IT Governance Impact Assessment Matrix
The impact level of a proposed IT investment or project directs the review process. Use the Impact Assessment Tool to determine the impact before submitting for review. The level of impact will determine how the investment is reviewed.
Data is categorized by the level of sensitivity. We need to know the classification of data that will be stored, transmitted, and accessible to vendors and also our own constituents. Use the data classification tool to know what data will be in use. Use the VCU Data Classification Tool to determine the classification of data.
The Impact Assessment Tool provides links to the required documentation from the vendor depending on impact level and data classification.
High Impact Items
Follow the full IT Governance review process, being reviewed by both the Technology Procurement Committee and the appropriate Governance Review Committee, with the final approval being made by the IT Strategic Council.
Low Impact Items
Do not go through the full IT Governance review, and follow a fast track review by the Technology Procurement Committee for review and approval.
IT Governance: Impact Assessment
If any of the following criteria are true, the investment is considered high impact. If none of the criteria are true, the investment is considered low impact.
Business Impact
Results in changes to business/administrative processes.
Requires integration with existing technology or campus data sources.
Impacts mission critical programs/services (i.e. teaching and learning, research, etc)
Financial/Resource Impact
Requires additional staff, resources or third party consulting for implementation and long term support.
Requires current IT staff and/or resources for implementation and/or long term support.
Initial and/or incremental ongoing costs or resources in excess of $50K.
User Impact
Users will need to learn new skills or undergo an new service experience.
Is available for use by a large population of users.
Available to the general public.
High likelihood of impact for persons with disabilities.
Risk Management
Utilizes, stores and/or transmits highly sensitive data.
Failure to act on project/initiative/technology purchase results in:
- Significant IT security risk
- Compliance risk
- Significant risk to mission critical systems, operations, processes, or services
- Potential legal exposure
- Adverse impact to grant funding or loss of significant opportunity costs.
High impact investment workflow
High impact investments in accordance to the decision matrix go through full committee review process. The track for these investments includes:
- Project idea or technology need
- IT Consultation
- Submit for review
- Technology Procurement Committee Review
- Governance committee review and recommendations
- Strategic IT Council issues final decision
- If approved, Procurement notified and follow up steps
- If not approved, proposal sent back for IT consultation
Low impact investment workflow
Low impact investments in accordance to the decision matrix have a fast track through the governance workflow. The track for these investments includes:
- Project idea or technology need
- IT Consultation
- Submit for review
- Technology Procurement Committee Review
- If approved, Procurement notified and follow up steps
- If not approved, proposal sent back for IT consultation