Risk Maturity Survey Results

Published
24 September 2020

CompliSpace has created a Risk Maturity Survey for non-government schools. If you’d like to assess your school’s risk maturity before reading this article (as the article may influence your responses), please click here to take the 5-minute Risk Maturity Survey.  

Risk maturity is a term being increasingly used as a way of discussing the level that an organisation has reached in the implementation of an enterprise risk management system. Risk maturity is often represented in diagrams and tables that describe various levels of maturity. Often these diagrams have a staircase leading upwards to higher levels of maturity.

 

Leadership and Commitment

Moving towards risk maturity requires leadership and commitment. In the Survey questions, the results and the commentary that are discussed below, it will become clear that a school will not be able to move towards a greater state of risk maturity without leadership and commitment.

The International Risk Management Standard ISO 31000 (2018) has three elements: Principles, Framework and Process. At the centre of the Framework is “Leadership and Commitment”. The other elements of the Framework are “Integration”, “Design”, “Implementation”, “Evaluation” and “Improvement”. None of these can occur unless there is leadership and commitment at every stage. This means that school leaders must understand the importance of enterprise risk management and how implementation of a ‘whole of enterprise’ approach to risk management can add significant value to the school and support all school operations and decision-making. They must also drive and resource the implementation.

 

The Risk Maturity Survey

We surveyed attendees of our recent webinar “The Forgotten School Risk (that can come back to bite you!)", and asked them to answer a 10-question ‘Risk Maturity Survey’. You can download the Survey and steps descriptors here. The Survey score enabled users to consider their level of risk maturity against ‘stairs’ or levels of risk maturity.

The Survey had 10 questions that could be answered with “Yes” or “No” or “In Progress”. Answers scored one for “Yes” and zero for “In Progress” or “No”.

 

The Survey Questions

1. Have you developed and implemented an enterprise risk management policy that addresses a broad range of operational and strategic risks?
2. Do you have a document at the school which outlines the relevant risk roles and responsibilities of the Board, the Principal, the School Executive, and general staff?
3. Have you developed a risk register that is reviewed at least annually by the Board/Executive?
4. Are the school's risks currently recorded, assessed and reported using an online risk management software?
5. Does the identification and assessing of risks regularly form part of the decision- making process for significant operational and strategic initiatives?
6. Is there a process in place for the Executive to regularly (at least twice per year) review key operational risks?
7. Does your existing risk management policy ensure that the school’s senior management team actively engage in risk identification, risk management, risk review, and risk reporting?
8. Has the school Board implemented a strategic planning process that includes the identification of risks that may prevent the school from achieving its strategic objectives?
9. Does the school Board receive regular risk reports and have a process for reviewing the risks in the report?
10. Is reporting data or other information available to the executive team so they can determine whether key risk areas are effectively managed?

 

The Risk Maturity Steps

The four steps on our risk maturity staircase were: Beginning, Developing, Maturing, Optimising.

Asset 1-1

Step Levels in Detail

Beginning (score of 0-2)

This level is characterised by some risk assessments being conducted without any planned approach to integrating risk management across the school. Typically at this level, schools would be using risk management for some activities and excursions and little else. From a management perspective, there would be little or no discussion of risk and no ‘whole of enterprise’ approach to risk management or the development of enterprise-wide risk registers. Risk issues do not feature in school decision-making and strategic planning at this level.

 

Developing (score of 3-5)

At this level, the school leadership is more aware of the importance of risk management to school operations. There may be a risk register or even several risk registers that capture a wide range of risks - with some of these being reported to the Board/Executive. Executive responsibilities and accountabilities regarding risk are loose and ill-defined, and, at this level, there is no overarching risk management system that outlines how risk management is integrated across the school, although this may be ‘in planning’. At this level the capture of data to assist in risk management (for example to verify that risk controls are working as planned) is recognised as important but these systems are developing or in planning or not capable of delivering the substantial data and other information to be used to inform risk reviews.

 

Maturing (score of 6-8)

In a school that is at the “Maturing” level, there is active engagement of the school leadership in a ‘whole of enterprise’ risk management system with key roles and accountabilities defined together with an overarching document that sets out the approach to enterprise risk management. Data is available that provides information on the effectiveness of risk controls and this is used in risk review processes. Risk controls for key operational and strategic risks have been identified and are being monitored for effectiveness. The Executive Team is responsible for reviewing all significant operational risks and has developed a process for reviewing risks and for considering the effectiveness of risk controls. Risk controls are openly discussed and debated by the Executive, and, where necessary, additional controls are implemented. Regular and detailed reports that show risk movement are provided to the Executive and to the Board. Reports may include the grouping of risks according to the adequacy of the current risk controls matched to their overall risk rating.

