
Risk and Resilience: Six Key Things that Schools Can Learn from the Pandemic - Part Two

9/03/23

This article and the third article in this three-part series outline six areas where the effect of the pandemic highlighted vulnerabilities in schools’ risk management at both a strategic and an operational level.

Schools with these first three vulnerabilities were less resilient (and are still perhaps less resilient) as they continue to address these vulnerabilities.

  • Schools had significant gaps in their risk management systems that left them vulnerable in the heightened risk environment of the pandemic
  • Business continuity planning was inadequate for pandemic disruption
  • Insufficient investment in IT and infrastructure was a strategic risk for schools.

In addition to a brief description of each of the first three vulnerabilities, we have also provided some suggested responses for each and questions for schools to consider.

 

Schools had significant gaps in their risk management systems which left them vulnerable in the heightened risk environment of the pandemic

The introduction to the International Risk Management Standard says at points 3 and 4:

“3. Managing risk is part of governance and leadership and is fundamental to how the organization is managed at all levels. It contributes to the improvement of management systems.
4. Managing risk is part of all activities associated with an organization and includes interaction with stakeholders.”

Considering these in a school context, many schools do not demonstrate in practice that risk management is a fundamental discipline necessary for the effective governance and management of a school at all levels. Some observations of what this vulnerability looks like in practice include:

  • risk and compliance is siloed into key risk areas such as health and safety and excursions, with little integration of risk across all aspects of the organisation
  • no overarching system and framework and no common definitions and taxonomy to enable senior management to have visibility of risk management everywhere
  • little proactive validation that risks are being effectively managed, and review of risk controls is mostly reactive, i.e. only occurring when something goes wrong
  • little investment in risk systems and automation of risk functions, risk reporting, risk and compliance assurance, incident capture and management
  • little investment in infrastructure to support the management of frontline risks (the human firewall) such as policy management and policy engagement, training and issue reporting.

Many schools have few people with a detailed understanding of end-to-end, enterprise-wide risk management (as opposed to experience in completing a risk assessment for a hazard or excursion).

Having people with the knowledge and skills to implement a ‘whole of enterprise’ approach to managing risk is not a key priority for schools. Often there is one person with a title such as the ‘risk and compliance manager’ given the task of looking after risk and this is a huge benefit. However, sometimes the person in that role is given all of the risk and compliance responsibilities, so the rest of the leadership team don’t have to have any responsibilities in relation to risk management. This one-person risk silo is the opposite of what is required to implement risk management in a way that is consistent with the Standard. The risk and compliance role should coordinate and support the leadership to manage risk, not be the sole owner and person responsible.

 

Some Suggested Responses

  • Review the expertise within the organisation to understand and manage risk and invest to increase organisational risk competency
  • Undertake an analysis of existing risk management practices to determine what risk management is being undertaken already and what systems, processes and methodology are being used
  • Determine the risk reporting and analysis requirements of the executive leadership team and the governing body
  • Determine what data, including safety incidents, risk control failures, accidents, near misses and compliance failures is available to support risk management
  • Decide on a methodology for risk that includes a common risk language and definitions and a common risk assessment and analysis process
  • Create a risk classification system that separates strategic, operational risks and high level risks from very granular risks. 

Some Key Questions to Ask

  • What sort of risk management culture do we have now and what can we do to positively impact the culture?
  • What are the risks if we do not invest and improve our risk management systems and risk competency?
  • How do we strengthen our capacities, capabilities and resources to manage and recover from significant risks in the future?
  • Do we have the right people, systems and software to do risk better?
  • Would investment in risk systems, processes and people make us more resilient?

 

Business continuity planning was inadequate for pandemic disruption 

The Victorian Auditor-General’s office in their February 2022 report “Business Continuity During COVID-19” under the heading “What is BCM?” states:

“All businesses, whether government or non-government, need to ensure that they can anticipate, prepare for, respond and adapt to change and sudden disruptions to continue their operations. This is known as organisational resilience. Business continuity is a key element of organisational resilience.”

An Allianz survey in 2021 of more than 2700 risk management experts asked them about their top corporate concerns. 62 per cent said initiating or improving business continuity management was their top concern.

The goal of a business continuity management plan (BCMP) is to support and enhance organisational resilience. Resilient organisations are able to maintain or quickly restore critical operations so that there is minimal disruption to the business.

Failure to develop and stress test a BCMP is a significant strategic risk for schools. Some schools, even when they had a well-developed plan, found that it was inadequate for the multi-faceted and long term nature of the pandemic’s disruption. This was mainly because the BCMP had focused on tangible disruptions such as fire and flood rather than intangible disruptions like the pandemic. Often business disruptions had been identified and planned for in isolation. What the pandemic showed was that some causes of disruption result in concurrent interruptions with widespread impact on operations and objectives and also involve multiple external events at a national and global level that can impact a school.

Business continuity planning has become more, not less, difficult, as a result of the pandemic. Economic volatility, seemingly fragile global supply chains and the potential for complex and hard-to-plan-for disruptions seem much more likely than pre-pandemic. Whether this is the case, only time will tell.

