IT Risk Management: Try This Exercise at Your Institution

The director of IT risk management at the University of Oxford and the associate CIO at Princeton University used the EDUCAUSE Top Ten IT Issues as a guide to inform risk management practices on their campuses.

Throughout higher education we see an increased awareness of the need to more effectively manage IT risk and IT opportunity. To help inform risk management practices at our institutions (Oxford and Princeton), we used the EDUCAUSE Top 10 IT Issues list as a guide. Our processes identified risks that are considered strategic IT threats, which we then connected with the EDUCAUSE IT issues for 2013, as shown below. Matching against a list developed by the higher education industry provides a worthwhile external cross-reference, adding assurance that an institution has identified a full set of strategic IT threats.

If you have recorded a set of high-level or strategic IT risks for your institution, try matching the EDUCAUSE Top 10 Issues to each risk in turn; if some of the top 10 are not matched, then you may be missing some important risks — in which case examine whether any of the IT risks noted below should be added to your list.

If you have not recorded high-level or strategic risks, identify which of the risks in the selection below apply to your institution, and then follow the same exercise of matching the top 10 IT issues in order to highlight missing risks and to construct a full set for your university.

Strategic IT Risks Matched with EDUCAUSE Top 10 IT Issues

  • Business Continuity: If departments delivering services in partnership with central IT do not make adequate plans for continuation of their business processes in the event of an outage of IT or other utility services, then IT might not be able to deliver services required by the university. This could result in a risk of major academic disruption and potential financial loss (think Hurricane Katrina in New Orleans).
    • 2013 issue #5 — Facilitating a better understanding of information security and finding appropriate balance between infrastructure openness and security
    • 2013 issue #6 — Funding information technology strategically
  • Emerging Technologies — Cloud Computing, Social Media, Mobility: If students, faculty, and staff use consumer-oriented and easily accessible technologies without appropriate consultation with central IT, then there could be serious information security implications: loss of control of university data, problematic contract issues, lack of attention to privacy concerns, etc. This could result in a risk to institutional data integrity, confidentiality, and availability, and thus a risk of institutional financial obligation.
    • 2013 issue #1 — Leveraging the wireless and device explosion on campus
    • 2013 issue #3 — Developing an institution-wide cloud strategy to help the institution select the right sourcing and solution strategies
  • Privacy, Confidentiality, Data Classification: If departments do not understand the legal, regulatory, and university policies around categories of data, then the university might suffer from inappropriate exposure of private data, resulting in a risk of lawsuits, loss of institutional intellectual property, loss of institutional reputation, and financial penalties.
    • 2013 issue #5 — Facilitating a better understanding of information security and finding appropriate balance between infrastructure openness and security
    • 2013 issue #10 — Using analytics to support critical institutional outcomes
  • Inadequate Investment in IT Services: If a convincing case for adequate investment in IT cannot be made, then we might not be able to deliver projects and services required by the university, resulting in a risk of failing to provide services required to run the business of the university.
    • 2013 issue #4 — Developing a staffing and organizational model to accommodate the changing IT environment and facilitate openness and agility
    • 2013 issue #6 — Funding information technology strategically
    • 2013 issue #9 — Transforming the institution's business with information technology
  • Failure to Recognize and Meet User Expectations: If we fail to identify user requirements and expectations and assess the extent to which we are meeting them, then our services might not align with the university's needs. This misalignment could result in a risk of customers who have lost confidence in IT, a waste of resources, damage to the IT department's reputation, and failure to deliver services required by the university.
    • 2013 issue #8 — Supporting the trends toward IT consumerization and bring-your-own device
    • 2013 issue #4 — Developing a staffing and organizational model to accommodate the changing IT environment and facilitate openness and agility
    • 2013 issue #1 — Access demand: wireless and device explosion, new digital divide, demand for institutional mobile apps
    • 2013 issue #2 — Improving student outcomes through an approach that leverages technology
    • 2013 issue #9 — Transforming the institution's business with information technology
  • Failure to Address Funding Shortages over Many Years: If we do not recognize the recurring costs of infrastructure services and resource appropriately, then there is the possibility that service improvements, including essential upgrades and enhancements, will not occur in a timely fashion — or at all. As a result, we risk service degradation or major failure and therefore compromise to university business operations.
    • 2013 issue #6 — Funding information technology strategically
    • 2013 issue #9 — Transforming the institution's business with information technology
  • Inadequate Program and Project Coordination: If adequate project and program controls and management strategies are not in place, then there may be significant over-runs in budget expenditures or even failure to deliver, resulting in a risk of failure to deliver important programs and projects for the university.
    • 2013 issue #6 — Funding information technology strategically
  • Failure to Manage Information Assets Securely: If we do not ensure that information assets are managed correctly and securely, then there is a possibility of information loss and corruption or of a major security breach. These could result in a risk of damage to the reputation of the IT department and the university, possible criminal or civil proceedings, and loss or corruption of information.
    • 2013 issue #5 — Facilitating a better understanding of information security and finding appropriate balance between infrastructure openness and security
  • Learning and Teaching Support Inadequately Resourced: If the environment used by the university to support many aspects of learning and teaching is not resourced and prioritized adequately, then the service might not be sufficiently robust or developed to support use, demand, and user expectations, resulting in a risk of high-profile failure or widespread dissatisfaction with tools and inability of the university to deliver high-quality teaching.
    • 2013 issue #2 — Improving student outcomes through an approach that leverages technology
    • 2013 issue #7 — Determining the role of online learning and developing a sustainable strategy for that role
  • Failure to Operate Capital Investment Approvals and Prioritization: If a clearly defined project and program approvals process is not followed, and a framework is not set up to define and agree on the most important capital investment areas, then projects and programs might not be prioritized correctly or adequately controlled and resourced, resulting in a risk of inappropriate allocation of resources, missed university objectives, and unnecessary expenditure and delays.
    • 2013 issue #6 — Funding information technology strategically

Effective IT risk management is increasingly important because it identifies and protects against threats and enables strategic deployment of resources, but in higher education it is a relatively immature discipline. We hope that by studying our experiences at Oxford and Princeton, and coordinating with the EDUCAUSE Top 10 IT Issues, you can develop useful tools to advance your institution's IT risk assessment perspective and methodology. We would be pleased to hear of your experiences with this exercise; please e-mail [email protected] and [email protected].