academies back to school report - home | rsm uk · terrorism. in other instances, inexperienced...
TRANSCRIPT
ACADEMIES BACK TO SCHOOL REPORTSeptember 2016
A
CONTENTS
A WORD FROM MIKE 3
CYBER SECURITY 4
GOVERNANCE MATTERS 6
BROKERING – TAKING ON A NEW SCHOOL 8
DO YOU HAVE A BOARD ASSURANCE FRAMEWORK IN PLACE? 11
THE TWO CRITICAL ROLES - CHAIRPERSON AND CHIEF EXECUTIVE 12
2
•
A WORD FROM MIKE
When I wrote the intro for our last edition, the White paper had just been released and there was a seeming inevitability about the relentless drive towards full academisation.
Since then though…the Brexit vote, a new Prime Minister, a new Education Secretary, a new shadow Education Secretary (or should that be three…), a new Chief Inspector (nominated, rejected, and appointed anyway), and a prospective new Chair of Ofsted as well. Not a bad strike rate for a few short months.
But what does all this turmoil mean in practical terms? In reality, it is business as usual in terms of doing the day job. Primary school pupil numbers continue the rise seen over the last 10 years, with a further five per cent increase expected through to 2019 (though secondary numbers look slightly more stable). The pressures therefore on budgets, competition for good staff and outcomes aren’t going to lessen anytime soon.
There will though be inevitable delays around policy initiatives and the new funding formula as ministers and civil servants reappraise priorities, and the resources available to deliver them.
In the meantime, inside this edition of our Back to School report we look at some areas we think warrant some discussion:
• cyber security;
• continuing issues around governance; and
• brokering – taking on a new school.
As ever, if you have any queries, or suggestions for future editions of this report, please feel free to contact either myself, or your usual RSM contact, and we will be delighted to help.
Best wishes
Mike Cheetham
National Head of Academies Partner, Risk AssuranceM +44 (0)7800 617 204 [email protected]
3
CYBER SECURITY
Cybercrime continues to be one of the fastest growing areas of crime with increasing numbers of individuals and groups exploiting the speed, convenience and anonymity of new digital structures to commit a diverse range of disruptive activities that know no national borders.
Historically, cybercrime was committed mainly by individuals or small groups. Today, criminal organisations use full time ‘staff’ who use real time sophisticated techniques to commit crimes on an unprecedented scale, either for the rewards that they bring in their own right or to fund other illegal activities such as terrorism. In other instances, inexperienced hackers can simply download readily available attack tools from the internet.
The crimes these people carry out may not be necessarily new, as in the case of fraud and theft, but the ease with which these can be committed and the potential rewards have changed due to our ever increasing reliance upon inter-connected technology.
We read that new trends in cybercrime, such as ransomware, are constantly emerging with the costs to the global economy now running to billions. The Cabinet Office recently estimated the cost of cybercrime to the UK alone to be £27bn per annum. However, this does not give a proper insight in the impact on an organisation of a fully-fledged cyber-attack. Many people still consider the biggest risk to be a failure in technological controls which in turns results in the theft of money or data. The reality is the impact upon schools, colleges, staff and students can be much wider than that.
• Some attacks will seek to deny the use of operational systems, either through ransomware attacks where systems are locked and a fee is demanded to enable you to access them or through a Distributed Denial of Service attack (DDOS) that overwhelms your systems, such as the attack on the JANET network in December 2015. Some organisations have been wholly unprepared for the impact of the loss of their teaching systems and have struggled to react and recover.
• Other attacks will seek to harvest data or intellectual property that can later be sold on the ‘dark’ web. This could be through the introduction of malware through a phishing attack. Phishing is where criminals target many individuals with blanket e-mails in the hope that at least some will open the attached links or attachments and either download viruses or provide financial information. Data loss through activities such as this can currently result in fines of up to £500,000 from the Information Commissioner. Several educational establishments have been reprimanded for hacking incidents and the Department of Education itself narrowly avoided action in 2012 when it accidentally exposed the email addresses of respondents to a consultation exercise.
