Sunday, April 26, 2015

ICT Risk Management in Schools

Thinking about Risk Management has been the impetus for several of the posts I have already published and is likely to be in the future.

This subject probably needs a book written to cover all of the significant risks ICT adoption presents for Schools.  These risks will continue to evolve as technology changes and more technology exists in the classroom.  The risks have grown exponentially with the increase in connectivity in the classroom, especially when there is no-one tasked with analysing and recommending how to manage and minimise that risk.

From Wikipedia;

Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events[1] or to maximize the realization of opportunities. Risk management’s objective is to assure uncertainty does not deviate the endeavor from the business goals.[2]

I am not sure what Risk Management philosophy schools in general take, as I have never been involved in the process of risk management within a school.  As the Manager of ICT Operations I did expect to be involved but it didn't happen.  At my previous employment, Risk Management was a significant management expectation and assets were liberally applied to identifying risk and reducing potential impact.  At various times I have been involved in a Risk Management task force, Risk Management Committee and Business Continuity Planning group.  I was also tasked with writing many of the Risk Management policies for ICT at my previous employment.

Without formal acknowledgement of the potential for risk there will never be any effort spent on true assessment and reduction processes.  I know this isn't core business for Schools and has never been part of the process, however, we have now started creating organisational and personal risk from deploying technology.  The worst part is we have been slowly increasing this risk for many years and at no time stopped and analysed that risk.

I was going to list the risk schools are exposed to but think I will save that for my next post on the subject.  Instead, I will propose some examples which are real.  I won't acknowledge either the schools or staff involved in these examples, however I will point out the risk exposure a real business would have to address.  The first is a legal risk within the bounds of new privacy laws; the second is operational risk associated with running highly complex ICT environments without sufficient succession planning.

The Lighthouse Teacher

I know those of us who promote the constructive and adventurous use of technology in the classroom seek to develop the Lighthouse teacher.  They are adapting technology in their classroom to achieve the best outcomes possible.  However, they're the ones who could potentially be exposing their Schools to the greatest risk.  I know of one such teacher who was putting together lessons on edmodo, then setting up Google accounts for students and linking to many web sites which were able to fit very well into thelesson plan for those students.  Sounds great doesn't it?
Who was taking the due diligence on the sites to ensure the students privacy was being protected?
As the teacher was creating the accounts used for this exercise should they have been ensuring everything was suitably secured?
Should the teacher have been checking the policy for every site to ensure everything they were trying to achieve was within their guidelines?
Did the teacher know and understand the legal implications of signing up for these 'free' on line services?

Of course the teacher was blissfully unaware of any implications of their actions.

The School was blissfully unaware of the teachers actions and hence the implications.

The busy ICT Manager in the medium sized school

This is a person who has come into an educational setting with a wealth of industry experience and is the only ICT support person on staff.  He picks up on the poor quality of hardware previously deployed and uses his abilities to build a fantastic infrastructure package for the school.  He then leads them through a deployment of significant numbers of devices.  Now he is the only full time support person supporting technology in a school with more than 600 deployed student devices and all of the supporting infrastructure.  

The work is overwhelming, however, the school doesn't need to worry as this person is fantastic he makes things seem simple.  Unfortunately for the school he is the only one with any knowledge of the very complex environment and has pointed out to school leadership the risk this poses but no-one seems to care.  

This significant operational risk is easily mitigated by having a company come in to audit and document the infrastructure.  However, this isn't seen as a risk so no action is taken.

Final word

I know that risk around ICT exists in schools.  How schools monitor and address that risk without impact on teaching and learning will be an interesting exercise.