Resource:Risk Management in Schools

School administrators often view risk management as an ancillary activity to the strategic management of a school district.  However, effective risk management is much more than rules and governance.  The cultivation of an effective risk culture through a bottom-up engagement in risk management can drive higher morale and increase employee engagement.  Oliver Wendell Holmes Jr. once said, “I would not give a fig for the simplicity on this side of complexity, but I would give my life for the simplicity on the other side of complexity.”  A formal risk management process can also provide the “simplicity on the other side of complexity” by creating stronger risk intelligence and resilience within the school.  The purpose of this article is to provide a process for developing an all-inclusive risk management program in a school district.  

According to Goldstein, Sptiznagel, and Taleb (2009), “Because of the internet and globalization, the world has become a complex system, made up of a tangled web of relationships and other interdependent factors” (pg. 1).  School districts face these complex risks on a daily basis in the form of cyber-bullying, active shooter events, and lead in water to name a few.  Children have more access to information today than they ever have, and the access continues to grow.  Goldstein et al. go on to explain that we often use hindsight and mistake it for foresight.  A comprehensive risk management plan will allow a school to develop foresight and prepare for those risks that we have yet to face.  

Leadership Commitment

According to Campbell (2015), “there has been a growing awareness that rules and compliance are not enough, and increasingly, governance and leadership are cited together when discussing the ability to manage risk effectively” (p. 116).  Leaders drive the risk culture of an organization by modeling expected behaviors that can enhance the risk culture.  A risk management program that lacks the support of leadership is doomed to fail.  

A strong risk culture can create an environment where employees feel safe to discuss risk with their supervisors.  “Cultures of Silence” are usually created by leaders who do not want to hear about risk due to the difficult discussions that may follow.  These cultures encourage employees to maintain silence with regards to their concerns due to the repercussions of speaking up.  Open and transparent risk management practices will combat this problem and can create a school district with more resilience to risk.  

Getting Started

Starting a risk management plan can appear to be a daunting task.  Many organizations don’t start the process because they don’t know where to start.  The best place to start is to memorialize the commitment of the leadership to the risk management program through a policy statement that is signed by the superintendent and disseminated to the entire staff.  The policy statement addresses the school’s commitment to the risk management plan and encourages employees to bring forth any threats or opportunities to the school for discussion by the risk management committee without the fear of retaliation.  

Before disseminating the policy statement, the district will benefit from the development of a risk committee that includes a cross-section of professionals from across the district.  Avoiding a committee of “like-minded individuals” can increase the effectiveness of the committee, so strive for diversity amongst the committee.  A committee comprised of individuals who are comfortable engaging in “respectful dissent” reduces the risk of group-think that may reduce the effectiveness of the committee.  The committee is more effective if it is not simply the top leaders of the organization, but it includes other organizational members.   It is appropriate to have a mix of both employee and management-level individuals on the committee.   

Risk Inventory 

There are many ways to develop an inventory of risk, but ideally, this process can be used to engage the employees of the district in the risk management process.  For instance, outside experts could be used to develop the risk inventory, but a teacher may be aware of a gap in the educational process that is unique to the school district.  The industry expert will not identify this risk through their process without understanding the unique aspects of the school district’s culture.  

The best process for developing a risk inventory is to hold council-style meetings where individual employees can speak up about the risks that they believe the school faces.  These meetings allow leadership to build trust in the process as it is designed to be a one-way communication.  Some groups even use a “talking stick,” so the only person that can speak is the moderator and the individual holding the stick.  The point in this process is to avoid minimizing a person’s concern.  

A cross-section of employees will make these meetings more effective than having the meetings in each department.  The members of an individual discipline are more likely to speak up in a cross-sectional group than they are in a group of their peers.  According to Campbell (2015), “honesty and courage are needed in the willingness to identify and assess risk openly” (p. 126).  Avoiding activities that reduce an employee’s willingness to participate in the process will enhance the outcome of the process.  

Some participants might have a hysterical or mistaken belief that a risk-related disaster is imminent and inevitably, there will be “chicken little” risks identified in the process.  These types of events are hard to quantify and forecast, but ignoring them can be a mistake.   This process can help reduce the school’s vulnerability to them.  For example, a member of the committee might bring up the risk of a meteor strike, which is very unlikely, but preparing for a disaster is an important part of the risk management process.  So, while the actual risk that is identified is unlikely to occur, the controls are necessary for other exposures.    

Risk Registry

The risk committee then takes the information obtained in the risk inventory process and creates a risk registry.    The purpose of the risk register is to formalize a process to assign a risk owner and to discuss the effectiveness of current risk treatments.  The goal of the risk treatment is to reduce vulnerability to a risk; not create certainty that it won’t happen.  The risk owner does not have to be on the risk committee, but they are required to report on their risks to the committee at least annually.  

For example, the school’s human resources director may own the risk of sexual harassment in the workplace.  To “treat” the risk, the school will likely create an anti-harassment policy, provide training for the employees and administrators, and investigate every accusation.  All of these activities will discourage sexual harassment, but they likely won’t completely prevent it.  As the risk owner, the director of human resources is responsible for keeping up with changing case law on this risk and enhancing the controls in place to reduce the likelihood of occurrence. They would also be responsible for keeping the committee informed.  

In the end, the risk registry may help identify weaknesses in the school's current risk management practices.  The risks that are identified in the process must all have a level of treatment that makes the district comfortable in their ability to manage them.  Inevitably, some identified risks in this process will lack adequate treatment and steps can be taken to create resilience to them. 


A formal risk management program can help a school district enhance the education of its students by identifying risks and allocating resources appropriately.  According to Goldstein et al. (2009), “Any organization that doesn’t recognize its Achilles’ heel is fated to die because of it” (p. 4).  The process outlined in this article is designed to be applied to the entire risk portfolio of a school district and build resilience to risk, which will enhance the education and experience of the school’s students.  


Campbell, K. A. (2015). Can effective risk management signal virtue-based leadership? Journal of Business Ethics, 129(1), 115–130.

Goldstein, D., Spitznagel, M.W., Taleb, N.N. (2009). The six mistakes executives make in risk management. Harvard Business Review, 10/09, 1-4.

About the author

Bill Raab is currently the Director of Risk Control for Glatfelter Public Entities, a leading insurer of public entities.  He holds his Masters’ Degree in Risk Management and Insurance from The Florida State University and a Bachelors’ Degree in Industrial Health and Safety from The Pennsylvania State University.  Bill is currently a Doctoral student at Abilene Christian University where he is studying Organizational Leadership.