Merri Beth Lavagnino

Chief Risk Officer

Enterprise Risk Management
535 West Michigan Street
Indianapolis, IN



Merri Beth Lavagnino is Chief Risk Officer for Indiana University. She directs the Enterprise Risk Management program, which involves coaching executive and senior management to improve strategic risk management skills; collating risk information from across the university to better inform decision-making; and connecting risk owners, subject matter experts, and others to collaboratively address cross-functional enterprise risks.

Lavagnino has more than 30 years of experience working in higher education in medium and large universities, both public and private, and a regional consortium. She has worked in a variety of roles including support staff, faculty, and administrator; and in many disciplines including libraries, information technology, learning technology, security, policy, privacy, compliance, and risk. She enjoys contributing to the profession through speaking, teaching, writing, and service activities both locally and nationally.

Honors & Awards

Presentations and Publications

  • "Enterprise Risk Management from a CIO's Perspective," EDUCAUSE Annual Conference, October 2015
  • "Enterprise Risk Management," Fiscal Officer Development Series Alumni Session, October 2015
  • "Enterprise Risk Management Panel," CACR Cybersecurity Summit, September 2015
  • "Enterprise Risk Management Panel," Institute of Internal Auditors, Indianapolis Chapter, February 2015
  • Lavagnino, M.B. (2013). Privacy Revealed. EDUCAUSE Review, 48, no.1.
  • "Enterprise Risk Management Panel," Institute of Internal Auditors, Indianapolis Chapter, October 2013
  • "Is There a Tool for That? Tools Supporting Privacy Programs," IAPP Indianapolis KnowledgeNet, May 2013
  • "Managing Information Privacy Risk: A Multi-Institutional Panel Discussion," EDUCAUSE Security Professionals Conference, April 2013
  • "Privacy Officers Around the Virtual Water Cooler," EDUCAUSE Data Privacy Month Webinar, January 2013
  • "Is There a Tool for That? Tools Supporting Privacy Programs," Indiana Security and Privacy Network (INSPN), November 2012
  • "Building an Information and IT Compliance Program," EDUCAUSE Security Professionals Conference, May 2012
  • "Governance, Risk, and Compliance (GRC) Systems in Higher Education," EDUCAUSE Security Professionals Conference, May 2012
  • "Launch of Data Privacy Month in Higher Education," EDUCAUSE Live!, January 2012
  • Lavagnino, M.B. (2010). Policy as an Enabler of Student Engagement. EDUCAUSE Review, 45, no.5: 104-105.
  • "Prepare to Come About: What to Do When Privacy Goes Adrift," Burton Group Catalyst North America Conference, July 2010
  • "Treating IT Incidents Within an All-Hazards Approach," Institute for Computer Policy and Law, July 2010
  • "Pioneering Information Privacy in Higher Education," CACR Higher Education Cybersecurity Summit, March 2010
  • "Expert Discussion: Legal and Compliance Issues," EDUCAUSE Annual Conference (Online Only), November 2009
  • "Web Site Privacy and Security: Is Your Site Working Against You?," Indiana University <eduDEV> Conference, October 2009
  • "Supporting, Managing, and Protecting an Organization’s Data Assets," CA Data Management Roundtable, July 2009
  • "Managing Sensitive Data in an Academic Environment," Technology in Business Schools Roundtable (TBSr) Conference, June 2009
  • "Policy and Privacy," EDUCAUSE Advanced CAMP: Registering, Discovering, and Using Distributed Services in Academia, June 2008
  • "Data Privacy and Security: Some Considerations for University Purchasing Departments," National Association of Educational Procurement, Indiana Regional Conference, October 2007
  • "Dialogue: Does the Cornell Policy Process Play in Peoria?," EDUCAUSE Annual Conference, October 2007
  • "Revising Existing IT Policies: Tales from the Trenches," Institute for Computer Policy and Law, July 2007
  • "Policy Issues for Incident Detection and Vulnerability Scanning," Institute for Computer Policy and Law, July 2007
  • "Incident Response at Indiana University," Big 10 Audit Conference, June 2007
  • "Preparing for Data Protection Laws: How to Earn an A+ from Your Attorney General," EDUCAUSE Security Professional's Conference, April 2007
  • "Sensitive Data Exposure Risks & Response," Association for Financial Professionals of Indiana, March 2007
  • "Responding to Sensitive Data Exposures at Indiana University," Indiana School of Business Information Management Affiliates, November 2006
  • "Exposing Students to Legal Downloading Services," ACUTA Annual Conference, July 2005
  • "Streamlining IP Registrant Identification, Notification, and Blocking for Threats in the Wild," EDUCAUSE Security Professionals Workshop, April 2005

Other Activities