On 27 August 2020, CompliSpace held the webinar “The Forgotten Risks of Risk Management” (Webinar), presented by Principal Consultant Jonathan Oliver and National Education Lead Craig D’cruz. The Webinar was the second in a five-part series about navigating enterprise risk management.

Specifically, the Webinar focused on the following:

• how operational risks and strategic risks can overlap
• the eight forgotten risks of risk management – strategic planning, talent management, policy management, privacy, complaints handling, child protection and child safety, excursions and enterprise risk management itself.

This article summarises and provides the key takeaways from the Webinar. This article does not contain all the information in the Webinar and does not seek to act as its substitute.

Click here to request the webinar recording by completing the form at the bottom of the page.

Operational and Strategic – Same Area of Risk

Jonathan began the Webinar by defining operational risks and strategic risks. An operational risk is one that emanates from the day-to-day operations of a school and often relates to the adequacy of internal work practices, systems, procedures or a breakdown in a school’s internal controls. A strategic risk is one that emanates from a school’s strategy and relates to changes in a school’s business environment, or from poor decision making, improper implementation of decisions, inadequate resources allocation or a lack of responsiveness to change. While each school will be different, in general, strategic risks are often developed and closely monitored by school boards. 

While many risks are easy to categorise as either operational or strategic there are always risks that may be placed in either category depending on your point of view. Each school should classify risks as operational or strategic and not spend time debating whether a risk is one or the other.

A key issue for schools is that they often fail to identify both the operational and the strategic risks associated with a particular risk area. Jonathan used the example of COVID-19 risks to illustrate that there are both operational and strategic risks associated with this risk area.

The strategic risks include:

• Failure to review strategic plans in the light of the changed circumstance brought about by COVID-19.
• Failure to review current operations and strategic objectives using a range of scenarios as to future work, school operations, building design and planning, online learning, excursion management, overseas student enrolment exchanges and overseas tours and excursions.

The operational risks include:

• Failure to develop a business continuity plan that takes into account the nature and complexity of the school and the nature and complexity of the potential disruption to business continuity.
• Failure to monitor and enforce compliance by the entire school community with the new procedures and measures in place to minimise infection transmission risk.

The First Forgotten Risk – Strategic Planning

Craig explored strategic planning as the first forgotten risk of risk management. Schools should identify their strategic risks and then use those risks to develop their strategic plan. Many schools develop their strategic plans without first considering their strategic risks. In addition, schools often do not identify operational or strategic risks that may prevent the school achieving its strategic objectives. These can be identified at the time the plan is developed.

The strategic risks associated with a school’s strategic plan include:

• Failure to establish and communicate to key stakeholders (students, parents, staff and members of the wider school community) the school's strategic plan and effectively monitor the execution of the strategic plan over its term.
• Failure to incorporate an analysis of key strategic and operational risks in the development of the school’s strategic plan.
• Failure to ensure the strategic plan is capable of effective implementation and contains measurable outcomes.
• Failure to set realistic strategic goals that are capable of effective implementation and are measurable and achievable and to provide sufficient resources to enable the goals to be achieved.

The operational risks associated with a school’s strategic plan include:

• Failure to have systems and processes to gather data and measure the implementation of the strategic plan and provide regular reports to the board on implementation progress.
• Failure to provide information to staff on the strategic plan and engage with key staff and the school executive to support and implement the plan.
• Failure to develop a plan for implementing the strategic plan that contains details as to how the plan will be implemented, responsibilities and accountabilities for implementation and timeframes and key milestones.

Some common failures regarding operational risks associated with strategic plans include having a plan that is simply a marketing tool, having the wrong people involved, and pressing on regardless of whether the plan is still relevant. Craig also noted that plans that discuss school values, aspirations and other lofty statements, should not be considered a strategic plan.

The Second Forgotten Risk – Talent Management

Craig moved on to the second forgotten risk of talent management. Staff are a school’s greatest asset. However, schools may not properly contemplate the risks associated with their talent management. Talent management is more than a compliance issue. It involves a lot of risks associated with things such as school culture, codes of conduct, child safe recruitment and selection, internal grievance procedures, and board reporting. Moreover, talent management is crucial in the current age, with increasing concerns regarding staff retirement, taking extended leave, and workplace stress particularly associated with teaching both online and face-to-face. Due to the age of many current school leaders, a large number will retire in the next three to five years. This makes talent identification and retention and succession planning key risks for schools to address.

The strategic risks associated with talent management include:

• The school's human resources infrastructure for teaching and non-teaching staff (e.g. HR policies and procedures, recruitment, induction, performance reviews, ongoing training, remuneration and reward mechanisms, discipline and termination policies etc) fails to support the development of a high-performance team.
• Failure to establish and effectively implement policies and procedures to monitor and evaluate the performance of the School Executive team.
• Failure develop succession plans to manage the retirement or resignation of Executive Staff members.

