Enterprise Risk in Schools (Part One)

19 July 2018

This is the first part of a two-part series exploring enterprise risk management (ERM) in a school context, why it is important and some key concepts and suggestions to make it easier to understand and implement.

The School Risk Management Context

Many schools have little or no experience of enterprise risk as opposed to, for example, activity-based risk assessments for excursions. The risk assessment tools developed for activities tend to closely follow suggested models of risk assessment. Some of these models can be overly technical and require numerical scores for likelihood and consequence descriptors and often also require both an inherent and residual risk assessment score. In other words, these systems tend to be quite complex.

School staff often do not see the value in ERM as their experience of undertaking risk assessments has been coloured by having to use the Work Health and Safety-type methodology.

Activity-type risk assessments are often viewed by staff as an administrative exercise with little impact or connection with the actual safety of students. Staff frequently say that they know how to keep students safe and risk assessments don’t make it safer.

In their excursion and activity risk assessments, schools have focussed on the final score in the risk matrix as being at an acceptable level in order for the activity to proceed (for example ‘no activity can proceed unless the rating is moderate or lower’).

All of these contextual issues mean that when schools turn their attention to ERM and developing an enterprise risk register there is potential for a lot of ‘baggage’.

What is Enterprise Risk Management?

ERM is a whole-of-enterprise approach to risk management. The International Risk Management Standard ISO 31000:2018, Risk management – Guidelines (ISO 31000) defines risk as ‘the effect of uncertainty on objectives’. ERM is defined as "coordinated activities to direct and control an organisation with regard to risk". Refer to our previous School Governance article on ISO 31000. The previous version of the International Standard - ISO 31000:2009, Risk Management - Principles and guidelines has been adopted by major regulators in Australia including the Commonwealth Government and various State governments. The 2018 version is yet to be officially adopted by regulators.

ERM identifies and manages key risks to the organisation (the enterprise) and ERM impacts on all aspects of the organisation. ERM helps manage uncertainties in achieving organisational objectives.

It integrates risk into the organisation using a structured methodology and framework and relies on organisational data to enable continuous consultation and review.

In 2009 the South Australian Government, in its risk management policy (based on ISO 31000:2009), said "the South Australian Government recognises that commitment to risk management contributes to sound management practice and increasing community confidence in government performance".

In a school context this could be reworded as ‘the school recognises that commitment to risk management contributes to sound management practice and increasing community confidence in the school's performance’.

How to Get Started With ERM in a School?

Articulate the Value Proposition and Get Key Stakeholders On Board

An essential step in starting the ERM process is to ensure that all key executive staff and school board members are committed to developing an ERM Program in their school. A key part in getting everyone on board is to articulate the ‘value proposition’. How will the ERM Program add value to our school? Make sure you have a detailed answer to that question to convince those that are carrying the activity risk assessment baggage referred to earlier.

ERM adds value because it increases the likelihood of a school achieving its goals and objectives by addressing uncertainties. Most schools have a set of strategic objectives. An example of a strategic objective may be to build resilience and self-esteem in students. A key risk associated with achieving that objective would be a failure by the school to document and implement systems and procedures to minimise incidents of student bullying and to effectively manage student bullying incidents when they arise. Or again, if an objective was to build a strong and supportive school community, a key risk is a failure by the school to implement effective procedures for managing communications with key stakeholders, such as staff, students, families and the local community.

Other benefits of an ERM Program include:

  • enabling a school to meet legal and regulatory obligations
  • reducing the likelihood of adverse risk events occurring and the consequences if they do
  • providing a sound basis for organisational decision making.

Make Sure You Have an ERM Program, Not Just a Set of Organisational Risks

An ERM Program should, where possible, be built to ISO 31000. While the updated 2018 version is yet to receive substantial regulatory attention, it is likely to become the new Australian ERM benchmark.

ISO 31000 outlines the elements of an ERM Program and includes 8 principles of risk management, a framework for managing risk and an 8-step risk management process. The benefits of building a Program to a standard such as ISO 31000 include providing a roadmap for implementation and ensuring key steps and processes are included in the Program.


Developing an ERM Program in your school is a process that will take time. It is important to start and to make sure that the first steps are undertaken with a clear knowledge of the benefits and a structured methodology in place. It is also important to start small and not attempt to introduce a system all at once, but instead to gradually build and refine the system over time. The second part of this series will discuss key issues in ERM such as common problems with school ERM registers, inherent vs residual risk benefits and issues, deciding who is responsible for risk management in your school, the importance of a risk taxonomy and appropriate risk review and reporting.

Jonathan Oliver

Jonathan is a Principal Consultant working with CompliSpace education clients. He has more than 10 years' experience in the school sector as a teacher, compliance and legal adviser and more recently as a Business Manager. Jonathan has been a solicitor for nearly 30 years and worked in both private practice and community legal centres.