• An increasingly common form of attack is called whaling – this is similar to phishing but targets a much smaller more select group of individuals, for example Finance Directors, Governors etc. This is because these people often have significant data access and higher authorisation levels. Very often, spoofing will be used to make the request for information or payment look like it has come from within the same organisation. Losses to this sort of attack range from the thousands to the millions.
Attacks such as these can easily result in some or all of the following:
• genuine financial loss to the organisation;
• loss of reputation amongst parents and trustees;
• compliance failures such as breach of the Data Protection Act or safeguarding rules;
• loss of intellectual property; and
• loss of key operational systems for an extended period.
4
So what can you do to protect your organisation?
In our experience, there are several key issues that need to be addressed.
1. Don’t ever think you won’t be attacked. Even if you are not at risk from disgruntled ex-employees or students, there are plenty of people who will attack you just because they can using the easily available tools we have already discussed.
2. You need to perform an exercise to assess the degree of cyber risk that you are exposed to. You cannot put in adequate safeguards if you do not know what data you are protecting where it sits or how it is used.
3. Cyber security needs to be discussed at the highest level in the organisation. It cannot be just seen as the responsibility of the IT department.
4. IT themselves need to get the basics right. In a nutshell, good old fashioned IT controls such as back-ups, systems patching and anti-virus software will help mitigate a lot of the cyber risks currently faced by organisations.
5. Establish IT controls that provide strength in depth. In this way, the failure of a single control should not be as harmful should the worst occur.
6. People continue to be the weak link. The best technological controls can be undone by a member of staff or a student who clicks on something they shouldn’t or writes their password on a post-it note. Training and education continues to be a key element of successful cyber security arrangements.
7. Establish an environment where it is OK to query an email or question an unknown person wandering around the corridors. Staff and students need to know that they will be taken seriously if they act upon what they have been told to do.
8. Plan for the worst. Many organisations have no incident management plan that can be invoked when an attack is underway. This can result in initial confusion which can in turn exacerbate the incident.
9. Consider compliance with the government’s 10 step cyber essentials scheme - which can be found https://www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility/10-steps-summary.
5
GOVERNANCE MATTERS
“We should not underestimate just how vital the role of governors and trustees has become in helping to raise standards.” Sir Michael Wilshaw, 2015 Annual Report
Although it is possible to take issue with Sir Michael on many matters, the above statement has never been truer, or more concerning in terms of some of the implications within the academy sector.
Going back to basics, the core principles expected of all charity trustees are that they:
• act within their legal powers;
• act in good faith;
• act always, and only, in the best interests of the organisation;
• ensure they have sufficient, relevant and reliable information on which to base decisions; and
• are demonstrably open and transparent.
These principles are not new, nor could they be regarded as controversial in any way. Adherence to them though requires a degree of altruism and self-awareness (individually and collectively) that sometimes seems to disappear during the practical challenges of running the academy trust. Whenever one reads a report about a ‘failure’ in an academy, a well known charity, an NHS Trust or a myriad of other sorts of organisations, a failure of ‘governance’ is often at the core of the problem, and in particular a failure of governors/trustees to hold management to account.
Accountability has been a mantra of Government over the last few years, and generally linked also to providing greater freedom to organisations to run themselves as they see fit – itself the core rationale underpinning the academy trust concept. The term accountability appeared 64 times in the academies White Paper earlier this year across a range of topics. It is also a core expectation of the National Schools Commissioner that academy trust Boards hold ‘their’ management to account for delivery of the Trust’s mission.
So what does good governance actually look like?
It isn’t all about policies, procedures and record keeping, as important as these are. It is though more about outcomes and behaviours – most Inspectors who have to opine on governance would say that they know good (and poor) governance when they see it, and those judgements are far easier to make when you observe trustees in actual committee and Board meetings.
6
In essence, this reflects the core principles referred to previously:
Knowledge Having the right information on which to base decisions, whether organisation specific or more holistic. It also means recognising any shortfalls in that information and taking action to remedy that shortfall as far as realistically possible.
Thought Application of knowledge in the strategic, and best, interests of the organisation, no matter what that might mean for an individual.
