Risk Management Policy (2023)
Risk Management Policy
- Date approved by Trust Broad - 18/05/2023
- Applicable from - 01/09/2023
- Next review date - May 2026
- Process and Procedure
- Risk Identification
- Risk Assessment
- Risk Management and Assurance
- Risk Monitoring, Evaluation and Review
Purpose and Aims
This risk management policy forms part of the Co-op Academies Trust’s internal control and corporate governance arrangements, covering all aspects of the organisation’s risk management approach. This document explains the Trust’s underlying approach to risk management, documents the roles and responsibilities of the Headteachers, Academy Governing Councils, Central Team, Trust Board and Trust Board committees. It also outlines key aspects of the risk management process and identifies the main reporting procedures. In addition, it describes the process the Trust Board, Audit and Risk Committee, and Academy Governing Councils use to evaluate the effectiveness of the Trust’s internal control procedures.
In order for the Trust to meet its strategic objectives it is important that risk has a suitably high profile and everyone recognises the part they play in helping to manage risk. Risk should not be seen as an ‘add on’ to your role or something that someone else does. Risk is all around us and part of our day-to-day life and therefore it is important that each and every one of us can recognise a risk and has the ability to raise concerns appropriately.
Risk Management is beneficial to the Trust as it:
- helps us to be more flexible and responsive to new and emerging internal/external demands;
- provides assurance to academy leadership, the Academy Governing Councils, the Central Team, and the Trust Board and its committees;
- meet the expectations of its stakeholders
- reduces the likelihood and impact of incidents and other control failures; and
- helps in the achievement of Trust’s key strategic objectives and ensures that the Trust’s strategic plan is shaped in a risk aware way
Managing risks across the Trust reduces the chance of us having to deal with the unexpected and ensures proactive management rather than reactive crisis management. As a publicly funded organisation it is especially important to manage risk to ensure the best possible use of resources.
This document highlights The Trust’s framework for managing risk and sets out the process through which risks will be identified, assessed, controlled, monitored and reviewed.
This policy and any associated procedures, guidance, templates and training, apply to all Trust Board members, senior leadership team members, management, governors and staff employed by the Trust, and people representing the Trust such as contractors and consultants.
All major foreseeable strategic and operational risks will be identified, evaluated, documented, monitored, and treated in keeping with this policy. A process of horizon scanning will be undertaken to identify the risks impacting upon the Trust as far as this is reasonably possible. This policy does not support person-specific or asset-specific risk assessments and is instead designed to support safe and effective operational service delivery from the Board to academy teams, and all those departments in between within the Trust.
Risk Appetite and Culture
Risk appetite is a way of expressing our attitude to different types of risk and the nature of the risks we are prepared to take. Our appetite for risk can vary depending on the nature of the risk and the prevailing operating conditions or circumstances.
Our Trust Board, via our Audit and Risk Committee, define the Trust’s risk appetite. The risk appetite is not absolutely prescriptive but instead provides a number of underlying component parts that encourage structured thinking. The aim of the risk appetite is to allow us to reach an informed conclusion as to whether the risk can be accepted and to what extent.
Our risk appetite is outlined in Appendix A.
To enable translation of the risk appetite into the Trust’s risk scoring methodology, the risk tolerance is described in our risk appetite matrix, which outlines where a risk is tolerable and where it is intolerable.
Our risk appetite ratings are outlined in Appendix B.
We will continue to keep our risk appetite statement under review, recognising that this may be subject to change due to various factors both internal and external that could shape the nature and extent of the risks we are prepared to take.
How we manage risk
Process and Procedure
The Trust has developed a risk management strategy built around a comprehensive risk management and controls assurance framework/ process as detailed in the 4 step process below:
- Risk Identification
- Risk Assessment
- Risk Management and Assurance
- Risk Monitoring, Evaluation and Review
The process of risk identification will involve Trust Board members and members of the Trust’s Central Team working alongside governors, headteachers and management at academy level. It is recognised that the identification and proactive management of risk in the early stages of an initiative is far more cost effective than introducing retrospective interventions at a later date.
