Governance, Risk and Compliance Team

Governance, Risk and Compliance (GRC) measures and reports on digital risk: all of the potential impacts on the university that arise from using technology to accomplish its teaching and research mission.

We provide university administration, faculty and staff with an understanding of their position to enable more informed decisions. Ultimately, final decisions regarding risk and risk response are up to authorized university leadership, which, depending on the risk, could be a Dean, Vice Chancellor, Chief Information Officer, or an officer of the university responsible for compliance with a particular security or privacy requirement. GRC assesses whether something falls within the level of acceptable risk determined by the university.

GRC works with the university system Chief Digital Risk Officer and the Enterprise Risk Management Office to align our analysis and reporting with a broader system view of risk by university executives and facilitate that view at the campus level.

If you are unsure who can officially accept certain risks, what the applicable processes look like, who the data stewards for certain data types are or who the risk holder might be for an existing gap, GRC can help.

How we help

  • We can help you complete a risk assessment of your business processes, data handling and data management.
  • We review contracts with third parties to ensure vendor compliance with university guidelines and acceptable risk policies.
  • We provide specialty consultation for complicated risk scenarios.
  • We work with unit leaders to understand assigned risk and the risk acceptance process.

Contact us at digitalrisk@illinois.edu to begin.


Risk assessment

Using a three-step process, all units and departments can make measurable improvements to their information security, with a corresponding measurable reduction of their information risks.

  • Assess information risks
    Begin by identifying and prioritizing risks to your data. Identify all the data you work with according to the four data classification levels: high risk, sensitive, internal and public. More detail on these levels can be read on the Data Classification page.
    Second, consider the risks imposed by your data exposure. Are you at risk from internet-based attacks or stolen laptops, and do regulations cover your data? Use the risk level assessment at https://go.illinois.edu/risklevel to assess your information risk.
  • Implement the Information Security Program
    The goal of this step is to reduce or eliminate the risks identified in step one. The focus is on business risk and not on the latest available technology. The Illinois Security Standards map to risk levels for the purpose of implementing the university security program in your unit. 
  • Verify compliance with both the Information Security Program and applicable laws and regulations
    This step assures the business owners that information risks are being managed. The university conducts assessments to evaluate current compliance and to discover where additional resources are needed. 

Risk acceptance vs. assignment

Risk assignment is based on the concept that all university units already own all of the risk contained in all of their business processes. This differs from “risk acceptance” in that the risk has already been assigned to the unit, regardless of whether anyone in the unit has officially signed off on and agreed to accept the risk of those processes. GRC works with customers and university decision-makers to mitigate risk into one of the predefined acceptable risk categories (moderate, low, very low).

Assigned risk is owned risk

In practice the university primarily bills the costs of a negative security event or incident to the unit itself. The unit can expect to receive a bill from the university that begins in the thousands of dollars for a relatively small security compromise with no data breach involved and goes up from there. It is vitally important that units understand they already own all of that risk.

Acceptable risk

Some risk is considered by the university to be “Acceptable Risk”. Business processes that are compliant with all university standards and legal/regulatory requirements are considered by the university to be acceptable risk and no risk action is necessary.

If unit processes are non-compliant, the university Enterprise Risk Management (ERM) office standards dictate the type of response that must be taken to protect the university from that risk. See the chart at https://www.vpaa.uillinois.edu/enterprise_risk_management/resources_and_tools/

Very high risk (high risk data, or sensitive data in a highly critical business process)

  • Requires essential and immediate allocation and organization of resources to manage/mitigate the risk; establish plans and countermeasures

High risk (sensitive data, or public/internal data in a highly critical business process) 

  • Requires priority allocation of resources for management and/or mitigation; establish plans and countermeasures

What if a specific business process cannot be made compliant?  

University policy makes allowance for this eventuality through an exception process.  

  • If the risky item violates university security standards, that risk can be accepted by the unit executive (Dean, Vice Chancellor, or the university CIO) whose budget would be impacted by the costs of a security compromise.  
  • If the risk violates compliance standards, the same official will sign off, as will (after consulting University Counsel) the Chief Information Security Officer and the university official responsible for compliance with that law/requirement.

Enlisting help with information risk – consulting

We provide university administration, faculty, and staff with an understanding of their position to enable more informed decisions. Ultimately, final decisions as to risk and risk acceptance are up to authorized university leadership.

Reach out to digitalrisk@illinois.edu for help with any of these assessments or reports.

Risk assessment / compliance review & reporting
  • Deliverable: written review, gap report, recommendations
  • 1-business-week pick-up for requests
  • 90-day turnaround

Third Party Risk Management
  • Deliverable: written review and consultations
  • 1-business-week pick-up for requests
  • 90-day turnaround

Risk and compliance consulting
  • Deliverable: consultation, subject matter expert input
  • 1-business-week response to requests
  • 3-week lead time
  • Turnaround TBD (per needs)

Risk acceptance/acknowledgement process facilitation
  • Deliverable: registered risk acceptance with the Chief Privacy and Security Officer, 1-year duration
  • 1-business-week pick-up for requests
  • 1-business-week turnaround, assuming immediate response from risk owners

Policy Curation and Policy Exceptions Management
  • Deliverable: maintain body of policies, management of policy exceptions
  • 1-business-week pick-up for requests
  • 1-business-week turnaround, assuming immediate response from risk owners