One of the key steps in developing a BCMP is to identify the threats or interruptions that may impact business operations and critical objectives. This is called a Business Impact Analysis (BIA). It can be surmised that very few schools had undertaken a BIA for a pandemic or considered that a pandemic would require long periods of time where teachers and students were off premises but were still required to undertake teaching and learning. As a result, critical issues were missed such as the IT infrastructure needed for whole of organisation off premises operations.

Another crucial aspect of a BCMP is ensuring that there is sufficient risk-based decision-making capability and expertise within the organisation. For example, some organisations struggled to make defensible, risk-based decisions when applying public health advice to day-to-day operations. To successfully do this, organisations need risk management expertise and an appropriate risk management methodology and process.

 

Some Suggested Responses

  • Review existing BCMPs or get started on one
  • Review long term IT infrastructure planning to ensure that off premises operations, ecommerce and other critical business functions are not on premises dependent
  • Undertake business interruption scenario planning and scenario-based exercises
  • Conduct a business continuity impact analysis
  • Identify minimum resource requirements for continued operations
  • Ensure that the governing body and senior leadership team understand their role in maintaining business continuity, critical incident responses and the activation of the BCMP
  • Develop a business continuity management risk register that assesses and reports on business continuity risks and risk controls.

 

Some Key Questions to Ask

  • Have we undertaken a BIA for all the potential impacts on our operations from the business interruption scenarios that we have identified?
  • Do we have a structured, risk-based, decision-making process supported by individuals with the appropriate expertise?
  • What additional resources are required to increase our level of resilience to business interruption incidents?
  • Is our business continuity planning granular enough?
  • Do we have a thorough understanding of the impacts of a business interruption on individual parts of the business and on the business as a whole?
  • Have we analysed the failure of third parties and suppliers as a potential business interruption?
  • Have we identified the critical resources that would need to be available to quickly recover from a business interruption incident? (For example, critical resources could be important records such as student and staff contacts, access to operating procedures manuals and IT recovery plans, a clear understanding of authorities and delegations for emergency payments, lists of key external contacts and suppliers or a detailed telecommunications response plan.)

 

Insufficient investment in IT and infrastructure was a strategic risk for schools

According to the Allianz report “Scenario Planning for Future Disruptions”, the pandemic has fast forwarded the digitalisation of everything and the digital dependence of individuals and businesses. At the same time, it has increased vulnerabilities to risks such as cyber attacks, system failures, phishing, and the potential for data losses and data breaches that breach privacy laws and result in substantial reputational damage.

Schools that had well-developed IT systems and IT infrastructure were better able to manage off premises operations. Those that didn’t found it challenging to provide the same level of operations and services.

Looking to the future, what is now clear is that insufficient investment in IT is a significant strategic risk that all schools must address. Old ways of working that required IT solutions to be on premises dependent are no longer appropriate. There are increasing long term expectations that staff can work from home on a regular basis and that students who cannot attend school for whatever reason can genuinely participate in learning through online teaching resources.

 

Some Suggested Responses

  • Ensure that IT resourcing is included in strategic planning and that there is a long term IT strategy for the school to increase capacity to learn from anywhere and teach from anywhere
  • Conduct a ‘retrospective’ on the use of IT in relation to your school during the pandemic that identifies issues and weaknesses and proposed solutions
  • Review long term levels of investment in IT and determine what additional infrastructure and systems are necessary to support organisational resilience through IT
  • Review all cyber security measures, identify weaknesses, invest in software and train staff to identify security issues and suspicious emails etc
  • Develop improved IT policies and procedures, communicate them and train staff in relation to them.

 

Some Key Questions to Ask

  • Does our induction and ongoing training of staff cover cyber security issues?
  • Are there clear policies in relation to IT security measures when working from home?
  • Have IT risks been identified and risk management strategies implemented?
  • Is there sufficient knowledge spread among enough people so that IT systems and processes are not overly reliant on one or two key individuals?
  • To what extent should school governing bodies receive reports on IT planning and strategy, systems outages and disruptions and potential system vulnerabilities?
  • Is data on IT systems failures, security breaches etc collected and reported?
  • Is there an understanding of staff competency requirements in IT and online learning, and how will the school develop competency levels?

 

Concluding Comments

In the third and final article of this three-part series, Jonathan will focus on the shift in mindset during the pandemic towards ‘people first’, increased environmental, social and governance concerns, and the relevance of the International Risk Management Standard ISO 31000 (2018) Risk Management - Guidelines to the pandemic.

 

See also Part 1 of this series here

 

 

 

About the Author

Jonathan Oliver

Jonathan Oliver has been a lawyer in NSW since 1986 and worked in private practice (initially in general practice, and later as a specialist family lawyer) and then in community legal centres. More recently he spent 10 years as a business manager at an independent school in Sydney. He has been with Ideagen CompliSpace since 2016 and is the principal consultant in governance risk and compliance (GRC). He assists schools, commercial and financial services clients and the not-for-profit sector in all areas of risk and compliance, governance and policy management. He frequently presents to governing bodies and executive teams on GRC issues including facilitating workshops and strategic planning activities. He has presented at many education law webinars on risk and compliance and related topics.
