There is no room for complacency for risk management in any school with new risks emerging all the time with the recent COVID-19 pandemic risk being a good example. A recent publication highlighted the top six operational and strategic risks facing schools in 2020.

Many schools have traditionally siloed their risks and, sometimes, even their policies. Each part of the school or even each department or faculty could have their own risks and their own controls (policies) to mitigate those risks. The lack of an overarching approach to risk management will mean risk management will be ineffective.

Schools frequently have a risk register containing a large number of risks. These registers are often poorly organised and lack a classification methodology. The risks are also often poorly articulated. Many of these risk registers may contain very ‘micro’ risks such as driveway or traffic risks as well as something like a competition risk which is a very ‘big picture’ or strategic risk.

Enterprise Risk Management

The best way for schools to effectively implement a risk management program in their school is to embrace an enterprise risk management (ERM) approach to risk management. ERM can bring all of the individual and siloed risks into a coherent ‘whole of school’ approach to risk management.

Risks are often interdependent on others and a failure to manage risks in a more holistic manner could mean that possible risks could ‘fall through the cracks’ with the result that students or staff could be hurt or the school could be in breach of any number of laws. A fully integrated ERM approach to risk management coordinates the response to various types of risk (it accounts for interdependence of some risks), resulting in a more efficient process, as well as allowing the school to gain a better view of the risks facing the entire school. Where a school is not seeing the whole picture, it is possible that its response to a particular risk may be inadequate.

ERM also assists governing body members, principals and executive staff in schools to predict future events that may impact (positively or negatively) on their school’s activities and allows them to take appropriate actions to address the impact of these events.

Where to Begin?

Schools sometimes have had little or no experience of enterprise risk (in contrast with activity-based risk assessments for excursions or health and safety risk assessments), so, for many, it is hard to know where or how to begin.

Here are some suggestions for implementing ERM in your school:

• ensure that there is an overarching policy framework for your approach to risk management. The International Risk Management Standard ISO 31000 (ISO 31000) provides a high level guide for schools in developing their own risk management policy framework.
• ERM cannot work without the process being led from the top down. When school leaders fail to take the lead in developing and implementing ERM, it inevitably fails.
• ERM requires integration. ERM by definition is a ‘whole of enterprise’ approach to risk management. Risk management should be integrated into all activities and all decision making across the organisation and used to monitor performance and identify future risks and opportunities.
• ERM should be dynamic and subject to continuous improvement. Many schools develop a risk register and then don’t do anything with it other than review the register annually. Instead of this ‘set and forget’ approach, risk management should be used as a management tool to control risks. This can only happen if there is robust evaluation of the effectiveness of risk controls and a regular review of the overall risk rating for risks based on that evaluation.
• ERM should enable and support strategic planning. ISO 31000 defines risk as the effect of uncertainty on objectives. What are the risks that will impact the school achieving their strategic objectives.? How can we identify and control those risks?

The Benefits of ERM

Schools that embrace ERM, and effectively implement an integrated ERM program, can expect to experience some (if not all) of the following benefits:

• a significant increase in the likelihood of achieving strategic goals and objectives
• avoidance of ‘fire fighting’ as reactive management gives way to proactive decision making
• an enhanced ability to identify and manage future threats and opportunities
• an enhanced ability to comply with legal and regulatory obligations
• avoidance of adverse risk events, or at least a minimisation of the impact, if these events are to occur
• establishment of a reliable basis for decision making and planning as key non-financial information becomes readily accessible by management and school governors alike
• improvement of operational effectiveness, business processes and controls
• the ability to allocate internal resources more effectively
• minimisation of business complexity and optimisation of transparency
• enhanced reputation management
• increased shareholder/stakeholder value.

Risk Management and School Registration

For many years now, school regulators have been looking to see that schools have systems and processes in place for the identification and management of risk. This usually includes a risk management framework and overarching risk management policy, a risk register or registers, evidence that risk controls have been implemented and risks have been regularly reviewed and updated.

The regulators also want to know whether school governing bodies and school executives have been engaged in the risk management processes through, for example, receiving reports, examining operational and strategic risks and reviewing the effectiveness of risk controls.

However, while ERM is not an explicit obligation for non-government schools in every state and territory, it is quite clear that there is a general trend within the education sector to embrace continuous improvement processes and that ERM, compliance and incident management programs are considered to be central components of these processes.

Summary

The effective management of risk is about understanding the risks that a school faces, determining which risks are worth taking and which should be prevented or reduced, so that the school can achieve its outcomes. ERM is key to enabling schools to manage those risks effectively and allowing them to:

• achieve their strategic goals and objectives
• understand the level, nature, and amount of risk that they want to assume in pursuit of those objectives
• develop the controls required to support achieving their objectives.

How to Learn More - Free Webinar and Free Online Course

Free Webinar

James Field, CEO of CompliSpace will be presenting a risk management webinar on Friday 7 August for schools. It is designed to be a practical webinar on implementing ERM in your school. The webinar will expand on many of the matters mentioned in this article.

Free Access to CompliSpace’s Introductory Enterprise Risk Management Online Course

To learn more about Enterprise Risk Management and the International Risk Management Standard ISO 31000, we recommended that you complete CompliSpace’s introductory ERM course that we have made available for free through our CompliLearn professional learning lists site.

This introductory Enterprise Risk for Schools course takes approximately 1 hour to complete and provides an overview of the International Risk Management Standard ISO 31000.

To access the course:

1. Simply visit complilearn.com and sign up for a Free Individual Explorer Account using the orange button at the top of the page
2. Once you log in, type “risk management” into the search bar and select Enterprise Risk Management for Schools (Part 1). Follow the prompts to begin the course.

About the Authors

Jonathan Oliver

Jonathan is a Principal Consultant working with CompliSpace education clients. He has more than 10 years experience in the school sector as a teacher, compliance and legal adviser and more recently as a Business Manager. Jonathan has been a solicitor for nearly 30 years and worked in both private practice and community legal centres.

Craig D’cruz

With 37 years of educational experience, Craig D’cruz is the National Education Lead at CompliSpace. Craig provides direction on education matters including new products, program/module content and training. Previously Craig held the roles of Industrial Officer at the Association of Independent Schools of WA, he was the Principal of a K-12 non-government school, Deputy Principal of a systemic non-government school and he has had teaching and leadership experience in both the independent and Catholic school sectors. Craig currently sits on the board of a large non-government school and is a regular presenter on behalf of CompliSpace and other educational bodies on issues relating to school governance, school culture and leadership.