IT Governance, Risk, and Compliance in Higher Education

ECAR RESEARCH HUB
Co-Author: Jacqueline Bichsel, Senior Research Analyst, EDUCAUSE
Co-Author: Patrick J. Feehan, Director of IT Privacy and Cybersecurity Compliance, Montgomery College
Published June 4, 2014

Governance, risk, and compliance (GRC) issues increasingly pervade higher education information technology. As institutional investment in IT and reliance on information systems have grown, so has the need for reliable structures and measures to ensure success and minimize failure.

Higher education IT GRC programs are in the development stage. Few institutions have all three programs in place, and many institutions are unclear where they should start when instituting or maturing their IT GRC programs. In addition, they are often uncertain as to whether GRC programs should be developed in parallel or separately.

The 2014 ECAR study on IT GRC contains the results of a survey of 246 institutions. The report describes the current landscape of IT GRC programs in higher education; identifies aspects of the IT GRC environment that will help CIOs, CISOs, and other leads make decisions about IT GRC initiatives; and outlines steps institutions can take to become more mature in their IT GRC programs. The study supports the EDUCAUSE focus on IT governance, risk, and compliance in higher education.

Resources

The survey instrument is open access. All other materials are available to ECAR subscribers only for the first five months after publication.


Key Findings

  • Formal enterprise or IT risk management and compliance programs are the exception rather than the rule. More common are informal processes and procedures for dealing with risk management and compliance.
  • Most institutions have a formal institutional governance body in place. About half have a formal IT governance body.
  • There are significant gaps between the perceived importance of specific risks and the effectiveness with which they are being addressed. Information security is viewed as the most important risk to address, yet the perceived effectiveness with which it is addressed does not match its importance.
  • Maturity in risk management is associated with stronger governance and compliance efforts and processes. In addition, those with more mature IT risk management programs have a greater influence on institutional leadership decisions.
  • Those with an IT governance body in place are more likely to involve others—particularly faculty, students, and alumni—in both IT budgeting and other IT governance decisions. This increased involvement may facilitate or enhance communication of IT GRC issues across the institution.
  • When embarking on IT GRC initiatives, priority should be given to establishing or strengthening the risk management program. Maturity in risk management is associated with stronger IT compliance and governance processes.
  • CIOs have the opportunity to leverage their positions as IT governance leads to convey the importance of initiating and developing formal IT risk and compliance programs. Formal programs in risk and compliance are associated with more investment and better practices in IT risk and compliance.

Related Resources

The EDUCAUSE IT Governance, Risk, and Compliance Program helps you define and implement IT governance, risk, and compliance (GRC) activities on your campus.
