How can you build a risk management framework to identify and measure risks at your MAT?
CREDIT: This is an edited version of an article that originally appeared on gov.uk
Risk management policy should set out the framework the trust has adopted for risk management and should include the processes for identifying, categorising and measuring risk.
Identification
At the risk identification stage, all potential events that are a threat to the achievement of business objectives are identified, defined and categorised. This is best done as a joint effort and academy trusts may get maximum benefit from this stage if risks are identified in a ‘top-down’ as opposed to ‘bottom-up’ way. Events that appear to be negative, but which do not have any direct impact on business objectives, may not be risks at all.
To ensure that all major risks are identified it is helpful to consider the various types of risk and there are several different ways to categorise these. Understanding the type of risk being faced can also help determine what action is best to take; a common approach is to consider risks under the following categories:
- Internal risks: these are risks over which the academy trust has some control, by managing them through internal controls/additional mitigating actions. Examples of such risks include health and safety risks and data security.
- External risks: this category focuses on big external events/perils and then considers how to make the academy trust more resilient to such events. Examples of such risks include a pandemic or extreme weather.
- Strategic risks: these are risks to the achievement of the academy trust’s core objectives – for example, the risk of high staff turnover.
- Project risks: these are risks associated with any critical projects the academy trust may be involved in – for example, slippage on the delivery timescale for a new building.
Whilst risk management assessment at board level will focus on the highest priority risks, which will have the greatest impact on the trust, there is also a need for school leaders to assess operational risks. In a trust with multiple academies, local governance can play an important role in working with the trust leadership team to identify these risks and ensure plans are in place to minimise any impact on the trust and its pupils. The audit and risk committee’s role is to oversee that all categories of risk are identified and to ensure that the risks at constituent academies are being assessed and addressed appropriately. The risk climate can change rapidly, and it is important that emerging risks are carefully assessed and, where appropriate, are reflected in academy trust risk registers.
Measurement
Once risks have been identified it is important to measure them to create a standard for comparing the risks consistently; measurement consists of assessment, evaluation and ranking. The aim of assessment is to understand better each specific instance of risk, and how it could affect business objectives. Academy trusts should estimate:
- the likelihood (or probability) of it occurring; and
- the impact (or severity) if it did occur.
There are various ways to assess likelihood and impact but, in an education context, a rational approach could be to simply assess each on a high, medium and low scale. Alternatively, a scoring approach could be used, for example, using a range of 1-to-5 for each; using this scale, a score of 5 for likelihood would denote an extremely likely event, and 5 for impact would denote a critical level of damage.
Management (control)
Once risks have been assessed, evaluated and ranked, academy trusts will need to ensure there are appropriate plans in place to manage them. These plans include preventative controls, mitigation processes and contingency plans, if risks materialise. The approach taken will depend substantially on the academy trust’s risk appetite and risk capacity.
- Risk appetite: the amount of risk the academy trust is willing to accept in the pursuit of its objectives.
- Risk capacity: the resources (financial, human, and so on) which the academy trust is able to put in place to manage risk.
Consideration of these factors may generate disagreement owing to differing views of risk, so it is important that discussion involves debate and challenge. Trustees may feel more comfortable when there is greater control of risk, but the availability of the academy trust’s resources and capacity must be taken into consideration. Excessive control may be stifling, as well as expensive, and controls and resources will directly affect how assured trustees feel about risks. For instance, trustees may prefer that the risk of inappropriate procurement would be reduced by having every purchase order over £100 signed off by the accounting officer, but would this be the most appropriate use of the time of the most highly paid member of staff in the academy trust, especially if effective and cheaper alternatives exist?
Once the academy trust has established its risk tolerance and capacity, it can move on to developing a risk control strategy. Again, there are various ways of doing this, and no one way is right, but one easy-to-follow approach is to consider the ‘4 Ts’, which are:
- Tolerating risk is where no action is taken. This may be because the cost of instituting controls is not cost-effective, or the risk or impact is so low that they are considered acceptable. For instance, the academy trust may decide to tolerate the risk of contracting with a supplier with a poor credit rating provided the goods/services could be obtained relatively easily from someone else.
- Treating risk involves controlling it with actions to minimise the likelihood of occurrence or impact; there may also be contingency measures to reduce impact if it does occur. For instance, an academy trust may decide to train more than the statutory minimum of staff as paediatric first aiders and to put in place a rota for first aid cover during lunchtimes.
- Transferring risk may involve the use of insurance or payment to third parties willing to take on the risk themselves (for instance, through outsourcing). An academy trust may decide to take out insurance to mitigate the risk of the excessive costs of supply staff in the event of extended staff absences.
- Terminating risk can be done by altering an inherently risky process to remove the risk. If this can be done without materially affecting operations, then removal should be considered, rather than attempting to treat, tolerate or transfer. Alternatively, if a risk is ranked highly, and the other potential control measures are too expensive or otherwise impractical, the rational decision may well be that this is a process the academy trust should not be performing at all – for instance, an academy trust may decide not to contract with a related party to eliminate reputational risk.
Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits from the achievement of objectives against the costs, efforts or disadvantages of proposed actions.