Assured Governance: How to Control Risk in Academy Trusts
Risk is currently very much at the forefront of our minds as schools work tirelessly to manage the effects of the Covid-19 pandemic. However, managing risk is always one of the core tasks of school governance, and over 25 years of being a school governor, and more recently an academy trustee and chair of an audit and risk committee, I have always found governors holding the school leadership to account a vexed process. It is fundamentally challenging for a group of volunteers, with limited knowledge of the operational detail, to scrutinise, and if necessary challenge, the school leadership ("executive") about their performance. However, recent developments in academy governance promise a more systematic approach to scrutiny which has the potential to make it both more effective and less confrontational.
This is important for trusts not just because schools need effective trustee scrutiny but because the DfE is becoming more interested in its effectiveness. In the last two editions of the Academies Financial Handbook, "internal scrutiny" has been described as an increasing priority and should now be regarded as "internal audit". Every academy trust must make a full report annually on its internal audit programme of work to ESFA by 31 December, which must also inform the accounting officer’s statement of regularity, and the DfE clearly now regards internal audit as a key element of its system of controls of academy governance and performance. At first sight this may look like more work and expense for trusts, but done properly it gives an opportunity to set up systematic control of risks which enables trustees to govern risks with more confidence.
To get that outcome the first task is to give appropriate priority to the audit function in the trust’s governance structure. Although it is not compulsory to have a separate audit and risk committee unless trust income is more than £50 million, my advice is to set up that committee anyway as the focus point for scrutiny in the trust. Choose your most robust trustees to carry out that task. Do not regard appointment to the audit and risk committee as the short straw.
The audit and risk committee should then set up a risk register which includes both risk identification and controls. Most trusts have a risk register which identifies risks by likelihood of occurrence multiplied by severity of impact, producing an overall risk level (often RAG rated). However, too often this risk register does not also include the mitigating effect of controls on that risk. Controls are traditionally described as the "three lines of defence", which I describe below. The committee’s assessment of the effect of these three lines of defence can be applied to the initial risk rating (severity x probability) in the risk register to produce a much more meaningful "net" status for each risk identified. Trustees can then see at a glance precisely what the bottom line is regarding risks facing the trust and decide what can be done (or indeed not done) about them and their effect on trust strategy (balancing risk appetite and risk capacity).
So, how do these controls work in practice?
· The first line of defence is actual operational ownership and management of risk by the executive. Managers identify, assess, control and mitigate risks and ensure that necessary procedures and policies to deal with risks are deployed.
· The second line is risk management and compliance by the executive, who ensure the first line of defence is properly designed, in place, and operating as intended. Larger trusts may employ a risk manager (or that role can be part of another job in a smaller trust) to carry out this monitoring.
· The third line of defence is internal and external audit of that management which provides the board and senior management with scrutiny of the effectiveness of the first two lines of defence. This is conducted outside the executive and reports direct to the audit committee and thus the trustees. Only this line of defence can give trustees separate assurance from what they are told by the executive. External audit of the trust’s accounts is the ultimate control, but being annual it is often too late to deal with fast developing risks. It is also primarily tasked with financial performance whilst risk assurance should cover all risks to the trust, including governance and strategic risks (as also expected by the DfE). Consequently internal audit is the critical control available to trustees and should be given significant priority and resourcing.
It is fundamentally challenging for a group of volunteers, with limited knowledge of the operational detail, to scrutinise, and if necessary challenge, the school leadership ("executive") about their performance. Roger Inman
Who then should be appointed to do the internal audit function? The CIAA recommends that "Internal audit should [be] able to make objective judgements, and … the authority to conduct its work across the whole organisation without constraint. To work effectively it also needs a close relationship with the chief executive". Given these two balancing requirements, my advice is always to appoint an external professional provider to be the internal auditor rather than try to rely on a trustee or peer review by another trust: those arrangements often cannot achieve the necessary independence and objectivity.
To get the best out of that additional expense, and being realistic about the limited time available to the risk and audit committee, trusts are advised to use an active risk register which identifies the top 5 risks for the trust at any given time (i.e. at least annually and ideally at each meeting) and ensures those risks are addressed in depth. Regular reporting on those risks to the trust board is essential, ideally as an agenda item at every trust board meeting. That way key risks are consistently visible to trustees, who can gain real assurance from a well-managed and meaningful risk register about how those risks are being controlled, rather than having to worry about risks in an ad hoc way. The executive likewise benefits from the systematic mapping of controls in a risk register as a way of maintaining an efficient risk control system.
In short, investing in a risk register system including detailed controls frees trustees to govern with real assurance and confidence.