The final three areas where the effect of the pandemic highlighted vulnerabilities in schools’ risk management both at a strategic and operational level are outlined in this article.

Schools with these vulnerabilities were less resilient (and are still perhaps less resilient) as they continue to address these vulnerabilities.

• Insufficient investment in systems for managing risk and compliance left schools vulnerable
• Schools that had well-developed systems for supporting frontline staff in risk and compliance were more resilient
• The risks associated with failures and underperformance in school governance are greater than ever.

In addition to a brief description of each of these three vulnerabilities, we have also provided some suggested responses for each and questions for schools to consider.

Insufficient investment in systems for managing risk and compliance left schools vulnerable

While this relates to vulnerability number one (Schools had significant gaps in their risk management systems which left them vulnerable in the heightened risk environment of the pandemic), the focus of this area is the systems and processes for managing risk. The greater focus on risk management that the pandemic brought with it has meant that schools have had to consider the ways in which they may have managed and reported on risk in the past and consider investing in what is generically known as ‘GRC software’.

The decision to invest in risk management software and systems and exactly what software and systems to use are critical strategic issues for school leaders and governing bodies. Schools should consider how this software and these systems can support the effective management of operational and strategic risk and increase organisational resilience.

There are many systems that can support and assist in risk management. They have common features such as:

• incident and issue reporting and management
• health and safety hazard reporting and management
• risk registers
• compliance registers
• compliance task automation
• online risk assessments
• dynamic linking of risk and compliance data to risk and compliance registers
• risk analysis and reporting
• risk control registers
• checklists
• audit tools
• reporting and analytics
• complaints and feedback forms and registers.

Some systems also have capability for policy management, policy delivery and online training.

These systems are widely used in business environments and are becoming more widely used in schools. The purpose of these systems is to build an enterprise level risk management and compliance system rather than have risk and compliance silos in various operational areas within the organisation with little overall visibility as to how well risks are being managed or the extent to which compliance requirements are being met. School governing bodies are also expecting the school to have risk management systems that will enable them to receive meaningful risk management and compliance reporting.

Some Suggested Responses

• Ensure that the school governing body and school leadership team understand the benefits of enterprise risk and compliance systems
• Consider the resourcing required to effectively implement a GRC system within acceptable timeframes
• Plan and implement a change management strategy for the introduction of new GRC systems
• Ensure that key influencers within the organisation are aware of, and are able to articulate, why these GRC systems are important
• Undertake due diligence processes on available systems and identify non-negotiable key system capabilities.

Some Key Questions to Ask

• Are we able to capture and report key data with respect to organisational performance such as risks, compliance breaches, injuries and complaints?
• Do our current systems and processes provide assurance that the school is compliant with laws and regulations?
• Will a new software-based GRC system enhance our ability to meet strategic goals and objectives and to effectively manage and report on operational and strategic risk?

Schools that had well-developed systems for supporting frontline staff in risk and compliance were (and are) more resilient

The people working at the frontline of organisations have been termed the “human firewall”.

The concept of the human firewall is explained by Rasmussen:

“The weakest area of any governance, risk management, and compliance (GRC) strategy is humans. Humans make mistakes, they do dumb things, they can be negligent, and they can also be malicious. ….. Nurturing corporate culture and behavior is absolutely critical. The Human Firewall is the greatest protection of the organization. At the end of the day, people make decisions, initiate transactions, and they have access to data and processes.”

Rasmussen suggests a number of ways that organisations can protect and support the human firewall. They are:

• policies that are well-written and easy to understand and apply to the operational context
• policy delivery and engagement that enables policies to be easily accessed when needed, and that are easy to find and read
• training that is focused on learner needs, is engaging, accessible when needed and provides clear guidance on what is required in related policies
• ssue reporting to enable frontline staff to report and alert management when things go wrong or have the potential to go wrong. This includes incidents, hazards, compliance failures, risk control failures and complaints handling.

Rasmussen also makes the point that any business is part of an ‘extended enterprise’ and is reliant on third parties such as suppliers and in the school context also volunteers to all work together to manage risk and enable compliance. These people are all part of the extended enterprise human firewall.

The pandemic and lockdowns highlighted difficulties for schools that relied on people being present on school premises for systems and services to work. Schools that had invested in resources such as IT infrastructure and software systems to actively support the ‘human firewall’ in more flexible, online accessible ways, were able to better deploy these resources when staff and students were teaching and learning at home.

Policies and training are crucial in communicating and enforcing workplace behaviours, guiding conduct and therefore protecting the organisation. They are an important risk control. Many schools have been reliant on the on premises delivery of policies, procedures and training and lacked the capability to deliver these in an online environment that was accessible anywhere, anytime. Systems for reporting issues and incidents were also often on premises dependent, using paper-based or in person methods for reporting. Onboarding of new staff was likewise often heavily dependent on in-person, on premises sessions and training.

