with more mature IT risk management programs have a greater influence on institutional leadership decisions.
- Those with an IT governance body in place are more likely to involve others—particularly faculty, students, and alumni—in both IT budgeting and other IT governance decisions. This increased involvement may facilitate or enhance communication of IT GRC issues across the institution.
- When embarking on IT GRC initiatives, priority should be given to establishing or strengthening the risk management program. Maturity in risk management is associated with stronger IT compliance and governance processes.
- CIOs have the opportunity to leverage their positions as IT governance leads to convey the importance of initiating and developing formal IT risk and compliance programs. Formal programs in risk and compliance are associated with more investment and better practices in IT risk and compliance.