Risk radar

  • 9th July 2024

Accountancy firm RSM partner Matthew Humphrey discusses how to manage your school’s risks


We’re all aware that the management of risk is a core component of the governing body’s responsibilities and agenda – but does it have all the right components in place to enable this? Given the current political and economic threats to the independent schools sector, effective risk management has never been more important.

A self-assessment tool

This tool highlights 20 expectations and discussion points for your school.

How do you assess your school against the 20 risk management expectations listed below – do they exist in your school? Are they consistently applied? And do they achieve the outcome you intended?

There may be things that you should start doing, do more of, or even stop doing.


Risk management expectation self-assessment
1. The risk management policy and strategy are subject to annual review and approval by the board and communicated across the school.
2. The risk appetite of the board is defined and communicated across the school in the form of a risk appetite statement.
3. Risk management roles and responsibilities are clear and communicated across the school, from the board to the operational areas, supported by appropriate training.
4. There is a specific board member who sponsors risk management and there is a specific committee with responsibility for ensuring the effectiveness of risk management.
5. Horizon scanning is undertaken as part of a cyclical exercise at the school. This focuses on opportunities as well as potential threats and areas of difficulty that are emerging, with the outcomes from the exercise recorded and appropriate action then agreed and taken.
6. The board receives timely and accurate risk and control information, including updates on the risk profile that informs its understanding of the school risk exposure, allowing for appropriate checking and challenging.
7. Reports for decision-making take account of the risk appetite and include an explicit assessment of risk.
8. The board keeps the risk appetite under review and updates the risk appetite statement accordingly.
9. The board sets the tone for the school risk management and this is followed throughout, supported in the form of communications, training, publications, articles and updates.
10. The board has confidence that all key activities, functions and initiatives are subject to regular risk assessment and review, with an operational risk register being maintained as required.
11. There are suitable risk escalation processes in place to ensure that key operational risks are made visible and are subject to appropriate reporting and monitoring.
12. There is a programme of ‘risk deep dives’ for the purpose of understanding more about a strategic or key risks, including the risk exposure and the effectiveness of risk mitigation at a more granular level – the outcome of the deep dive being appropriately reported.
13. Actions stemming from risk reviews across the school, including work of internal audit etc, are prioritised and tracked to their effective completion.
14. The school key control framework is documented, with key controls being understood and owned.
15. There is a clearly defined and visible school assurance framework (board assurance framework) and this is subject to regular monitoring and reporting within an appropriate committee or forum.
16. The school risk management maturity is understood and there is a risk maturity improvement plan produced, with progress monitored and kept in check.
17. Lessons learned from near misses and errors (internal or external) are communicated, reviewed and improvement-required tracked.
18. The board has confidence that incidents, complaints and other performance information is triangulated as part of the risk review and reporting process.
19. The strategic risks and other key areas of risk are subject to stress testing activities with a view to understanding the implications on the school and how it would respond.
20. A risk management information system is being used to enable all relevant risk-related information to be accessed, collated, maintained, monitored and reported, providing a complete picture of the risk and control environment in real-time across the school, from classroom to the boardroom.

Matt Humphrey

Keep Updated

Sign up to our weekly newsletter to receive the latest news.