Six areas where the effect of the pandemic highlighted vulnerabilities in schools’ risk management both at a strategic and operational level are outlined in this article and the third article in this three-part series.
Schools with these first three vulnerabilities were less resilient (and are still perhaps less resilient) as they continue to address these vulnerabilities.
In addition to a brief description of each of the first three vulnerabilities, we have also provided some suggested responses for each and questions for schools to consider.
The introduction to the International Risk Management Standard says at points 3 and 4:
“3. Managing risk is part of governance and leadership and is fundamental to how the organization is managed at all levels. It contributes to the improvement of management systems.
4. Managing risk is part of all activities associated with an organization and includes interaction with stakeholders.”
Considering these in a school context, many schools do not demonstrate in practice that risk management is a fundamental discipline necessary for the effective governance and management of a school at all levels. Some observations of what this vulnerability looks like in practice include:
Many schools have few people with a detailed understanding of end-to-end, enterprise-wide risk management (as opposed to experience in completing a risk assessment for a hazard or excursion).
People with the knowledge and skills to implement a ‘whole of enterprise’ approach to managing risk is not something that is a key priority for schools. Often there is one person with a title such as the ‘risk and compliance manager’ given the task of looking after risk and this is a huge benefit. However, sometimes the person in that role is given all of the risk and compliance responsibilities, so the rest of the leadership team don’t have to have any responsibilities in relation to risk management. This one-person risk silo is the opposite of what is required to implement risk management in a way that is consistent with the Standard. The risk and compliance role should coordinate and support the leadership to manage risk, not be the sole owner and person responsible.
The Victorian Auditor-General’s office in their February 2022 report “Business Continuity During COVID-19” under the heading “What is BCM?” states:
“All businesses, whether government or non-government, need to ensure that they can anticipate, prepare for, respond and adapt to change and sudden disruptions to continue their operations. This is known as organisational resilience. Business continuity is a key element of organisational resilience.”
An Allianz survey in 2021 of more than 2700 risk management experts asked them about their top corporate concerns. 62 per cent said initiating or improving business continuity management was their top concern.
The goal of a business continuity management plan (BCMP) is to support and enhance organisational resilience. Resilient organisations are able to maintain or quickly restore critical operations so that there is minimal disruption to the business.
Failure to develop and stress test a BCMP is a significant strategic risk for schools. Some schools, even when they had a well-developed plan, found that it was inadequate for the multi-faceted and long term nature of the pandemic’s disruption. This was mainly because the BCMP had focused on tangible disruptions such as fire and flood rather that intangible disruptions like the pandemic. Often business disruptions had been identified and planned for in isolation. What the pandemic showed was that some causes of disruption result in concurrent interruptions with widespread impact on operations and objectives and also involve multiple external events at a national and global level that can impact a school.
Business continuity planning has become more, not less, difficult, as a result of the pandemic. Economic volatility, seemingly fragile global supply chains and the potential for complex and hard-to-plan-for disruptions seem much more likely than pre-pandemic. Whether this is the case, only time will tell.
One of the key steps in developing a BCMP is to identify the threats or interruptions that may impact business operations and critical objectives. This is called a Business Impact Analysis (BIA). It can be surmised that very few schools had undertaken a BIA for a pandemic or considered that a pandemic would require long periods of time where teachers and students were off premises but were still required to undertake teaching and learning. As a result, critical issues were missed such as the IT infrastructure needed for whole of organisation off premises operations.
Another crucial aspect of a BCMP is ensuring that there is sufficient risk-based decision-making capability and expertise within the organisation. For example, some organisations struggled to make defensible, risk-based decisions when applying public health advice to day-to-day operations. To successfully do this, organisations need risk management expertise and an appropriate risk management methodology and process.
According to the Allianz report “Scenario Planning for Future Disruptions” the pandemic has fast forwarded the digitalisation of everything and the digital dependence of individuals and businesses. At the same time, it has increased vulnerabilities to risks such as cyber attacks, system failures, phishing, and the potential for data losses and data breaches that breach privacy laws and result in substantial reputational damage.
Schools that had well-developed IT systems and IT infrastructure were better able to manage off premises operations. Those that didn’t found it challenging to provide the same level of operations and services.
Looking to the future, what is now clear is that insufficient investment in IT is a significant strategic risk that all schools must address. Old ways of working that required IT solutions to be on premises dependent are no longer appropriate. There are increasing long term expectations that staff can work from home on a regular basis and that students who cannot attend school for whatever reason can genuinely participate in learning through online teaching resources.
In the third and final article of this three-part series, Jonathan will focus on the shift in mindset during the pandemic towards ‘people first’, increased environmental, social and governance concerns, and the relevance of the International Risk Management Standard ISO 31000 (2018) Risk Management - Guidelines to the pandemic.
See also Part 1 of this series here.