On 7 August 2020, CompliSpace held the webinar “Practical Tips for Implementing an Enterprise Risk Management Program in Your School” (Webinar), presented by CEO and Co-Founder James Field. The Webinar was the first in a five-part series on enterprise risk management in schools.

Specifically, the Webinar focused on the following:

• what enterprise risk management is and why it is important for schools
• key enterprise risk management concepts
• integrating enterprise risk management within schools
• reasons why enterprise risk management may not work at your school.

The Webinar recording has been converted into a professional learning course in CompliLearn and is available at no cost. Instructions on how to access the course appear at the end of this article.

This article summarises, and provides the key takeaways from, the Webinar. This article does not contain all the information in the Webinar and does not seek to act as its substitute.

What is Enterprise Risk Management and Why is it Important for Schools?

James began the Webinar by defining enterprise risk management. James defined enterprise risk management as a structured process which assists schools to predict future events that may impact on their activities, and allows them to take appropriate action to address the likelihood of the event happening, and/or the impact of the event should it occur. It is an all-encompassing concept for which a school governing body has oversight but for which school management has responsibility. The International Risk Management Standard ISO 31000 is an internationally accepted blueprint for implementing enterprise risk management in any organisation. It includes a set of principles, a framework and a process.

There is an inter-relationship between risk and compliance. Risk is about looking into the future to determine what may happen. Once something does happen, it becomes a compliance obligation. As risk profiles are constantly changing, so are compliance profiles.

Effective enterprise risk management is important for several reasons, including the following:

• it allows schools to ensure that students can undertake different activities that would otherwise be deemed too risky
• it can ensure that school reputation is maintained, particularly when schools span multiple generations through students, parents, grandparents and alumni
• it can help ensure that legal obligations are met.

Key Enterprise Risk Management Concepts

James also explored the following seven key enterprise risk management concepts:

• inherent risk vs. residual risk
• risk control effectiveness
• risk granularity
• risk articulation
• key risk indicators
• risk maturity
• the three lines of defence.

The first concept is the distinction between inherent risks and residual risks. These are different methodologies that schools can use to assess risks on a day-to-day basis. Determining inherent risk involves assessing risk when there are no controls in place, looking at the effectiveness of controls, and doing a second risk assessment to determine the residual risk. This tends to be used by quantitative risk analysis industries. Residual risk involves looking at the effectiveness of existing risk controls prior to determining the likelihood and consequence of a risk and plotting this on a risk matrix. This tends to be used for more qualitative broad analysis and is used by enterprise risk management practitioners.

The second key concept is risk control effectiveness. Schools often do not analyse how well a risk is being controlled on a day-to-day basis. They may do it in general terms, but specifically measuring it will provide the information needed to make appropriate decisions and ensure risk control effectiveness. This should be undertaken prior to determining the likelihood and consequence.

The third key concept is risk granularity. This involves classifying and sorting risks on the basis of whether they are a ‘micro risk’ or a ‘macro’ risk or a strategic risk. These three ‘levels’ or classifications assist enormously in dealing with the very large number of risks that a school must effectively manage. Using health and safety as an example, a micro risk is ‘failure to ensure systems and processes are in place to for effective and safe traffic management around the school’. This might also be called a health and safety hazard. A typical school may have upwards of 80 of these health and safety hazards as part of a hazard register. A health and safety macro risk would be ‘failure to ensure compliance with health and safety laws and create a safe work culture in the school’. The macro risk is big picture, the micro risk is ‘little picture’ and above these there are strategic risks. In general macro risk would be managed and reported at the school executive level with periodic reports to the governing body. A micro risk would generally be managed and assessed by persons within the school who have day-to-day operational responsibility for these risks. Strategic risks would be developed by the school governing body but probably managed at an executive level.

The fourth key concept that James explored is risk articulation. Risk should always be articulated as a future event with respect to which the likelihood of the event occurring can be measured as well as the potential consequences if the risk event was to occur. The articulation of the risk as a future event should not be confused with articulating the consequence of that risk.

The fifth key concept involves having key risk indicators. These are metrics used by organisations to provide an early signal of increasing risk exposures in various areas of the enterprise, such as injury registers and child protection reports. Schools should record this information because it provides important data that can be used to review and re-assess the risks and instigate risk treatment plans, which often involve improving the effectiveness of existing controls or adding additional risk controls. If a particular risk area is rated as low risk but has numerous recorded incidents, this would show the school that they need to go back and re-assess the risk.

The sixth key concept is risk maturity. Building an effective risk program within a school can take many years. Generally, the timeline for a risk program will see it going from being ad hoc to basic to defined to improving and, finally, optimised. The final optimised level involves a fully integrated risk management system that is agile and builds on lessons learned to ensure that there is continuous improvement.

