The final three areas where the effect of the pandemic highlighted vulnerabilities in schools’ risk management both at a strategic and operational level are outlined in this article.
Schools with these vulnerabilities were less resilient (and are still perhaps less resilient) as they continue to address these vulnerabilities.
In addition to a brief description of each of these three vulnerabilities, we have also provided some suggested responses for each and questions for schools to consider.
While this relates to vulnerability number one (Schools had significant gaps in their risk management systems which left them vulnerable in the heightened risk environment of the pandemic), the focus of this area is the systems and processes for managing risk. The greater focus on risk management that the pandemic brought with it has meant that schools have had to consider the ways in which they may have managed and reported on risk in the past and consider investing in what is generically known as ‘GRC software’.
The decision to invest in risk management software and systems and exactly what software and systems to use are critical strategic issues for school leaders and governing bodies. Schools should consider how this software and these systems can support the effective management of operational and strategic risk and increase organisational resilience.
There are many systems that can support and assist in risk management. They have common features such as:
Some systems also have capability for policy management, policy delivery and online training.
These systems are widely used in business environments and are becoming more widely used in schools. The purpose of these systems is to build an enterprise level risk management and compliance system rather than have risk and compliance silos in various operational areas within the organisation with little overall visibility as to how well risks are being managed or the extent to which compliance requirements are being met. School governing bodies are also expecting the school to have risk management systems that will enable them to receive meaningful risk management and compliance reporting.
The people working at the frontline of organisations have been termed the “human firewall”.
The concept of the human firewall is explained by Rasmussen:
“The weakest area of any governance, risk management, and compliance (GRC) strategy is humans. Humans make mistakes, they do dumb things, they can be negligent, and they can also be malicious. ….. Nurturing corporate culture and behavior is absolutely critical. The Human Firewall is the greatest protection of the organization. At the end of the day, people make decisions, initiate transactions, and they have access to data and processes.”
Rasmussen suggests a number of ways that organisations can protect and support the human firewall. They are:
Rasmussen also makes the point that any business is part of an ‘extended enterprise’ and is reliant on third parties such as suppliers and in the school context also volunteers to all work together to manage risk and enable compliance. These people are all part of the extended enterprise human firewall.
The pandemic and lockdowns highlighted difficulties for schools that relied on people being present on school premises for systems and services to work. Schools that had invested in resources such as IT infrastructure and software systems to actively support the ‘human firewall’ in more flexible, online accessible ways, were able to better deploy these resources when staff and students were teaching and learning at home.
Policies and training are crucial in communicating and enforcing workplace behaviours, guiding conduct and therefore protecting the organisation. They are an important risk control. Many schools have been reliant on the on premises delivery of policies, procedures and training and lacked the capability to deliver these in an online environment that was accessible anywhere, anytime. Systems for reporting issues and incidents were also often on premises dependent, using paper-based or in person methods for reporting. Onboarding of new staff was likewise often heavily dependent on in-person, on premises sessions and training.
There is a growing expectation that flexible work arrangements involving work from home opportunities will be available to school staff in some form whether or not a pandemic or similar disruption requires it. Best practice delivery of policies and procedures, incident and issue reporting and other supports and supervision for frontline staff requires investment in technology solutions to remove the need for these to be delivered on premises or in person.
School governance failures can occur for a wide range of reasons. They can arise from poor decision-making, lack of transparency and accountability, a failure to develop and implement appropriate strategy, poor relationships with internal and external stakeholders, lack of identification of strategic risks and lack of effective strategic risk control.
In the current environment and context, more is expected and required of school governing bodies and school leaders. School boards and school leaders are being held to account more than ever by school regulators and by governments. This accountability for school operations includes the behaviour of students and staff and the expectation that governing bodies will ensure that the National Principles for Child Safe Organisations are being implemented. See for example the role of governing authorities in implementation of the Victorian Child Safe Standards which say:
“independent schools must ensure their governing authority understands the obligations of Ministerial Order 1359 and approves the policies and procedures it requires”.
Expectations on governing bodies also include ensuring that expenditure decisions are appropriate and passing the ‘pub test’. There is ongoing media scrutiny of independent schools’ capital expenditure.
Risk management is fundamental to good governance of any organisation. The introduction to the International Risk Management Standard contains six points. While all points relate in some way to the importance of effective governance as part of managing risk, points 2 and 3 are particularly relevant to governing bodies.
They are:
“2. Managing risk is iterative and assists organizations in setting strategy, achieving objectives and making informed decisions.
3. Managing risk is part of governance and leadership, and is fundamental to how the organization is managed at all levels. It contributes to the improvement of management systems.”
Some, perhaps many, school governing bodies would not use risk management as an effective tool to support good board decision-making and strategy development and would not understand or be able to articulate why effective risk management is fundamental to how a school should be managed. A whole of school approach to managing risk cannot succeed without top down commitment and leadership.
These three articles have not attempted to cover all of the risk issues and challenges that schools continue to manage. However, it is hoped that they will encourage school governing bodies and school leaders to ask the key questions such as how schools can build resilience, how they can become more risk mature and whether they have the right people and resources to support moving to a more risk mature state.
The pandemic is an opportunity for schools to reassess priorities and strategy, to consider the current use of technology, to undertake a review of the governance, risk and compliance capabilities of the school and to understand the needs of, and implement new ways of supporting, frontline staff.
At the same time, schools will need to adjust to and understand new post pandemic realities such as increased regulatory scrutiny and accountability, increased community expectations concerning transparency and address community and stakeholder views related to environmental, social and governance issues.
See also Part 1 and Part 2 of this series.