Special Contribution from Weaver |
In past years, your district may have performed a risk assessment that was thorough and detailed — but was it useful? Did it provide leadership insight and direction for decision making? When you begin planning the next risk assessment, first ask how it will be used. Who will rely on the results? What other strategic or operational processes will it drive?
There are two very different perspectives for a risk assessment: either the entity level or the process level. An entity-level assessment is from the outside in and considers external factors such as the local economy, political environment and demographic shifts, as well as district-wide decisions such as the business model, reliance on technology, and both inputs (revenue, curriculum) and outputs (student outcomes). A process-level risk assessment is more granular and internally focused, evaluating processes and internal controls for primary functions such as procurement, human resources, instruction, transportation and so on.
Where to begin?
For most districts, regardless of size, the best risk assessments work from the outside in, looking at the big cultural, political and economic factors in play, then looking for aspects that the district can affect.
Entity-level risks should be a collaborative effort of all stakeholders and examine external influences that are largely beyond the district’s control, considering the inherent risk that the district faces. Using the results, leadership then sets out a path to confirm the priorities and allocation of mitigation efforts to reduce fallout and impact of the risk.
The entity-level risk assessment results recognize that external forces can affect every aspect of district leadership, from construction to curriculum to hiring and more; therefore, this is where the risk assessment must start. Using the highest-rated entity-level risk events, the district should then undertake a process-level risk assessment to ensure that procedures are appropriately placed to control the right risks.
Entity-level risks could include:
- Demographic changes, either fast growth or declining enrollment
- Funding risks, whether from legislative change or economic conditions
- Regulatory or political risks
- Technology risks, including cyber security
Process-level risks are more internal and — while they may seem overwhelming sometimes — can be managed from inside the district. Process-level risks involve the processes and internal controls used to manage functional areas such as:
- Procurement
- Human resources
- Technology
- Asset management
- Financial reporting
- Instruction and curriculum
- Transportation
- Food service
Planning = Results
Your district’s biggest risks — and therefore the focus of your annual risk assessment and resulting internal audit priorities — are unique. They depend on your geographic region, demographic trends, size, history and financial situation.
By working from the outside in, looking first at the external risks that affect the district, then homing in to specific process areas most affected by those risks, you and your team can be confident that you are spending your valuable time and resources where they will make the most difference.
