risk management in schools and academies

Risk Management for Academies and Schools – “Keeping it simple”

Is it any wonder that risk management processes fall apart when the required research is complex, overwhelming and varied? A quick Google search on risk assessment will throw up a plethora of guidance from Academics, Professional Bodies and Regulators, often seeming to be a one-size-fits-all solution, but that’s not the case!

The Academy Trust Handbook 2023 states that every Trust must maintain a risk register covering the full activities of the organisation. Risk management is clearly the responsibility of the Board of Trustees, but as every organisation is pretty much unique, a decision regarding how risk management may be best deployed in your organisation whilst meeting the expectations of the Regulator must match both the risk environment and the monitoring and reporting expectations of the Board of Trustees against a consideration of time commitment and the costs involved.

All too often, the task of implementing and administering an appropriate framework falls on a single manager, resulting in a spreadsheet-based system which is unwieldy and produces basic and often out-of-date or inappropriate information upon which governance-related decisions depend.

Getting it right from the start is essential, as embedding a system quickly fails if users find it onerous and irrelevant to day-to-day responsibilities.

Some of the fundamentals which must be addressed in implementation are therefore:

  • Who will lead as the Administrator and hopefully Risk Champion; it’s a good idea to identify a manager who is at least interested in risk;
  • At what level do you need to allocate responsibility for managing risk; certainly, the Senior Management Team need to be involved, but do they need routine involvement as risk owners, or should their role be in a supervisory capacity? Managing overload is critical;
  • Is risk awareness required throughout the organisation; should it be system-driven through automated software, or is it more relevant to achieve through training and regular discussion at meetings;
  • Select a framework that works for you:
  • The structure may allow for reporting regarding corporate objectives, departments, business units (and more), and what you need. Smaller organisations benefit most from being concise. A significant decision within the academy sector relates to whether analysis and monitoring of risk at an individual school level is necessary.
  • How many levels of risk impact and likelihood do you want to use? Choosing a matrix of 3×3, 4×4, or 5×5 is the most common. It is evident that 3×3 is often too simple, 5×5 unnecessarily repetitive and therefore 4×4 is most appropriate as this also prevents management abstention by choosing the ‘middle ground’. Remember what your Board and Management need to know is – do you think th impact significant and is it likely to happen, these are the events you must capture on the risk management system.
  • Which risk categories will you use? Generally, 5 to 8 are sufficient; using more has a tendency to over-complicate the process of analysis and assessment and
  • Don’t forget to guide staff regarding what the board risk appetite is by defining within each risk category what you think is relevant at each level of risk impact, setting out examples of what may be critical and significant in particular.

The ideal solution, in most cases, is to manage significant risk in real-time by ensuring that relevant managers are engaged. Using spreadsheets is, therefore, cumbersome and time-consuming, often resulting in a mass purge just before a meeting.

Demonstrating the point that managers do not routinely think in terms of risk and view updating a spreadsheet as an additional task.

Using automated risk management software should bring advantages in this respect if the organisation selects software that is appropriate to its needs in terms of costs and complexity.

All budget holders will welcome cost-effectiveness, and introducing a user-friendly software solution that can be easily integrated into routine administration and management reporting will be desirable and, therefore, promote likely acceptance.

The degree to which ‘Keeping it simple’ is achieved will be judged by factors such as:

  • Does the software work in real time?
  • Is access straightforward?
  • Does the system prompt me to review the risks I am responsible for?
  • Can further mitigating actions be tracked through the system?
  • Is there instant access to view risks for which I am responsible as an ‘Owner’ or as a Departmental Manager?
  • Can ‘Exception Reports’ be generated to reflect the needs of different meetings at a Team, Audit and Risk Committee or Board level as outlined in the ‘Schedule of musts’ accompanying the Academies Handbook?

Choosing the appropriate software will provide this, greater sophistication comes at a premium so before you commit consider – is that really required?

The best advice, therefore, is to do your research by:

  • Asking for a demonstration;
  • Take a free trial if on offer, then go back and follow up on any issues; remember, advice at this stage is free of charge;
  • Looking at what support is provided and whether there is a charge;
  • Seeking references regarding implementation and use; and
  • Verifying data security and downtime standards.

Time invested early will be time well spent and will most likely lead to the implementation of a successful risk management solution.