Turnbull Report - A left field view on risk management for schools

Euro 2016 has started. Up and down the land adults and school children will be making assessments of the chances of their country in winning (at least one match), and thinking about mitigating the risks of an early exit.

With this in mind – this week’s blog considers risk management and the effectiveness of internal controls.

I was reminded this week that long about concerns relating to the internal controls of companies listed on the stock exchange. In 1999 Nigel Turnbull reported on these concerns and produced Internal Control: Guidance for Directors on the Combined Code. All schools and academies must review their controls – with academies providing written assurances it their Annual Report & Accounts. Whilst the ‘Turnbull Report’ was not aimed at the education sector, many of the areas that companies must consider as part of their internal control do apply.

Assessing the effectiveness of the organisation's risk and control processes

Some questions which trustees and governors may wish to consider and discuss with management when regularly reviewing reports on internal control and when carrying out its annual assessment are set out below. The questions are not intended to be exhaustive and will need to be tailored to the particular circumstances of the organisation.

Risk assessment

• Does the organisation have clear objectives and have they been communicated so as to provide effective direction to employees on risk assessment and control issues?
• Are the significant internal and external operational, financial, compliance and other risks identified and assessed on an ongoing basis?
• Is there a clear understanding by management and others within the organisation of what risks are acceptable to the board?

Control environment and control activities

• Do trustees/governors have clear strategies for dealing with the significant risks that have been identified? Is there a policy on how to manage these risks?
• Does the organisation's culture, code of conduct, human resource policies and performance reward systems support the business objectives and risk management and internal control system?
• Does senior management demonstrate, through its actions as well as its policies, the necessary commitment to competence, integrity and fostering a climate of trust within the organisation?
• Are authority, responsibility and accountability defined clearly such that decisions are made and actions taken by the appropriate people? Are the decisions and actions of different parts of the organisation appropriately co-ordinated?
• Does the organisation communicate to its employees what is expected of them and the scope of their freedom to act?
• Do people in the organisation (and in its providers of outsourced services) have the knowledge, skills and tools to support the achievement of the organisation's objectives and to manage effectively risks to their achievement?
• How are processes/controls adjusted to reflect new or changing risks, or operational deficiencies?

Information and communication

• Do management receive timely, relevant and reliable reports on progress against business objectives and the related risks that provide them with the information, from inside and outside the organisation, needed for decision-making and management review purposes? This could include performance reports and indicators of change, together with qualitative information such as customer satisfaction, employee attitudes, etc.
• Are information needs and related information systems re-assessed as objectives and related risks change or as reporting deficiencies are identified?
• Are periodic reporting procedures, including half-yearly and annual reporting, effective in communicating a balanced and understandable account of the organisation's position and prospects?
• Are there established channels of communication for individuals to report suspected breaches of law or regulations or other improprieties?

Monitoring

• Are there ongoing processes embedded within the organisation's overall business operations, and addressed by senior management, which monitor the effective application of the policies, processes and activities related to internal control and risk management? Such processes may include control self-assessment, confirmation by personnel of compliance with policies and codes of conduct, internal audit reviews or other management reviews.
• Do these processes monitor the organisation's ability to re-evaluate risks and adjust controls effectively in response to changes in its objectives, its business, and its external environment?
• Are there effective follow-up procedures to ensure that appropriate change or action occurs in response to changes in risk and control assessments?
• Is there appropriate communication to the board (or board committees) on the effectiveness of the ongoing monitoring processes on risk and control matters? This should include reporting any significant failings or weaknesses on a timely basis.
• Are there specific arrangements for management monitoring and reporting to the board on risk and control matters of particular importance? These could include, for example, actual or suspected fraud and other illegal or irregular acts, or matters that could adversely affect the organisation's reputation or financial position.

All organisations, whether they be a national football team or your school, must have a clear process to manage and mitigate risks if they are to be excellent. Audit or internal control procedures should be designed to help you in achieving excellence. The 'Combined Code' is a requirement for all companies listed on the stock exchange, however the principles behind it apply to all organisations.