The Education sector faces its own unique set of risk & compliance requirements. Risks are high as they strive to modernise facilities, keep pace with the latest technology, and protect student safety. Schools, colleges, and universities are also subject to a whole host of legislation, regulatory requirements, and regular audits & inspections – making governance and compliance a high priority too.
With so much on their plates, educational institutions are only now realising how intrinsically linked risk, compliance, strategic planning, and project management are, and how crucial it is to have the right tools and techniques in place to be better equipped to face the associated threats and take advantage of the strategic opportunities.
Recently, I had the chance to sit down with Paul Griffiths, Director of Risk Management at the University of Leeds, one of the largest higher education institutions in the UK, and Katherine Styman, Risk & Data Protection Manager at NCFE, an educational charity, and leader in vocational and technical learning. We had an insightful discussion where they shared how digitising & automating their processes has reduced time spent on admin & reporting and provided a holistic view of risk.
To kick things off, Katherine and Paul delved into the past risk management practices of their respective organisations and shared the challenges they encountered.
Paul revealed that upon joining the university he “inherited a very basic level of risk management”. Things were done in different ways across the institution using spreadsheets, Word documents, and Microsoft Project. One of the main challenges was “consistency” regarding the “rating of risks and how people were assessing risks and documenting them”. Disjointed processes “led to a lot of confusion”. “People were scoring risk at different levels and there was a lack of confidence in the data” and to top it off, the risk team didn’t have a centralised view of what was being recorded.
Katherine shared that NCFE “faced a lot of the same challenges”. They were using spreadsheets and smart sheets and also experienced a lack of consistency which made it difficult to prioritise risks as “not everyone was using the same matrix to assess their risks”. They had a culture where “people see risk as a scary thing” and would have a tendency to log risks and not necessarily follow up on the actions or look for mitigations, making it hard to understand the progress that had been made towards reducing risk.
Paul’s and Katherine’s respective organisations decided that, to standardise processes and create a common risk framework, they should implement a best-practice GRC platform. Both organisations chose the Camms platform, and they provided some insights about what they wanted to get out of the solution and shared some of the feedback from stakeholders.
After inheriting a very basic level of risk management, Paul explained that one of the biggest challenges his organisation encountered was establishing a feeling of consistency with the solution rollout across the university – and motivating teams to use it. Katherine agreed with these comments and continued, “Risk is frequently perceived as something frightening, and there is a fear aspect when actually interacting with a framework. To help teams grasp the value of introducing something new and what the overall beneficial influence on the organisation will be, a demonstration is necessary.”
Katherine shared that NCFE really wanted to be able to mitigate their risks properly and make good business decisions based on the data that was extracted, and that she felt using a risk platform would be the best way to address that challenge. “What drew us to Camms was the system’s integration of many of the key areas that we were interested in, such as compliance and QMS, as well as the way it linked everything together. We also saw some great reporting features with a lot of visual elements, which helps to engage more people when they can see progress happening but also allows us to act on risks that arise, see clear action, and make good decisions.”
At the University of Leeds, they took a slightly different approach. Paul stated, “We engaged with end users of the risk data, relevant committees, and board members to effectively identify what was missing in keeping with the university’s risk culture. After developing a written policy, it was clear that the next step was to implement a tool that would bring everything together in a consistent manner”.
“One of the things that attracted us to Camms was its simplicity and ease of use”, said Paul. “We didn’t want to put too much pressure on people as they began to do something different from what they were doing. The ability to generate reports and self-manage was very important to us, especially in the early days of the product rollout when we needed to engage with various groups of people, share analysis coming out of this database, and demonstrate the value it provided and how it made their lives easier – particularly when putting together reports for committee meetings, or leadership & team meetings – making it very simple to look at and make decisions”.
It’s clear that having the right reporting tools in place helps drive interest and engagement with the board about risk, as well as smooth the transition path. Katherine agreed that the availability of reporting tools was a critical factor for them. She added, “We have to report to a lot of different people, in a lot of different ways. It is critical to present data in a visual format to engage people and allow them to see areas of progress and challenges at a glance”.
Following the implementation of this new method of risk management through the use of the Camms platform, I was curious to learn if Paul and Katherine discovered that the conversations within the leadership team had changed in terms of risk and its relation to strategic goals & objectives.
