A question for you: How do you reconcile the total accountability of the Board for all that the Trust does with the practical impossibility of knowing everything that is being done in the Trust’s name?
The answer (at least in part) is having a robust process for the management of risk which includes providing you (be it the SLT, Finance Committee, Audit Committee, Board, or an individual Trustee) with assurance that everything is ok (or as ok in practice as you believe it to be).
In governance terms, it’s no longer an acceptable response to say “no-one told me there was a problem so how was I supposed to know?”
The answer to this, certainly at Trustee level but equally for senior management, is that you are (now) required to keep asking / checking / challenging until you have concrete evidence that either everything is ok, or you know categorically that you have a problem in that area (and so can go on to decide what you do about it).
The AFH updates last year and again this year strengthened a number of key governance and risk assurance requirements for Academy Trusts. The main overall theme though was a reinforcement of the requirement for you to be aware of, and where practical manage, all risks (financial and non-financial), and equally be assured that they are effectively mitigated in practice. Trusts have been told for a while now that they needed greater clarity and visibility over their key risks, and these expanded AFH requirements in recent years are seeking to help Trusts achieve this.
This is actually a beneficial development IF approached in a pragmatic and reasonable way. But many Trusts are unsure how to apply or achieve this in practice.
To help with this, Trusts must (previously should) now have a formal risk register, but the format for this isn’t set or prescribed. Each Trust therefore needs to make sure that whatever format it adopts for a risk register, it actually does help practically with their view on how well everything is managed. All too often a lot of time and effort (and no short measure of blood, sweat and tears) goes into ensuring that there is a lengthy, intricately coloured, fully scored but in all likelihood too complicated risk register that actually doesn’t provide you with much in terms of concrete assurance. Far better to keep it simple, update it often and ensure it tells you enough about what is currently happening with each risk. In this way, you can use it to start or prompt conversations about what needs focusing on, and what to do next.
Good practice already suggests (and the above direction of travel will ultimately require) that the risk register does more than simply identify key risks. To be a properly useful assurance tool for management and Board / Audit Committee alike, it should also:
But what exactly constitutes “assurance”? To answer this, let’s have a brief recap on risk management in general:
Do we know what we want to achieve?
-> AIMS / OBJECTIVES
Do we know what is going to stop or hinder us achieving these?
-> RISKS
What are we doing to address these risks?
-> CONTROLS / MITIGATION
But are the controls / mitigation truly effective? How do we know?
-> ASSURANCE
A risk is something that might happen to threaten an expected outcome. Risks generally have a “cause”, and produce an “effect”, and it sometimes helps to think about what these may be to properly describe the risk itself (and also so everyone is talking about the same risk). Think of a fire – the risk of a fire will have several possible causes (for example carelessness, electrical equipment fault, arson), and numerous effects (damage to or destruction of property, and of course injury or death). You can then direct attention to reducing the likelihood of the causes, and minimising the impact of the effects. Thinking of risk in this way is especially useful when trying to tie down risks with a new area or venture – what are you trying to achieve, what things would stop or hinder that, what would cause those things and what would the effect be if they happened.
You may see the terms “inherent” and “residual” risk used too. All this means is to what extent have we contained the risk by introducing controls:
Controls or mitigations are actions taken to reduce the chance of the risk coming to pass (its probability or likelihood) or how bad it will be if it does (impact). Most controls tend to aim to reduce the likelihood rather than the impact.
If a risk does come to pass, it becomes an urgent issue and generally needs a contingency action to address it. Contingencies should be planned in advance but are only undertaken if the issue occurs (the risk “crystallises”).
Controls and Assurance are not the same thing. Assurance is what gives you comfort that a control is working properly. It therefore informs you whether a risk is being managed in practice as effectively as you had envisaged on paper. It helps you to answer the questions:
“How do you know that everyone understands what they should be doing?”
“How do you know they then do this in practice?”
“How do you know if this has been effective?”
“How do you know therefore that we’ll achieve our aim or outcome?”
In a nutshell, you need some form of assurance that everything you think is being done “on the ground” to stop your risks becoming a reality actually is happening in practice.
Assurance can be obtained from several different sources – it can (and should) come from management first of all, then additional assurance is gained through Senior Management / Board challenge and discussion, with another layer then provided by internal audit and other external sources.
Ideally the risks / assurances should be linked to your “KPI dashboard”, as a KPI can tell you exactly whether the outcome (financial, academic or otherwise) is where you want it to be or not. Don’t create extra work for yourself – use what you already have. Make use of and link existing “KPI dashboards” rather than duplicating or reinventing the wheel.
So, putting all this together - if we take from above that risks are simply obstacles to achieving our strategies and objectives, then Risk Management in this context is simply being able to:
AND
What this means is that every Trustee and Senior Leader individually must be able to answer both of the following key questions:
AND
To illustrate by way of an example:
| Risk | Control | Potential Assurances |
| --- | --- | --- |
| Insufficient cash reserves to meet requirements | Cashflow forecasts to be built in to longer term forecasts to a level of granularity proportionate to the cash “buffer” at any point in time | Scrutiny, review and challenge by Senior Management and Trustees – for example, the CFO is asked to articulate how they are confident the cashflow properly reflects all key factors and hence is an accurate forecast. Do we have confidence built up from previous years / months of accurate cashflow forecasts without surprises? What do our related KPIs tell us? Supplementary assurance can be gained from an Internal Audit review of the process and related assumptions used. These together give us confidence that the control – producing a cashflow forecast – is an effective means of mitigating the risk of running out of cash. |
In summary, you are therefore being asked to review your process for identifying and managing risk, but also to then look at what this is telling you – where are you ok, where do you have problems (do you know?), and are there any areas that you can’t answer this for (i.e. you have a gap in assurance)? You then need to discuss and decide how best to obtain this missing assurance, and fill these gaps.
Ultimately, within an Academy Trust the responsibility for ensuring risks are managed appropriately rests with the Board of Trustees. Should a risk materialise - for example, breakdown in safeguarding or financial mismanagement - questions will be raised regarding the effectiveness of the governance and risk management processes. It is therefore imperative that members of the Board – collectively and individually – are able to articulate how and to what extent they are assured that all risks – financial and non-financial - are properly mitigated in practice.
So ask yourself - how do I know everything is operating well in practice, and therefore that:
Tips / takeaways for risk management and assurance: