Most higher education institutions have formal enterprise or institutional risk management systems in place, which is both prudent and in some jurisdictions mandatory.
For institutional purposes risk is often defined as the possibility that an event or action will adversely or beneficially affect an institution’s ability to achieve its stated objectives. The principal risk concerns of higher education institutions can be surmised from their ‘risk registers’, for example: Sidney Sussex College, University of Cambridge.
Risk management takes risk enumeration to its logical next step, by putting in place a process to evaluate probabilities, assess likely outcomes and formulate plans to deal with these.
As risk registers show, risk scenarios might cover issues such as student recruitment, financial stability or legislative and regulatory changes and match these with the controls needed to ‘manage’ the potential scenarios.
A common approach establishes a set of scenarios focusing on the actions or events directly related to an institution’s mandate. But some risks cut across the categories into which they are typically divided.
Overlooked by the Typical Scenarios
For most universities and colleges, the website is the most important communication channel to support and enable the core education and research activities. But for most institutions “the website” is a collection of dozens, hundreds, thousands or even an unknown number of individual websites.
We use the term web estate, by way of analogy with real estate, to describe the collections of individual websites at higher education institutions. These sites often operate largely autonomously, with access to varying levels of resources and expertise. As a result, their content and configuration present significant risk exposures.
We classify the risks into four categories: business continuity, financial, legal and reputational. Our preliminary risk matrix sets out risk sources and related assessment data that we have identified. These risks are often poorly understood because they haven't been measured, fall outside the remit of typical risk scenarios and defy convenient departmental or faculty allocation.
Tedious, but Readily Measured
Risk registers set out broader exposure categories, subjectively assigning likelihoods and outlining reasonable steps to manage or mitigate the more likely outcomes.
They are excellent tools to assist with risk management, but lack specificity. On the other hand, the risk exposures of an individual website or a web estate are readily measured.
Automated techniques can be used to review and capture data from hundreds of individual sites and the associated hundreds of thousands of pages. It just takes time (and a bit of experience). This means, for example, we can test web servers for unpatched software, determine versions of a content management system in use, see which sites haven’t implemented HTTPS or know which cookies are being loaded, along with many other elements of site set-up or content structure that present risks.
By systematically examining and capturing data for all the sites in a web estate we can apply a classification scheme (the one in our risk matrix, or others) to map the risks these sites present. We call the database holding relevant details about all the websites in a web estate a Web Estate Registry.
This approach has two clear benefits:
- We can use the registry data to risk-adjust how we apply human and financial resources to solving website issues. In other words, we can avoid applying efforts to small risk/low impact issues (because of a lack of context) and instead focus on resolving high impact problems.
- The data capture process also facilitates classifying issues so that these can be viewed within the context of other institutional projects or priorities. For example, for financial reasons we may have preferred external hosting providers; the web estate data can identify those sites that have yet to migrate and we can act to ensure the financial benefits are achieved.
Finally, the process can generate performance and configuration benchmark data across an institution's entire web estate and help identify practices that would benefit all sites.
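A minimal sketch of a Web Estate Registry built from captured site data, added here as an illustration and not taken from the original page or its risk matrix. The record fields, the mapping of findings to the four categories, the weights, the minimum CMS version, the hosting labels and the example.edu sites are all assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed policy values (not from the page): minimum CMS version, preferred hosts.
MIN_CMS = {"WordPress": (6, 0)}
PREFERRED_HOSTS = {"preferred-cloud"}
# Constructed sample observations, as a crawler might record them per site.
OBSERVATIONS = [
    {"url": "http://physics.example.edu/", "generator": "WordPress 4.9.8",
     "set_cookie": ["sid=abc; Path=/"], "host": "on-prem"},
    {"url": "https://www.example.edu/", "generator": "WordPress 6.4.2",
     "set_cookie": ["sid=xyz; Path=/; Secure; HttpOnly"], "host": "preferred-cloud"},
    {"url": "https://alumni.example.edu/", "generator": "",
     "set_cookie": ["track=1; Path=/; Secure"], "host": "other-vendor"},
]

def parse_generator(value):
    """'WordPress 4.9.8' -> ('WordPress', (4, 9, 8)); version is () if unknown."""
    name, _, ver = value.strip().partition(" ")
    try:
        return name, tuple(int(p) for p in ver.split(".")) if ver else ()
    except ValueError:
        return name, ()

def cookie_flags(header):
    """Lower-cased attribute names of one Set-Cookie value, e.g. {'path', 'secure'}."""
    return {p.strip().split("=")[0].lower() for p in header.split(";")[1:]}

def assess(obs):
    """Return (finding, category, weight) tuples for one site record."""
    findings = []
    if urlsplit(obs["url"]).scheme != "https":
        findings.append(("no-https", "reputational", 3))
    name, ver = parse_generator(obs["generator"])
    if name in MIN_CMS and ver and ver < MIN_CMS[name]:
        findings.append(("outdated-cms", "business continuity", 3))
    for cookie in obs["set_cookie"]:
        missing = {"secure", "httponly"} - cookie_flags(cookie)
        if missing:
            findings.append(("cookie-missing-" + "+".join(sorted(missing)), "legal", 1))
    if obs["host"] not in PREFERRED_HOSTS:
        findings.append(("non-preferred-host", "financial", 1))
    return findings

def build_registry(observations):
    """Score every site and return the rows ordered highest risk first."""
    rows = [{"url": o["url"], "findings": assess(o)} for o in observations]
    for r in rows:
        r["score"] = sum(weight for _, _, weight in r["findings"])
    return sorted(rows, key=lambda r: r["score"], reverse=True)
```

Sorting by score gives the risk-adjusted work order described in the first benefit; grouping the same findings by category gives the view needed for the second.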
A risk-based approach to ‘managing’ a collection of websites is consistent with good governance principles. It also supports a holistic approach to delivering an excellent experience regardless of where a visitor navigates across an institution's web estate.