For many multi‑academy trusts, compliance activity is happening in multiple places at once: policies are drafted and approved, training is delivered, risks are logged, and audits are completed.
Yet when trustees ask a straightforward question:
“Are we assured?”
the answer is often less clear than it should be.
This is rarely because schools or central teams are not doing the work. More often, the issue is fragmentation – compliance, risk and assurance spread across different systems, documents and owners, with no single, coherent picture at board level.
Increasingly, that fragmentation has itself become a board‑level risk.
Previously, many compliance areas could sit largely at an operational level:
cyber security was viewed as an IT issue
data protection was “handled by the DPO”
risk registers were updated annually
internal scrutiny focused on retrospective checks
Today, that separation no longer holds.
Cyber incidents disrupt operations, education and safeguarding.
Data breaches trigger ICO scrutiny and concern from parents and carers.
Control failures attract regulatory and public attention.
Trustees are now explicitly accountable for oversight across cyber, data protection, risk management and assurance, as reflected in the Academy Trust Handbook.
The question is not whether Trusts recognise this responsibility. It is whether boards are receiving the information they need to discharge it confidently.
On the surface, fragmentation can appear manageable. In practice, it creates four significant risks.
1. Trustees are forced to rely on reassurance, not evidence
When compliance activity is spread across spreadsheets, folders, systems and inboxes, board reporting often becomes summarised and subjective:
“No major issues to report.”
“Risks are being managed.”
“Controls are in place.”
The issue is not a lack of integrity; it is a lack of visibility. Without a consolidated view of:
which controls exist
whether they are operating effectively
what evidence supports those conclusions
trustees are asked to accept reassurance rather than exercise informed oversight.
In a context of increasing scrutiny, that is a fragile position.
2. Risk registers become static and stop informing decisions
Most MATs have a risk register; far fewer have one that genuinely shapes decision‑making.
Fragmentation is a major factor. When risks are not clearly connected to:
live controls
ongoing compliance activity
incident and near‑miss data
audit and review findings
they quickly become static statements, updated periodically rather than used as a live management tool.
Boards then discuss risk in isolation, rather than as an integrated picture of exposure, mitigation and assurance.
3. Evidence gaps only appear when it is too late
In many ICO enquiries, internal audits and serious incidents, a common pattern emerges: the work has been done, but collating the evidence becomes a manual, time‑consuming and stressful exercise.
Training records are stored in one place
Policies in another
Risk assessments elsewhere
Incident records partially documented or duplicated
This does not only increase workload; it also raises the likelihood of:
delays in responding
incomplete or inconsistent evidence
avoidable reputational damage
The accountability principle in UK GDPR (Article 5(2)) is clear: a controller must be able to demonstrate compliance, not simply assert it.
4. Board time is consumed by explanation, not oversight
Fragmented environments make meaningful reporting more difficult. Senior leaders and DPOs spend significant time:
explaining context
translating operational details into strategic language
bridging gaps between multiple reports
Instead of focusing on:
what has changed since the last meeting
where risk is increasing or controls are weakening
what action or investment is now required
The result is often longer reports, longer meetings and less clarity. For already stretched trustees, this undermines confidence rather than building it.
Trusts that are addressing this challenge are not necessarily doing more compliance work. They are organising it differently. Using platforms like GDPRiS, they are moving to a more integrated assurance model in which they have:
a single, connected view of risk and compliance across areas like cyber and data protection
clear ownership and escalation routes
evidence linked directly to controls
reporting designed for trustees as well as auditors
processes that do not depend on individual people or scattered files
Compliance is no longer just about doing the work or passing audits; it is about being able to demonstrate, with confidence and evidence at board level, that risks are understood and managed.
Explore our MAT case studies to see how Trusts like yours are using GDPRiS to strengthen board reporting and reduce compliance fragmentation, or book a MAT consultation with our team.
No Trust sets out to build a fragmented compliance landscape. It tends to emerge over time as Trusts grow, responsibilities evolve and new systems are added to address individual issues.
As MATs increase in size and complexity, the cost of that fragmentation grows – in board confidence, leadership time and organisational resilience.
The most effective Trusts recognise that compliance is not only about passing audits or meeting minimum requirements. It is about assurance: the ability to say, with confidence and evidence:
“Yes, we understand our risks, and yes, we are managing them.”
In the current regulatory and threat environment, that level of assurance is no longer optional. It is a core responsibility for every board.