When identifying risks consideration will be given to the following factors:
- The Trust’s / academy’s vision, beliefs, values and strategic goals;
- The nature and scale of the Trust and the individual Academy’s activities, both current and planned;
- External factors that may affect the organisation such as legislation and regulation, and the Trust’s / academy’s reputation with its key stakeholders; and
- The operating structure, e.g. functions.
Risks are identified and grouped into two levels:
Trust Level - Corporate and Strategic Risks
Academy Level - Operational Risks
Risks are then grouped into the five standard categories described in our risk ratings matrix (set out above):
- Strategic and business
- Finance and treasury
- Operations and key stakeholders
- Regulation and compliance
- Brand and reputation
Each risk will be assessed to determine the likelihood of the risk occurring and the potential consequence or impact of it occurring.
Risk assessments allow the Trust to identify and manage the risk. The assessment is conducted by considering the probability/likelihood of the risk materialising against the impact should it materialise (using the five by five risk assessment matrix).
The following scoring system will be applied to each risk, whereby the risk score represents the product of the impact score and the likelihood score.
Impact (I) - Severity of impact if the risk should crystallise.
Likelihood (L) - Likelihood that the identified risk might crystallise
Each risk is assessed to determine its inherent risk score – the higher the score the more urgent the need for the risk to be mitigated. The application of risk mitigation interventions produces the residual risk score, which either lessens the likelihood of the risk occurring or lessens its impact if it does.
The residual risk scores are used by the Trust Board and its committees, Academy Governing Councils, Headteachers and Central Team members to identify the Trust’s or academy’s major risks.
The level of risk tolerance may vary depending on the nature of each risk or activity. The Trust Board will also consider the overall risk profile, i.e. the balance between higher and lower risk activities. The boundaries and limits will be communicated to management to ensure a clear understanding of the risks that can be accepted and those considered unacceptable. This may include identifying “target” risk scores for certain major risks, to be achieved after actions to further mitigate the risks.
Risk Management and Assurance
For each of the major risks identified, a designated risk owner is made accountable for its management. If the risk escalates or reduces, the risk owner may change. This person will be responsible for identifying suitable mitigations to manage the risk, and to ensure that any related actions are completed within identified timelines. Ownership and management of each risk should align with the responsibilities outlined in the Trust’s Scheme of Delegation.
The Trust Board and its committees are accountable for the oversight of all strategic and major operational risks, ensuring that plans are in place to manage them appropriately. This will involve:
- Establishing the effectiveness of the key factors mitigating or controlling the inherent risk;
- Identifying further actions and resources required to achieve target risk scores;
- Taking responsibility for monitoring the risk and sources of assurance.
The Academy Governing Council is responsible for monitoring and reporting risks within each individual academy.
The Trust’s Senior Leadership Team is responsible for ensuring the risk management policy is implemented and for coordinating risk management activity across the Trust, including liaison with headteachers in all academies.
Risk Monitoring, Evaluation and Review
Risk monitoring and reporting aims to provide the Trust Board and its committees, the Academy Governing Councils and the Trust’s Central Team with an accurate, timely and clear account of the current and projected risk exposure. This in turn helps management to make informed strategic and operational decisions to ensure the Trust continues to operate in line with our values, ethics and performance objectives.
The Trust uses the 4Risk system as its chosen risk register, to record and monitor risks impacting at both Trust-wide and academy level. Reports taken from the 4Risk system are presented to the Trust Board and its committees (overseen by the Audit and Risk Committee), and the Academy Governing Councils at academy level to allow for appropriate monitoring and review to take place. The reports allow for these boards and committees to monitor the management of individual strategically important risks and to monitor trends in the development and management of risks over time.
Roles and Responsibilities
Trust Board and its Committees
The Trust Board’s role is to:
- Set the tone and influence the culture of risk management within the Trust.
