Risk Appetite statement

The Risk Appetite statement sets out the amount of risk the NHSCFA is willing to accept in pursuit of strategic objectives.



Our vision and purpose

Our vision is:

“Working together to understand, find and prevent fraud, bribery and corruption in the NHS”.

Our purpose is to:

“Protect the NHS from fraud, bribery and corruption”.

We achieve this by:

  • being experts and leaders in our field
  • leading the NHS response
  • empowering others; and
  • putting the interests of the NHS and patients first


The Department of Health and Social Care Anti-Fraud Unit (DHSC-AFU) sets the overarching counter fraud policy and strategy across the whole of the health group in England. The NHSCFA will be accountable to its Board, which in turn will be accountable to the DHSC-AFU for the delivery of its strategy.

Risk management is an essential component of the NHSCFA governance framework and supports the achievement of the organisation’s strategic themes and objectives. Effective risk management increases the probability of successful outcomes, whilst protecting the reputation and viability of the organisation.

The NHSCFA’s Organisational Strategy sets out the current plan to tackle fraud and corruption in the NHS and the wider health group. Such overriding themes and objectives demand a risk appetite that embraces the taking and effective management of its inherent risks and opportunities.

The NHSCFA takes its responsibilities to its stakeholders seriously and regards risk management as both a tool of good management and an important factor in ensuring the organisation meets its obligations to its partners and key stakeholders.

The NHSCFA’s Risk Management Policy provides the structural framework to effectively manage its risks. The policy looks to maximise opportunities and minimise adverse risks in the organisation’s pursuit of achieving its strategic plan. The likelihood and impact matrix used to calculate a risk score is shown at Appendix A.

NHSCFA’s Risk Appetite Statement considers the significant strategic risk areas that the organisation is exposed to and the appetite level that it is willing to accept based upon its decision making. 

Overall Risk Appetite

NHSCFA’s Board, management and staff will have regard to the organisation’s risk appetite both in its strategic and operational decision making.

The strategic vision and objectives set out above will impact the way in which the organisation accepts those risks in respect of those specific areas, commensurate with the potential reward.

The chart at Appendix B is based on the HM Treasury’s practitioner’s guide on managing risk appetite, which has been adapted to provide a charted reference of NHSCFA’s risk appetite (averse, minimalist, cautious, open, hungry) for each of its identified risk aspects.

Overall, the NHSCFA has an 'OPEN' appetite for risk, but it is acknowledged that there may be occasions where it will undertake specific activities within its identified strategic corporate risk areas, where the appetite may be higher or lower.

The key challenges in achieving an appropriate balance are to ensure:

  • ethical and effective governance practices including responsible management and oversight of resources
  • realisation of opportunities and permitting innovation, while avoiding unnecessary bureaucracy; and
  • avoidance of a risk averse corporate culture which stifles innovation rather than supports it through the correct assessment and management of risks.

Risk Framework

Good risk management practice indicates that organisations should specify their appetite for risk at a granular level, related to the nature of the organisation’s activities. This Risk Appetite Statement specifies the amount of risk the organisation is willing to seek or accept in the pursuit of its strategic objectives.

In terms of priorities, the need to avoid risk related to compliance and the overall health and safety of its staff will take priority over other factors. It will, for example, be acceptable for NHSCFA to acquire and undertake research of bulk data sets providing it does not expose the organisation or individuals to undue compliance risks. This permits the organisation to undertake its functions which will be integral to its success in achieving its strategic objectives.

Therefore, a balanced assessment is taken of risks, as in many cases there are risks attached to both doing something and doing nothing. The ‘do nothing’ option could give rise to a greater risk.

Risks are managed in accordance with the organisation’s Risk Management Policy. Operational (non-corporate) risks are reviewed monthly by the Leadership Team (LT) and escalated to the Senior Management Team (SMT) where it is considered that they should potentially be recategorised as corporate risks. Corporate and emerging risks are discussed as part of the quarterly divisional Performance & Appraisal Panel meetings and reviewed by the Risk Register Review Group, where recommendations are taken forward/actioned by the SMT.

Responsibility for reviewing and approving the NHSCFA’s Risk Appetite Statement rests with the Board via the Audit, Risk and Assurance Committee.

Risk Approach

The NHSCFA’s approach is to minimise its exposure to risks relating to its regulatory and legal compliance, whilst accepting and encouraging an increased degree of risk in pursuit of its strategic objectives. There can be a danger when focusing on negative risks that the organisation will sometimes forego opportunities. Where positive risks occur, these will be managed as an opportunity with actions most likely to bring about a successful outcome prioritised.

The organisation recognises that its appetite for risk varies according to the activity, and that the acceptance of risk is always subject to ensuring that the potential benefits and risks are fully understood before projects and programme developments are authorised, and that sensible and realistic measures to mitigate risks are established when required.

Appendix C charts NHSCFA’s current overarching strategic risk areas and the tolerance levels associated with those risks, being the agreed acceptable deviation from our stated risk appetite.

Implementation & review of NHSCFA’s Risk Appetite Responsibility

The Board is responsible for providing strategic leadership for the organisation, ensuring that it is able to account to parliament and the public on how the functions of NHSCFA are delivered.

The NHSCFA SMT is responsible for setting and overseeing the delivery of the organisation’s strategic aims and business priorities; while establishing and maintaining the delivery of governance which includes an effective risk management process and compliance with this Risk Appetite Statement.

Risks entered onto the risk register take into account risks from within the organisation and external sources and are reviewed regularly. The register is also updated when there are key changes in policies, structures, functions or operating landscape.

The SMT are responsible for risk register entries relating to strategic corporate risks faced by the organisation and the control frameworks in place to mitigate these. Unit Business Leads are responsible for risk register entries relating to risks faced by business units in day-to-day operations and the control frameworks in place to mitigate these.

Unit Business Leads are responsible for risk register entries relating to the day-to-day operational risks faced by their respective divisions and the control frameworks in place to mitigate these.

Project / Programme Managers / SROs are responsible for risk register entries relating to corporate projects, programmes and portfolios of work and the control frameworks in place to mitigate these.

Both the SMT and Unit Business Leads are responsible for maintaining the risk register entries in a manner which is consistent with this ‘Statement’, allowing for the escalation of risks outside the stated appetite or agreed tolerance levels for specific activities.

Confirmation review & Communication

This Risk Appetite Statement has been reviewed and approved by the Board and the Audit, Risk & Assurance Committee.

Reviews take place no less than annually.

The NHSCFA’s Risk Appetite Statement is published on both the external website and the staff internal intranet.
