Schools have faced many risk management challenges during the pandemic and some of these challenges will continue for some time. Vulnerabilities in the way that schools have managed risk prior to the pandemic left many schools unprepared for what they have had to deal with over the last few years. Schools with these vulnerabilities were (and are) less resilient in the face of threats and challenges whether these are internal or external.

The three articles in this series highlight six key things that schools can learn about risk and resilience from the pandemic and discusses key trends, issues and influences that are part of the risk and compliance environment in which schools now operate.

Introduction

In John Rapley’s essay “Plagues and Empires’” he says: “An exogenous shock must encounter a vulnerability to bring down a regime”. As they emerge from the pandemic all organisations are asking questions such as:

• What vulnerabilities in our operations and strategy highlighted by the pandemic could have brought us down?
• How do we become more resilient?
• Is our pre-pandemic strategy still relevant now?

The second and third articles in this series will highlight the six key things that schools can learn from the pandemic about managing risk and developing resilience.

However, it is essential to develop the context by discussing the four areas that are part of the risk and compliance environment (or context) in which schools now operate. The four areas are:

1. The governance, risk and compliance (GRC) landscape has been changed by the pandemic
2. The International Risk Management Standard maintained its relevance
3. Risk and resilience
4. The increasing importance of environmental, social and governance (ESG) risk management.

Context (I): The governance risk and compliance (GRC) landscape has been changed by the pandemic

A recent report of a survey of risk and compliance professionals from a range of industries published by the Open Compliance and Ethics Group (OCEG) highlighted just how much the pandemic has changed the, governance, risk and compliance (GRC) landscape. The report’s introduction discussed the perceptions of rapid change in the GRC landscape and the unpreparedness for some organisations to deal with this change:

“Perception of an increasingly volatile world and an expectation of no return to a previous normal, along with an active regulatory landscape, has placed substantial stress on already inundated GRC professionals and their programs… Companies that have not adjusted their GRC programs to the disruptions of the last few years and are not prepared for or adapting to this new reality will see challenges mounting.”

And:

“So, what does it mean to be prepared?... Are your GRC functions dispersed or siloed? Are you using a manual approach to managing governance, risk, and compliance activities? What kind of technology are you using – spreadsheets, point solutions, or integrated software solutions?”

85 per cent of survey respondents confirmed that there have been significant changes to their GRC universe in the last two years. Two key challenges identified were:

• employees working remotely
• increased data privacy and cyber security concerns.

Despite broad consensus among the survey respondents that the GRC universe had changed:

• only 55 per cent had a greater focus on risk management
• only 42 per cent had a greater focus on compliance and governance
• 20 per cent have not acted or can’t report any changes in their programs in response to the broadly-acknowledged increases in risk
• 25 per cent are still using siloed, spreadsheet-based technologies
• more than 15 per cent have no standard GRC structure.

If OCEG had surveyed school leaders for the report, one wonders what the results would be. Readers can make up their own minds. This writer would expect that the results would be similar with perhaps a much higher number of respondents still using spreadsheet-based, siloed risk practices and many more than 15 per cent having no standard GRC structure in place.

School leaders would also no doubt agree that the GRC landscape has changed substantially especially during times of remote teaching and learning, and where all staff worked from home. Systems and processes that relied heavily on being delivered on the premises had to be adapted or new ways of working and teaching developed. There were also many increased risk and compliance challenges related to staff and student welfare and wellbeing as well as privacy and data security challenges.

Context (II): The International Risk Management Standard maintained its relevance

This is an important context for any discussion of risk and the pandemic as the International Risk Management Standard ISO 31000 (2018) Risk Management Guidelines (International Risk Management Standard) should, in theory, provide the primary guidance and theoretical framework for managing pandemic risk. But can the theoretical framework be applied to the pandemic – a real life risk scenario? Yes, it can.

The introduction to the International Risk Management Standard makes this statement:

“Organizations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.” 

The International Risk Management Standard defines “risk” as: “(the) effect of uncertainty on objectives”.

After the definition, some notes to the definition are provided. The first two are:

“Note 1 […] An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.

Note 2 […] Objectives can have different aspects and categories and can be applied at different levels.”

Applying this to what schools have experienced during the course of the pandemic:

• the pandemic was a clear example of the “effect of uncertainty” in the form of an external event that impacted schools’ ability to continue doing what they were doing and achieve their operational and strategic objectives
• the pandemic was a deviation from what was expected that resulted in both threats and opportunities.
• some of the negative effects (threats) included:
  • impacts on the health and safety of staff and students and the mental health of all
  • the inability to continue to teach when not done in the traditional way
  • the inability to continue with current extra-curricular activities, excursions, camps and sports
  • a greater risk of cyber-attacks
  • increased risk to data security and privacy
  • the inability to easily identify and monitor students at risk
• some of the positive effects (opportunities) included:
  • the increased effective use of IT in education
  • fast forwarding of IT infrastructure investment
  • the creation of resources and infrastructure to enable learning from anywhere any time
  • increased IT competency of staff
  • providing confirmation (in some cases) that off premises remote operations were relatively effective
• the pandemic impacted many school objectives and activities – from strategic objectives (for example, new teaching programs, building master planning or increasing the intake of overseas students) to all aspects of day-to-day operations (such as spending on casual and relief teachers and the costs of IT systems)
• the pandemic clearly demonstrated that risks can affect all types and sizes of organisations (educational institutions big or small) and create uncertainty as to whether objectives will be achieved.