- determining that the Trust is ‘risk taking’ or ‘risk averse’ as a whole or on any relevant individual issue
- determining what types of risk are acceptable and which are not
- setting the standards and expectations of staff with respect to conduct and probity monitoring the implementation of risk culture across the Trust.
- Determine the appropriate risk appetite or level of exposure for the Trust.
- Approve major decisions affecting the Trust’s risk profile or exposure.
- Monitor the management of all the Strategic Risks & significant operational risks via Executive update reports
- Satisfy itself that the less significant risks are being actively managed, with the appropriate controls in place and working effectively.
The Trust Board is responsible for making a statement about risk management in theTrust’s annual report and financial statements.
The Trust Board delegates responsibility to the Audit and Risk Committee to:
- Monitor the management of strategic and major operational risks.
- Review and provide guidance on risks determined to be out-with the defined risk appetite.
- Satisfy itself that all known strategic and major operational risks are being actively managed, with the appropriate controls in place and working effectively via risk assurance reports
Academy Governing Councils
The AGC is responsible for monitoring and reporting risks within each individual academy. Via their schedule of meetings, the AGCs will:
- Review and provide guidance on relevant operational risks determined to be out-with the defined risk appetite (see risk appetite)
- Monitor the management of all known risks at academy level, and make suggestions for suitable mitigations where appropriate
- Satisfy itself that all known risks relevant to that academy are being actively managed, with the appropriate controls in place and working effectively
All AGCs are asked to appoint a link governor for risk who, via their academy visits, can provide support and challenge to academy leaders in the area of risk, and report back to their AGC during meetings.
Trust Senior Leadership Team (SLT)
The CEO and the COO are responsible for ensuring that the terms of the risk management policy are implemented. The CEO, COO and wider SLT are responsible for developing a sound culture of proactive risk management across the Central Team and the academies.
The specific roles and responsibilities include:
- Annually review the approach to risk management and approve changes or improvements to key elements of its processes and procedures.
- Ensure that the Trust manages risk systematically, economically and effectively
- Provide an overview summary report on the Strategic Risk Register to the Audit and Risk Committee at each of its scheduled meetings.
- Review the Risk Appetite annually and make recommendations for approval to the Audit and Risk Committee and Trust Board.
- Monitor, evaluate and update the Trust’s Strategic Risk Register at least once a term
- Satisfy itself that all known risks are being actively managed, with the appropriate controls in place and working effectively via risk assurance reports
- Preparation of contingency plans in those areas that are considered high risk.
- Support the Audit and Risk Committee and Trust Board in the development, implementation and review of the risk management approach
- Ensure risk management and its processes are disseminated and are embedded throughout the Trust.
- Set expectations that relevant Central Team and academy-level staff will complete relevant training in the area of risk management to ensure that knowledge and skills remain up to date and ensure that suitable training is provided.
The Headteacher, through their leadership team, has responsibility for ensuring that the risk management policy is implemented within their academy. The Headteacher will provide a regular report on risk management to their Academy Governing Council.
Where risk exceeds the defined risk appetite, the Headteacher must highlight the risk to their Academy Governing Council and via relevant Central Team channels.
Specific roles and responsibilities include:
- Disseminate the details of the approach and allocate responsibilities for implementation of actions and management of controls where relevant
- Ensure that relevant staff complete risk management training
- Share relevant information with others
- Identify any risk management issues and share with relevant leader
- Provide feedback to Trust SLT on their experience of implementing the approach and their perceptions of the effectiveness.
- Ensure that the approach is implemented across their academy
All relevant Central Team and academy level staff will be required to undertake risk management training.
The training will be delivered via workshops, online seminars and one to one support as appropriate. Those identified with increasing responsibility for risk and reporting may be required to attend additional specific risk training.
Charity Commission guidance on Charities and Risk Management
Education Finance Authority
Department for Education: Academy Trust risk management guidance
This policy will be reviewed by the Trust Central Team and subject to the approval of the Trust Board or a designated committee once every three years.