RISK REGISTER xxxx School

September 2014

Next Review – xxxx

Version number / x
Compiled by / x
Approved by / Tony Hull - CEO

Risk Management Strategy

  1. Background

Risk Management is a tool to analyse uncertainty and allows the Academy to manage the risks that it faces and also to focus on potential opportunities. Risk management should be part of any good organisation; it provides a methodology to identify the issues that can stop it achieving its objectives and to spot new opportunities. The benefits of ensuring that sound risk management becomes a part of day to day working are considerable:

  • Contributing to attaining the highest standards of Governance – the way the Academy directs, manages and monitors its functions and is accountable to its key stakeholders
  • Informing the business planning process and supporting the achievement of the Academy’s objectives

The Academy takes a pragmatic approach to risk management. The Strategy will be developed over time to take account of changes in best practice and the nature and extent of risk management activities that are being undertaken.

In assessing what constitutes a sound system of internal control, consideration should be given to:

  • The nature and extent of the risks facing the organisation
  • The extent and categories of risk which it regards as acceptable
  • The likelihood of the risks concerned materialising
  • The organisation’s ability to reduce the incidence and impact of the risks that do materialise

  2. Risk Management objectives

The objectives for managing risk across the Academy are:

  • To comply with risk management best practice;
  • To ensure risks facing the Academy are identified and appropriately documented;
  • To provide assurance to the SAIG and EAT Directors that risks are being adequately controlled, or identify areas for improvement;
  • To ensure action is taken appropriately in relation to accepting, treating, avoiding and transferring risks.

  3. Risk Management Strategy

This strategy aims to:

  • Outline the roles and responsibilities for risk management.
  • Identify risk management processes to ensure that all risks are appropriately identified, controlled and monitored
  • Ensure appropriate levels of awareness throughout the Academy

3.1 Roles and responsibilities

The Leadership Team (LT) has overall responsibility for risk management. The Principal has lead responsibility for risk management processes and the Academy-wide Risk Register. This responsibility includes:

  • Monitoring the performance of risk management processes
  • Ensuring that appropriate controls are in place to manage identified risks
  • Preparation of periodic reports to the SAIG and EAT Directors

All staff have an important role to play in identifying, reporting and managing the Academy’s risks. The Risk Register is formally reviewed each term by the LT. The updated Risk Register is reported to the Finance and Audit Committee on an annual basis.

3.2 Identification of risks

The Risk Management Standard states that risk identification should be approached in a methodical way to ensure that all significant activities have been identified and all the risks flowing from these activities have been defined.

Our approach to risk management is linked to the Academy’s strategic aims and objectives.

The structure and organisation of the Academy’s risk register details the Academy’s risks in the following areas:

  • Strategic and reputational risk
  • Operational risks
  • Human resource risks
  • Compliance risks
  • Financial risks
  • Property risks
  • ICT risks

3.3 Evaluation of risks

The Risk Management Standard states that risks should be evaluated against agreed criteria to make decisions about the significance of risks to the organisation.

The Academy uses a 5x5 matrix to assess likelihood and impact as illustrated in the diagram below:

Xxx School - Risk Rating

1 = Very Low

2 = Low

3 = Significant

4 = High

5 = Very High

Likelihood 5 / 5 / 10 / 15 / 20 / 25
Likelihood 4 / 4 / 8 / 12 / 16 / 20
Likelihood 3 / 3 / 6 / 9 / 12 / 15
Likelihood 2 / 2 / 4 / 6 / 8 / 10
Likelihood 1 / 1 / 2 / 3 / 4 / 5
Impact 1 / Impact 2 / Impact 3 / Impact 4 / Impact 5

The descriptors for high, medium and low likelihood and impact can be expanded as follows:

Impact of risk occurring

Impact / Description
Very High / The financial impact will be in excess of (£250,000); has a very high impact on the Academy’s strategy or on teaching and learning; has very high stakeholder concern
High / The financial impact will be between (£100,000 and £250,000); has a high impact on the Academy’s strategy or on teaching and learning; has high stakeholder concern
Significant / The financial impact will be between (£10,000 and £100,000); has a significant impact on strategy or on teaching and learning; significant stakeholder concern
Low / The financial impact will be between £1,000 and £10,000; has a low impact on strategy or on teaching and learning; low stakeholder concern
Very Low / The financial impact is likely to be below £1,000; has a very low impact on strategy or on teaching and learning; very low stakeholder concern