 

Optimising (score of 9-10)

If a school is at the “Optimising” level, this means that enterprise risk management is integrated across all parts of the school. This includes strategic planning processes and key operational decision-making. At various stages in the operational and strategic planning processes, risks are identified and controls are implemented, monitored and reported. The Executive Team continues to develop and refine their enterprise risk management systems and processes, and are committed to their continuous improvement. The school has adopted a methodology and risk classification system that enables any new risk to be classified. They have defined and agreed on a common vocabulary for risk management and reference widely-accepted standards for risk management in their approach. They regard enterprise risk management as essential to good governance. The school has developed a risk appetite statement and this is used to evaluate individual risk ratings based on whether the rating is within the school’s ‘risk tolerance’ as determined by the risk appetite statement.

 

Results

Overall Scores

  • 60% scored 5 or less out of 10, which placed them at the Beginning (20%) and the Developing (40%) levels.
  • 40% scored more than 5 out of 10, which placed them in the top two levels, with 29% Maturing and 11% Optimising.

 

Answers to Specific Questions – Lowest Scoring Questions and Commentary

Question “In Progress” or “No” %
Have you developed and implemented an enterprise risk management policy? 60%
Are the School's risks currently recorded, assessed and reported using an online risk management software program? 62%
Has the Board implemented a strategic planning process that includes the identification of risks that may prevent the school from achieving its strategic objectives? 62%
Is reporting data or other information available to the Executive Team so that they can determine whether key risk areas are being effectively managed? 63%

 

Have you developed and implemented an enterprise risk management policy? “In Progress” or “No” 60%

This is a key indicator of risk maturity. For many in the “Beginning” or “Developing” categories, the starting point is often the development of a risk register, which may contain a large number of risks. The Survey scores show that many schools lack a document that sets out how an overarching risk management system will be implemented across the school, and importantly, outlines the risk methodology and classification system to be used. All these are necessary if a school is to move beyond just having a risk register. Enterprise risk management doesn’t just happen and a detailed policy document is therefore required.

A later question asked if there was a document that outlines the responsibilities and accountabilities for risk management from the Board down. 50% answered “No” or “In Progress” to this, probably indicating that, for some, these responsibilities were written into Board charters and the position descriptions of senior staff. While the responsibilities and accountabilities are crucial, it is difficult to execute those responsibilities without a policy that provides a clear roadmap for how the school will go about implementing enterprise risk management throughout the school.

 

Are the School's risks currently recorded, assessed and reported using an online risk management software program?   “In Progress” or “No” 62%

The question itself and the scores here highlight that it is very difficult, if not impossible, to implement an enterprise risk management program without a software system to support the process. There are numerous systems available. The systems all allow for risks to be rated and reported. Often included in these systems is the ability to create and monitor risk control tasks and report on incidents and accidents and other data that may indicate a breakdown in risk controls. These systems aid and support the integration of risk management across a school and move risk management well beyond simply having a risk register that is reviewed every six or 12 months.

 

Has the Board implemented a strategic planning process that includes the identification of risks that may prevent the school from achieving its strategic objectives?   “In Progress” or “No” 62%

You would expect to see this answered “Yes” by many schools that were scored as “Maturing” and by all the schools that were scored as “Optimising. However, for schools that were “Beginning” or “Developing” the most likely response, borne out by the Survey results, would be expected to be “No” or “In Progress”. One of the ISO 31000 Principles is that, if enterprise risk management is effectively implemented, it “creates and protects value”. One of the key areas where this can occur is in operational and strategic decision-making. Risk should be considered and integrated into all aspects of the school including decision-making. In strategic planning risks should be considered at an early stage in the development of strategy and at every stage thereafter to identify the risks that may impact on the achievement of strategic and operational objectives and the control measures that should be put in place to prevent these risks from materialising.

For schools that were scored as “Beginning” or “Developing”, it may be possible to identify the relevant risks during the operational and strategic planning processes but the lack of integration of risk across the school and the lack of software systems to effectively implement and report on risk controls makes it much more difficult for risk identification to add value to the planning processes.