Leadership Commitment to ensuring the delivery of the strategic objectives, which includes holding management to account for the operational delivery. In many of the reports of ‘failures’, this is often the weakest element of governance, particularly where there is a very strong Chief executive in post who doesn’t accept (even if they understand) the role of a Board of Trustees.
Ethics The Nolan principles of openness, transparency, selflessness etc.
This is by no means a guarantee of success, but if not in place, then it is more likely there will be poorer governance.
As alluded to earlier, it requires a great degree of self-awareness across a Board to look at itself this way, and it can lead on occasion to (personally) painful recognition that some trustees should not be trustees. This is one of the key concerns of some of those working in the sector. As the number of academy trusts continues to grow rapidly, are there enough potential trustees with the right skills and attributes who are willing and able to give sufficient of their time to make academies a success?
Knowledge
Thought
Leadership
Ethics
In a recent series of seminars for our academy clients we put forward a diagrammatic representation of how we look at governance.
7
BROKERING – TAKING ON A NEW SCHOOL
Schools are being encouraged by the Department for Education (DfE) to establish Multi Academy Trusts (MATs) or join existing MATs. The DfE has indicated that the future development of academies lies in the consolidation of more schools (whether individually or as clusters/groups) into MATs as well as schools deciding to leave one MAT and join another.
Whilst taking on a new school may be perceived to offer many potential benefits, trustees have a responsibility to ensure that they make the right decision for the local community and pupils, both current and future (the academy’s beneficiaries in charity terms). Therefore, trustees need to ensure they have obtained appropriate information (both financial and non-financial) on which they can make an informed decision.
The decision of a single school to join a MAT family of schools requires careful thought on both sides. For the new joiner school the head teacher and trustees will need to be satisfied that the match is a good one, the cultures are aligned and that operating at scale will bring the expected benefits for pupils. Equally, the board of the MAT will need to be satisfied that the school they are ‘acquiring’ or partnering with will fit well with the aims and ethos of the group, will not create unmanageable risks or liabilities for the future, nor de-stabilise the group as a whole.
Both parties need to spend quality time considering how they can discharge their responsibilities and what information is required to achieve this. Whilst there are common themes associated with all school transfers, differences do arise simply by the type of organisation from whom they are being transferred from (Local Authority or another MAT). It is therefore important that the trustees obtain sufficient information to assure themselves that they are making the right decision.
Questions to ask should include
• Why change?
- For the new joiner, what is in it for your pupils/local community by joining or changing groups?
- For the acquiring MAT, is it part of your strategy to grow by acquiring new schools? Do you genuinely have the capacity, resources and support systems to absorb and nurture the staff, pupils, buildings, contracts and liabilities you will be taking on?
• What information do you require and what do you hold?
• What questions do you have and what risks do you believe exist?
• What is your knowledge gap?
Consider facilitating a meeting between management and trustees to crystalise your thoughts and questions. Time is never wasted when effective planning is undertaken as this could reduce ‘bumps’ along the way.
What to consider
Quality and performance• Ofsted, EFA, recruitment, demographics. Both parties
need to understand where the other currently stands in performance terms.
8
Financial matters• Budget v performance, cashflow, identification
of assets and liabilities. New joiners will need to understand how the ‘top slice’ deduction to their school budget to pay for central support services will be applied and whether it represents value for money. For the MAT it will be more about understanding what is being acquired and is the information complete and accurate.
• GAG pooling arrangements. The decision to pool and allocate on the basis of need, or not to pool and allow each school within a MAT to keep their own GAG allocation can be very contentious, but there is no right or wrong answer. Any differences in approach need to be considered and agreed in advance therefore by both parties.
HR harmonisation• Structure, terms and conditions, pensions. Payroll
costs typically account for c80per cent of a schools’ expenditure so this is obviously an area to pay careful attention to. The transfer of teaching and support staff will be covered by the Transfer of Undertakings (Protection of Employment) Regulations 2006 (‘TUPE’). TUPE can also apply to staff employed by external contractors. So, if the joining school has a contract for say cleaning with an outside provider with staff who spend most of their time on site, these staff may also end up transferring onto the MAT payroll as well.
Property matters• Conditions survey, PFI arrangement, leases. What
state are the school buildings in? What kind of backlog maintenance liabilities are there and what is the likelihood of significant capital expenditure in coming years? Who is responsible for any work and can it be completed before transfer?