Likelihood of risk occurring

Likelihood / Description / Indicator
Very High / Likely to occur each year, or more than 25% chance of occurrence within the next 12 months / Potential of it occurring several times within a year; has occurred within the last 12 months
High / Likely to occur within a 3 year time period, or more than 33% chance of occurrence within the next 12 months / Potential of it occurring several times within a 3 year period; has occurred within the last 3 years
Significant / Likely to occur within a 5 year time period or less than 20% chance of occurring within the next 12 months / Could occur more than once within a 5 year period; has occurred within the last 5 years
Low / Not likely to occur within a 5 year time period or less than 5% chance of occurrence / Could occur more than once within a 10 year period; some history of occurrence
Very Low / Not likely to occur within a 10 year period or less than 1% chance of occurrence / Has not occurred; is not likely to occur

3.4 Risk appetite

The term risk appetite describes the Academy’s readiness to accept risks and those risks it would seek to reduce. The Academy’s risk threshold is the boundary delineated by the red shaded area (represented by scores of 11 and above) in the risk matrix in paragraph 3.3. Above this threshold, the Academy will actively seek to manage risks and will prioritise time and resources to reducing, avoiding or mitigating these risks.

3.5 Addressing risks

When responding to a risk, the Academy will seek to ensure that it is managed and does not develop into an issue where the potential threat materialises.

The Academy will adopt one of the 4 risk responses outlined below:

Avoid / Counter measures are put in place that will either stop a problem or threat occurring or prevent it from having an impact on the business
Transfer / The risk is transferred to a third party, for example through an insurance policy.
Treat / The response actions either reduce the likelihood of a risk developing, or limit the impact on the Academy to acceptable levels.
Accept / We accept the possibility that the event might occur, for example because the cost of the counter measures will outweigh the possible downside, or we believe there is only a remote probability of the event occurring.

  4. Risk Reporting and Communication

The aim of reporting risk is to provide assurance to the SAIG and EAT Directors, Senior Management and Auditors that the Academy is effectively managing its risks and has a robust system of internal controls.

4.1 Risk register

The reporting mechanism will be the Academy’s Risk Register. This will highlight the key risks facing the Academy. Any significant changes in risk impact or probability, or the occurrence of an event which raises the profile of a risk will be recorded on the risk register as it occurs. Any new or increased risks identified by the Principal, or raised by a member of staff will be evaluated and, if appropriate, recorded in the Risk Register.

4.2 Communicating Risks

The CEO monitors the risk management plan each term. The Administrator will ensure that any perceived new or increased risks or significant failure of risk management control measures are considered by the LT and reported to the CEO, along with a summary of actions taken.

The Administrator will endeavour to raise awareness that risk management is a part of the Academy’s culture and seek to ensure that:

  • individual members of staff are aware of their accountability for individual risks
  • individuals report promptly to senior management any perceived new risks or failure of existing control measures.

4.3 Annual risk review and assessment

The Responsible Officer review provides an annual assessment of the effectiveness of the Academy’s management of risk.

The Administrator will update the Risk Register on a termly basis in consultation with the Academy’s LT. This will enable the CEO to report on:

  • The significant risks facing the Academy
  • The effectiveness of the risk management processes
  • That the Academy has published a risk management policy covering risk management philosophy and responsibilities

1. Strategic & Reputational Risk

Risk Ref / Risk / Likelihood (5 High, 1 Low) / Impact (5 High, 1 Low) / Risk Rating (L x I) / Existing Controls / Status 2014 / Status 2017 / Required Actions / Risk Owner
1.1 / Academy is not operating within its objectives / eg / eg
1.2 / Academy receives adverse OFSTED report / eg
1.3 / Reduction in student numbers
1.4 / Presence of competitor school in locality with similar objectives
1.5 / Stakeholders do not consider Academy provides quality service
1.6 / Political Risk – change in Government adversely impacts on Academy (funding etc.)
1.7 / Macro Economic Risk – recession, war, inflation etc.
1.8 / Natural Disaster Risk – Fire, flood, storm etc
1.9 / Outbreak of Communicable disease
1.10 / Major Fraud within the Academy exposed
1.11 / Adverse Litigation against the Academy
1.12 / SAIG delegate too much/little responsibility to Leaders & Head
1.13 / Ability to attract & retain SAIG with suitable skills & knowledge
1.14 / Skills deficiency within SAIG
1.15 / SAIG fail to ensure rigorous monitoring in absence of the Head or SLT
1.16 / SAIG, Staff or Pupil actions (criminal or negligence) bring Academy into disrepute
1.17 / SAIG have a high profile and cause the Academy adverse publicity