The operational risks associated with talent management include:

• Failure of the board and senior executive management to provide appropriate leadership to allow the school to meet its goals and objectives.
• There is a lack of accountability among staff members with respect to their particular roles and responsibilities and their leadership roles within the school.
• Failure to establish and effectively implement an internal training program for staff which provides updates with respect to key legal and regulatory changes.

The Third Forgotten Risk – Policy Management

Jonathan then explored the third forgotten risk of policy management. Policy management is critical for good risk management on the ‘front line’. The staff involved in the day-to-day management of business operations are any school’s best defence and most important risk management tool Schools should ensure these staff know what to do. This requires clear and accessible up-to-date policies and staff training.

Jonathan discussed some myths of policy management such as that having a policy is sufficient for compliance purposes even if it is not implemented. Another myth is that it is okay for policies to be borrowed and rebadged without sufficient contextualisation. Good policy management requires an ongoing investment in a system that makes the documents accessible and includes the ability for staff to be trained in those policies and for compliance to be monitored.

The strategic risks associated with policy management include:

• Failure to resource an overarching policy management program that addresses key organisational operational and strategic risks and receive regular reports on the effectiveness of the program.
• Failure to resource policy implementation systems that include single location accessible policies, staff training, monitoring of policy compliance and reporting.

The operational risks associated with policy management include:

• Failure to establish and effectively implement a policy management system through which the school maintains a comprehensive set of policies designed to ensure compliance with key legal and regulatory obligations and through which the school ensures that all policies and procedures are maintained up-to-date, with effective version control, and are readily accessible by staff from one central location.
• Failure to measure the effectiveness of policy implementation systems in changing behaviour and managing risk.

The Fourth Forgotten Risk – Privacy

The fourth forgotten risk is privacy, which Jonathan discussed. The context for privacy risks in schools is complex because schools are dealing with a large group of stakeholders, such as past, future and current students and parents, and outdoor education providers, large numbers of staff and former staff including many casual or part time staff, all of whom will manage data that is subject to the Privacy Act 1988 (Privacy Act) requirements.

Privacy compliance with the Privacy Act and the Australian Privacy Principles should be considered as part of the bigger concept of information governance. Information governance encompasses the overall strategy and systems for managing information across the whole organisation. This includes:

• having an overall strategy for information
• ensuring legal and regulatory compliance with the Privacy Act and other legislation
• governing all aspects of the school information environment
• providing clarity for both staff, particularly frontline staff, and the school community as to how information is held, used and secured.

The COVID-19 pandemic has added a new layer of complexity to privacy and information governance, particularly in relation to working from home. This has enlarged schools’ digital footprints and therefore increased the potential for data breaches and cyber attack.

The strategic risks associated with privacy include:

• Failure to develop an overarching information governance program that ensures legal and regulatory compliance, is transparent and provides a framework for the school in handling data which includes security, archiving and storage, and risk management.
• Failure to ensure systems and processes are in place to notify the board in the event of a notifiable data breach.

The operational risks associated with privacy include:

• Failure to manage the personal information of individuals (including current, prospective and former students and their parents/carers) in accordance with the 13 Australian Privacy Principles.
• Failure to identify personal information that may have been held by staff during the COVID-19 lockdown and ensure that any personal information, including sensitive personal information, is returned to the school or securely destroyed and not retained in any form at staff homes or on staff home computers and storage devices.
• Failure to train staff as to the requirements of the 13 Australian Privacy Principles and the school procedures in place to comply with the Principles including the school Privacy Act compliance procedures that apply in situations of home isolation and online teaching from home.
• Failure to review all elements of the school’s online learning environment to ensure that any online safety, data security and Privacy Act compliance issues are identified and measures are put in place to prevent recurrence should there be further periods of online learning in the future.

The Fifth Forgotten Risk – Complaints

Craig went through the fifth forgotten risk of complaints. Schools should review their current complaints handling policies and procedures to abide by legal obligations and protect their reputation.

Complaints handling should be embedded within a school’s culture. It includes having things such as parent-facing policies on the school’s public website, a complaints capture process, and a complaints investigation process.

The strategic risks associated with complaints handling include:

• Failure by the board to receive regular reports regarding complaints that may impact on the achievement of strategic objectives or result in a review of current objectives.
• Failure to develop and support a school culture of openness, transparency and continuous improvement.
• Failure to manage key stakeholder relationships and community partnerships effectively due to lack of information regarding key stakeholder concerns and complaints.