Leadership and governance• Structure (pre and post), terms of reference, assurance
arrangements. Leadership and governance will be critical to future success. How would you rate the quality of the Board and is there a good mix of skills and experience?
Legal• Litigation, contracts of employment, leases and other
contracts. Are you aware of all potential risks?
Regularity• Probity, value for money, conflicts, leases. Can you be
confident that the organisation has applied the highest standards of propriety and internal control to avoid reputational damage?
Internal controls and risk management • Procedures and compliance. Are controls in place to
mitigate the risks identified by the NAO following their reviews of academies such as inappropriate expenses claims or undocumented salary increases, inappropriate or unauthorised purchases (eg luxury goods, alcohol, cars), etc.
The combined MAT • Cashflow, risk management, SWOT analysis. Does it
add up?
Common problems
• Identification and/(or) value of assets and liabilities
• Whether the school is transferring from another MAT or the ‘state’ difficulties can arise when identifying what is actually passing across. It is important to ensure the legal agreement clearly sets out assets and liabilities beyond just the property.
9
• Where assets are held as part of a PFI agreement specific legal advice should be taken as the risks and the financial implications associated with these arrangements can be prohibitive.
• The transfer of the Local Government Pension Scheme (LGPS) may be straight forward but it is not uncommon for delays to occur whilst the LGPS satisfies itself over any change, especially if the merger crosses scheme boundaries. It is advisable to discuss any potential transfer issues with the associated LGPS at an early stage. A key consideration is the on-going contributions expected as these would need to be included within any cash flow projections.
• There must be sufficient management resource to do the day job as well as the transition process. Be honest about your management team’s experience/capacity and ensure the right support is put in place for the duration.
Combined financials and curriculum
Robust combined financial plan and cash flows are required to ensure the enlarged MAT is sustainable. Sensitivity analysis should be completed based on the curriculum plan where you can model the impact of changing pupil numbers and staff posts. The curriculum plan should build on recognised strengths of each school to establish staff requirement (FT v PT v Agency) and the required estate.
You will also need to consider:
• harmonisation of systems and procedures;
• termination costs of leases and other obligations;
• increased marketing and professional costs associated with any rebranding and advising/assisting with the transfer; and
• availability of grants and available cash funds to deliver a sustainable model.
Overall message
• Invest time in planning the transition.
• Develop a combined curriculum offering building on existing strengths.
• Develop combined financials that are stress tested under different scenarios such as falling pupil numbers or the addition of a sixth form.
• Understand the risks and impact of the transfer, then monitor and manage them.
• Consider commissioning a due diligence review to assist/validate some of the information on which your decision will be based.
• Ensure you have sufficient management resource to deliver.
• Trustees need to buy into the vision and then support/challenge management.
• Have you sufficient cash resource to deliver your vision?
Above all, never under-estimate the costs associated with a merger in both time commitment and cash requirements as well as the potential impact on quality and your reputation.
10
DO YOU HAVE A BOARD ASSURANCE FRAMEWORK (BAF) IN PLACE?
The HM Treasury Guidance on Assurance Frameworks (2012) defines an assurance framework as:
“A structured means of identifying and mapping the main sources of assurance in an organisation, and co-ordinating them to best effect”.
Following on from our previous article in the April edition, the development of board assurance arrangements should be a logical extension of an academy’s existing risk management arrangements. It is important therefore that you are satisfied with how your Board and audit committee (or equivalent) understands and implements risk management, and that you maintain an informed engagement with the risks and opportunities that you face. If these arrangements are effective they will help you to understand the process and control environment, and help you answer the core questions:
• what do we want assurance over? and
• how much assurance do we need?
It could be argued that a BAF should represent the total arrangements in place for managing an academy’s assurances and not just an output produced for the board.
Developing and maintaining board assurance arrangements is not, and should not be, a separate activity, but rather an embedded tool of management. As a natural extension of risk management, it would be reasonable to incorporate your board assurance policy and procedures into your risk management documentation, therefore ensuring that risk, control and assurance identification and monitoring processes are considered as a single, not disparate, set of activities.
