Risk management in academies

For any organisation or education institution, including academies, risk can be defined as the uncertainty that an event or an action will adversely affect their ability to achieve their objectives and to execute their strategies successfully. Risk is not only about adverse events; it is also about ensuring that an institution is in a position to minimise its lost opportunities.

A risk management system for an academy must be concerned with looking at the measures they have in place to identify and manage key risks, and then recommending the actions that need to be taken to control those risks more effectively. 

Benefits of risk management

Effective risk management better enables an academy to achieve its objectives whilst operating effectively, efficiently, ethically and legally. Key benefits include:

  • providing institutions with a means of improving strategic, operational and financial management
  • helping to maximise realistic opportunities and to achieve and even exceed plans
  • helping to minimise events which might result in financial losses, service disruption, bad publicity, threats to the safety or health of students and other stakeholders, or claims for compensation.

Good risk management has the potential to change the whole ethos of an institution.

Funding body requirements

The Academies Financial Handbook issued by the Education Funding Agency (EFA) requires that academy trusts have in place sound internal control and risk management processes. The trust must: “assess the risks arising from its operations (eg financial loss). This assessment should include the likelihood and materiality of each risk. The trust must maintain a register of these risks showing how they are managed, mitigated, and review this regularly”.

Roles and responsibilities in relation to risk management

The role of the governing body 

The governing body has ultimate responsibility for ensuring there are effective risk management arrangements in place. These should include:

  • defining the institution’s risk management strategy and risk appetite
  • integrating the process for managing risk into the institution’s overall strategic management, planning, systems, reporting, policies, values and culture
  • receiving regular reports on risk management actions in order to monitor the institution’s key risks
  • clearly identifying a person responsible for strategic risk management within the institution.

The role of the audit committee or similar body

The audit committee or similar body assists the governing body in its duties by providing an opinion on the adequacy and effectiveness of the institution’s risk management.

Internal audit or alternative process

It is the responsibility of the governing body to ensure that the institution’s arrangements for risk management and internal control are monitored. However, someone sufficiently independent from those responsible for the system, such as the internal auditor, should provide additional assurance regarding the adequacy of the risk management framework and of the internal controls implemented to manage risk. 

Senior management

The governing body needs assistance in carrying out its risk management responsibilities. It should delegate the responsibility to design, implement and monitor risk management action to management through the principal/head teacher.  Senior management must identify and prioritise the risks associated with non-delivery of the institution’s objectives and associated plans.  Management must then match key controls to these risks to minimise or avoid them altogether and must monitor them.

Departmental managers

Managers should be the accountable risk owner within their areas of control unless it is appropriate to delegate (for example where another member of staff has greater control in managing the specific risk). They should be responsible for identifying, assessing and monitoring risks at department and service level.

The risk management process

All academies face a range of uncertain internal and external factors that may affect the achievement of their objectives. Risk management and internal controls should be aimed at ensuring that the institution achieves its objectives, aims and targets in the most effective manner.  The key risks that an institution faces will be those that would prevent it achieving those objectives, aims and targets.  The institution’s risk register and risk management action plan should, therefore, be linked to the institution’s strategic plan. The institution needs to consider all areas of its operations and what might impinge on their success.

Identifying risk and establishing controls is an ongoing cycle. The cycle might look like this:

[Figure: the risk management cycle]

The governing body needs to ensure that risk assessments are performed on a continuous basis. Risks should be prioritised and ranked to capture the institution’s risk profile. The number of risks should be kept to a manageable level. To enable effective strategic risk management, the number of significant business risks should be limited to those that are considered business critical – say the 10 to 20 top risks. Above this, it becomes more difficult to manage and monitor risks effectively. The risks need to be organised into broad categories and prioritised into a manageable order. The governing body should only be concerned with those risks that threaten the continued existence of the institution and the achievement of its key objectives.