The seventh key enterprise risk management concept involves the three lines of defence for risk management. The first line is the business front line, whereby risks in schools are managed primarily on the front line by teachers and other staff. In all organisations this front line is crucial if risks are to be managed effectively. Schools should therefore ensure that all staff are training in policies and procedures and are given the tools and resources to manage risk effectively at the front line. A recent survey of 400 non-government schools showed that 88 per cent of schools do not train their teachers on excursion risk management, yet those staff are in the front line. The second line is the more general oversight by the school often by managers and the school executive. The third line involves internal and external audits and reviews by governing body members to determine if risks are being properly managed.

These seven key enterprise risk management concepts provide practical assistance to schools to assist them in implementing an enterprise risk management program.

Operational v Strategic Risk

James discussed the concepts of operational and strategic risk. This is actually another key concept but one deserving of a longer discussion. An operational risk is one that emanates from the day-to-day operations of a school and often relates to the adequacy of internal work practices, systems, procedures or a breakdown in a school’s internal controls. A strategic risk is one that emanates from a school’s strategy and relates to changes in a school’s business environment, or from poor decision making, improper implementation of decisions, inadequate resources allocation or a lack of responsiveness to change.

Schools should have a risk classification system that includes classifying risks as operational and strategic. Without a classification system it is very hard to have a sensible conversation about risk. Classifying risks as operational or strategic should be central to that classification system. This closely aligns with the concept of risk granularity where ‘macro’ operational risks are the domain of the school executive and strategic risks are for the most part developed by the school governing body in consultation with the executive.

Integrating Enterprise Risk Management Within Schools

James also discussed how enterprise risk management can be integrated within schools. It should involve the following process:

• policy management
• staff training
• monitoring risks through data capture and analysis
• management reporting.

The first part of the integration process is policy management. Policy management involves writing policies on risks so that those risks can be managed. Enterprise risk management policies should work with policies in other areas to effectively manage risks.

The second part of the integration process is staff training. Staff should be trained appropriately, with an emphasis on high risk matters.

The third part of the integration process involves ensuring that risks are monitored through effective data capture and analysis on a continuous basis. At the most basic level, schools should record their risks in a risk register. They should also capture data and report on incidents and accidents which will provide data for reviewing a number of key risks – for example health and safety risks. Making note of key risk indicators can also help schools effectively monitor risks.

The fourth part of the integration process is management reporting. This is a crucial step because risk management will not work if acquired information is not appropriately reported. The third key risk concept of granularity becomes particularly important when reporting risks. This is because to effectively report risks, schools should report separately on operational risks and strategic risks. This can help the school governing body to focus primarily on the strategic risks facing the school. There are many operational risk areas that schools should be effectively reporting include child protection, complaints handling, health and safety and financial reporting. Some of the strategic risks that schools should be effectively reporting include building staff capacity and maximising student engagement.

Reasons Why Enterprise Risk Management May Not Work at Your School

Enterprise risk management may not work at your school for the following reasons:

• lack of leadership within the school with no clear vision of enterprise risk management
• no clear understanding of the enterprise risk management value proposition
• poorly designed risk framework
• no enterprise risk management roll out plan
• no ownership of the enterprise risk management function
• once a year risk management which does not facilitate the dynamic process of risk management.

Key Takeaways

The Webinar introduced how schools can begin navigating enterprise risk management.

The key takeaways from the Webinar are:

• effective enterprise risk management is important for schools for several reasons, including the fact that it can allow students to engage in activities that would otherwise be deemed too risky
• the seven key enterprise risk management concepts come together to provide practical assistance when implementing an enterprise risk management program
• enterprise risk management can be integrated within schools by following a clear integration process
• enterprise risk management may not work at a school if the school has barriers that do not permit its effective implementation.

Access the Webinar Recording 

This webinar was converted into a free professional learning item available in CompliLearn. To access the course:

1. Simply visit complilearn.com and sign up for a free Individual Explorer Account using the orange button at the top of the page (or log in using the login button at the top right if you already have one).
2. Once you log in, type “risk management” into the search bar and select Enterprise Risk Management for Schools (Part 2). Follow the prompts to begin the course.
3. NOTE: Enterprise Risk Management for Schools (Part 1) is also a free professional learning course available via the free Individual Explorer Account. It provides an overview of the International Risk Management Standard ISO 31000 and is a good course to do prior to ERM (Part 2).

If you would like to view the Questions and Answers document for the "Practical Tips" webinar, please click here.

Learn more about the 5-Part School Risk Webinar Series and Register

If you are interested in learning more about these topics in our upcoming four webinars, please click here to learn more and register:

• “The Forgotten School Risks (That can come back to bite you!)” Webinar on 27 August 2020.
• “School Risk Management through Good Policy Management – Essential for Managing Risk” Webinar on 15 October 2020. 
• “Reporting – Verifying that Your School Risk Controls are Working so you can Sleep at Night” Webinar on 29 October 2020. 
• “Child Protection Risk in 2021: Managing Risk Under the National Principles for Child Safe Organisations” Webinar by Deborah de Fina on 12 November 2020.