Given our position as one of the market leaders of audit, advisory and assurance services to the academy sector, we have developed a guide to further aide understanding, share our experience and expertise in the successful implementation and roll out of effective board assurance arrangements within many clients and to provide support through the provision of a toolkit.
Please download your copy from: www.rsmuk.com/BAFtoolkit
11
THE TWO CRITICAL ROLES – CHAIRPERSON AND CHIEF EXECUTIVEFraming the issue
F Warren McFarlan, Baker Foundation Professor of the Social Enterprise Initiative at Harvard Business School cites the recruitment of a chief executive as one of the most important tasks facing a non-profit Board. Similarly having the right chairperson in place beforehand is critical to the future direction of an organisation.
There are essential differences in the two roles: one carries the ultimate responsibility for the academy trust, is unpaid, part-time and a leader in the background whereas the other is responsible for the day to day operations, is remunerated and a more visible leader. While it is worth noting that there are some high-profile chairs who can play an important role in promoting and furthering a charity’s work, this should be balanced with maintaining a clear distinction about who does what. These sometimes conflicting standpoints mean that it is imperative that the right individuals fill these two critical roles and that they have the ability to work well together to achieve the organisation’s goals.
What this means for an academy trust, in our experience
The searchesWhen a vacancy, or potential vacancy, is arising in the position of chairperson it is important to initially involve all trustees or governors in the consideration of the required attributes of the ideal incoming person. Achieving a consensus on the attributes of a new chairperson will help to make the probationary phase easier once the appointment has been made. Potential candidates may arise from either the existing board or a new appointment from outside the academy trust. The use of head-hunters has become more common especially by larger academy trusts. Another key
person to have input in the process is the existing chief executive given the pivotal relationship that these two individuals will have in the future. Once trustees and the chief executive have been consulted then it is usually appropriate to create a small working group with a view to creating a shortlist of candidates for the whole board to consider.
A key element of the chairperson’s role is the amount of time required to properly carry out the required duties. Broadly this can be as much as twice the time required for a typical trustee. Having someone with the ability to be this flexible in the time that they are able to offer is important for any academy trust. Not least because many of the duties of a chairperson can be unplanned, for example, when a chief executive vacancy arises it is often the chairperson that has to become more involved as a quasi-interim chief executive in order to keep the academy trust on track.
The chairperson must be motivated by the academy trust’s longer-term aims given the voluntary nature of the role. While a chief executive should also be motivated by the mission, the payment of a salary does introduce a different dynamic. The selection of the chief executive is not solely the responsibility of the chairperson and, again, a small working party is an effective means in recruiting, involving the expertise of search and selection agencies as appropriate. As with recruiting a chairperson the potential pool of candidates can come from both within and outside the academy trust. For an internal candidate that might go on to become the chief executive competing against external candidates gives credibility to the appointment and shows existing staff that it was a robust process. Many of the principles for the recruitment of the chairperson similarly apply to the chief executive including an initial assessment of the characteristics required.
12
Relationship and cultureIdeally the vision of the chairperson and chief executive will be aligned and there will be general agreement on the academy trust’s needs and future direction. Both should have an appreciation and understanding of the others’ strengths and weaknesses, usually so as to be complementary but remembering that opposites can also be effective. The important aspect is both individuals having an understanding of where gaps may exist.
The relationship between chairperson and chief executive should be one that is sufficiently close, but not too cosy. Both should feel comfortable in challenging the other, and other trustees should not feel alienated by the relationship. It is important to remember that these other trustees carry more of the ultimate legal responsibility than the chief executive, on an equal footing with the chairperson.
Chief executive/chair evaluation and appraisalThe chief executive must be accountable to the board and not a free agent. A formal assessment of the chief executive’s performance should be undertaken on an annual basis often carried out by the chairperson or governance, nominations or remuneration committee. As soon as the new chief executive is in post objectives should be set for a suitable timeframe ahead. At the end of that period the relevant body should then assess the new chief executive’s performance providing appropriate feedback. Depending on the academy trust’s financial model this can be linked to remuneration and it is a good practice to confidentially share the outcome of any formal appraisal of the chief executive with the entire board. The comparability of remuneration across similar academy trusts may also be relevant and important to consider, as it has been highlighted in the press several times in recent years. The whole board need to be supportive of the agreed package and basis for the remuneration.
