Good Governance Series #7
Risk Management
Effective governance is a critical aspect of a successful business: it supports management in delivering the strategy, managing costs, attracting investment, making better decisions and responding to risk. There has never been more focus on how organisations identify and manage risk. From regulators to investors to senior executive management, companies are under pressure to be able to clearly articulate how they identify the principal risks to their business and how they ensure these are being managed within their risk appetite. Deloitte Risk Advisory, August 2015.
Good Governance Series Blog #1 included the Australian Institute of Company Directors (AICD) ten Principles that promote Good Governance, of which number four is Recognition and Management of Risk. The full blog can be read here: Good Governance Series #1
Risk management is not as complicated as many would have us believe. In simple terms it is understanding the key risks and deciding whether to accept them or to mitigate them with a control. Risk management first assesses the inherent risk in something such as a process or the organisation's strategy; that is, the risk that exists without any controls. Depending on the risk appetite of the organisation, or individual, controls are then determined and the residual risk is assessed to determine if it is acceptable; that is, within risk appetite. For example, crossing the street carries the risk of being run over by a car, but we put in a risk-mitigating control of looking both ways before we cross. This significantly reduces the inherent risk to an acceptable level, within our risk appetite. There are environmental factors that can increase the inherent risk, such as busy roads or more lanes. Additional controls may be required in these scenarios, such as a pedestrian crossing or a set of traffic lights. Risk management is about assessing the risk and determining the appropriate controls based on the risk appetite. Our risk appetite may also differ depending on the scenario. For example, most parents have a lower risk appetite for their children than they do for themselves.
The Queensland Department of Education (DoE) provides a sound summary of good risk management through their Enterprise Risk Management Framework as follows:

The DoE further articulates the risks for which it has the lowest appetite, which include safety of children and students, workplace health and safety of staff and the community, fraud and corruption, security of confidential and personal information, and compliance with legislation and regulation. These are not the sole risks identified but simply those for which the DoE has stated it has the lowest risk appetite.
Standard risk assessment processes include several steps which are worth understanding at a high level.
1. Understanding the environment your organisation operates in.
2. Identifying the key risks to the organisation achieving its key objectives, such as profit, reputation, compliance, child safety etc.
3. Analysing the risks to determine the potential causes and impacts should the risk eventuate. This step should also determine whether any mitigating controls currently exist.
4. Evaluating the risk and determining the organisation's risk appetite for each of the risk areas or categories. This step includes determining the organisation's tolerance for the risk and whether any additional controls are required to ensure the residual risk is within the risk appetite.
5. Strengthening the current controls, where identified in step four, and putting measures in place to monitor the key controls. Monitoring is critical to ensuring controls are operating as expected. If they are not, the residual risk will likely be above the risk appetite approved by the Board/Council of the organisation.
The following image is a good summary of the DoE's approach to enterprise risk, including the key risks they have identified for each category. Each of these elements is relevant to the Presbyterian and Methodist Schools Association (PMSA), and adopting a similar approach would in fact be a demonstration of good governance. The information has been readily available on the internet for some time.

Assessing the PMSA's approach to risk management is difficult, as limited information is available beyond policies for select risk areas such as child safety. The policies do not include details of the key controls, how often those controls are tested, how often risk assessments are conducted, nor how often the policies are reviewed. In contrast, some of the PMSA's competitors demonstrate that risk is top of mind for their organisations by articulating it in the school's annual report.
Brisbane Grammar School submits a full annual report each year to the Minister for Education and Minister for Tourism, Major Events and the Commonwealth Games. It is publicly available on the internet and includes benchmarked data, their financial reports, governance report and risk management. The report is approximately 92 pages long.
By comparison, the annual reports for Brisbane Boys College and Somerville House are about 15 pages long, with Clayfield College and Sunshine Coast Grammar School being about 25 pages in length. None of the PMSA school reports include governance (beyond referencing the PMSA as the governing body), risk management or detailed financial information. The lack of risk information in the annual reports makes it impossible to determine whether any enterprise risk management or operational risk practices truly exist and, if they do, how effective they actually are.
A further comparison is with another PMSA competitor, St Margaret's Anglican Girls School, which has published a 12-page Risk Management Strategy and Operational Framework. This is in addition to its 44-page annual report, which is provided for State and Federal government reporting and is also made available on the school's website.
So what does all of this really mean? It comes down to good governance and unfortunately, in my opinion, the PMSA is lacking. Even without the opportunity to review risk management information, as it is not publicly available, it is clear from the incidents that have occurred in the past, and continue to occur, that sound risk management is not in operation at PMSA schools. Whether it is human resource practices, data theft, reputational risk management, child safety or financial management, there are many incidents which show that either the risks were not identified, the controls were not assessed, or the effectiveness of the controls is not monitored. The other key to effective risk management is good culture, and I do not know whether anyone has seen evidence of that; its absence is certainly a failure of good governance and good management.