Risk Management: Bolted On or Built In?

13 February 2020

The International Federation of Accountants recently released an enterprise risk management (ERM) thought leadership white paper called “From Bolt-on to Built-in: Managing Risk as an Integral Part of Managing an Organization”.

Two of the key points made are that:

  • neither risk management nor internal controls are objectives in themselves; instead, they are an integral part of setting and achieving an organisation’s objectives
  • there is no such thing as risk culture. Instead, there is organisational culture, in which managing risk should be an obvious, integrated action.

Understanding ERM

These statements are designed to provoke organisations into understanding ERM not as an ‘end in itself’ but as a significant way in which organisations can achieve their strategic goals and objectives by considering the ‘uncertainties’ that may prevent their achievement. ISO 31000, of course, defines “risk” as “the effect of uncertainty on objectives”.

So are schools using risk management proactively as a way to achieve their strategic goals and objectives, or are they still treating ERM as a “bolt on” characterised by:

  • static organisational risk registers that are updated infrequently using limited supporting data
  • little or no engagement of senior staff in enterprise risk management (ERM) across the organisation
  • review of key organisational risks rarely being part of executive meeting agendas
  • risk management not being seen as essential to achieving strategic objectives?


ERM and Strategic Objectives

From this writer’s experience, while many schools are using risk management as an effective tool for controlling specific operational risks, for example, child protection risk, only a few schools are making the link between this activity and the positive impact effective ERM can have on the achievement of strategic objectives.

The link is easy to see if you consider how a school’s strategic objectives can be ‘derailed’ by significant and ongoing failures to manage key operational risks. The obvious example is a failure to manage child protection risk, but it might equally be student bullying or the management of key stakeholders such as parents and alumni.

Looked at this way, the effective and holistic management of key operational risks is extremely important to the achievement of short and long-term strategic objectives. Viewing operational risk management in this way substantially raises its importance to organisational success and turns it from an ‘add on’ into a ‘built in’ or, as the quote above puts it, ‘an obvious, integrated action’ that is central to school operations.



It is not surprising, therefore, that ‘Integration’ of enterprise risk management is one of the six key elements of the ISO 31000 risk management Framework and ‘Integrated’ is also one of the eight ISO 31000 Principles.

The Framework has ‘Leadership and Commitment’ at its heart. Integration can, of course, only occur with a substantial ‘top down’ commitment to embedding risk management throughout the organisation, which, as we all know, is easier said than done.

It should also not go unnoticed that the eight Principles set out in ISO 31000 have ‘Value Creation and Protection’ at their centre, with Integration being key to achieving that value creation and protection.


Identifying Specific Risks

Using risk management to support the achievement of strategic objectives requires schools to ensure that specific risks that could prevent achieving strategic objectives are identified at the time the strategic plan is being developed. Risk in fact has a dual role to play here.

From one perspective, identified “risks” actually drive strategy, and a school’s strategic plan is designed to address those identified risks. For example, a school facing the risk of falling enrolments may decide to change from single sex to coeducational, or to provide free transport from outlying catchment areas, and whatever is decided would then be embedded in its strategic plan. From another perspective, once a school’s strategic plan has been agreed, its implementation may itself create new risks that will need to be managed on an ongoing basis.

Given that “strategic risk” is often considered to be the domain of a school’s governing body and “operational risk” the domain of a school’s executive, some schools are now presenting two separate risk registers to their governing body to make this distinction clear:

  • an Operational Risk Register that allows the board to confirm that the school executive is adequately managing key operational risks
  • a Strategic Risk Register that allows the board to clearly identify and manage risks relating to the formulation and execution of its strategic plan.


Benefits of ERM

The “From Bolt-on to Built-in” paper argues that ERM is key to enabling organisations to:

  • achieve their strategic goals and objectives
  • understand the level, nature, and amount of risk that they want to assume in pursuit of those objectives
  • develop the controls required to support achieving their objectives.

We will finish with a quote from the “From Bolt-on to Built-in” paper, which describes risk management:

As a highly relevant and useful process for decision and execution support, and as a process that boards and management naturally use to ensure their organization makes the best decisions and achieves its objectives.

If your school is not getting value from its ERM program, maybe it’s time for a review.

Jonathan Oliver

Jonathan is a Principal Consultant working with CompliSpace education clients. He has more than 10 years’ experience in the school sector as a teacher, compliance and legal adviser and, more recently, as a Business Manager. Jonathan has been a solicitor for nearly 30 years and has worked in both private practice and community legal centres.