Bishop Fleming

Risk Management and Assurance for Academies

26th November 2020

A question for you: How do you reconcile the total accountability of the Board for all that the Trust does with the practical impossibility of knowing everything that is being done in the Trust’s name?

The answer (at least in part) is having a robust process for the management of risk which includes providing you (be it the SLT, Finance Committee, Audit Committee, Board, or an individual Trustee) with assurance that everything is ok (or as ok in practice as you believe it to be).

In governance terms, it’s no longer an acceptable response to say “no-one told me there was a problem so how was I supposed to know?”

The answer to this, certainly at Trustee level but equally for senior management is that you are (now) required to keep asking / checking / challenging until you have concrete evidence that either everything is ok, or you know categorically that you have a problem in that area (and so can go on to decide what you do about it).

The AFH updates last year and again this year strengthened a number of key governance and risk assurance requirements for Academy Trusts. The main overall theme, though, was a reinforcement of the requirement for you to be aware of, and where practical manage, all risks (financial and non-financial), and equally to be assured that they are effectively mitigated in practice. Trusts have been told for a while now that they need greater clarity and visibility over their key risks, and the expanded AFH requirements of recent years are intended to help Trusts achieve this.

This is actually a beneficial development IF it is approached in a pragmatic and reasonable way. But many Trusts are unsure how to apply or achieve this in practice.

To help with this, Trusts must (the AFH previously said “should”) now have a formal risk register, but the format for this isn’t set or prescribed. Each Trust therefore needs to make sure that whatever format it adopts for a risk register, it actually does help practically with their view on how well everything is managed. All too often a lot of time and effort (and no short measure of blood, sweat and tears) goes into ensuring that there is a lengthy, intricately coloured, fully scored but in all likelihood too complicated risk register that actually doesn’t provide you with much in terms of concrete assurance. Far better to keep it simple, update it often and ensure it tells you enough about what is currently happening with each risk. In this way, you can use it to start or prompt conversations about what needs focusing on, and what to do next.

Good practice already suggests (and the above direction of travel will ultimately require) that the risk register does more than simply identify key risks. To be a properly useful assurance tool for management and Board / Audit Committee alike, it should also:

  • highlight both existing and further required controls / processes to manage the identified risks;
  • produce a clear list of further actions required to “close the gap” on the risks faced by the Trust; and
  • produce a clearer picture of the assurance (or evidence) that the Trust currently relies on to inform management and Board / Audit Committee that things are indeed working as well as they are believed to be.

But what exactly constitutes “assurance”? To answer this, let’s have a brief recap on risk management in general:

  • Do we know what we want to achieve? -> AIMS / OBJECTIVES
  • Do we know what is going to stop or hinder us achieving these? -> RISKS
  • What are we doing to address these risks? -> CONTROLS / MITIGATION
  • But are the controls / mitigation truly effective? How do we know? -> ASSURANCE

A risk is something that might happen to threaten an expected outcome. Risks generally have a “cause” and produce an “effect”, and it sometimes helps to think about what these may be in order to properly describe the risk itself (and also so everyone is talking about the same risk). Think of a fire – the risk of a fire will have several possible causes (for example carelessness, electrical equipment fault, arson), and numerous effects (damage to or destruction of property, and of course injury or death). You can then direct attention to reducing the likelihood of the causes, and minimising the impact of the effects. Thinking of risk in this way is especially useful when trying to tie down risks for a new area or venture – what are you trying to achieve, what things would stop or hinder that, what would cause those things, and what would the effect be if they happened?

You may see the terms “inherent” and “residual” risk used too. All this means is the extent to which we have contained the risk by introducing controls: the inherent risk is the level of risk before any controls are applied, and the residual risk is the level that remains once the controls are in place.

Controls or mitigations are actions taken to reduce the chance of the risk coming to pass (its probability or likelihood) or how bad it will be if it does (its impact). Most controls tend to aim to reduce the likelihood rather than the impact.

If a risk does come to pass, it becomes an urgent issue and generally needs a contingency action to address it. Contingencies should be planned in advance but are only undertaken if the issue occurs (the risk “crystallises”).


The controls you identify to address a risk will typically fall into one of the following four types:

Controls and Assurance are not the same thing. Assurance is what gives you comfort that a control is working properly. It therefore informs you whether a risk is being managed in practice as effectively as you had envisaged on paper. It helps you to answer the questions:

    “How do you know that everyone understands what they should be doing?”
    “How do you know they then do this in practice?”
    “How do you know if this has been effective?”
    “How do you know therefore that we’ll achieve our aim or outcome?”

In a nutshell, you need some form of assurance that everything you think is being done “on the ground” to stop your risks becoming a reality actually is happening in practice.

Assurance can be obtained from several different sources – it can (and should) come from management first of all; additional assurance is then gained through Senior Management / Board challenge and discussion, with a further layer provided by internal audit and other external sources.

Ideally the risks / assurances should be linked to your “KPI dashboard”, as a KPI can tell you exactly whether the outcome (financial, academic or otherwise) is where you want it to be or not. Don’t create extra work for yourself – use what you already have. Make use of and link existing “KPI dashboards” rather than duplicating or reinventing the wheel.

So, putting all this together - if we take from above that risks are simply obstacles to achieving our strategies and objectives, then Risk Management in this context is simply being able to:

  • Identify the risk cause at the earliest opportunity, measure the risk effect and apply a proportionate level of resource to controlling the risk.

AND

  • Obtain assurance that the controls on which the organisation relies to mitigate the risk are effective.

What this means is that every Trustee and Senior Leader individually must be able to answer both of the following key questions:

  • Do I know the risks faced by my Trust?

AND

  • How / by what means am I assured that these risks are adequately mitigated in practice?

To illustrate by way of an example:

Risk: Insufficient cash reserves to meet requirements

Control: Cashflow forecasts to be built into longer term forecasts, to a level of granularity proportionate to the cash “buffer” at any point in time

Potential assurances:

  • Scrutiny, review and challenge by Senior Management and Trustees – for example, the CFO is asked to articulate how they are confident the cashflow properly reflects all key factors and hence is an accurate forecast.
  • Do we have confidence built up from previous years / months of accurate cashflow forecasts without surprises?
  • What do our related KPIs tell us?
  • Supplementary assurance can be gained from an Internal Audit review of the process and related assumptions used.

These together give us confidence that the control – producing a cashflow forecast – is an effective means of mitigating the risk of running out of cash.

In summary, you are therefore being asked to review your process for identifying and managing risk, but also to then look at what this is telling you – where are you ok, where do you have problems (do you know?), and are there any areas where you can’t answer this (i.e. you have a gap in assurance)? You then need to discuss and decide how best to obtain this missing assurance, and fill these gaps.

Note also that your resulting action in each case will be different. That’s why it’s so important to be clear on the assurances available for any given risk, as they directly influence whether you take further immediate action or simply can sit back and monitor the risk.

Ultimately, within an Academy Trust the responsibility for ensuring risks are managed appropriately rests with the Board of Trustees. Should a risk materialise - for example, breakdown in safeguarding or financial mismanagement - questions will be raised regarding the effectiveness of the governance and risk management processes. It is therefore imperative that members of the Board – collectively and individually – are able to articulate how and to what extent they are assured that all risks – financial and non-financial - are properly mitigated in practice.

So ask yourself - how do I know everything is operating well in practice, and therefore that:

  • risks are actually rather than only theoretically controlled, and 
  • we are actually rather than theoretically compliant?

Tips / takeaways for risk management and assurance:

  • Keep the “two key questions” in mind at all times.
  • Keep it simple. A simple but clear register is much more likely to be kept up to date and therefore be useful to you.
  • Keep it focused on assurances and actions (and ensure actions are actually actioned).
  • Remember assurances can be internally provided by management as well as external (eg from internal audit).
  • Don’t have too many top level / corporate risks. A Board probably cannot properly scrutinise 300 risks and their related assurances. Signpost the top 10 / 15 / 20 – whatever you consider reasonable.
  • Don’t spend too long trying to control risks you have little influence over; instead, plan your response.
  • Ensure scoring is collegiate/moderated and prompts discussion – the narrative should explain the score and be the real focus – the score is only a marker to start and direct the conversation to the areas most needed.
  • Where relevant, think about / include links to strategic aims or objectives, and think of the risk(s) in terms of what will stop or hinder you achieving these.
  • Use the risk description to make it clear exactly what risk the Trust is seeking to review and mitigate. In so doing, it may be helpful to (explicitly) consider both the risk cause and risk effect when expanding the risk description, so it is as clear as possible to the reader what is being considered.
  • Consider the most practical way to include or reflect local school risk as appropriate, in particular where a local school risk may represent or become a Trust-wide risk. COVID-19 aside, individual schools in a MAT don’t necessarily need to maintain their own full-blown detailed risk registers, but there should still be a mechanism for them to articulate their own risks and related assurances, and for these to feed into the Trust-level register if and when they need to.
  • The assurance that management relies on to inform them how well the risk is currently mitigated in practice should be included / articulated in the register, together with an indication of what this assurance currently shows in order to properly inform and drive decision-making. For example, is the associated KPI for a particular risk within tolerance or substantially breached? Is it below tolerance but close to the threshold? Have internal audit reviewed the area recently? If so was the report positive or negative? What action should the Trust take as a result?
  • Management should be regularly asked to present to Trustees on risks they are responsible for managing, to build Trustee understanding of the risk itself, its context but also how they as managers are assured on a day-to-day basis (ie – “understand how they sleep at night so you can sleep at night”).
  • As well as concentrating on higher scored (“red” or “amber”) risks, there should periodically be a challenge of risks with a higher inherent but lower residual score as a result of mitigating controls (“green” risks), to ensure that the related assurance indicates the mitigated risk score really is as low in practice as reported. Is it really green, or a red risk masquerading as a green risk because you’ve been lulled into a false sense of security? (Incidentally, the term for these is “watermelon” risks – green at first glance, but scratch the surface and they quickly show their true red colour underneath…)
  • Realise you are managing risk most if not all of the time, and you’re actually quite accomplished at doing so.  Equally, don’t think that you are only considering risk management when it’s named as an agenda point. It’s fine to have an agenda point to review the process and perhaps the register, but don’t lose sight of the valuable risk identification, challenge and resulting assurance that comes out of the discussions for other agenda points. (eg if Risk Management is agenda item #10, remember that you’re also managing risks for agenda points #1-#9. How are these captured and updated on to the register?)
  • Finally, when considering information presented to you regarding the risk mitigation and related action:
  1. Do you feel you have enough assurance / information?
  2. Do you feel you have the right assurance / information? 
  3. What else do you think you need to provide you with comfort?
  4. What is the question? Ie – what do we actually need assuring?
  5. Do we have all the assurances we need to answer this, across all key areas?
  6. Does the assurance only provide comfort on part of the question / area? Or all? How do we know?
  7. How rigorous is the assurance? Is it evidence based?
  8. What is the assurance telling us? What other questions result?
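The register checks described in the tips above (a residual score should be backed by current, positive assurance, and a “green” risk with a high inherent score deserves a second look) can be made mechanical. The following Python is an added example, not part of the original article or of any Bishop Fleming tooling; the likelihood × impact scoring, the red / amber / green thresholds, the 365-day staleness window and the three-risk sample register are all constructed assumptions for illustration.

```python
"""Constructed example: flag assurance gaps and 'watermelon' risks in a simple register."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Assurance:
    source: str      # e.g. "CFO challenge at Finance Committee", "internal audit", "KPI"
    positive: bool   # did the evidence indicate the control is working?
    age_days: int    # how old the evidence is


@dataclass
class Risk:
    name: str
    control: str
    inherent_likelihood: int   # 1..5 before controls (assumed scale)
    inherent_impact: int
    residual_likelihood: int   # 1..5 after controls
    residual_impact: int
    assurances: List[Assurance] = field(default_factory=list)


def score(likelihood: int, impact: int) -> int:
    """Assumed scoring: likelihood x impact on a 1..5 scale gives 1..25."""
    return likelihood * impact


def rag(value: int) -> str:
    """Assumed red / amber / green bands for a 1..25 score."""
    if value >= 15:
        return "red"
    if value >= 8:
        return "amber"
    return "green"


def current_assurances(risk: Risk, max_age_days: int) -> List[Assurance]:
    return [a for a in risk.assurances if a.age_days <= max_age_days]


def assurance_gap(risk: Risk, max_age_days: int = 365) -> bool:
    """True when nothing recent tells the board whether the control works."""
    return not current_assurances(risk, max_age_days)


def watermelon(risk: Risk, max_age_days: int = 365) -> bool:
    """Reported green after controls, red before them, and the residual score is
    not backed by current positive assurance (stale, missing or negative)."""
    inherent = rag(score(risk.inherent_likelihood, risk.inherent_impact))
    residual = rag(score(risk.residual_likelihood, risk.residual_impact))
    if inherent != "red" or residual != "green":
        return False
    current = current_assurances(risk, max_age_days)
    return not current or not all(a.positive for a in current)


def review(register: List[Risk], max_age_days: int = 365) -> Dict[str, List[str]]:
    """Map each risk name to the findings a board would want to discuss."""
    findings: Dict[str, List[str]] = {}
    for risk in register:
        notes = []
        if assurance_gap(risk, max_age_days):
            notes.append("assurance gap")
        if watermelon(risk, max_age_days):
            notes.append("watermelon")
        findings[risk.name] = notes
    return findings


# Constructed sample register, loosely modelled on the article's cash-reserves example.
SAMPLE_REGISTER = [
    Risk("Insufficient cash reserves", "Cashflow forecast built into longer-term forecasts",
         4, 5, 2, 4, [Assurance("CFO challenge at Finance Committee", True, 30),
                      Assurance("internal audit review of forecast assumptions", True, 200)]),
    Risk("Safeguarding breakdown", "Safeguarding policy and DSL training",
         4, 5, 1, 4, [Assurance("management report to Trustees", True, 600)]),  # stale evidence
    Risk("Loss of key staff", "Succession planning",
         3, 3, 2, 3, []),                                                       # no assurance at all
]

if __name__ == "__main__":
    for name, notes in review(SAMPLE_REGISTER).items():
        print(f"{name}: {', '.join(notes) or 'no findings'}")
```

The point of the check is that a low residual score on its own says nothing; the register only becomes an assurance tool once each score is tied to evidence that is both current and positive, which is why the safeguarding entry above is flagged despite looking “green”.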