There are many models for grouping risks, predominantly starting from either categorising risk or analysing it using a functional approach. Consideration by category, for example, could include:

Type of risk: those risks that would prevent the institution achieving its long term aims, eg

  • Incorrect assumptions underpin the institution’s strategic plan
  • New competition has emerged but has not been taken into account
  • Failure to maintain physical assets

Potential impact of risks:

  • Failure to maintain student numbers or deliver agreed growth
  • Possible breach of Health and Safety Legislation
  • Possible prosecution regarding unsafe buildings
  • Difficulties in attracting students

Type of risk: those risks associated with ongoing systems and procedures, eg

  • The institution’s backup procedures are inadequate
  • New legislation and regulation are not monitored adequately
  • The institution does not take advantage of innovations in IT

Potential impact of risks:

  • Loss or corruption of key data
  • Compliance with employment legislation may be affected
  • Curriculum changes are inadequately supported

Type of risk: those risks associated with financing, eg inadequate systems concerning

  • Treasury management

Potential impact of risks:

  • Cashflow problems
  • Poor value for money/supply failure

Type of risk: those risks adversely affecting an institution’s reputation, eg

  • Intense media scrutiny revealing bullying or examples of poor teaching

Potential impact of risks:

  • The institution cannot attract key staff of appropriate quality and experience

Type of risk: loss to the institution through deception, eg

  • Through staff submitting dishonest travel expense claims

Potential impact of risks:

  • Financial loss to the institution

Ultimate responsibility for ensuring effective risk management arrangements are in place in an academy falls to its governing body, though it is the role of management to develop and implement such arrangements. Senior management must identify and prioritise the risks associated with non-delivery of the academy’s objectives and associated plans.

Once risks have been identified and prioritised the institution needs to decide how they are going to be managed and the action that needs to be taken in terms of mitigation or control strategies. Management must match key controls to these risks to minimise them and must monitor them accordingly.

An important part of the risk management process is to document the findings.  This is achieved by establishing a risk register.   The risk register captures the key aspects of the risk management process and should be reviewed and updated on a regular basis (approximately monthly). Such a register should be accessible, straightforward to amend and simple to follow.   It needs to be readily understood by a number of audiences including the governing body, the senior management team and departmental managers who will use it for different purposes.

Embedding risk management

Institutions must have confidence in the capacity of their governance processes to identify and manage major risks. A key element in the success of risk management is to ensure it is embedded within an academy, and is an integrated part of all decision making.  Risk management and internal control must be incorporated within the institution’s normal governance and management processes ensuring some consistency. They must not be treated as a separate compliance exercise. Therefore assessing and managing major risks and monitoring their associated controls must be carried out on a continuing basis and not regarded as an annual event.

In order to embed a culture of positive risk management, the governing body will need to:

  • decide on the values and behaviours that it wishes to promote across the institution and to ensure that they are communicated effectively
  • ensure that the culture is and is seen to be set by the governing body and that the head teacher/principal is personally involved
  • ensure that it has the appropriate skills, knowledge, experience and support to ensure that it can appraise the major risks to the institution and to act effectively. If it does not, the governing body will need to plan on how such gaps can be filled
  • ensure that there is sufficient time at its meetings to discuss risks to the institution and to assess their impact on the institution’s risk profile. The governing body should agree the frequency of such discussions. The governing body should also ensure that ‘horizon scanning’ is undertaken across the institution so that longer-term risks as well as unexpected or unusual risks are identified.

Financial reporting of risk 

Academies are required by their funding body to prepare a governance statement and to include it with the financial statements/annual report. In relation to risk, institutions need to cover the way in which leadership has been given to the risk management process and confirm that risks have been reviewed together with the controls implemented to mitigate those risks.

The accounts direction requires that the annual governance statement should be signed by the chair of the governing body and the accounting officer.[1]

Seeking assurance

As part of their role, governing bodies need to seek assurance that the controls in place are being monitored to ensure that they work effectively in practice. This is done by the academy’s management, but will also need to be undertaken by an independent person, someone who has not been involved in either the setup of the control mechanisms or their operation. Independent assurance is usually provided by an academy’s internal audit provider or equivalent and the institution’s external auditor. The academy’s audit committee or its equivalent also has a role in supporting the governing body by providing an opinion on the adequacy of the academy’s risk management arrangements.

Projects and risks

The development and implementation of any new project involves risk. New projects could include systems, courses, services or major changes to existing ones.  Institutions need to ensure that their risk management arrangements identify and take into account potential project risks at the outset. It is useful to establish a specific risk register for each project which is managed by the project manager or other responsible member of staff.

Further reading

Understanding Strategic Risk Management in Academies and Further Education (CIPFA, 2014)

Academies Financial Handbook (EFA, 2014)


[1] In an academy, the principal or head teacher is designated by the funding agreement as the ‘accounting officer’ responsible for the financial and administrative affairs of the institution.