Enterprise Risk in Schools (Part Two)
This is the second part of a two-part series which explores enterprise risk management (ERM) in a school context, why it is important and some key concepts and suggestions to make it easier to understand and implement. This second part will discuss key issues in ERM such as common problems with School Enterprise Risk Registers, inherent vs residual risk benefits and issues, establishing a common risk language, risk granularity and a discussion of strategic and operational risk, and appropriate risk review and reporting.
Common Problems with School Enterprise Risk Registers
Some of the common problems with school ERM registers include:
- They are often developed by the executive identifying what they consider key risks with little consultation and without reference to other sources of data to determine key risks, such as staff consultation, or key historical data on incidents and hazards.
- There is frequently no system or taxonomy for the classification of risks. Are the risks strategic or operational? Are they internal or external? Alongside this, there is often no clear reporting structure or review process, and no person is allocated responsibility for the risk.
- There is often confusion between inherent and residual risk and no differentiation between quantitative and qualitative assessment methodologies.
- There is a failure to recognise “risk granularity” with the result that “micro operational risks” are being reported to boards and executive teams that should be considering a smaller number of risks at a “macro level”.
- There is a lack of differentiation between operational risks (the domain of the executive) and strategic risks (the domain of the board), with the result that boards get bogged down in operational issues whilst losing sight of key strategic issues.
Establishing a Common Risk Language
Perhaps one of the most common errors when managing risk within a school is the failure to establish a risk classification system that is robust enough to identify all key risk areas within the school. Schools are usually good at managing the risks that they can clearly identify; however, they often fail to capture those risks that are less obvious. A robust classification system ensures that all risks within a school are considered.
Rating Inherent and Residual Risk or Just Residual Risk?
Many schools, in their activity or excursion-based risk assessments, use a process that involves rating both the inherent and the residual risk of an activity. In ERM there are passionate arguments for both approaches. In a school context there are good reasons for just rating residual risk. Consider one rock climber who is free climbing and another rock climber climbing the same route using rope and anchor points to provide protection:
- Inherent risk is the risk to the school in the absence of any control measures being in place to manage that risk. (No rope, not tied on)
- Assessing inherent risk requires a school to imagine that no controls are in place for any particular risk. (Imagine there is no rope)
- Schools never open their doors until they have many risk controls in place. (We always use a rope)
- Residual risk is the assessment of a risk after considering the controls that are in place in the school already. (Will the rope break? Are the knots strong? Do we have to climb? Is there an alternative?)
While the above analogy is a little simplistic, it highlights the fact that in a school context, schools are already controlling a number of their key risks. The benefit in undertaking a risk assessment using residual risk methodology is to interrogate the risk control strategies that are already in place and ask the question: Could we/should we reasonably do more to control this risk? Residual risk assessment is a real-world exercise and ensures there is a proper analysis of the existing risk controls already in place.
A Qualitative or Quantitative Risk Assessment Process?
The advantages of, and issues with, a qualitative or quantitative approach are:
- Schools operate in an environment that involves the interaction of people including the very young and the very old. It is an imprecise, generally non-technical environment and exact quantification of risk is often impossible.
- Qualitative assessments are easily understood by people not familiar with more technical approaches to risk assessment and use descriptive measures for likelihood and consequence that cover the widest possible range of consequences, not just numerical / monetary consequences.
- Quantitative risk assessments are better suited to engineering and manufacturing applications or specific financial applications where definitive risk data is available. Units of measure (such as dollars) are often used in quantitative risk assessments. Quantitative risk assessments also often use detailed frequency measures (that differ depending on the industry or circumstances) per number of operational hours of use (e.g. flying hours).
Recognising Risk Granularity and Distinguishing Between Operational and Strategic Risk
Not all risks need to be reported to the school board. Many risks are lower level “micro” operational risks (e.g. slips & trips) that are managed on a business-as-usual basis by school management. A key exercise is to decide which risks should be owned and managed at which levels in the school hierarchy. Recognising the granularity of risk is key to reporting the right risks to the right people within the school. Boards and executive management generally review “macro risks” such as “failure to comply with workplace safety standards” whilst operational staff deal with the detailed “micro” risks.
Similarly, it is useful to distinguish between operational risks (the domain of the executive) and strategic risks (the domain of the board). All too often, boards are presented with one register that includes micro and macro operational risks as well as strategic risks. Creating separate “macro operational” and “strategic” risk registers for the board can go a long way to providing clarity for board members who should not lose sight of key strategic issues as a result of getting bogged down in operational issues.
An ERM Program should never be static but must take account of the best available information relevant to the risk. There is a wide range of internal data that a school could use to inform the review of their risk assessments. Last year’s risks may not necessarily be the same as this year’s so regular review is crucial if ERM is to add value.
For more information on ERM in schools see the videos on Enterprise Risk Management in the School Governance Video Resources section here.
About the Author
Jonathan Oliver is a Senior Business Consultant at CompliSpace. He can be contacted here.