Risk management for academy trusts
In today’s education sector, academy trusts are juggling an array of risks, from financial pressures and safeguarding concerns to cyber threats and reputational damage. Managing these risks shouldn’t be a tick-box exercise but a key component in ensuring the success of the academy trust.
The DfE guidance on Academy Trust Risk Management and the Academy Trust Handbook (ATH) provide a clear framework for embedding risk awareness into the culture and operations of every academy trust.
What does risk management really mean?
No matter the structure of your educational institution, it is crucial to have effective risk management in place. Risk management involves the identification, measurement, management, monitoring and reporting of threats.
Multi academy trusts (MATs), in particular, face the added complexity of managing risk across multiple schools, which demands a more cohesive and unified approach, as well as cooperation from the board, academic staff and other stakeholders. Effective risk management is the responsibility of everyone and should be assessed, managed and mitigated through:
- Senior Leadership Teams and staff – the first line, responsible for the day-to-day risk identification and control.
- The Governance Structure – providing oversight and strategic direction.
- Internal Scrutiny – offering independent assurance on controls in place to mitigate risk.
- External Assurance – including auditors and regulators.
Risk management policy
All academy trusts should have a risk management policy which defines their approach to risk management. The policy should also include roles and responsibilities, monitoring, reporting and review procedures, and training arrangements to ensure effective risk management is embedded throughout the trust. The policy should include a clear statement of the academy trust’s risk appetite and its willingness to accept risk to guide decision-making. How much appetite your trust has for risk will depend on its unique circumstances. The following would be potential considerations:
- How financially stable is the trust?
- Is it in good regulatory standing?
- Are systems and controls well embedded or are new, emerging processes still to be proven effective?
- Is the trust going through significant constitutional change?
- Is the trust growing or shrinking?
These considerations and more will have an impact on how much risk the trustees are willing to take in achieving the trust’s strategic aims and objectives.
How does risk management link to the audit and risk committee?
Although ultimate overall responsibility for risk management, including the oversight of the risk register, lies with the academy trust board, the board must appoint an audit and risk committee in accordance with the ATH (part 3) to:
- direct the programme of internal scrutiny
- ensure that risks on the risk register are being addressed appropriately through internal scrutiny
- report to the board on the adequacy of the academy trust’s internal control framework, including financial and non-financial controls and management of risks.
Academy trusts with annual revenue income under £50 million can combine the audit and risk committee with another committee such as finance if they wish.
The risk register
The risk register is central to risk monitoring. When risks are identified, they must be recorded in the risk register, with corresponding control measures and the impact of these controls on the residual risk clearly documented. All academy trusts must maintain a risk register as required by the ATH (part 2). It should be a ‘live document’ and an on-going process. Risk registers come in various formats and no particular version is recommended.
The DfE recommend that the following elements should always be included.

Top tip
Is your risk register compliant? We recommend you review your risk register against the above graphic to ensure it includes all elements in line with DfE guidance.
Oversight and review of the risk register
- By the full governing board: the frequency of the academy trust board’s review of the risk register is a matter for the board to consider. At least an annual full review is required by the ATH (part 2). This is a ‘must’ requirement and should be evidenced through minutes of governance meetings. The board has ultimate oversight.
- By the audit and risk committee: the committee may decide that it is appropriate to review the risk register at every meeting. However, this may result in a diminution in impact if it comes to be regarded as a routine box-ticking exercise. The frequency of review can be kept flexible, with more frequent review during periods of heightened risk. The audit and risk committee’s role is to ensure the risk management framework in place is effective.
Common pitfalls in risk management
Whilst many academy trusts ensure the risk register is regularly managed, there are common pitfalls, which include:
- Reporting too many risks: academy trusts often track too many risks and overwhelm the register with lots of low risks which overlap and could be combined into an overall risk. The DfE suggests prioritising your “Top 10” risks and potentially delegating divisional risks to other committees or local governing bodies.
- Lack of senior buy-in: if the person managing the risk framework lacks seniority or time, it can become a tick-box exercise. Appointing a senior risk lead or trustee champion can make a big difference.
- Over-complexity: endless discussions about methodology and terminology, which leave no time to address the risks themselves, are symptomatic of an over-engineered approach. Keep it practical and focused on outcomes.
- Not using the output: risk registers should inform internal scrutiny reviews and strategic planning. If risk discussions are always last on the agenda, they risk being sidelined or rushed, which could lead to serious consequences.
Our internal audit offering
Our internal audit team offer a comprehensive risk management review tailored for academy trusts. If you are interested in strengthening your risk management or require more detail, please speak to our team.
In line with ethical standards we are unable to provide any internal audit services to external audit clients.
Closing remarks
Ultimately, risk management is a collective responsibility. While the full governing board holds ultimate accountability, every representative of the academy trust should be encouraged to identify and escalate risks. Creating a culture of transparency, responsiveness, and strategic alignment will help academy trusts not only manage risks but turn them into opportunities for growth and resilience.
If you would like support, advice, or have any further questions regarding this article, you can contact our team using the form below.
We always recommend that you seek advice from a suitably qualified adviser before taking any action. The information in this article only serves as a guide and no responsibility for loss occasioned by any person acting or refraining from action as a result of this material can be accepted by the authors or the firms mentioned.