managing risk in academies

By Kerry Ace, Finance and Policy Manager, CIPFA

On 3 March 2014, approximately 500,000 children in England heard if their application to their first choice of secondary school had been successful. My son was one of those half a million. 

Many parents like me are constantly impressed by academies. Their facilities are amazing: my local academy features a dance studio, a newly opened conference centre, a recording studio with a vast array of musical instruments and a huge range of extra-curricular activities, with the local sports centre offering the school first option for any time and facility.

I should also mention the impressive exam results, with the children at these schools seeming to be regularly in our local newspapers. However, worryingly stories of governance failures, mismanagement of funds and even fraud at various academies continue to appear in the national newspapers. Sadly, despite good work going on at so many academies, there is a serious risk that such instances could taint the whole sector. So what lessons can academies, free schools and other stakeholders learn from these problems?

Risk management

As we know, academies have freedoms that other schools don’t. They have influence over the curriculum taught, flexibility regarding the use of their funding, including salaries paid to staff, and overall, greater control of the school’s strategic direction and ability to innovate. This has come about through the transfer of these powers from local authorities. However this relinquishment of local authority control comes with added risk. As a result, academies no longer have direct access to the expert advice, systems and processes previously made available to them by councils, unless they pursue this directly as an option. 

Academies also no longer benefit from economies of scale with regard to procurement and need to negotiate their own contracts. With this in mind and whatever the governance structure in place (single converter or a more complex multi academy trust model), it is essential that governing body members understand their role in ensuring that risk and risk management is taken seriously and is part of their accountability to parents, the wider public and other stakeholders. Indeed, the Education Funding Agency requires academies to have in place a sound system of internal control and risk management processes.

For any organisation, including academies, risk can be defined as the uncertainty that an event or an action will adversely affect their ability to achieve their objectives and to execute successfully their strategies. And risk is not only about adverse events, it is also about ensuring that an institution is in a position to minimise its lost opportunities. A risk management system for an academy must be concerned with looking at the measures they have in place to identify and manage key risks, and then recommending the actions that need to be taken to control those risks more effectively.

Strategic objectives

All academies face a range of uncertain internal and external factors that may affect the achievement of their objectives. This means that at the highest level, risk management must be closely aligned with  the academy’s strategic objectives, ensuring that there is a clear focus on the significant risks that would prevent it from achieving its key aims. 

An example of such a risk could include a failure to take account of emerging competition from other education providers that could potentially threaten the sustainability of the institution in the longer term. A means of mitigating this risk might be to ensure an effective marketing campaign clarifies the benefits of the education provision within the academy and ensures that differences – the academy’s unique selling points – are brought to the fore. 

Another significant area of risk for academies is reputational risk. For example, if an academy fails to safeguard adequately the school’s pupils at risk of harm, the result could cause significant damage to an academy’s reputation and pose possible problems in the future recruitment of students. The management of all such risks should be a part of the ongoing focus of the management team and governors of any academy.

Operational risk

Recently, another area for which a series of academies have come under significant scrutiny has been operational risks – the management of risk associated with the ongoing systems and procedures that academies use in their day-to-day administration and operation. Stories in the media have abounded, especially in relation to poor financial management and control of funds. Some academies have had the risk of having inadequate procedures, such as those dealing with expense claims and invoice processing cruelly exposed, leading to such schools being vulnerable to fraud, by external contractors, professional fraudster and unfortunately their staff. 

These stories have been clear demonstrations of the need for robust controls over expenditure authorisation policies and practices at the heart of all academies to mitigate these risks. Some academies have also unfortunately demonstrated the risks of having inadequate expertise in dealing with procurement issues – such as those associated with renewing IT or reprographic facilities for pupils - with schools receiving poor value-for-money for years to come as a result of mistakes made.

At the heart of mitigating these types of risk is ensuring that sound professional advice regarding all contracts is both sought and followed. Proper internal control is also an integral part of an institution’s risk management arrangements. Controls are a means to an end - they are a dynamic and fluid set of tools which evolve over time as an academy’s objectives, environment, technology and corresponding risks change.

Governing body responsibility

Ultimate responsibility for ensuring effective risk management arrangements are in place in an academy falls to the governing body of an academy, though it is the role of management to develop and implement such arrangements. Senior management must identify and prioritise the risks associated with non-delivery of the academy’s objectives and associated plans.  Management must then match key controls to these risks to minimise them and must monitor them accordingly. But they must be pragmatic – it is not the aim of the process to eliminate all major risks – some element of risk will always remain and will need to be managed.  

To undertake its role successfully, the governing body of any institution must ensure that it has the appropriate skills, knowledge, experience and support so that it can appraise the major risks to the academy and act effectively. If it does not have the appropriate skills, the governing body must plan on how such gaps can be filled. Members must ensure that there is sufficient time at meetings to discuss risks to the institution and to assess their impact on the institution’s risk profile. The governing body should also ensure that ‘horizon scanning’ is undertaken across the institution so that longer-term risks as well as unexpected or unusual risks are identified.

As part of its role, governing bodies need to seek assurance that the controls in place are being monitored to ensure that they work effectively in practice. This is done by the academy’s management, but will also need to be undertaken by an independent person , someone that has not been involved in either the setup of the control mechanisms or their operation. Independent assurance is usually provided by an academy’s internal audit provider or equivalent and the institution’s external auditor. The academy’s audit committee or its equivalent also has a role in supporting the governing body by providing an opinion on the adequacy of the academy’s risk management arrangements.

Keep it simple

However, there are a few more lessons worth bearing in mind. Academies must avoid ‘over control’. Implementing extensive risk management procedures that far outweigh the benefits to the academy clearly should be avoided. Policies and procedures should be kept simple. An academy should concentrate on a limited number of significant risks – for example ten to 20, as any more becomes unwieldy to manage. Risk management should not be regarded as a separate compliance process - it should be integrated in the academy’s governance and management processes. For example, to be effective, there must be a clear link between the academy’s objectives and its key risks. Risk management must therefore be embedded in the planning process.

Clearly the governing body needs to ensure that a positive risk management culture is established across the academy. This culture – ensuring that all staff are aware of the risks that the institution faces and the impact they can have on these risks in their own roles and their own responsibilities in the process – must be seen as being driven by the head teacher, but with significant support and challenge from the governing body. Effective risk management helps to minimise events which might result in financial losses, service disruption, bad publicity, threats to the safety or health of students and other stakeholders, or claims for compensation. It enables the type of opportunities for academies that all involved parents, teachers, governors and, most importantly, pupils need. If our academy sector is to continue to thrive and educate our children to take the risks and opportunities that life presents them, then the sector must also learn to succeed by better mitigating and managing the risks that it faces.

  • CIPFA’s guide to ‘Understanding Strategic Risk Management in Academies and Further Education Colleges’  will be published in Autumn 2014
  • This article originally appeared in Education Business magazine.