As school leaders, risk management is something that we are incredibly familiar with. We have processes in place to ensure safety on school trips, that our site is secure and that we screen staff who work for us in accordance with safeguarding legislation.
We have woven these systems into the fabric of school life, often without issue or incident. However, there are other types of risks to our schools – beyond the operational – that require more consideration and focus to allow us to mitigate them appropriately.
By taking a strategic approach to risk management, your school can be proactive and make well-informed and timely decisions.
What does risk management involve?
The process of risk management in schools involves six steps:
- identification
- assessment
- measurement
- management response
- monitoring
- reporting
As an organisation, you should have a process that outlines how you follow these steps to ensure that the management of risk is clearly articulated, understood and implemented by key stakeholders.
At a strategic level, you should link risk management to your school development plan and its objectives; specifically the risks that will impede you from implementing your plan effectively.
What types of risk are there?
It’s easy to fall into the mindset that everything is a risk i.e. an accident on a school trip or a break-in at school. While these are all risks, as outlined above, they will likely already have comprehensive mitigation measures in place.
Unless you have reason to believe that your measures are not working or are out of date, an audit identifies areas of concern or some other variable factor has changed, then these types of risk need not feature on your strategic and ‘live’ risk register (or similar document).
Risk management does not equate to avoiding risk altogether as this is often not possible. It’s about forward thinking, taking appropriate action at the right time and ensuring that you’ve done all that you can to reduce the impact of any risk.
If your management actions are effective and you can deem the risk ‘low’ then you are managing risk effectively.
Strategic risks usually fall into five main categories:
- governance
- educational
- financial
- external
- compliance
You can incorporate operational risks, as outlined above, into your risk management process but only if there is a significant impact upon your progress towards your strategic objectives.
Chances are, you’re covering serious operational risks under one of the other five types of risk. Here are some examples of risk for each category:
Governance: Constitution or structure of your LGB (numbers, attendance, committees), capacity of the LGB in terms of skillset and time, conflicts of interest.
Educational: Outcomes, Ofsted, curriculum, provision, staffing etc.
Financial: Limited income, insurances, procurement, internal controls, cash flow, inadequate information or reporting, asset management.
External: Reputational, demographic changes, pupil numbers, community, changes in government policy.
Compliance: Failure to meet legislative requirements, poor knowledge of responsibilities and regulations, audit issues.
How do we manage risk in schools?
Where you’ve identified a risk, you need to be able to quantify both its probability of occurrence and the relative impact if it does occur.
When you have identified the measures you are going to put in place to mitigate the risk, you should then assess what effect these measures will have on both the likelihood and impact.
You should expect a lower probability of it happening or a lesser impact if it does after you have taken management action.
In the academy sector, you will document this risk assessment process on a risk register. In the maintained sector, you may have an LA risk register template that you use or you may record it in another way.
There are four main approaches to risk:
- tolerating (accepting and managing)
- treating (controlling or reducing)
- transferring (contracting out or insuring)
- terminating (avoiding)
The approach you choose to manage each risk will depend on your context and your resources.
To be clear on accountability and responsibility, you should determine who ‘owns’ each risk. This will likely be the person who is responsible for implementing the mitigating actions.
While we know that the ‘buck’ stops with the headteacher, risk management is everyone’s responsibility. Line management and reporting to your LGB should incorporate the risk management process, ensuring that the accountability chain is robust.
Making sure your risk management process is fit for purpose
When you have successfully mitigated a risk to what you determine to be an ‘acceptable’ level, there should be a point where you remove this risk from the risk register.
This means that the focus of risk management is not diluted and that you give priority to current and ‘live’ risks. In the future, it may be that some risks ‘return’ and at that point, you can revisit them.
When it comes to managing strategic risk, it’s important that you integrate the process into existing structures and systems. This ensures that it is a regular topic of discussion.
The more people involved in the identification, assessment and management of risk, the less likely it is that the process will become subjective or overlooked.
Risk management may appear to be an onerous administrative process. However, when you implement it well, it can help you to protect your school, staff and students as well as save money, provide stability and help you to make smart decisions about the use of time and resources.
Risk management: self-evaluation
- Do we have a formal risk management process?
- Have we explicitly linked it to our strategic objectives?
- How do we categorise risk?
- Is our assessment of risk robust?
- What is our approach to risk?
- Are accountability lines clear in terms of risk management?
- How do we communicate management action in terms of addressing risk?
- How does our governance structure support risk management in terms of scrutiny and challenge?
- How do we keep our risk management process objective?
- How do we determine whether we should remove a risk from the risk register?
Laura Williams is an executive coach and trainer working with headteachers, SBLs and CEOs.