 

Is reporting data or other information available to the Executive Team so that they can determine whether key risk areas are being effectively managed? “In Progress” or “No” 62%

Schools that are “Beginning” or “Developing” often have very little data available to them to assist in reviewing risks. Risks are often reviewed based on the number of incidents that have occurred without much other information available to assist in the process. Unfortunately, much risk assessment is undertaken by way of ‘gut feel’ rather than having good information to support the risk review. Information on whether risk controls are working is very important in supporting a proper review of risks. Such information should include a consideration of the quality or effectiveness of the implementation of risk controls. To use a training quality example, while everyone may have been trained, the training may have been poor quality and many attendees did not listen or skipped ahead to the quiz at the end.

Schools that were scored as “Maturing” or “Optimising” should have identified key risk control data and other sources of information for each key risk area and would be using this data to assist in determining the effectiveness of risk controls and the review of overall risk ratings.

 

Answers to Specific Questions – Highest Scoring Questions and Commentary

Question “Yes” %
Have you developed a risk register that is reviewed at least annually by the Board/Executive Team? 64%
Is there a process in place for the Executive Team to regularly (at least twice per year) review key operational risks? 50%
Does your existing risk management policy ensure that the Executive Team actively engages in risk identification, risk management, risk review and risk reporting? 50%

 

Have you developed a risk register that is reviewed at least annually by the Board/Executive Team?   Yes 64%

 

Is there a process in place for the Executive Team to regularly (at least twice per year) review key operational risks? Yes 50%

The score for the first question is not surprising given that nearly every school has at least started their journey to risk maturity by developing some sort of register of risks. Many state and territory school regulators require schools to identify and manage risks and having a risk register is a key element in complying with this requirement. The challenge for many schools is to move beyond just ‘having’ a risk register to integrating risk management across all school operations and key decision-making and to use risk as a tool of good governance. The purpose of a risk register is to enable risks to be identified and managed effectively.

This of course relates to the second of these questions in that, while many schools would have a process for reviewing their risk registers twice each year, the review process might be rudimentary, with minimal discussion of the effectiveness of risk controls for each risk. Often in these risk reviews there is a greater emphasis on listing the controls for each risk even though the controls may not be fully implemented or working as expected.

 

Does your existing risk management policy ensure that the Executive Team actively engages in risk identification, risk management, risk review and risk reporting? Yes 50%

With half of the survey participants answering “Yes” to this question, some schools are clearly moving upwards towards risk maturity. Effective enterprise risk management requires leadership and commitment and school leaders must be involved at each step in the process to risk maturity. A key aspect is that the executive is involved in the processes set out in the question.

 

Risk Maturity - Change of Mindset Required?

For many schools to move ‘onwards and upwards’ towards a more risk mature state, a change of mindset is required. Risk management in a school has to move beyond having a risk register towards adopting a ‘whole of enterprise’ approach. The table below illustrates some of these mindset changes.

Old Mindset New Mindset
We have a risk register For us risk management is an essential element of good school management
We have someone who is responsible for risk management We are all engaged and responsible for risk management which is driven and resourced by the school leadership
The risk register means we comply with the school regulator requirements Our risk management system is much more significant than just a compliance exercise
The leadership team ‘does’ risk management because the school is required to do it We have developed a positive risk management culture and are convinced of its value to the school
The risk register review is a one-off process each year We identify risk controls for each risk and the data we want to capture to determine the effectiveness of risk controls
We don’t have much data on whether our risk controls are working We identify risk controls for each risk and the data we want to capture to determine the effectiveness of risk controls
Risk management is siloed Risk management is integrated throughout all school operations and planning
The Board wants to see a risk register report We provide regular and detailed reports to the Board on operational and strategic risks and include information on risk control effectiveness and risk movement

 

Conclusion

The Risk Maturity Survey results show that schools are in very different places when it comes to risk maturity, which would come as no surprise. No school or organisation ever ‘arrives’ and can claim to be ‘risk mature’ as it is a continuous improvement process. Foundational to any school moving upwards through the steps to risk maturity is the leadership and commitment from the top down. Sometimes it is the school leaders and the Board that lack the required new mindset and don’t have a good understanding of the value that enterprise risk management can bring to the school.

 

Request a Conversation about your School's Risk

If you'd like to request a conversation about your school's risk management, CompliSpace can help.  Click here to request a conversation.  

 

Jonathan Oliver

Jonathan is a Principal Consultant working with CompliSpace education clients. He has more than 10 years experience in the school sector as a teacher, compliance and legal adviser and more recently as a Business Manager. Jonathan has been a solicitor for nearly 30 years and worked in both private practice and community legal centres.