
Why Higher Ed Needs Enterprise Risk Management

As technology reaches into every part of an institution, IT risk now shapes enterprise risk management decisions.

Many colleges and universities still treat IT risk as just one piece of operational risk, often coordinated within technology leadership and reported periodically alongside other risks. However, that approach no longer reflects how technology shapes the institution.

While chief information officers (CIOs) or chief information security officers (CISOs) can play an important role in identifying and managing technology-related risks, they are not the sole owners. Technology now supports nearly every core function, from instruction and student services to research administration and financial operations. As a result, IT risk requires shared ownership across leadership teams.

With technology embedded across the university, IT risk no longer fits cleanly within a single enterprise risk management (ERM) category. It acts as a cross-cutting element that shapes how institutions identify, assess, and respond to risk across the board.

IT Risk’s Reach

Traditional ERM programs organize risk into domains such as strategic, operational, compliance, legal, reputational, and financial. That structure still has value, but what has changed is how deeply technology now runs through each one.

  • Strategic risk is increasingly tied to technology execution, including digital transformation and emerging technologies such as artificial intelligence (AI).
  • Operational risk depends on system availability, data integrity, and technology-enabled processes.
  • Compliance risk relies on IT controls, particularly for data protection, privacy, and regulatory reporting.
  • Legal risk often stems from technology failures such as data breaches, vendor disputes, or research security gaps.
  • Reputational risk can occur after cyber incidents, outages, or poor digital experiences.
  • Financial risk is increasingly tied to technology investments, system failures, ransomware events, and reliance on vendors.

IT risk connects these categories: a single technology dependency can produce consequences in several of them at once, shaping the institution’s overall risk profile.

Why Does IT Risk Behave Differently?

A few characteristics set IT risk apart from many traditional risks.

  1. It crosses organizational boundaries. Most risks have a clear owner. Technology-related risks often do not. As noted above, they span academic units, research leadership, compliance, legal, procurement, and administrative functions, requiring a coordinated response.
  2. It moves faster. Cyber incidents, system failures, and emerging technology risks can unfold in minutes or hours, not weeks. That leaves little time for decision making and increases the need for preparedness.
  3. It expands institutional exposure. Reliance on cloud platforms, vendor ecosystems, and research collaborations can increase the number of entry points and their potential impact. A vendor issue can quickly become an institutional problem.

Why Does the Shift Matter Now?

The growing focus on IT risk reflects a broader shift in how institutions operate. Since technology is woven into teaching, research, student services, finance, and administration, when it fails, the impact is immediate and felt across the whole institution. That’s why IT risk isn’t simply a subset of operational risk. It’s a foundational part of enterprise risk, shaping how institutions identify, assess, and respond to risk across the board.

Institutions that recognize this shift are better positioned to strengthen coordination, improve visibility into emerging risks, and align risk management with their priorities. At that point, who owns the risk matters less than whether the institution is equipped to manage it.

Board Oversight & Risk Governance

As technology becomes more central to institutional outcomes, governance expectations are changing.

Institutions can align ERM oversight with board-level structures, often through audit or risk committees, with regular reporting to the full board. Technology leaders contribute subject matter insight, but discussions are framed around institutional impact.

We are seeing that boards are increasingly focused on:

  • Accountability across leadership roles
  • Visibility into emerging risks and reliance on external vendors
  • Timeliness of risk escalation and reporting
  • Alignment between risk exposure and institutional priorities

IT risk is a governance issue tied to enrollment, academic continuity, financial performance, and reputation.

What Does This Mean for Oversight & Governance?

As technology has become more interwoven with institutional strategy and operations, oversight models that treat IT risk as an isolated technical issue may leave the institution more exposed.

For example, when institutions managed technology risk within IT, issues were escalated periodically and reviewed alongside other operational matters. That model is less effective today, when a cyber event can disrupt registration, a third-party outage can interrupt instruction, or weak governance over research data can create legal and reputational consequences. Effective oversight needs a more integrated approach.

First, IT risk must be framed in enterprise terms. Oversight bodies are more focused on institutional impact (enrollment disruption, research data exposure, regulatory consequences, and reputational damage) than on technical detail. This requires translating technology risk into the language of enterprise risk rather than treating it as a separate discipline.

Second, governance must reflect shared accountability. No single function owns the risks associated with data, systems, or emerging technology. Responsibility should be distributed across academic leadership, research, compliance, legal, and technology functions. Oversight structures need to recognize and reinforce this shared ownership.

Third, visibility must extend beyond institutional boundaries. Technology use now includes cloud platforms, research collaborators, and third-party providers. Oversight can’t stop at internal controls. It must account for vendor ecosystems, data sharing arrangements, and external risk exposure.

Finally, oversight must keep pace with change. The speed of technology risk, from cyber incidents to AI adoption, now outpaces traditional periodic review cycles. Institutions need more continuous insight into risk conditions, control effectiveness, and emerging exposures.

How Forvis Mazars Can Help

Managing IT risk as part of enterprise risk requires clear ownership and coordination across leadership. It also takes a practical understanding of how technology-related exposures affect institutional outcomes.

Forvis Mazars works with higher education institutions to help translate technology risk into enterprise terms and align it with governance and strategy. We help assess ERM structures, strengthen cross-functional coordination, and improve reporting for leadership and boards.

Our approach aligns to each institution’s starting point. The goal is to support better decisions with a clear view of how technology-related risk affects the institution. Connect with our professionals today to learn more.
