Matthew Humphrey, Partner, RSM
Let’s start with what might be a definition of a strategic risk.
This is a risk that if it were to materialise will have a fundamental impact on the achievement of one, some or all of your Trust objectives.
The risk will be material by nature; you will feel it and know about it should it occur; it will be either as a loss or lost opportunity.
As a board you recognise this as being important and it is something that you talk about (or should be talking about) in the board room.
Now picture this
The strategic risks will have been determined by the Board, this will involve Trustees and Directors (be these executive or non-executive).
You will have between 7 and 12 strategic risks normally.
Your board will want to know how these strategic risks are being managed and have created a risk management framework to enable this with the Audit Committee receiving regular reports on the management of these strategic risks particularly focussed on the effectiveness of the controls and progress of actions.
Your Audit Committee will be directing the internal audit resources to provide independent assurance over the management of the strategic risks and coupled with other forms of assurance being received from across the Trust e.g., from deep dives, scrutiny etc., be able to provide on-going assurance to the Board over the effectiveness of the risk management framework including identifying any areas of concern.
A board strategic risk register will be maintained including a measure of effectiveness of the key controls that manage the risks based on assurance provided.
Your board agenda includes the headline strategic risks as a point of reference to help board members better contextualise and couch the board discussion and prompt challenge.
Your board risk reporting will be concise focussed on matters of importance, the Trust CEO providing a commentary on the Trust’s strategic risk profile – looking ahead and playing in emerging risks, how these might affect the Trust and what actions the Trust will need to take.
Your Board, in addition to scoring the strategic risks, so as to get a sense as to their impact and probability, will have agreed their appetite for these types of strategic risks and this will be set out in a board risk appetite statement which will have been communicated across the Trust.
The cyclical risk assessment at academy level will be shaped by the strategic risks (and risk appetite) after all your Trust Board will want to understand what risk exposures are being carried by academies, how these are being managed and what this means for the Trust. Each academy will maintain a key risk register incorporating risks that are specific to them. The individual academy governing body will play a role in reviewing how these risks are being managed - what more can be done and whether any risks need escalating within the Trust.
The Trust itself will have in place efficient mechanisms to enable the capture, escalation, assessment, monitoring and reporting of risk management activities – ideally at the click of a button, with reporting constructed to meet stakeholder needs.
What do you recognise in your Trust?
Discover more about the CST Masterclass in Risk Assurance.
Discover more about RSM, a CST Platinum Partner.
The CST Blog welcomes perspectives from a diverse range of guest contributors. The opinions expressed in blogs are the views of the author(s), and should not be read as CST guidance or CST’s position.