Context (III): Risk and resilience

Risk and resilience are closely linked. The OECD defines resilience as “the ability of households, communities and nations to recover from shocks”, whether internal or external, and known or unknown.

The Australian Disaster Resilience Knowledge Hub (part of the National Recovery and Resilience Agency) defines resilience as:

“The ability of a system, community or society exposed to hazards to resist, absorb, accommodate, adapt to, transform and recover from the effects of a hazard in a timely and efficient manner, including through the preservation and restoration of its essential basic structures and functions through risk management.”

You will notice that, in the definition of resilience above, it states that it is “through risk management” that communities (and organisations) “resist, absorb, accommodate, adapt to, transform and recover”.

Gibson and Tarrant state that resilience is “founded upon good risk management”. [An organisation’s] “approach to developing resilience will be based upon the sound assessment, treatment and monitoring of, and communication about risk”.

Most organisations can operate effectively in routine environments that are stable and predictable (Gibson and Tarrant). Greater levels of organisational resilience can be achieved by the identification and effective management of risks that pose a threat to ongoing operations and to the achievement of organisational objectives.

Some parts of an organisation can demonstrate a high degree of resilience at the same time as other parts demonstrate much lower levels of resilience. This means that the identification and control of risks that could impact operations and the achievement of objectives should occur across the whole organisation so that risk management and risk resilience is not siloed.

Not all risk events can be easily identified or anticipated, and many would argue that the pandemic falls into this category. Even though not all risk events can be anticipated, an organisation that has a structured approach to identifying potential adverse risk events, and implements risk controls for these, will be much better prepared for any unanticipated risk events as well as those that can be anticipated.

It is perhaps stating the obvious that schools that had well-developed risk management systems and processes had a much greater capacity to absorb and adapt to the pandemic and its consequences and were therefore much more resilient.

Context (IV): The increasing importance of ESG risk management

So much is being written about the increased significance to people of environmental, social and governance (ESG) issues and the need for companies and organisations of all types to address and invest in ESG risk management.

“Environment” refers to the environmental impacts of a business including energy use and emissions, carbon footprint, waste management and pollution. “Social” includes an organisation’s relationships and reputation and the impacts on, and the treatment of, the people and communities that are part of a business ecosystem including employees, volunteers and contractors and those in the supply chain. “Governance” is the internal systems, controls and practices related to the strategic and operational decision-making, including transparency and accountability, compliance, ethics and culture.

The concept of ‘build back better’ is driving social attitudes and influencing corporate culture. Speaking of the ESG trend, global law firm White and Case states:

“The pandemic has accentuated this trend and emphasized more starkly than ever the interconnectedness of society and the fragility of our world, building awareness of key ESG issues”.

The International Monetary Fund published an article: “Six prominent thinkers reflect on how the pandemic has changed the world”. Some of the reflections related to ESG issues included:

• the fragility of the human situation has come sharply into focus
• the mismatch between the social value of ‘key workers’ and the low wages that they receive
• the increased focus on the inequalities and injustices that existed before the pandemic which the pandemic brought into sharp focus
• the post-pandemic is an opportunity to solve the problems and bring about fundamental change (‘build back better’)
• the digital economy and the future of work arrived faster as did the challenges that came with it
• public investment in the ‘care economy’, education and climate change solutions is now a top priority.

The care economy includes the paid and unpaid labour required to care for and educate children, meet people’s physical and mental health needs and the needs of individuals who require assistance for daily living because of illness, age or disability.

Schools are part of the care economy and, as a result, there is increased scrutiny on their activities as the costs to government of supporting the care economy require effective and transparent use of government funds.

ESG issues will continue to increase in importance around the world, for example, climate change, modern slavery, and ethical supply chains. This means that no organisation can expect to have an unrestricted licence to operate without addressing ESG issues in their operations and within their broader organisational ecosystem. Schools will need to be proactive rather than reactive to these issues.

Concluding Comments

In the next two articles of this three-part series, Jonathan will identify and describe the six key things that schools can learn about risk and resilience from the pandemic including gaps in school risk systems and processes, business continuity planning, the shift in mindset during the pandemic towards ‘people first’, increased environmental, social and governance concerns, and the relevance of the International Risk Management Standard ISO 31000 (2018) Risk Management - Guidelines to the pandemic.