Five Risks Facing Multi-Academy Trusts

Effective risk management is critical for any educational institute, whether that’s a school, college, university or multi-academy trust (MAT).

Of course, MATs have the additional challenge of managing risk across several schools. This requires a consistent, joined-up approach, plus the commitment and compliance of board members, academic staff and other stakeholders.

With the past 18 months throwing up a number of new challenges for MATs, many have had to revisit their risk management procedures. Here, we take a look at the five biggest risks facing MATs today and some of the steps to help mitigate them.

The rise of cybercrime

The Covid-19 pandemic has forced MATs to further digitise their processes, not only to continue teaching but to facilitate regular communication between staff and students.

However, with increased digitisation comes a higher risk of cybersecurity breaches.

As recent events continue to demonstrate, the impact of a ransomware attack can be incredibly damaging and far-reaching, both from a financial and reputational perspective. It’s critical, therefore, that MATs have the same measures in place as businesses to protect themselves against sophisticated cyber attacks.

In many cases, an attack can come from vulnerabilities within the MAT’s digital infrastructure, but in others it could result from something as simple as a weak password or poor decision-making. This is where training and employing the services of a cybersecurity specialist can really make all the difference – saving your trust from potentially long-lasting damage.

Losing control of the finances

Payroll and procurement procedures can expose MATs to financial risk if they’re not managed with the appropriate due diligence.

Carelessness in the monthly payroll process can result in payments being made to staff who are no longer employed by a trust or who have not yet commenced employment. Staff may also be paid for work they haven’t undertaken, or they could simply receive an erroneous payment due to a technical glitch with the trust’s payroll software.

An unauthorised change of bank details can also expose an MAT to fraudulent activity, so it’s advisable that any such changes are made in writing and independently verified, rather than accepting an email or telephone call alone. The latter should only be used by the MAT itself to obtain confirmation of a change of bank details.

On the procurement front, risk can arise in a number of ways, from appointing unsuitable contractors or contracting unsuitable work, to failing to establish contractual liability or promptly identify and address poor contractor performance. The consistency and transparency of sourcing multiple quotes can help ensure your procurement process delivers value for money.

Health & safety slips

Much like other organisations, MATs have a duty to protect the health, safety and wellbeing of employees, students and any other people that come into contact with the trust. This naturally presents an element of risk, particularly in the case of incidents or non-compliance.

Health and safety incidents can occur for numerous reasons, including but not limited to training or knowledge gaps, an unsafe learning environment and equipment malfunction, for example. The severity of an incident will ultimately dictate the impact on an MAT, but it may entail one or more of the following:

• Legal action against the trust
• A financial penalty for non-compliance with health and safety legislation
• Reputational damage
• Forced closure by the Health & Safety Executive, affecting student achievement and course completion

Regular health and safety training can go a long way to mitigating these risks, but it must be underpinned by a formalised and compliant health and safety policy. This is something a health and safety consultant can assist with, while a risk and assurance specialist can help you understand where your trust may be exposed.

The rise of cybercrime

The Covid-19 pandemic has forced MATs to further digitise their processes, not only to continue teaching but to facilitate regular communication between staff and students.

However, with increased digitisation comes a higher risk of cybersecurity breaches.

As recent events continue to demonstrate, the impact of a ransomware attack can be incredibly damaging and far-reaching, both from a financial and reputational perspective. It’s critical, therefore, that MATs have the same measures in place as businesses to protect themselves against sophisticated cyber attacks.

In many cases, an attack can come from vulnerabilities within the MAT’s digital infrastructure, but in others it could result from something as simple as a weak password or poor decision-making. This is where training and employing the services of a cybersecurity specialist can really make all the difference – saving your trust from potentially long-lasting damage.

GDPR compliance

The General Data Protection Regulation, commonly known as GDPR, came into effect in May 2018, impacting any organisation that holds data on customers, staff and other key contacts. In the case of MATs, this naturally covers students too.

Under GDPR, trusts have numerous legal obligations when it comes to the collection, processing and storing of personal data, with the risk of large fines and strict enforcement action for non-compliance. Such are the complexities involved in GDPR compliance, many trusts have understandably employed a third-party contractor to act as their Data Protection Officer (DPO), or alternatively employed or trained somebody in-house.

Given the severity of sanctions for violating data protection rules, all MATs are advised to have the appropriate procedures in place, and to follow them diligently. This includes the regular training of staff on their individual responsibilities under GDPR.

The risk of risk itself

Effective risk management starts with the creation of a robust risk management policy and  framework, laying out how an MAT will identify and respond to risks. If the MAT doesn’t have an effective framework in place, it could be exposed to risks it didn’t know existed, and which could impact its finances, data security, staff and students.

Within the risk management framework, there should be clear lines of responsibility for specific risks and mitigation measures, as well as clarity on the severity or importance of every risk. Each risk should be appropriately identified and documented, while any controls to mitigate risks must be fit for purpose.

An experienced risk and assurance specialist can help you establish a risk management framework tailored to the needs of your organisation, effectively protecting it from the myriad risks it may face.

Helping you understand and mitigate your risks

Whether you’re not receiving the level of assurance you require, or there are key risks facing your trust that have been poorly articulated or mitigated, we’re here to help you.

Following an initial meeting with our Risk & Assurance team, we’ll agree the best risk management solution for your organisation, with a view to detailing a number of initial recommendations, which we can then help you action.