2. Operational Risks

Risk Ref / Risk / Likelihood (5 High, 1 Low) / Impact (5 High, 1 Low) / Risk Rating (L x I) / Existing Controls / Previous status / Status 2017 / Required Actions / Risk Owner
2.1 / Standard of Teaching within the Academy fails to be of a good standard
2.2 / Poorly administered School Trips
2.3 / SATS results below floor
2.4 / Pupil Behaviour
2.5 / Pupil Attendance
2.6 / Appropriateness of relationships between partner schools
2.6a / Appropriateness of relationships with EAT and Cluster schools
2.7 / Management information is not accurate, timely or reliable to facilitate informed decision making
2.8 / SLT have insufficient experience of Academy or Education sector
2.9 / Fatality / Serious injury to staff, student or visitor
2.10 / SAIG become too involved in the day to day running of the Academy and are not independent
2.11 / SAIG lack of availability / poor attendance at meetings

3. Human Resource Risks

Risk Ref / Risk / Likelihood (5 High, 1 Low) / Impact (5 High, 1 Low) / Risk Rating (L x I) / Existing Controls / Previous status / Status 2017 / Required Actions / Risk Owner
3.1 / High levels of staff absence
3.2 / Ability to recruit quality members of staff
3.3 / Ability to retain quality members of staff
3.4 / Loss of key member of staff due to illness or other reason
3.5 / Staff morale declines to an unacceptable level
3.6 / Recruitment processes lead to the recruiting of the wrong person or someone unsuitable to work with students

4. Compliance Risks

Risk Ref / Risk / Likelihood (5 High, 1 Low) / Impact (5 High, 1 Low) / Risk Rating (L x I) / Existing Controls / Previous status / Status 2017 / Required Actions / Risk Owner
4.1 / Employment Law not complied with
4.2 / Charities Act not complied with
4.3 / Health & Safety legislation not complied with
4.4 / Data Protection Act not complied with
4.5 / Licensing Acts not complied with
4.6 / National Curriculum not complied with
4.7 / Breach of child protection procedures
4.8 / Breach of Environmental Policy and non-compliance with CRC monitoring

5. Financial Risks

Risk Ref / Risk / Likelihood (5 High, 1 Low) / Impact (5 High, 1 Low) / Risk Rating (L x I) / Existing Controls / Previous status / Status 2017 / Required Actions / Risk Owner
5.1 / Academy cannot balance its budget and runs at a deficit
5.2 / Academy Accounts do not accurately reflect the financial position
5.3 / Cash flow risk
5.4 / Fraudulent financial activity within the Academy
5.5 / Finance system is not suitable for the Academy’s needs. System not secure and no provision for disaster recovery
5.6 / Expenditure is incurred or committed to without adequate authorisation
5.7 / Local Government Pension Scheme is in significant deficit
5.8 / Security of Academy’s Fixed Assets
5.9 / Debtors Risk – invoices not raised for income
5.10 / Statutory Annual Accounts – Qualified Audit Report
5.11 / Academy does not have appropriate insurance in place
5.12 / Tax legislation – risk that the Academy does not know or comply with legislation re: VAT/PAYE/NI/Pensions

6. Property Related Risks

Risk Ref / Risk / Likelihood (5-High, 1-Low) / Impact (5-High, 1-Low) / Risk Rating (L x I) / Existing Controls / Previous status / Status 2017 / Required Actions / Risk Owner
6.1 / Existing Academy building is not fit for purpose
6.2 / Existing Academy building is not fully compliant with fire regulations
6.3 / Academy is not cleaned to acceptable standards throughout the day
6.4 / Loss of Power sources
6.5 / Adverse Health & Safety audit

7. IT Risks

Risk Ref / Risk / Impact (5-High, 1-Low) / Likelihood (5-High, 1-Low) / Risk Rating (I x L) / Existing Controls / Previous status / Status 2017 / Required Actions / Risk Owner
7.1 / Inadequate IT provision within the Academy
7.2 / IT equipment becomes out of date and no longer supported
7.3 / Power failure within the Academy
7.4 / Network attack (virus corruption)
7.5 / Temporary loss of communication channels (phone, internet, email)
7.6 / Potential Data Loss

Name and Current Role / Emergency Successor / Short Term Successor 1-2 years / Medium Term 2-3 years / Long Term 3-5 Years / Current Manager / Development Plan key points