
Overview
The University of Alaska system faced unique challenges in implementing a governance, risk, and compliance (GRC) program across its vastly dispersed campuses. With millions of miles of coastline, connectivity challenges, and a decentralized organizational structure, establishing a cohesive GRC function required careful planning and the right technology partner. This case study explores how the University of Alaska leveraged ZenGRC to build its compliance capabilities from the ground up, despite limited resources and geographical challenges.
About the University of Alaska System
The University of Alaska System, established in 1917, comprises three separately accredited universities across 19 campuses, serving nearly 30,000 students with 400 unique degree programs. Their compliance requirements include HIPAA, PCI, and numerous other regulations typical of “a small city,” necessitating an approach focused on simplicity and effective remote collaboration.
The Need for a GRC Solution
Three years ago, the University of Alaska found itself in a critical position. After years without a formalized GRC approach, mounting compliance pressures and organizational challenges made it clear that a structured solution was essential.
A Geographically Dispersed Institution
The University of Alaska System operates in one of the most challenging geographic environments in the United States. With 19 rural campuses spread across a state that encompasses millions of miles of coastline, the distances between locations can be staggering—some campuses are separated by more than 400 miles with limited transportation options.
Raina Collins, Senior IT Risk & Compliance Analyst, emphasizes this challenge: “We have struggles with our rural campuses having connectivity and basically supporting them just because of how Alaska is situated.” These geographic factors fundamentally shaped their approach to compliance, driving a need to “make it easy and communicate across vast distances.”
Complex Compliance Requirements
As a state university system, the University of Alaska must manage an extensive array of compliance obligations:
- HIPAA regulations for health-related programs
- PCI compliance for payment processing
- Federal cybersecurity frameworks including NIST 800-171
“Our compliance covers everything like HIPAA, PCI – basically anything that a small city would be required to be compliant with, we’re the same,” explains Collins.
Need for a Central Method
With GRC efforts having evolved at the university in just the past three years, the team recognized a critical need for structure and centralization. “In between all of this activity we needed a central method to help us manage compliance,” Collins states.
This need for centralization drove their search for a GRC solution that could accommodate their distinctive operational context while bringing structure to their compliance efforts across the geographically dispersed university system.
Selecting ZenGRC
The Evaluation Process
The University conducted a thorough evaluation of potential solutions, demonstrating and assessing six different GRC platforms. Their primary focus during this process was on usability and the logical structure of compliance elements, with careful consideration of implementation requirements given their limited resources.
Key Decision Factors
Several factors led to their selection of ZenGRC:
- Responsive support team: The ZenGRC team demonstrated consistent receptiveness to helping address questions and challenges.
- Intuitive user experience: The platform provided a comfortable user experience with a logical layout of compliance objects.
- Logical compliance structure: The organization of compliance elements within the system made sense for their needs.
- Vendor risk management capabilities: As a critical early need, ZenGRC’s vendor functionality offered immediate value.
- Adaptability to maturity level: The platform could be configured to match their early-stage GRC maturity.
“Zen had the best, most logical layout. It’s easy to navigate and understand, and it’s a really good organizational tool for all of the compliance measures.”
– Raina Collins, Senior IT Risk & Compliance Analyst
Current Implementation and Beyond
Strategic Focus on Vendor Risk Management
The University’s implementation journey began with a strategic decision to focus on a specific high-value area: vendor risk management. As Collins explains, “The biggest impact is in your vendor module. Because we didn’t ever have a software for vendor management and third-party vendor risk management became critical very soon.”
This targeted approach allowed the University to:
- Collect and manage vendor documentation in a single location
- Configure and standardize risk assessment processes
- Establish a foundation for expanding to other compliance areas
Building Team Capacity
A critical turning point in the University’s GRC journey came with the expansion of their compliance team. After three years with Collins working solo on implementation, the addition of Kira Avery, an IT Risk and Compliance Analyst with healthcare compliance experience, has transformed their capabilities.
Avery found ZenGRC’s learning curve manageable despite coming from a different sector, saying it was “easy to navigate and understand.” This accessibility enables faster onboarding and allows the growing team to make rapid progress.
This staffing enhancement has not only accelerated implementation but also brought valuable industry perspective to their program. Avery’s healthcare compliance background provides insights into structured documentation and evidence management that complement Collins’ institutional knowledge. Together, they represent the university’s commitment to building a sustainable compliance program that can scale across their unique geographic challenges.
Future Vision with ZenGRC
As the University of Alaska’s GRC program matures, the team has a clear vision for how ZenGRC will continue to enhance their compliance capabilities.
The team aims to transform ZenGRC into a comprehensive central repository for all compliance activities across the university system.
A key priority is developing department-specific views that map compliance requirements to the organizational units responsible for them. This tailored approach will make compliance more accessible and relevant for each department while maintaining a unified system-wide perspective.
Conclusion
The University of Alaska System’s journey illustrates how organizations with extraordinary challenges can strategically build effective compliance programs through thoughtful technology selection and implementation planning.
By focusing initially on vendor risk management—their most immediate need—the University demonstrated how even resource-constrained institutions can achieve meaningful compliance improvements with ZenGRC. Their modular, phased approach offers a practical roadmap for other organizations embarking on similar GRC journeys.
As Avery summarizes, they feel that ZenGRC is “a really good organizational tool for all of the compliance measures and to really make sure that everything’s being done appropriately.”
Looking ahead, the University plans to expand their ZenGRC implementation to encompass more compliance frameworks and departments. They aim to create a compliance culture that thrives despite geographic dispersion—where distance no longer dictates their ability to maintain consistent standards across campuses.
For the University of Alaska, ZenGRC has become more than just a tool; it’s the foundation for a compliance program as resilient and adaptable as the state they serve.