For any organisation or education institution, including academies, risk can be defined as the uncertainty that an event or an action will adversely affect their ability to achieve their objectives and to execute their strategies successfully. Risk is not only about adverse events; it is also about ensuring that an institution is in a position to minimise its lost opportunities.
A risk management system for an academy must be concerned with looking at the measures it has in place to identify and manage key risks, and then recommending the actions that need to be taken to control those risks more effectively.
Effective risk management better enables an academy to achieve its objectives whilst operating effectively, efficiently, ethically and legally. Key benefits include:
Good risk management has the potential to change the whole ethos of an institution.
The Academies Financial Handbook issued by the Education Funding Agency (EFA) requires that academy trusts have in place sound internal control and risk management processes. The trust must: “assess the risks arising from its operations (eg financial loss). This assessment should include the likelihood and materiality of each risk. The trust must maintain a register of these risks showing how they are managed, mitigated, and review this regularly”.
The governing body has ultimate responsibility for ensuring there are effective risk management arrangements in place. These should include:
The audit committee or similar body assists the governing body in its duties by providing an opinion on the adequacy and effectiveness of the institution’s risk management.
It is the responsibility of the governing body to ensure that the institution’s arrangements for risk management and internal control are monitored. However, someone sufficiently independent from those responsible for the system, such as the internal auditor, should provide additional assurance regarding the adequacy of the risk management framework and of the internal controls implemented to manage risk.
The governing body needs assistance in carrying out its risk management responsibilities. It should delegate the responsibility to design, implement and monitor risk management action to management through the principal/head teacher. Senior management must identify and prioritise the risks associated with non-delivery of the institution’s objectives and associated plans. Management must then match key controls to these risks to minimise or avoid them altogether and must monitor them.
Managers should be the accountable risk owner within their areas of control unless it is appropriate to delegate (for example where another member of staff has greater control in managing the specific risk). They should be responsible for identifying, assessing and monitoring risks at department and service level.
All academies face a range of uncertain internal and external factors that may affect the achievement of their objectives. Risk management and internal controls should be aimed at ensuring that the institution achieves its objectives, aims and targets in the most effective manner. The key risks that an institution faces will be those that would prevent it achieving those objectives, aims and targets. The institution’s risk register and risk management action plan should, therefore, be linked to the institution’s strategic plan. The institution needs to consider all areas of its operations and what might impinge on their success.
Identifying risk and establishing controls is an ongoing cycle. The cycle might look like this:
The governing body needs to ensure that risk assessments are performed on a continuous basis. Risks should be prioritised and ranked to capture the institution’s risk profile. The number of risks should be kept to a manageable level. To enable effective strategic risk management, the number of significant business risks should be limited to those that are considered business critical – say the 10 to 20 top risks. Above this, it becomes more difficult to manage and monitor risks effectively. The risks need to be organised into broad categories and prioritised into a manageable order. The governing body should only be concerned with those risks that threaten the continued existence of the institution and the achievement of its key objectives.
There are many models for grouping risks, predominantly starting from either categorising risk or analysing it using a functional approach. Consideration by category, for example, could include:
those risks that would prevent the institution achieving its long term aims eg
Incorrect assumptions underpin the institution’s strategic plan
New competition has emerged but has not been taken into account
Failure to maintain physical assets
Failure to maintain student numbers or deliver agreed growth
Possible breach of Health and Safety Legislation
Possible prosecution regarding unsafe buildings
Difficulties in attracting students
those risks associated with ongoing systems and procedures eg
The institution’s backup procedures are inadequate
New legislation and regulation are not monitored adequately
The institution does not take advantage of innovations in IT
Loss or corruption of key data
Compliance with employment legislation may be affected
Curriculum changes are inadequately supported
those risks associated with financing eg inadequate systems concerning
Poor value for money/supply failure
those risks adversely affecting an institution’s reputation eg
Intense media scrutiny revealing bullying or examples of poor teaching
The institution cannot attract key staff of appropriate quality and experience
loss to the institution through deception eg
Through staff submitting dishonest travel expense claims
Financial loss to the institution
Ultimate responsibility for ensuring effective risk management arrangements are in place in an academy falls to the governing body of an academy, though it is the role of management to develop and implement such arrangements. Senior management must identify and prioritise the risks associated with non-delivery of the academy’s objectives and associated plans.
Once risks have been identified and prioritised the institution needs to decide how they are going to be managed and the action that needs to be taken in terms of mitigation or control strategies. Management must match key controls to these risks to minimise them and must monitor them accordingly.
An important part of the risk management process is to document the findings. This is achieved by establishing a risk register. The risk register captures the key aspects of the risk management process and should be reviewed and updated on a regular basis (approximately monthly). Such a register should be accessible, straightforward to amend and simple to follow. It needs to be readily understood by a number of audiences including the governing body, the senior management team and departmental managers who will use it for different purposes.
Institutions must have confidence in the capacity of their governance processes to identify and manage major risks. A key element in the success of risk management is to ensure it is embedded within an academy, and is an integrated part of all decision making. Risk management and internal control must be incorporated within the institution’s normal governance and management processes ensuring some consistency. They must not be treated as a separate compliance exercise. Therefore assessing and managing major risks and monitoring their associated controls must be carried out on a continuing basis and not regarded as an annual event.
In order to embed a culture of positive risk management, the governing body will need to:
Academies are required by their funding body to prepare a governance statement and to include it with the financial statements/annual report. In relation to risk, institutions need to cover the way in which leadership has been given to the risk management process and confirm that risks have been reviewed together with the controls implemented to mitigate those risks.
The accounts direction requires that the annual governance statement should be signed by the chair of the governing body and the accounting officer.
As part of their role, governing bodies need to seek assurance that the controls in place are being monitored to ensure that they work effectively in practice. This is done by the academy’s management, but will also need to be undertaken by an independent person, someone who has not been involved in either the setup of the control mechanisms or their operation. Independent assurance is usually provided by an academy’s internal audit provider or equivalent and the institution’s external auditor. The academy’s audit committee or its equivalent also has a role in supporting the governing body by providing an opinion on the adequacy of the academy’s risk management arrangements.
The development and implementation of any new project involves risk. New projects could include systems, courses, services or major changes to existing ones. Institutions need to ensure that their risk management arrangements identify and take into account potential project risks at the outset. It is useful to establish a specific risk register for each project which is managed by the project manager or other responsible member of staff.
Understanding Strategic Risk Management in Academies and Further Education (CIPFA, 2014)
Academies Financial Handbook (EFA, 2014)
 In an academy, the principal or head teacher is designated by the funding agreement as the ‘accounting officer’ responsible for the financial and administrative affairs of the institution.