By Kerry Ace, Policy advisor, CIPFA
For any organisation, including academies, risk can be defined as the uncertainty that an event or an action will adversely affect its ability to achieve its objectives and to execute its strategies successfully. Risk is not only about adverse events; it is also about ensuring that an institution is in a position to minimise its lost opportunities.
A risk management system for an academy must be concerned with looking at the measures it has in place to identify and manage key risks, and then recommending the actions that need to be taken to control those risks more effectively.
The role of the governing body
The governing body has ultimate responsibility for ensuring there are effective risk management arrangements in place. These should include:
- defining the institution’s risk management strategy and risk appetite
- integrating the process for managing risk into the institution’s overall strategic management, planning, systems, reporting, policies, values and culture
- receiving regular reports on risk management actions in order to monitor the institution’s key risks
- clearly identifying a person responsible for strategic risk management within the institution.
The risk management process
All academies face a range of uncertain internal and external factors that may affect the achievement of their objectives. Risk management and internal controls should be aimed at ensuring that the institution achieves its objectives, aims and targets in the most effective manner. The key risks that an institution faces will be those that would prevent it achieving those objectives, aims and targets. The institution’s risk register and risk management action plan should, therefore, be linked to the institution’s strategic plan. The institution needs to consider all areas of its operations and what might impinge on their success.
Identifying risk and establishing controls is an ongoing cycle. The cycle might be:
The governing body needs to ensure that risk assessments are performed on a continuous basis. Risks should be prioritised and ranked to capture the institution’s risk profile. The number of risks should be kept to a manageable level. To enable effective strategic risk management, the number of significant business risks should be limited to those that are considered business critical – say the ten to 20 top risks. Above this, it becomes more difficult to manage and monitor risks effectively. The risks need to be organised into broad categories and prioritised into a manageable order. The governing body should only be concerned with those risks that threaten the continued existence of the institution and the achievement of its key objectives.
Ultimate responsibility for ensuring effective risk management arrangements are in place in an academy falls to the governing body of an academy, though it is the role of management to develop and implement such arrangements. Senior management must identify and prioritise the risks associated with non-delivery of the academy’s objectives and associated plans.
Once risks have been identified and prioritised the institution needs to decide how they are going to be managed and the action that needs to be taken in terms of mitigation or control strategies. Management must match key controls to these risks to minimise them and must monitor them accordingly.
An important part of the risk management process is to document the findings. This is achieved by establishing a risk register. The risk register captures the key aspects of the risk management process and should be reviewed and updated on a regular basis (approximately monthly). Such a register should be accessible, straightforward to amend and simple to follow. It needs to be readily understood by a number of audiences including the governing body, the senior management team and departmental managers who will use it for different purposes.
Embedding risk management
Institutions must have confidence in the capacity of their governance processes to identify and manage major risks. A key element in the success of risk management is to ensure it is embedded within an organisation, and is an integrated part of all decision making. Risk management and internal control must be incorporated within the institution’s normal governance and management processes ensuring some consistency. They must not be treated as a separate compliance exercise. Therefore assessing and managing major risks and monitoring their associated controls must be carried out on a continuing basis and not regarded as an annual event.
In order to embed a culture of positive risk management, the governing body will need to:
- decide on the values and behaviours that it wishes to promote across the institution and to ensure that they are communicated effectively
- ensure that the culture is, and is seen to be, set by the governing body and that the head teacher/principal is personally involved
- ensure that it has the appropriate skills, knowledge, experience and support to ensure that it can appraise the major risks to the institution and to act effectively. If it does not, the governing body will need to plan on how such gaps can be filled
- ensure that there is sufficient time at its meetings to discuss risks to the institution and to assess their impact on the institution’s risk profile. The governing body should agree the frequency of such discussions. The governing body should also ensure that ‘horizon scanning’ is undertaken across the institution so that longer-term risks as well as unexpected or unusual risks are identified.
Financial reporting of risk
Academies are required by their funding body to prepare a governance statement and to include it with the financial statements/annual report. In relation to risk, institutions need to cover the way in which leadership has been given to the risk management process and confirm that risks have been reviewed together with the controls implemented to mitigate those risks.
The accounts direction requires that the annual governance statement should be signed by the chair of the governing body and the accounting officer.
As part of their role, governing bodies need to seek assurance that the controls in place are being monitored to ensure that they work effectively in practice. This is done by the academy’s management, but will also need to be undertaken by an independent person, someone who has not been involved in either the setup of the control mechanisms or their operation. Independent assurance is usually provided by an academy’s internal audit provider or equivalent and the institution’s external auditor. The academy’s audit committee or its equivalent also has a role in supporting the governing body by providing an opinion on the adequacy of the academy’s risk management arrangements.
Understanding Strategic Risk Management in Academies and Further Education (CIPFA, 2014)
 The term ‘governing body’ refers to the group with primary responsibility for overseeing an entity’s strategic direction, operations and accountability. In an academy, this is normally called the board, the academy trust board or the board of trustees. It operates on behalf of the academy trust, which is the legal body (charitable company) responsible for running the academy or academies within the multi-academy trust.
 In an academy, the principal or head teacher is designated by the funding agreement as the ‘accounting officer’ responsible for the financial and administrative affairs of the institution.