Bishop Fleming Funding Advisory Service

Risk management and the role of the audit committee

9th October 2020

The focus on risk management has never been greater than since COVID came onto our radar. Your trust is required to have an audit and risk committee to advise the board on the internal control framework and risk management arrangements, direct internal scrutiny, and look after external audit quality and results.

While schools have, for years, undertaken the practice of risk management in many forms, the formalising of a risk register itself has evolved and has now been regulated within the AFH.

In my experience, the function of the audit committee varies in its effectiveness, with some really covering all duties and responsibilities thoroughly, and others less so. In times like these we really do need to focus on making sure our committees are really asking those questions around “how do we know” everything is ok in practice, and checking the terms of reference and actual activity covers all that is required.

We have helped many clients review the trustees’ approach to risk and indeed the function of the audit and risk committee; it really can be helpful to have an additional view on their terms of reference and function, and to make sure it’s happening in practice. It really is fascinating to see the range of approaches, and let’s not forget each trust has its own way, but the fundamentals of the requirements are necessary.

We have, no doubt, all believed we were “scrutinising” our risk assessments previously but, in real terms, probably not as much as we should. This has clearly changed over the summer and from Autumn 2020, with wider school opening and the maintenance of safe environments for the children and young people to learn due to COVID.

While the audit and risk committee will advise the board, let’s not forget that it is the overall responsibility of the whole board to manage risk and of course, this is not just financial risks, but the whole operation and activities of the trust. This must be reviewed at least annually by the board and should include contingency and business continuity.

The ESFA guidance on Academy trust risk management is helpful with the mechanics of risk management. There are basic steps to developing a risk management process as below, which are covered in detail in the guidance: 

[Figure: ESFA Risk Management]

In practical terms, the executives will create and maintain the documents, including the identification, measurement, management (control) and monitoring, but it is the board (including any sub-committee) who should set out what you want to see and when, to be able to satisfy yourselves that you really know that risk is being monitored and mitigated as far as possible.

When risk is high, you may want a more frequent review, and to use internal scrutiny both to check that risk management is actually operating in practice and to assure boards that risk is being appropriately managed.

The role of the audit committee (and the full meaning of assurance) is also to challenge where something is reported as operating well / low risk / green to make sure it really is (i.e. does the evidence support this assertion), as much as to scrutinise what management plans to do about the risks everyone agrees are high / red.

As employers, the board and CEO carry a great deal of responsibility and we need to be sure that we are happy with the measures and processes in place.

If you would appreciate any help in connection with audit and risk, or internal controls, please do contact us.
