20 January 2023

"A good risk management process allows individual risks to be analysed, understood and managed proactively so that ideally the negative impact of threats can be minimised, whilst the positive impact of opportunities can be maximised."


What is Risk Management?

Risk Management can be defined simply as anticipating what might not go to plan and putting in place actions to reduce uncertainty to a tolerable level. When we think of risk, we normally perceive negative events; however, risks can also be positive opportunities.

The Academy Trust Handbook states that Trusts must manage their risks to ensure effective operation. A good risk management process allows individual risks to be analysed, understood and managed proactively so that ideally the negative impact of threats can be minimised, whilst the positive impact of opportunities can be maximised.

Risk analysis is fundamentally based on an individual's perception, and therefore it is possible for Trusts to have separate and distinct risk profiles. The risk profile, or risk appetite, of the Trust is an evaluation of individuals' willingness and ability to take risks. To understand the risk profile of a Trust, we need to understand the levels of risk that management are prepared to accept.

What are the main responses to risk?

There are typically four main responses to risk:

  1. Transfer – the risk is transferred to a third party, for example through insurance.
  2. Tolerate – management are prepared to accept responsibility for the risk. This might be the case where the likelihood of the event occurring and the impact on the Trust's operations are relatively low, or where the cost of implementing controls outweighs the potential benefits.
  3. Treat – controls are put in place to manage or mitigate the risk and keep any potential impact to an acceptable level.
  4. Terminate – measures are put in place to try to eliminate or avoid the risk.

What is a Risk Register?

The Academy Trust Handbook states that Trusts must maintain a Risk Register. A Risk Register can be used to analyse the risks identified and document the responses to risks with a clear action plan.

Who is responsible for Risk Management?

The Board of Trustees ultimately has overall responsibility for risk management within the Trust, including oversight of the risk register. The Board of Trustees can rely on advice provided by the Audit and Risk Committee.

Why is Risk Management important?

One can argue that it is better to be proactive rather than reactive. A proactive approach means that resources can be prioritised into key operational areas to deliver the Trust objectives.

Poor risk management can have a direct or indirect impact on outcomes for pupils. Therefore, it is important that the Trust Board, Audit and Risk Committee and Senior Leadership Team work together effectively to ensure that there is an effective internal control environment.

Failure to ensure proper internal control over key business processes may result in irregular activity occurring, triggering an intervention by ESFA or a modification of the external auditor's regulatory opinion.

What is Internal Control?

Internal controls are a key element of the risk management process.

The risk assessment process identifies the risks, taking into account the likelihood of the event occurring and the impact on the Trust's operations.

The internal control assessment takes the process one step further by mapping the existing controls onto the risks identified and determining whether there are any gaps between risks and controls that could leave the Trust exposed.

What is the link between Risk Management and Internal Scrutiny?

The Academies Financial Handbook states that planning a programme of internal scrutiny must be a risk-based exercise between the Trust Board, the Audit and Risk Committee and the Internal Scrutineer.

A programme of Internal Scrutiny should ideally be informed by the Trust's Risk Register, with guidance and advice from the Audit and Risk Committee. The internal audit programme should consider the risk profile of the Trust and any concerns of the Audit and Risk Committee.

The process of formulating the internal audit work programme can in itself be a form of risk assessment which results in a list of potential scrutiny areas. A good risk review process is iterative, and the findings of the programme of internal scrutiny will in turn inform the Risk Register.

High risk areas identified during the risk management process should be included in the internal audit work programme and undergo more thorough and more frequent reviews, whereas low risk areas may be given less priority, particularly if controls are found to be operating satisfactorily. A schedule of potential work can be presented annually to the Audit and Risk Committee for consideration, challenge and sign-off.

How is the Internal Audit Plan developed?

To provide effective coverage and assurance, the internal audit plan should ideally be a rolling, cyclical programme over a period of at least 3 years and should include reviews of both financial and non-financial controls.

Several factors can be taken into account when assessing risk and developing the internal audit plan, such as:

  • The volume and monetary value of transactions
  • The complexity, sensitivity and stability of the system
  • Changes in senior management and strategic roles
  • Potential fraud risks
  • The strength of existing management controls
  • Whether work has been carried out on the system recently

How are Risk Management and Internal Scrutiny linked?

It is a requirement of the Academy Trust Handbook that all Academy Trusts must have a programme of internal scrutiny to provide independent assurance to the Board that its financial and non-financial controls and risk management procedures are operating effectively.

Historically, Internal Scrutiny was viewed as a "necessary evil" to demonstrate compliance with the requirements of the Academy Trust Handbook. A small number of audit days was purchased by Trusts to fulfil a "tick box" exercise.

A good understanding of risk management recognises Internal Audit as an independent function designed to give assurance, add value, and advise on improving business operations. To work effectively, this culture needs to be embedded in a top-down approach where the Audit and Risk Committee work closely with the Internal Scrutineer to develop the Internal Audit Plan.

A top-down approach can demonstrate that the culture and values of risk management are embraced at the highest levels of the Trust, where responsibility for risk management also sits. This can in turn ensure that management actively co-operate with the Internal Auditor and embrace recommendations for change.

What is a good programme of Internal Scrutiny?

In line with the Academy Trust Handbook, a good programme of internal audit scrutiny will focus on:

Risk Management

Although the Trust is responsible for identifying all categories of risk and maintaining a risk register, internal audit can assist by advising and giving the Board independent assurance that all categories of risk are adequately identified, reported and managed.

Risk Model

Internal Audit can advise the Trust on developing a risk model which in turn populates the Risk Register. We can provide training and advice to the Audit Committee on how to use the risk register to inform and prioritise the internal audit programme of work, ensuring a rolling programme of work is developed and checks are modified as appropriate each year. We can also facilitate the process for reviewing and updating the risk register so that it is kept up to date.


Internal Audit can review the suitability of, and level of compliance with, both financial and non-financial controls. We can assess whether procedures are designed effectively and efficiently and can check whether agreed procedures have been followed.

Advice and Insight 

Management are ultimately responsible for the day-to-day running of the Trust, but we are available to offer independent advice on how to address weaknesses in financial and non-financial controls, and we can also act as a catalyst for change and improvement.


HFL Education can assist and advise on embedding a culture of risk management in your Trust. We employ specialist auditors with the qualifications, experience and key skills required to perform the audit work, and our auditors are governed by professional codes of ethics and standards.

If you would like further advice or information, please get in touch.