The operational risks associated with complaints include:

• Failure to effectively implement systems and procedures to manage complaints and feedback from parents and the wider community in a structured, timely and consistent manner.
• Failure to develop mechanisms for receiving parent and community feedback and complaints to assist the school to maintain a culture of continuous improvement.
• Failure to support staff in dealing with feedback and complaints from parents, leaving staff exposed to further, more difficult conversations and increased workplace stress.

The Sixth Forgotten Risk – Child Protection and Child Safety

Craig also explored the sixth forgotten risk of child protection and child safety. Child safety is the umbrella term that encompasses child protection. UNICEF Australia defines child protection as the program, measures, and structures to prevent and respond to abuse, exploitation, neglect, and violence affecting children in all sectors, contexts and across all environments. However, this is different to child protection systems, which are laws, policies, regulations, and services that we need across all sectors to support child protection and to respond to child protection related risks.

Although teachers practise child safety and child protection on a daily basis, the question is whether schools have a holistic program with policies and procedures in place that document the practices that are actually occurring in order for the school to be a child safe organisation. This is a massive paradigm shift for schools as schools are being asked to move from a compliance mindset, to becoming a child safe organisation.

If schools want to effectively deal with the risks associated with child safety, they should show how they are abiding by the National Principles for Child Safe Organisations (National Principles), and how their policies and processes are practised by their staff.

The strategic risks associated with child safety and child protection include:

• Failure by the board to understand, plan for, and adequately resource the people, systems and processes necessary to effectively implement the National Principles for Child Safe Organisations
• The board fails to review current child safety strategies and develop new strategies that align with and support the full implementation of the National Principles in the school.
• Failure to establish and effectively implement strategies and initiatives to develop and maintain a school culture that is reflective of the school's values, mission statement and objectives and aligns with the National Principles.

The operational risks associated with child safety and child protection include:

• The school fails to establish and effectively implement policies and procedures to ensure that it meets its legal and regulatory obligations in relation to child protection and develop a child safe culture within the school.
• Failure to fully implement the National Principles within the school and to verify compliance with each standard by mapping all of the school systems, processes, policies, procedures, staff recruitment and training systems against each standard.
• Failure to implement information gathering and reporting systems to provide assurance that each of the standards are being effectively implemented.
• The school executive fails to interrogate the effectiveness of measures within the school to create a child safe organisation in line with the National Principles.

The Seventh Forgotten Risk – Excursions

Jonathan discussed the seventh forgotten risk of excursions. COVID-19 has added a whole layer of complexities around excursions.

The strategic risks associated with excursions include:

• The board fails to review current strategies and programs that position the school as offering a wide variety of academic enrichment and extra-curricular excursions and activities in the light of potential continuing pandemic restrictions.
• Failure to undertake planning and provide sufficient resources to enable academic enrichment and extra-curricular excursions to continue to operate when restrictions allow.

The operational risks associated with excursions include:

• Failure to effectively develop and implement infection control policies for conducting school excursions and incursions.
• Failure to take all steps that are reasonably practicable to reduce COVID-19 infection transmission in the school community while conducting school excursions and incursions.
• Failure to communicate new excursion infection control policies and procedures for excursions with the school community.

The Eight Forgotten Risk – Enterprise Risk Management

Jonathan explored how the eight forgotten risk is enterprise risk management itself. This risk relates to the fact that schools often do not actually have a detailed overall program to engage in a proper risk management process. This is not surprising given that enterprise risk management is a relatively new concept.

Schools are under pressure to have enterprise risk management embedded in their operations. This is for a variety of reasons, including:

• governing bodies increasingly asking for reports relating to risk that show how the school is managing their risks
• pressure to give students access to more opportunities rather than wrapping them in bubble wrap
• community expectations that schools will have systems and processes in place for managing risk
• schools being at varying levels of risk maturity with some just beginning that risk maturity journey.

This eighth forgotten risk (which can be categorised as a strategic risk) can be articulated as:

• The school fails to establish, and effectively implement, an enterprise risk management program through which the governing body and management team are able to identify, assess, review, manage and report on organisational risks.

Key Takeaways

The key takeaways from the Webinar:

• strategic and operational risks can arise from the same area of risk and both should be identified.
• the eight risks discussed in the Webinar are frequently forgotten particularly the strategic risks associated with these risk areas.

If you are interested in learning more about these topics in our upcoming three webinars, please click here to learn more and register:

• “School Risk Management through Good Policy Management – Essential for Managing Risk” Webinar by Jonathan Oliver and Craig D’cruz on 15 October 2020. 
• “Reporting – Verifying that Your School Risk Controls are Working so you can Sleep at Night” Webinar by Jonathan Oliver and Craig D’cruz on 29 October 2020. 
• “Child Protection Risk in 2021: Managing Risk Under the National Principles for Child Safe Organisations” Webinar by Deborah de Fina on 12 November 2020.