There is a growing expectation that flexible work arrangements involving work from home opportunities will be available to school staff in some form whether or not a pandemic or similar disruption requires it. Best practice delivery of policies and procedures, incident and issue reporting and other supports and supervision for frontline staff requires investment in technology solutions to remove the need for these to be delivered on premises or in person.

Some Suggested Responses

• Review the overall staff training and induction training that occurred during the pandemic and determine if flexible, online learning systems would have enabled greater levels of access and easier delivery
• Analyse the current systems for delivery of policies and procedures to determine if there are ways that can increase flexible, easy access for staff
• Consider alternative methods for issue reporting through online forms and customisable workflows
• Understand the scope of school policies and identify policy gaps.

Some Key Questions to Ask

• How accessible and easy to read and understand are out current policies and procedures?
• Is there a communications and training program for policies and procedures?
• Do our current policy management and communication systems enable cross-referencing and linking of related policies?
• Are policies centralised so that all staff can access them when required and management have full visibility of the school ‘policy universe’?
• Do our policies and procedures and training provide the necessary guidance so that frontline staff know what to do when managing risks and ensuring compliance?
• Do we have systems for recording issues, incidents, feedback and complaints, and can we aggregate and report on this data?

The risks associated with failures and underperformance in school governance are greater than ever

School governance failures can occur for a wide range of reasons. They can arise from poor decision-making, lack of transparency and accountability, a failure to develop and implement appropriate strategy, poor relationships with internal and external stakeholders, lack of identification of strategic risks and lack of effective strategic risk control.

In the current environment and context, more is expected and required of school governing bodies and school leaders. School boards and school leaders are being held to account more than ever by school regulators and by governments. This accountability for school operations includes the behaviour of students and staff and the expectation that governing bodies will ensure that the National Principles for Child Safe Organisations are being implemented. See for example the role of governing authorities in implementation of the Victorian Child Safe Standards which say:

“independent schools must ensure their governing authority understands the obligations of Ministerial Order 1359 and approves the policies and procedures it requires”.

Expectations on governing bodies also include ensuring that expenditure decisions are appropriate and passing the ‘pub test’. There is ongoing media scrutiny of independent schools’ capital expenditure.

Risk management is fundamental to good governance of any organisation. The introduction to the International Risk Management Standard contains six points. While all points relate in some way to the importance of effective governance as part of managing risk, points 2 and 3 are particularly relevant to governing bodies.

They are:

“2.  Managing risk is iterative and assists organizations in setting strategy, achieving objectives and making informed decisions.

3. Managing risk is part of governance and leadership, and is fundamental to how the organization is managed at all levels. It contributes to the improvement of management systems.”

Some, perhaps many, school governing bodies would not use risk management as an effective tool to support good board decision-making and strategy development and would not understand or be able to articulate why effective risk management is fundamental to how a school should be managed. A whole of school approach to managing risk cannot succeed without top down commitment and leadership.

Some Suggested Responses

• Undertake an evaluation of governance processes to determine if the current processes meet governance needs and requirements
• Review the skills and experience of governing body members, identify gaps and plan for recruiting members to fill gaps
• Review delegations and authorities to determine if they remain suitable and meet current regulatory requirements
• Consider and discuss the extent to which governing body time is spent on management and operations versus strategy and governance
• Evaluate the extent to which the school operates in accordance with legal and regulatory ESG requirements and community expectations and undertake further actions as required
• Instigate a review of school operations to determine how the school can build organisational resilience.

Some Key Questions to Ask

• Have we undertaken a deep review of our strategic risks and our current strategy in light of what we have learned from the pandemic?
• How can we operate in a more inclusive and transparent way that demonstrates an understanding of stakeholder needs?
• Which areas of school operations has the pandemic shown to be under-resourced?
• What information do we have to validate that operational and strategic risks are being effectively controlled?

Concluding Comments

These three articles have not attempted to cover all of the risk issues and challenges that schools continue to manage. However, it is hoped that they will encourage school governing bodies and school leaders to ask the key questions such as how schools can build resilience, how they can become more risk mature and whether they have the right people and resources to support moving to a more risk mature state.

The pandemic is an opportunity for schools to reassess priorities and strategy, to consider the current use of technology, to undertake a review of the governance, risk and compliance capabilities of the school and to understand the needs of, and implement new ways of supporting, frontline staff.

At the same time, schools will need to adjust to and understand new post pandemic realities such as increased regulatory scrutiny and accountability, increased community expectations concerning transparency and address community and stakeholder views related to environmental, social and governance issues.

See also Part 1 and Part 2 of this series.