Indiana University Enterprise Risk Management Tools

Enterprise Governance, Risk, and Compliance (EGRC) 

A Governance, Risk, and Compliance (GRC) tool is an enterprise system used for the integration and alignment of those three areas necessary to avoid conflicts, wasteful overlaps and gaps. Through coordination, communication, and workflow processes, IU’s Enterprise Governance, Risk and Compliance (EGRC) assists with:

  •  collecting information about regulatory, legal, and institutional policies and standards safeguard obligations;
  •  orchestrating compliance activity, assessing risk and compliance adherence, and identifying control weaknesses; and
  •  providing feedback to units and administration, typically through a "dashboard," such that they can prioritize risk and align resources in a more effective manner.

As a means to achieving the aforementioned benefits, the EGRC is built upon a solid foundation that includes: compliance management, risk management, process governance, incident management, privacy, and vulnerability management. Powerful enterprise statistics and analyses can be completed and provided to university executive administration and other appropriate areas such as compliance officers, legal counsel, and internal audit. This will enhance university-wide compliance planning and enable offices to more effectively identify where to focus awareness, education, and resources.

Existing activities and initiatives

Compliance Obligation Tracking  

Compliance Officers (CO) and Subject Matter Experts (SME) throughout the university have direct compliance responsibilities in communicating obligations to the IU community.  These COs and SMEs are surveyed, at least annually, to provide an inventory of external obligations in which they assume responsibility for.  In addition, new obligations can be submitted throughout the year as new regulations take effect or awareness of an obligation is made.   Currently identified COs and SMEs are part of IU’s Compliance Exchange (http://protect.iu.edu/compliance/IU#exchange).This better enables the Chief Compliance Officer to support university compliance responsibilities and efforts.

HIPAA Privacy and Security Compliance Assessment 

This assessment process (questionnaire) is led by the Interim University HIPAA Privacy and Security Officers based on HIPAA Privacy and Security Compliance obligations and risk management.  This process includes the automation of the assessment, remediation cycle and email reminders.  Each assessment is assigned a score based on responses pro