“Personally, I think so”, said Paul. “In the past, there was a lot of confusion, especially if we hadn’t rated a particular risk at the appropriate level, so getting that consistency really helped.” He went on to say that they use the tool to “drive a higher-level conversation” – especially around the risk appetite function as they didn’t have a framework for it before.
Paul added, “Once we developed a framework and then built that within the Camms tool, it started a completely different conversation, particularly with those leadership teams and boards”. Paul shared that previously he received questions like “Have we rated this risk at the right level?” or “How do we get that risk from a red rating down to green?”. Now that risk is linked to a defined risk appetite, he finds he is having much broader conversations at a higher level, with strategic questions like “What appetite do we have for this risk? Are we taking enough risk in this area? Should we be taking more risk? Or are we taking far too much risk?”. This kind of conversation empowers the organisation to take some degree of risk if the outcome is likely to be positive, maximising opportunities while carefully managing those critical risks that exceed the risk appetite.
Paul also recognised how much they have matured. “The report we produce once a year usually summarises our key risks at a high level. Now we are really focused on those that are outside our appetite, and that is a much more focused conversation than just looking at the whole raft of risks like before”. Paul believes this has helped focus attention and allow leaders to pick five or six risks which they can fully address going forward and invest in correcting.
Katherine agreed with Paul, stating that risk appetite has been brought to the forefront with the introduction of a new framework. She added that “not all risks are created equal” and the tool has certainly helped them to prioritise. Katherine added, “It’s difficult to introduce people to the idea of ‘taking risks’ in some areas because we want to innovate and be leaders, and we can’t do this if we always play it safe. So, by determining our risk appetite and risk tolerance, as well as being able to direct resources where they are needed, we are able to think about things differently and focus on the most important risk areas.”
Both Paul and Katherine went on to share key points that other organisations can use when creating categories and risk registers.
Katherine revealed that they have divided their risks into many categories: they have strategic risks, which are linked to strategic goals, and operational risks. She went on to say that some of those operational risks could be in parent-child relationships with the strategic risks, or even with each other. They also have a category for project-based risk, which they can associate with strategic or operational risks. Other risk types they use include finance, reputation, legal, and regulatory risk categories. She concluded by stating that “when they rate risk, they are able to select the most relevant category to rate in an appropriate and consistent manner” – which was not always the case previously.
Paul noted that at the University of Leeds they have found some benefits of linking risk directly to their strategy around things like student education, research, and digitisation. He said “This helps to bring in risk appetite because you can evaluate a risk based on its relationship to that part of the strategy. The tool obviously allows us to do that and link these different risks together and show how they relate to each other, which is quite helpful”.
Katherine acknowledged that educational organisations are subject to stringent regulations when it comes to compliance, and each regulator has its own set of reporting requirements. Paul highlighted that because compliance is dependent on reporting to various governance bodies within the education sector, the Camms platform has helped them to achieve consistency and efficiency by allowing them to present a standard report layout to each governing body.
We concluded the session by discussing what recommendations they would make to those interested in moving to an automated risk management process and changing the way they manage their day-to-day compliance processes.
Paul noted that this is frequently perceived as a daunting task and that there is a preconceived notion that transitioning to an automated tool will take a long time. He added, “Our relocation to Camms.Risk took only three months, which was a quick transition – I feel.” He suggests creating a clear plan that answers questions like who should be involved, how much training is required, and how to do that training. He added, “Camms has a dedicated training portal to assist people, particularly because training is critical to bringing people on board and getting them involved early in the process.”
Katherine ended the webinar by touching on how her company deals with the challenges of complying with changing laws and regulations. She shared “Priorities do shift. It’s critical to first understand why these things need to happen and to get people on board with that perspective. It is not just about red tape; it must be integrated into the business. Compliance is everyone’s responsibility, and everyone has a role to play in it”.
It was a pleasure to catch up with two accomplished Risk Managers and hear first-hand how they have transformed their processes to bring teams together, standardise their risk framework, and automate their processes to create a holistic view of risk for their organisations. Their success stories show what a real difference selecting the right platform to manage risk can make, with both agreeing that the board now views risk differently and they use risk data for strategic decision making.