However, it is important that the board’s involvement in routine and day-to-day staff matters stops at the chief executive. Trustees should not interfere with the appraisal of other staff members as this should rest with the chief executive. They should also consider appraising the performance of the chair.
The future – succession successPeriodically both the chairperson and chief executive should consider their own positions. Many academy trusts have limited time periods for an individual to serve as chairperson. Some recent high-profile charity failures have been cited as being due to a lack of rotation of individuals in key roles, and a number of public EFA investigation reports comment on the role of the chairperson in the appropriate oversight and accountability for the academy trust. Chief executives may have a sense of how long they should remain in post to deliver key objectives but without getting stale, or perceived as having their carpet slippers on. Encouraging a competent but stale chief executive to move on is one of the most difficult challenges facing a chair, and a reason to guard against too much closeness in the relationship.
13
The following questions to consider have been developed from Joining a Nonprofit Board: What you need to know, Marc J Epstein, F Warren McFarlan:
QUESTIONS A CHAIRPERSON SHOULD PERIODICALLY CONSIDER QUESTIONS A CHIEF EXECUTIVE SHOULD PERIODICALLY CONSIDER
Is the chief executive the visible leader of the academy trust and do I work appropriately behind the scenes?
Am I still the right person for the job given the academy trust’s current state?
Do I still have the confidence of the Board? Do I still have the support of the board?
Am I up to date on changes to the sector in which the academy trust operates?
Am I perceived as an asset or liability to the academy trust?
Do I have sufficient insight of the academy trust? Do I work well with the chairperson?
Have I considered my successor? Do I have the right management structure and team in place to support the board’s objectives? Am I bringing on/developing new talent within the academy trust?
Honest answers to these questions should then identify when it is appropriate to think about succession for the chairperson and chief executive.
14
15
The UK group of companies and LLPs trading as RSM is a member of the RSM network. RSM is the trading name used by the members of the RSM network. Each member of the RSM network is an independent accounting and consulting firm, each of which practices in its own right. The RSM network is not itself a separate legal entity of any description in any jurisdiction. The RSM network is administered by RSM International Limited, a company registered in England and Wales (company number 4040598) whose registered office is at 50 Cannon Street, London EC4N 6JJ. The brand and trademark RSM and other intellectual property rights used by members of the network are owned by RSM International Association, an association governed by article 60 et seq of the Civil Code of Switzerland whose seat is in Zug.
RSM UK Consulting LLP, RSM Corporate Finance LLP, RSM Restructuring Advisory LLP, RSM Risk Assurance Services LLP, RSM Tax and Advisory Services LLP, RSM UK Audit LLP and RSM UK Tax and Accounting Limited are not authorised under the Financial Services and Markets Act 2000 but we are able in certain circumstances to offer a limited range of investment services because we are members of the Institute of Chartered Accountants in England and Wales. We can provide these investment services if they are an incidental part of the professional services we have been engaged to provide. Baker Tilly Creditor Services LLP is authorised and regulated by the Financial Conduct Authority for credit-related regulated activities. RSM and Co (UK) Limited is authorised and regulated by the Financial Conduct Authority to conduct a range of investment business activities. Whilst every effort has been made to ensure accuracy, information contained in this communication may not be comprehensive and recipients should not act upon it without seeking professional advice.
© 2016 RSM UK Group LLP, all rights reserved. 2055
rsmuk.com
Hannah CatchpoolPartner, AuditT +44 (0)20 3201 8097 [email protected]
Steven Snaith Partner, Technology Assurance T +44 (0)20 3201 8674 [email protected]
Mike CheethamNational Head of Academies Partner, Risk AssuranceT +44 (0)20 3201 8219 M +44 (0)7800 617 204 [email protected]
CONTRIBUTORS
Matthew HumphreyPartner, Consulting T +44 (0)116 282 0550 [email protected]
Chris Mantel Partner, Assurance T +44 (0)2380 646 631 [email protected]