Schools have faced many risk management challenges during the pandemic and some of these challenges will continue for some time. Vulnerabilities in the way that schools have managed risk prior to the pandemic left many schools unprepared for what they have had to deal with over the last few years. Schools with these vulnerabilities were (and are) less resilient in the face of threats and challenges whether these are internal or external.
The three articles in this series highlight six key things that schools can learn about risk and resilience from the pandemic and discusses key trends, issues and influences that are part of the risk and compliance environment in which schools now operate.
In John Rapley’s essay “Plagues and Empires’” he says: “An exogenous shock must encounter a vulnerability to bring down a regime”. As they emerge from the pandemic all organisations are asking questions such as:
The second and third articles in this series will highlight the six key things that schools can learn from the pandemic about managing risk and developing resilience.
However, it is essential to develop the context by discussing the four areas that are part of the risk and compliance environment (or context) in which schools now operate. The four areas are:
A recent report of a survey of risk and compliance professionals from a range of industries published by the Open Compliance and Ethics Group (OCEG) highlighted just how much the pandemic has changed the, governance, risk and compliance (GRC) landscape. The report’s introduction discussed the perceptions of rapid change in the GRC landscape and the unpreparedness for some organisations to deal with this change:
“Perception of an increasingly volatile world and an expectation of no return to a previous normal, along with an active regulatory landscape, has placed substantial stress on already inundated GRC professionals and their programs… Companies that have not adjusted their GRC programs to the disruptions of the last few years and are not prepared for or adapting to this new reality will see challenges mounting.”
And:
“So, what does it mean to be prepared?... Are your GRC functions dispersed or siloed? Are you using a manual approach to managing governance, risk, and compliance activities? What kind of technology are you using – spreadsheets, point solutions, or integrated software solutions?”
85 per cent of survey respondents confirmed that there have been significant changes to their GRC universe in the last two years. Two key challenges identified were:
Despite broad consensus among the survey respondents that the GRC universe had changed:
If OCEG had surveyed school leaders for the report, one wonders what the results would be. Readers can make up their own minds. This writer would expect that the results would be similar with perhaps a much higher number of respondents still using spreadsheet-based, siloed risk practices and many more than 15 per cent having no standard GRC structure in place.
School leaders would also no doubt agree that the GRC landscape has changed substantially especially during times of remote teaching and learning, and where all staff worked from home. Systems and processes that relied heavily on being delivered on the premises had to be adapted or new ways of working and teaching developed. There were also many increased risk and compliance challenges related to staff and student welfare and wellbeing as well as privacy and data security challenges.
This is an important context for any discussion of risk and the pandemic as the International Risk Management Standard ISO 31000 (2018) Risk Management Guidelines (International Risk Management Standard) should, in theory, provide the primary guidance and theoretical framework for managing pandemic risk. But can the theoretical framework be applied to the pandemic – a real life risk scenario? Yes, it can.
The introduction to the International Risk Management Standard makes this statement:
“Organizations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.”
The International Risk Management Standard defines “risk” as: “(the) effect of uncertainty on objectives”.
After the definition, some notes to the definition are provided. The first two are:
“Note 1 […] An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.
Note 2 […] Objectives can have different aspects and categories and can be applied at different levels.”
Applying this to what schools have experienced during the course of the pandemic:
Risk and resilience are closely linked. The OECD defines resilience as “the ability of households, communities and nations to recover from shocks”, whether internal or external, and known or unknown.
The Australian Disaster Resilience Knowledge Hub (part of the National Recovery and Resilience Agency) defines resilience as:
“The ability of a system, community or society exposed to hazards to resist, absorb, accommodate, adapt to, transform and recover from the effects of a hazard in a timely and efficient manner, including through the preservation and restoration of its essential basic structures and functions through risk management.”
You will notice that, in the definition of resilience above, it states that it is “through risk management” that communities (and organisations) “resist, absorb, accommodate, adapt to, transform and recover”.
Gibson and Tarrant state that resilience is “founded upon good risk management”. [An organisation’s] “approach to developing resilience will be based upon the sound assessment, treatment and monitoring of, and communication about risk”.
Most organisations can operate effectively in routine environments that are stable and predictable (Gibson and Tarrant). Greater levels of organisational resilience can be achieved by the identification and effective management of risks that pose a threat to ongoing operations and to the achievement of organisational objectives.
Some parts of an organisation can demonstrate a high degree of resilience at the same time as other parts demonstrate much lower levels of resilience. This means that the identification and control of risks that could impact operations and the achievement of objectives should occur across the whole organisation so that risk management and risk resilience is not siloed.
Not all risk events can be easily identified or anticipated, and many would argue that the pandemic falls into this category. Even though not all risk events can be anticipated, an organisation that has a structured approach to identifying potential adverse risk events, and implements risk controls for these, will be much better prepared for any unanticipated risk events as well as those that can be anticipated.
It is perhaps stating the obvious that schools that had well-developed risk management systems and processes had a much greater capacity to absorb and adapt to the pandemic and its consequences and were therefore much more resilient.
So much is being written about the increased significance to people of environmental, social and governance (ESG) issues and the need for companies and organisations of all types to address and invest in ESG risk management.
“Environment” refers to the environmental impacts of a business including energy use and emissions, carbon footprint, waste management and pollution. “Social” includes an organisation’s relationships and reputation and the impacts on, and the treatment of, the people and communities that are part of a business ecosystem including employees, volunteers and contractors and those in the supply chain. “Governance” is the internal systems, controls and practices related to the strategic and operational decision-making, including transparency and accountability, compliance, ethics and culture.
The concept of ‘build back better’ is driving social attitudes and influencing corporate culture. Speaking of the ESG trend, global law firm White and Case states:
“The pandemic has accentuated this trend and emphasized more starkly than ever the interconnectedness of society and the fragility of our world, building awareness of key ESG issues”.
The International Monetary Fund published an article: “Six prominent thinkers reflect on how the pandemic has changed the world”. Some of the reflections related to ESG issues included:
The care economy includes the paid and unpaid labour required to care for and educate children, meet people’s physical and mental health needs and the needs of individuals who require assistance for daily living because of illness, age or disability.
Schools are part of the care economy and, as a result, there is increased scrutiny on their activities as the costs to government of supporting the care economy require effective and transparent use of government funds.
ESG issues will continue to increase in importance around the world, for example, climate change, modern slavery, and ethical supply chains. This means that no organisation can expect to have an unrestricted licence to operate without addressing ESG issues in their operations and within their broader organisational ecosystem. Schools will need to be proactive rather than reactive to these issues.
In the next two articles of this three-part series, Jonathan will identify and describe the six key things that schools can learn about risk and resilience from the pandemic including gaps in school risk systems and processes, business continuity planning, the shift in mindset during the pandemic towards ‘people first’, increased environmental, social and governance concerns, and the relevance of the International Risk Management Standard ISO 31000 (2018) Risk Management - Guidelines to the pandemic.