Risk Management Policy
Details on our Risk Management Policy
- Risk management is an essential element of any large business’ corporate management and governance arrangements. The Academies Financial Handbook requires all academies to recognise and manage their risks, prepare risk registers and have procedures in place to regularly assess and review those
- An effective risk management framework must be:
- embedded at all levels of the business;
- both top-down and bottom-up, with identified risks being effectively escalated and disseminated as appropriate;
- consistent throughout the business;
- simple and not resource intensive;
- not a ‘bolt-on’ to normal business activity, but instead central to it; and useful
- In order to achieve the above objectives, some of which are in tension with each other, the objectives and concerns of management and the contents of each risk report must align with each other. In other words, the agendas for the Board of Directors (the Board), Local Governing Bodies (LGBs) and academy management meetings, and the contents of the Whole Trust Risk Report should significantly overlap.
A starting point for any schedule of risks should be the objectives of the academy, and the identification of risks that prevent the academy from achieving those objectives. This may appear to be self-evident, but this relationship is often missing from risk registers which instead often concentrate on minor operational concerns, or major ones that have not been identified in the business
- The Board is responsible for the oversight of Trust activity. The Board has identified that its Finance and Resources Committee and/or Audit Committee should have specific oversight over the Trust’s risk management arrangements.
- Each Headteacher has responsibility for ensuring that management of risk is properly addressed in all areas within their operational control.
- The Local Governing Body of each academy school should be aware of the risk register and the risks contained on it and should hold their Headteacher to account for the management of those risks in that school. A review of the school’s risk register should be a standing item of the LGBs Finance Committee agenda.
- The Director of Finance and Academy Services has been tasked with ensuring that the Trust has a robust and effective overarching risk management framework.
- For practical purposes, updated risk reports from each academy Headteacher shall be reported annually to the Director of Finance and Academy Services, at the start of each academic year. The Director of Finance and Academy Services shall prepare the Whole Trust Risk Report based on these submissions, for Finance and Resources Committee consideration.
3. Risk Appetite
The Board has established the Trust’s risk appetite as follows: The Trust is not risk adverse. In seeking to achieve its objectives it is willing to take risks, providing that they are identified, properly approved and that management have taken appropriate mitigating action, including preparing robust contingency plans. Staff who take risks within this context will not be penalised if subsequent events prove that the risk was actually unsafe.
4. Identification of Risks
- Risks should be considered in the light of:
- Trust and Academy strategic objectives;
- Learning and achievement objectives;
- Financial strategy;
- HR strategic objectives;
- Estates/Premises strategy;
- IT strategy; and
- Marketing strategy.
- There is a large degree of judgement in respect of which risks are identified and which are not, but a review of the above documents, and discussion with peers, Governors and Directors, should enable the Trust’s key risks to be identified. It is important that this process also includes scope for risks to be escalated from all staff, ideally through local risk reports.
- Risks are classified in three categories, as follows:
- Risks that have been ‘realised’, that is they have already happened, and are in fact ‘issues’;
- Risks that have not happened and which need to be identified, managed and monitored; and
- Risks that are more speculative, but which it may be helpful to capture in order to ensure a ‘no surprises’ environment (as far as is humanly possible).
Each Headteacher’s risk report should concentrate on the second class of risk, although the academy’s risk reports should include all material risks, including those that have been realised.
5. Completion of the Risk Report
- Each Headteacher’s Risk Report is a classic ‘risk register’ but should not merely identify and document risks, but the report should form a part of the active management of the academy business.
- The following paragraphs provide a brief synopsis of the contents of each risk
- Risk Title: a single statement that encapsulates the risk in a negative manner, for example, ‘weaknesses in’, ‘failure to’ and so forth
- Risk Description: a very brief outline of the actual risk itself that enables the reader to grasp the concern
- Owner: this should be a senior manager, and for the whole Academy risk report this should be Headteacher who is the ultimate risk owner. The risk owners may not be involved in the detailed mitigating actions, but they will need to direct resources and ensure progress is made in managing risks
- Mitigating Action Undertaken: those policies, processes and systems that both exist and operate effectively
- Mitigating Action to be Undertaken: those actions and/or improvements that need to be taken forward to better manage those risks. These actions should align with operating plan objectives and individual objectives. A timescale for action is also required.
- Impact: what will be the consequences if the risk is realised? Ultimately this is a matter of judgement, but the following table is offered as a guide for the whole Trust risk report.
|High||In excess of £1m||Learning is halted||Hits national press|
|Medium||In excess of
|Learning is significantly disrupted||Hits local press or educational partnerships|
|Low||Below £100k||Some learners are adversely affected||Within the Academy|
- The impact assessment usually remains constant despite mitigating action, as mitigating action usually reduces the likelihood of a risk occurring, and not its impact. Instances where this is not the case is where robust contingency plans exist that addresses the consequences if a risk manifests itself, or if environmental change occurs, (for example, there is new legislation or changed funding rules).
- Likelihood: again this is largely a matter of judgement, but the following table is offered as a guide.
|High||50% to 100%||The risk has happened, or is expected to happen, more likely than not|
|Medium||10% to 50%||There is a significant possibility that the risk might occur, but less than 50%|
|Low||5% to 10%||There is a small but not insignificant chance that the risk might materialise, that is more than 5%.|
|Very Low||Less than 5%||Risks that are considered to have a probability of less than 5% should not be included on the risk register|
- The completion of ‘Impact’ and ‘Likelihood’ fields then results automatically in a risk assessment of High, Medium or Low, with the following definitions.
|Overall Assessment||Colour Coding||Definition|
|High||RED||A business critical risk|
|Medium||AMBER||A significant business risk|
|Low||GREEN||An important risk that requires management|
- A GREEN risk does not equate to ‘no risk’.
- Each Risk Report keeps a record of previous months’ risk scores. This provides a track record of when the risk was first identified, and how its assessment has changed over the subsequent months.
- When risks are escalated from individual academy risk reports, the categorisation may well change. For example, one academy may have a RED risk in respect of success rates. By itself, this may not appear on the Whole Trust Risk Report, and might only be a “GREEN” risk on another academy risk report. The risk itself has not changed, it is simply a matter of perspective at different levels.
- Where numerous team reports have the same RED risk, then it might well be appropriate for this RED risk to be reflected globally on the Whole Trust Risk Reports. Again this is a matter of judgement and will be considered and co-ordinated in the first instance by each Headteacher for their reports and by the Director of Finance and Academy Services for the report submitted to the Finance and Resources Committee.
- Risk management often operates effectively at senior levels of a business, but not so well at frontline levels. This is because management fail to embed risk management (in a non-invasive manner) at all levels of the business.
- Traditional routes of addressing this risk include establishing risk champions, risk forums, and leaflets and communications. These approaches are not included within this Policy. Firstly they add to potential information and management over-load, but more importantly they can lead to a situation where ‘risk management’ is perceived to be something separate from normal management or normal work activity; or even worse, that it is somebody else’s problem and responsibility.
- To avoid this:
- all staff are reminded that they are responsible for managing the risks associated with their areas of responsibility;
- each member of staff should know who to escalate risks that are outside of their ability to address;
- management should capture any such risks within team risk reports for formal reporting and monitoring purposes;
- risk management should appear on all team meeting agendas, providing a mechanism for risks discussed within the meeting to be captured, and where necessary escalated, and
- all risk reports will be available on Academy
7. Monitoring and Review
- This Policy will be reviewed annually, or as otherwise directed by the Board, Trust policy or legislative
Review Date: October 2016 Next Review Due: October 2017
Author: Nichola Stretton – Director of Finance and Academy Services