Many schools have a risk register that seeks to identify organisational risks, rate those risks and set out the control measures that are in place to manage the risks. Schools are very aware of the benefits of identifying and managing key operational and strategic risks.
Whether a school has an enterprise risk management system, or a more basic risk register or series of registers, key questions to be addressed include:
- How do we know whether everyone is doing what is required of them to manage organisational risk?
- How can we provide our governors and executive with assurance that the school’s risk controls are being implemented effectively?
The Importance of Assurance
The Institute of Chartered Accountants in England and Wales (ICAEW) defines assurance as “an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the organisation”.
In ‘enterprise risk management speak’, ‘assurance’ refers to the systems and processes that a school has in place to collect data that evidences whether or not risk controls are working effectively. This includes:
- incident reporting (complaints, injuries, near misses etc)
- compliance and risk control task allocations and returns
- staff training records
- ensuring that organisational policies are in place and up-to-date
- internal and external audits
- upward reporting systems.
Generating and reporting this assurance data manually is a time-consuming process, and schools now use a range of software systems that are purposefully designed to automate some of these assurance processes.
Assurance software should at a minimum enable the capture and reporting of risks, hazards and incidents as well as task allocation, automated workflows, alerts and notifications. Critically, assurance software should enable a school to generate a wide range of reports suitable for line managers, a school executive and a school’s governors.
School leaders should consider what evidence is available to them to be assured that risk control processes are being undertaken effectively.
Interrogating and validating the quality and effectiveness of the controls is an essential step if a school is really to understand whether the risk controls are actually working as intended.
It is our experience that, while most schools are very active in developing a range of risk controls, they can be quite ‘passive’ when it comes to determining whether these controls are working effectively and have little in the way of assurance systems or processes. Sometimes they only find out that the risk control systems are not working after a serious incident occurs.
In order to develop a comprehensive assurance process, schools may wish to consider the ‘three lines of defence’ model. ICAS UK, the professional body for chartered accountants, stated that “the Three Lines of Defence model can enhance clarity regarding risks and controls and help improve the effectiveness of risk management systems”.
The three lines of defence are set out briefly below.
First Line of Defence – Front Line Staff
The first line of defence sits with the managers and staff of a school who are responsible for identifying and managing risk on a daily basis. They must have the knowledge and skills to do this. In a school context, key issues to address to ensure that the first line of defence is working effectively are:
- clear guidance through accessible plain English policies
- staff training with respect to high-risk compliance areas
- effective management supervision.
Second Line of Defence – The Risk & Compliance Function
The second line of defence sits with the individuals responsible for overseeing a school’s risk and compliance management systems. In smaller schools this may be the principal and members of a school’s leadership team. Larger schools may have a dedicated risk and compliance management function.
The second line of defence is responsible for overseeing the effectiveness of the first line of defence and often carries out this task with the assistance of software systems designed to manage policy publication and maintenance, staff learning and assurance.
Third Line of Defence – Independent Review
The third line of defence is independent review. In larger schools and education groups this may be undertaken through an internal audit function. In smaller schools (that typically do not have internal audit functions) the second line of defence can often be extended with a “Chinese wall” to include the conduct of targeted spot compliance audits. The main role of the third line of defence is to ensure that the first two lines are operating effectively and to make recommendations for improvement.
Ideally, the third line of defence will utilise data obtained from the second line of defence to target high-risk areas.
Actively engaging in assurance activity should be a key task of school leadership and should not be regarded as something to do ‘when time permits’. It is impossible to properly assess an organisation’s operational risks unless there is information available to validate the quality and effectiveness of the risk controls that the school leadership has implemented.