7 August 2019
Risk. This is a term often used by ESFA and the demanding requirements of the Academies Financial Handbook (AFH) require all academy trusts to manage risks to ensure effective operation. The new 2019 AFH, effective from 1 September coming, goes one step further than previous editions and states that trusts ‘must’ maintain a risk register (previously a ‘should’).
Risk management is a very broad topic and the list of risks that an academy trust may face is more or less endless. So how this should be approached?
What is risk management?
Risk management involves the identification, measurement, management, monitoring and reporting of threats to an organisation’s business objectives. Threats can be categorised into areas such as:
- physical (e.g. flood or fire)
- reputational (e.g. poor Ofsted, health and safety)
- financial (e.g. fall in pupil numbers leading to drop in income, poor budgeting)
- human resources (e.g. weak leadership, poor recruitment)
- Infrastructure (e.g. IT failure, loss of utilities)
- Governance (e.g. poor attendance at meetings, insufficient knowledge of trustees).
Some risk is managed easily, whilst it is impossible to protect against other risks entirely, and for these it is necessary to have an action plan to reduce the impact. Risk management therefore must include contingency and business continuity planning.
ESFA have prepared helpful risk management guidance which explains how risk management may be approached, including how to identify risks, measure their potential and likely impact using a matrix method similar to the extract below:
Source: ESFA Academy trust risk management guide.
On-going management of risks
Once risks have been identified and rated, a key challenge can be how to manage or control these risks on an on-going basis, and how to monitor them.
The risk register is crucial to risk monitoring, and it can be difficult to get the balance right between tracking too many and too few risks. It is vital that all significant risks are identified and monitored, but including too many risks on the register can make it unwieldy and difficult to review.
The risk register can be particularly challenging in a multi-academy trust. Depending on the structure of the trust and how varied its academies are, each academy may have its own local risk register, and these should feed in to the overall trust register. The board will need to prioritise the risks they can realistically oversee – the ESFA guidance suggests prioritising the top ten.
The role of internal scrutiny in risk management
The 2019 AFH makes it very clear how internal scrutiny plays an important part in risk management. All categories of risk must be adequately identified, reported and managed.
The programme of internal scrutiny (such as internal audit) should link to the risk register with the areas for review each year identified on a risk-basis.
We have reviewed the approach to risk management for some academy trusts as part of our internal audit work, and this is something these trusts have found useful. We are able to review areas such as whether the risk register identifies all significant risks and is being reviewed regularly, whether adequate contingency plans are in place and look for evidence that trustees have had regard to further guidance such as Charities Commission risk management and the Chartered Institute of Management Accountants (CIMA) publication “Fraud risk management – a guide to good practice”.
If you would like any advice regarding risk management, please contact your local UHY Academy School specialist.
Alternatively, fill out our Contact Form here.