Are you taking your trust risk management seriously?

We are all aware that the management of risk is a core component of a trust responsibilities and agenda – but do you have all the right components in place to enable this?

Matthew Humphrey, Partner, RSM

RSM’s risk management self-assessment tool

This tool highlights 20 expectations and discussion points for your trust.

How do you assess your trust against the 20 risk management expectations listed below – do they exist in your trust? Are they consistently applied? And does it achieve the outcome you intended? There may be things that you should start doing, do more of, or even stop doing.

Risk management expectation self-assessment

1. The risk management policy and strategy are subject to annual review and approval by the board and communicated across the trust.

2. Risk appetite of the board is defined and communicated across the trust in the form of a risk appetite statement.

3. Risk management roles and responsibilities are clear and communicated across the trust, from the board to the operational areas and individual schools, supported by appropriate training.

4. There is a specific board member who sponsors risk management and there is a specific committee that has responsibility for ensuring the effectiveness of risk management.

5. Horizon scanning is undertaken as part of a cyclical exercise at the trust. This focusses on opportunities as well as potential threats and areas of difficulty that are emerging with the outcomes from the exercise recorded and appropriate action then agreed and taken.

6. The board receives timely and accurate risk and control information, including updates on the risk profile that informs its understanding of the trust risk exposure, allowing for appropriate checking and challenging.

7. Reports for decision making take account of the risk appetite and include an explicit assessment of risk.

8. The board keeps the risk appetite under review and updates the risk appetite statement accordingly.

9. The board sets the tone for the trust risk management and this is followed throughout, supported in the form of communications, training, publications, articles and updates.

10. The board has confidence that all key academy activities, functions and initiatives are subject to regular risk assessment and review, with an operational risk register being maintained as required.

11. There are suitable risk escalation processes in place to ensure that key operational risks are made visible and are subject to appropriate reporting and monitoring.

12. There is a programme of "risk deep dives” for the purpose of understanding more about a strategic or key risks, including the risk exposure and the effectiveness of risk mitigation at a more granular level. The outcome of the deep dive being appropriately reported.

13. Actions stemming from risk reviews across the trust, including work of internal scrutiny etc., are prioritised and tracked to their effective completion.

14. The trust key control framework is documented, with key controls being understood and owned.

15. There is a clearly defined and visible trust assurance framework (board assurance framework), and this is subject to regular monitoring and reporting within an appropriate committee or forum.

16. The trust risk management maturity is understood and there is a risk maturity improvement plan produced, with progress monitored and kept in check.

17. Lessons learned from near misses and errors (internal or external) are communicated, reviewed and improvement required is tracked.

18. The board has confidence that incidents, complaints and other performance information is triangulated as part of the risk review and reporting process.

19. The strategic risks and other key areas of risk are subject to stress testing activities with a view to understanding the implications on the trust and how it would respond.

20. A risk management information system is being used to enable all relevant risk related information to be accessed, collated, maintained, monitored and reported, providing a complete picture of the risk and control environment in real-time across the trust, from classroom to the board room.

Are you attending our risk assurance masterclass with CST?

In our risk assurance masterclass, starting on Tuesday 4 June, we will be covering the self-assessment tool in more detail, plus we will be sharing practical experiences and examples of good and alternative risk management practices. Attendees will be able to ask questions and connect with colleagues to discuss experiences in a collaborative learning environment.

We will cover risk management fundamentals, adopting a strategic risk approach and risk controls effectiveness.

Learn more about how RSM can help you develop and improve your trust risk management and how your trust can benefit from use of the RSM risk management digital solution, Insight4grcby or contacting matthew.humphrey@rsmuk.com.

The CST Blog welcomes perspectives from a diverse range of guest contributors. The opinions expressed in blogs are the views of the author(s), and should not be read as CST guidance or CST’s position. 

 

Blog Finance and operations Financial management Governance Operations Risk management

Confederation of School Trusts, registered in England & Wales, company no 05303883, charity no 1107640
CST Professional Development Ltd, registered in England & Wales, company no 10354936, VAT registration no 270088018
Registered offices both at Fifth Floor, 167-169 Great Portland Street, London W1W 5PF

Contact Details

The Confederation of School Trusts is the sector body and employer body for school trusts in England. We advocate for, connect, and support executive and governance leaders.

© Confederation of School Trusts 2025 | Website and CiviPlus Designed and built by Compuco