Academy trust risk management
Updated 16 December 2024
Applies to England
This content was last updated in May 2021.
1. Introduction to risk management
Risk is inherent in everything academy trusts do to deliver high quality services. Risk management should be an essential part of governance and leadership and an integral part of business planning and decision-making processes. Academy trusts may find it helpful to consider risk management in terms of the ICAEW four lines of defence concept:
- 1st line of defence – management and staff who own and manage risk on a day-to-day basis.
- 2nd line of defence – the board who oversee the effectiveness of the risk management framework.
- 3rd line of defence – the internal scrutiny function who provide independent assurance on the overall effectiveness of risk management and controls.
- 4th line of defence – assurance from external independent bodies such as the external auditors and other external bodies.
It is a requirement of the Academies Financial Handbook (AFH) that:
- Academy trusts must manage risks to ensure their effective operation and they must maintain a risk register (part 2).
- The trust’s management of risks must include contingency and business continuity planning (part 2).
This guide is intended to help the board and management establish effective risk management arrangements for their academy trust.
Risk management involves the identification, measurement, management, monitoring and reporting of threats to an academy trust’s business objectives. Such threats can arise from a wide variety of sources such as litigation relating to safeguarding failures, financial uncertainty from a falling roll, security risk from inappropriate access to data, property risk from fire or flood, accidents resulting in injury, natural disasters, and of course a global pandemic. School leaders identify risks and implement appropriate mitigating control measures as part of normal business, for example managing the risks associated with school trips.
Risk management is not about adding new processes, but ensuring processes are integrated in the management and operation of businesses. Effectively managing risk informs business decisions, enables a more effective use of precious resources, enhances strategic and business planning and strengthens contingency planning.
Although ultimate overall responsibility for risk management, including the oversight of the risk register, lies with the academy trust’s board, the board must appoint an audit and risk committee in accordance with AFH (part 3) to:
- direct the trust’s programme of internal scrutiny
- ensure that risks are being addressed appropriately through internal scrutiny
- report to the board on the adequacy of the trust’s internal control framework, including financial and non-financial controls and management of risks.
It is also important that academy trusts ensure there is an individual identified who has responsibility for risk management on a day-to-day basis.
Academy trusts should read the ESFA good practice guide on internal scrutiny in conjunction with this guide.
Academy trusts may find the publication The Orange Book - Management of Risk - Principles and Concepts helpful, in particular page 38 which provides examples of risk categories.
2. Steps to developing a risk management process
2.1 Risk management policy
The first step a trust should carry out is to define its approach to risk management in a risk management policy. This document should set out the framework the trust has adopted for risk management and should include the trust’s risk appetite, the processes for identifying, categorising, measuring risks and its strategy for treating risks. The policy should also include roles and responsibilities, monitoring, reporting and review procedures, and training arrangements to ensure effective risk management is embedded throughout the trust.
Risk management processes may differ in terms of sophistication, nevertheless most follow broadly the same steps that combine to make up the overall framework (illustrated below). It is important to take a balanced view to managing opportunity and risks, to make the process meaningful.
2.2 Identification
At the risk identification stage, all potential events that are a threat to the achievement of business objectives (including not capitalising on opportunities) are identified, defined and categorised. This is best done as a joint effort and academy trusts may get maximum benefit from this stage if risks are identified in a “top-down” as opposed to “bottom up” way. Events that appear to be negative, but which do not have any direct impact on business objectives, may not be risks at all.
To ensure all major risks are identified it is helpful to consider the various types of risk and there are several different ways to categorise them. Understanding the type of risk being faced can also help determine what action is best to take. A common approach is to consider risks under the following categories:
- Internal risks – these are risks over which the academy trust has some control, by managing them through internal controls or additional mitigating actions. Examples of such risks include health and safety risks and data security.
- External risks - this focuses on big external events/perils and then considers how to make the academy trust more resilient to such events. Examples of such risks include a pandemic and extreme weather.
- Strategic risks – these are risks to the achievement of the academy trust’s core objectives. For example, the risk of high staff turnover.
- Project risks – risks associated with any critical projects the academy trust may be involved in. For example slippage on the delivery timescale for a new building.
Whilst risk management assessment at board level will focus on the highest priority risks, which will have the greatest impact on the trust, there is also a need for school leaders to assess operational risks. In a trust with multi academies, local governance can play an important role in working with the trust leadership team to identify these risks and ensure plans are in place to minimise any impact on the academy trust and its pupils. The audit and risk committee’s role is to oversee that all categories of risk are identified and must extend to ensuring the risks at constituent academies are being assessed and addressed appropriately.
The risk climate can change rapidly, and it is important emerging risks are carefully assessed and where appropriate are reflected in academy trust risk registers.
2.3 Measurement
Once risks have been identified it is important to measure them to give a standard for comparing the risks consistently. Measurement consists of assessment, evaluation, and ranking.
The aim of assessment is to understand better each specific instance of risk, and how it could affect business objectives. Academy trusts should estimate:
- the likelihood (or probability) of it occurring, and
- the impact (or severity) if it did occur.
There are various ways to assess likelihood and impact, but, in an education context, a rational approach could be to simply assess each on a H/M/L scale. Alternatively a scoring approach could be used, using a range of 1 to 5 for each. For example, a score of 5 for likelihood would denote an extremely likely event and 5 for impact would denote a critical level of damage.
Evaluation: the scores for each risk’s likelihood and impact respectively are combined to derive a single risk score reflecting its overall level of threat. Risks could be evaluated as H/H, H/M, L/H and so on. Alternatively, using a range of 1 to 5 would generate a numeric score with the minimum being 1 (1x1) and the maximum being 25 (5x5).
Ranking: once the scores for likelihood and impact have been combined into a single risk score, they can be plotted on a risk matrix. The matrix is simply a grid showing high likelihood/high impact risks to the upper right and low likelihood/low impact risks to the lower left.
Trusts should be aware that risks which are of very low likelihood and very high impact will be ranked in the same position as a risk with very high likelihood and very low impact. However, as the former could be catastrophic for the trust, if realised, they should be prioritised accordingly.
It is common practice to use a traffic light system (sometimes called a RAG-rating) for an intuitive representation of the ranking of risks. The matrix also provides a reference for the risk register to identify which risks fall outside the academy trust’s level of tolerance, based on its risk appetite, and which need to be managed actively.
It is not essential to use a measurement grid or RAG rating. Some academy trusts simply rate the identified risks. It is for the board to decide the approach that best suits the academy trust and is easily understood.
2.4 Management (control)
Once risks have been assessed, evaluated and ranked, academy trusts will need to ensure there are appropriate plans to manage them. These plans include preventative controls, mitigation processes and contingency plans, if risks materialise. The approach taken will depend substantially on the academy trust’s risk appetite and risk capacity:
- Risk appetite – the amount of risk the academy trust is willing to accept in the pursuit of its objectives
- Risk capacity – the resources (financial, human, and so on) which the academy trust is able to put in place in managing risk
Consideration of these factors may generate disagreement owing to differing views of risk, so it is important that discussion involves debate and challenge. Trustees may feel more comfortable when there is greater control of risk, but the availability of the academy trust’s resources and capacity must be taken into consideration. Excessive control may be stifling as well as expensive and controls and resources will directly affect how assured trustees feel about risks. For instance, trustees may prefer that the risk of inappropriate procurement would be reduced by having every purchase order over £100 signed off by the accounting officer, but would this be the most appropriate use of the time of the most highly paid member of staff in the academy trust, especially if effective and cheaper alternatives exist?
Once the academy trust has established its risk tolerance and capacity, it can move onto developing a risk control strategy. Again, there are various ways to do this and no one way is right, but one easy-to-follow approach is to consider the “4 T’s”.
Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits from the achievement of objectives against the costs, efforts, or disadvantages of proposed actions.
- Tolerating risk is where no action is taken. This may be because the cost of instituting controls is not cost-effective or the risk or impact is so low that they are considered acceptable. For instance, the academy trust may decide to tolerate the risk of contracting with a supplier with a poor credit rating provided the goods/services could be obtained relatively easily from someone else.
- Treating risk involves controlling it with actions to minimise the likelihood of occurrence or impact. There may also be contingency measures to reduce impact if it does occur. For instance, an academy trust may decide to train more than the statutory minimum of staff as paediatric first aiders and to put in place a rota for first aid cover during lunchtimes.
- Transferring risk may involve the use of insurance or payment to third parties willing to take on the risk themselves (for instance, through outsourcing). An academy trust may decide to take out insurance to mitigate the risk of the excessive costs of supply staff in the event of extended staff absences.
- Terminating risk can be done by altering an inherently risky process to remove the risk. If this can be done without materially affecting operations, then removal should be considered, rather than attempting to treat, tolerate or transfer. Alternatively, if a risk is ranked highly and the other potential control measures are too expensive or otherwise impractical, the rational decision may well be that this is a process the academy trust should not be performing at all. For instance, an academy trust may decide not to contract with a related party to eliminate reputational risk.
Some risk experts suggest a fifth “T”, “take advantage”, in recognition that the uncertainty attached to risk sometimes offers opportunities as well as threats. For example, an academy trust may take advantage of working with a local university’s media faculty on a campaign to publicise the academy trust, this may run the risk of taking up staff time, but could lead to the opportunity to increase pupil numbers and funding.
2.5 Monitoring
Monitoring should be ongoing and continuous as this supports the academy trust’s understanding of whether and how the risk profile is changing. Monitoring also provides assurance on the extent to which the mitigating actions and controls are operating as intended and whether risks are being managed to an acceptable level.
The risk register is central to risk monitoring. As risks are identified, they should be logged on the register and the associated control measures documented. A risk register should be a ‘live document’, maintained as an ongoing process. Risk registers come in various formats and no particular version is recommended.
However, some elements should always be included.
- Risk category – risk should be categorised under, for example, IT, finance, HR, premises to facilitate their effective management. Categorisation helps tease out other likely risks as well as potential duplication.
- Risk description – a brief description of the potential risk, namely the event itself, for example “a cyber-attack on the trust’s IT systems” and its consequences “students cannot access their saved work”.
- Risk ID – a unique number used to identify and track the risk.
- Business objective threatened – a description of the relevant business objective that the risk would affect if it materialised.
- The estimated likelihood that the risk will occur. This could be scored H/M/L (as above) or using another method.
- The estimated impact of the risk if it materialised. This too should be scored or assessed.
- The gross risk score - this is the combined score of the estimated likelihood and impact, without control measures being implemented. It is also known as the inherent risk.
- Control measures – which of the risk treatment option(s) (the T’s) have been opted for and the rationale for the decision. Also what the proposed actions are, including timescales for implementation and resources required.
- The net risk score – the risk that remains after control measures have been put in place. This is essentially a re-assessment of likelihood and impact assuming that control measures are in place. It is also known as the residual risk.
- Risk ranking – this is the overall level of the residual risk, it reflects its position on the risk matrix and, if appropriate, its “traffic light” rating. It may be helpful to use a series of arrows to indicate the direction of travel of the risk ranking after each review i.e. up, down or static.
- Risk trigger – what is the event that would trigger implementation of contingency plans?
- Contingency plan – an action plan to address the risk if it does materialise and what plans are in place to mitigate the risk. It is a requirement of the AFH (part 2) that the trust’s management of risks must include contingency and business continuity planning.
- Risk owner – the person responsible for deciding whether the risk trigger needs to be activated and for managing the control measures and contingency plans. This should always be an identifiable individual who will ensure effective communication where necessary.
- Date of last review – this is an indication of when the audit and risk committee or the board last reviewed the risk. It may be that the risk climate has changed and the risk has fallen to a level at which it can be retired from the register. A date supports regular monitoring of risk.
- Current status of risk – this should include any comments that will support the review of the risk at the appropriate time.
- Risk retired date and rationale for retiring risk – this is an important element as it is an audit of any risks that have been considered by Trustees and later retired with the rationale. These can be hidden from any live document, but should still be recorded.
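As an added worked example (not part of the ESFA guide or any trust’s own tooling), the following Python scores a small constructed register using the 1 to 5 likelihood and impact scale from section 2.3 and the gross and net score fields from section 2.5. It combines likelihood and impact into the 1 to 25 score, applies a traffic-light band, ranks risks with equal scores so that the high-impact one comes first (the caveat in section 2.3 about low likelihood/high impact risks), records the direction of travel since the last review, and lists the risks still outside a stated appetite. The RAG thresholds, the appetite value and the sample risks are all assumptions made for the example.

```python
"""Risk register scoring example: gross and net likelihood x impact scores,
RAG banding, ranking with a 'highest impact first' tie-break, and direction
of travel between reviews.

Assumed for this example (not taken from the guide): the RAG thresholds,
the appetite figure used at the bottom, and the sample risks themselves.
"""
from dataclasses import dataclass
from typing import List, Optional

MIN_SCORE, MAX_SCORE = 1, 5               # 1-5 scale for likelihood and impact
RED_THRESHOLD, AMBER_THRESHOLD = 15, 6    # assumed banding of the 1-25 combined score


@dataclass
class Risk:
    """One row of the register (a subset of the fields the guide lists)."""
    risk_id: str
    category: str
    description: str
    gross_likelihood: int     # before controls (inherent risk)
    gross_impact: int
    net_likelihood: int       # after controls (residual risk)
    net_impact: int
    previous_net_score: Optional[int] = None   # net score at the last review, if any


def score(likelihood: int, impact: int) -> int:
    """Combine likelihood and impact into one score: 1 (1x1) up to 25 (5x5)."""
    for value in (likelihood, impact):
        if not MIN_SCORE <= value <= MAX_SCORE:
            raise ValueError(f"components must be {MIN_SCORE}-{MAX_SCORE}, got {value}")
    return likelihood * impact


def rag_band(risk_score: int) -> str:
    """Traffic-light band for a combined score (thresholds are an assumption)."""
    if risk_score >= RED_THRESHOLD:
        return "Red"
    if risk_score >= AMBER_THRESHOLD:
        return "Amber"
    return "Green"


def direction_of_travel(current: int, previous: Optional[int]) -> str:
    """Direction of the net score since the last review: up, down or static."""
    if previous is None or current == previous:
        return "static"
    return "up" if current > previous else "down"


def assess(risk: Risk) -> dict:
    """Gross (inherent) and net (residual) scores plus band and direction for one risk."""
    gross = score(risk.gross_likelihood, risk.gross_impact)
    net = score(risk.net_likelihood, risk.net_impact)
    return {
        "risk_id": risk.risk_id,
        "gross_score": gross,
        "net_score": net,
        "rag": rag_band(net),
        "direction": direction_of_travel(net, risk.previous_net_score),
    }


def rank(risks: List[Risk]) -> List[str]:
    """Risk IDs ordered by net score, highest first. Equal scores are broken in
    favour of the higher impact, so a low-likelihood/high-impact risk outranks
    a high-likelihood/low-impact risk with the same product."""
    ordered = sorted(
        risks,
        key=lambda r: (score(r.net_likelihood, r.net_impact), r.net_impact),
        reverse=True,
    )
    return [r.risk_id for r in ordered]


def outside_tolerance(risks: List[Risk], appetite: int) -> List[str]:
    """Risks whose residual score still exceeds the board's stated appetite."""
    return [r.risk_id for r in risks if score(r.net_likelihood, r.net_impact) > appetite]


# Constructed sample register for the example (not real trust data)
SAMPLE_REGISTER = [
    Risk("R1", "IT", "Cyber-attack on the trust's IT systems; pupils cannot access saved work",
         gross_likelihood=3, gross_impact=5, net_likelihood=2, net_impact=5, previous_net_score=15),
    Risk("R2", "Finance", "Falling roll reduces funding below budget",
         gross_likelihood=4, gross_impact=3, net_likelihood=3, net_impact=3, previous_net_score=9),
    Risk("R3", "Premises", "Minor slips and trips on site",
         gross_likelihood=5, gross_impact=1, net_likelihood=4, net_impact=1),
    Risk("R4", "Premises", "Flooding of the main school building",
         gross_likelihood=1, gross_impact=5, net_likelihood=1, net_impact=4),
]

if __name__ == "__main__":
    for risk in SAMPLE_REGISTER:
        print(assess(risk))
    print("ranking:", rank(SAMPLE_REGISTER))           # R4 outranks R3 despite equal net scores
    print("outside appetite of 6:", outside_tolerance(SAMPLE_REGISTER, 6))
```

Run as a script it prints each risk’s gross and net scores, the ranking and the risks above the assumed appetite. The tie-break in `rank` is the only place the example goes beyond a plain product: R3 and R4 both score 4 after controls, but R4 is listed first because its impact is higher.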
2.6 Reporting and scrutiny
The board and the audit and risk committee should set out how and when they want to receive information about risks. Information should be clear and provide key information on the significant business risks. The information should support the board and the audit and risk committee to assess whether decisions are being made within their risk appetite, to review the adequacy and effectiveness of internal controls, to reprioritise resources and improve controls and to identify emerging risks.
For this process to be effective it is important that the number of risks reported is appropriate to the trust’s own circumstances and is a manageable number. If too many risks are reported the process may become more difficult to manage and may lose focus.
The frequency of the board’s review of the risk register is a matter for the board, though at least an annual review is required by the AFH (part 2). The audit and risk committee may decide that it is appropriate to review the risk register at every meeting. However, this may result in a diminution in impact if it comes to be regarded as a routine box ticking exercise. The frequency of review can be kept flexible, with more frequent review during periods of heightened risk.
As part of the trustees’ report, which accompanies the audited financial statements, academy trusts are required to explain their principal risks and uncertainties and the plan for managing those risks.
Boards should keep their own risk appetite under review and should consider the ongoing appropriateness of their risk management policy. Unforeseen events will materialise periodically and when this happens the board should consider the extent to which the risk was identified and measured and whether the selected control measure was appropriate.
The audit and risk committee is responsible for directing the academy trust’s programme of internal scrutiny. The internal scrutiny function must focus on evaluating the suitability of, and level of compliance with, financial and non-financial controls, offering advice and insight to the board on how to address weaknesses in financial and non-financial controls and ensuring all categories of risk are being adequately identified, reported, and managed. The risk register also facilitates a rational risk-based approach for the internal scrutiny function’s work programme and the risk register must be used as a reference point, as required by the AFH (part 3).
Risk management is also about ensuring that the control environment remains effective in managing the risks that are already known, for example through testing of the controls. Risks will materialise if controls only exist on paper. Trustees must stress test the controls and mitigating actions to ensure that they have been implemented and are effective. For example, trustees, or the internal scrutiny function, could ask their IT provider to produce their MIS backup data within contract time and quality requirements.
3. Common pitfalls
- Reporting too many risks: academy trusts can fall into the trap of tracking too many risks or ones that substantially overlap. The board should clarify the number of risks they are able to oversee, perhaps prioritising their “top 10”. Other “divisional” risks may be delegated and managed locally.
- Ignoring known risks: risks are sometimes ignored because of organisational politics or the preferences of a dominant personality. Are you ignoring the elephant in the room because of the tone at the top?
- Overreliance on subjective judgement: one person’s risk is another person’s opportunity and individual perceptions influence the way risks are assessed. Potential risks should be discussed with the aim of reaching a common understanding of what they are and how they should be dealt with.
- No real buy-in at a senior level: the person who administers the risk management framework may not have the seniority to have an impact or the capacity to fulfil the role effectively. As a result, risk management may not get the required attention and the process may decline into a tick-box exercise. Academy trusts should ensure that the person appointed is sufficiently senior to have adequate influence and has sufficient time to dedicate to the role, and/or designate one of the trustees as their “risk champion”. The audit and risk committee role is to ensure the risk management framework in place is effective.
- Risks not linked to strategic objectives or only captured bottom-up: commonly risks are captured from the bottom up and this can leave them disassociated from strategic objectives. As a result it may be almost impossible to see what impact risks are going to have on the academy trust’s goals at a higher level. Although ultimate responsibility for risk management lies with the board, everyone in the academy trust has a role to play in identifying risks to business goals.
- Over-complexity: endless discussions about methodology and terminology, which leave no time left to address the risks themselves, are symptomatic of an over-engineered approach.
- Not using the output: it has been said that all management is risk management. Whether or not this is so, organisations that put the review of risks as the last item on meeting agendas run the risk of an unexpected event having a significant negative impact on a business-critical system. Furthermore, good risk management will inform a sound programme of internal scrutiny reviews, which should focus on areas of risk.
4. Conclusion
Active risk management is fundamental to any organisation and should be embedded in its activities and processes. It is not about creating excessive paperwork, but rather about proactively identifying appropriate measures to control risks.
Most academy trusts are probably already doing this instinctively, or as the result of legal requirements (such as fire safety risk assessment), but a risk management policy helps you decide whether you have covered everything you need to. There is no “one size fits all” for risk management arrangements. They must be tailored to fit the size, complexity and particular challenges facing an academy trust. However, even for a small academy trust the process needs to be formal, documented and provided with appropriate resources.
Individual risks should not be looked at entirely in isolation from each other and should always be linked to business objectives. If trustees take a holistic view of risk management then appropriate processes can then be embedded in both day-to-day operations and governance.
5. Acknowledgements
Special thanks to Maxine Adams, Chief Finance & Operations Director, Apollo Partnership Trust; Chair, Leicestershire Academies Group.
ESFA will review and update this guide by December 2023.