This is the second part of a two-part series which explores enterprise risk management (ERM) in a school context, why it is important and some key concepts and suggestions to make it easier to understand and implement. This second part will discuss key issues in ERM such as common problems with School Enterprise Risk Registers, inherent vs residual risk benefits and issues, establishing a common risk language, risk granularity and a discussion of strategic and operational risk, and appropriate risk review and reporting.
Some of the common problems with school ERM registers include:
Perhaps one of the most common errors when managing risk within a school is the failure to establish a risk classification system that is robust enough to identify all key risk areas within the school. Schools are usually good at managing the risks that they can clearly identify; however, they often fail to capture those risks that are less obvious. A robust classification system ensures that all risks within a school are considered.
Many schools in their activity or excursion-based risk assessments use a process that involves rating both the inherent and the residual risk of an activity. In ERM there are passionate arguments for both approaches. In a school context there are good reasons for just rating residual risk. If one imagines one rock climber who is free climbing and another rock climber climbing the same route using rope and anchor points to provide protection:
While the above analogy is a little simplistic, it highlights the fact that in a school context, schools are already controlling a number of their key risks. The benefit in undertaking a risk assessment using residual risk methodology is to interrogate the risk control strategies that are already in place and ask the question: Could we/should we reasonably do more to control this risk? Residual risk assessment is a real-world exercise and ensures there is a proper analysis of the existing risk controls already in place.
The advantages of, and issues with, a qualitative or quantitative approach are:
Not all risks need to be reported to the school board. Many risks are lower level “micro” operational risks (e.g. slips & trips) that are managed on a business-as-usual basis by school management. A key exercise is to decide which risks should be owned and managed at what levels in the school hierarchy. Recognising the granularity of risk is key to reporting the right risks to the right people within the school. Boards and executive management generally review “macro risks” such as “failure to comply with workplace safety standards” whilst operational staff deal with the detailed “micro” risks.
Similarly, it is useful to distinguish between operational risks (the domain of the executive) and strategic risks (the domain of the board). All too often, boards are presented with one register that includes micro and macro operational risks as well as strategic risks. Creating separate “macro operational” and “strategic” risk registers for the board can go a long way to providing clarity for board members who should not lose sight of key strategic issues as a result of getting bogged down in operational issues.
An ERM Program should never be static but must take account of the best available information relevant to the risk. There is a wide range of internal data that a school could use to inform the review of its risk assessments. Last year’s risks may not necessarily be the same as this year’s, so regular review is crucial if ERM is to add value.
For more information on ERM in schools, see the videos on Enterprise Risk Management in the School Governance Video Resources section.