Risk Appetite statement

The Risk Appetite statement sets out the amount of risk the NHSCFA is willing to accept in pursuit of strategic objectives.



Vision and Strategic Objectives

The vision of the NHS Counter Fraud Authority is for an NHS which can protect its valuable resources from fraud. The NHSCFA will lead the NHS in protecting its resources by using intelligence to understand the nature of fraud risks, investigate serious and complex fraud, reduce its impact and drive improvements. This will be done by:

  • delivering the Department of Health and Social Care Unit’s strategy, vision and strategic plan and leading the counter fraud activity in the NHS in England
  • being the single expert intelligence-led organisation providing a centralised investigative capacity for complex economic crime matters in the NHS
  • leading, guiding and influencing the improvement of standards in counter fraud work; and
  • taking the lead and encouraging fraud reporting across the NHS and wider health group


The Department of Health and Social Care Anti-Fraud Unit (DHSC-AFU) sets the overarching counter fraud policy and strategy across the whole of the health group in England. The NHSCFA will be accountable to its Board, which in turn will be accountable to the DHSC-AFU for the delivery of its strategy.

Risk management is an essential component of the NHSCFA’s governance framework and supports the achievement of the organisation’s strategic themes and objectives. Effective risk management increases the probability of successful outcomes, whilst protecting the reputation and sustainability of the organisation.

The NHSCFA’s Organisational Strategy sets out the current plan to tackle fraud and corruption in the NHS and the wider health group. Such overriding themes and objectives demand a risk appetite that embraces the taking and effective management of its inherent risks.

The NHSCFA takes its responsibilities to its stakeholders seriously and regards risk management as both a tool of good management and an important factor in ensuring that the organisation meets its obligations to key stakeholders.

The NHSCFA’s Risk Management Policy provides the structural framework to effectively manage its risks. The policy looks to maximise opportunities and minimise adverse risks in the organisation’s pursuit of achieving its strategic plan. The probability and impact matrix used to calculate risk scores is included at Appendix A.

The NHSCFA Risk Appetite Statement considers the significant strategic corporate risks to which NHSCFA is exposed and the appetite NHSCFA has based on behaviours and decision making.

Overall Risk Appetite

The NHSCFA’s Board, management and staff will have regard to the organisation’s risk appetite in both strategic and operational decision making.

The NHSCFA’s strategic vision and objectives set out above will impact the way in which the organisation accepts those risks in respect of those specific areas, commensurate with the potential reward. Whilst overall the NHSCFA has an ‘averse’ appetite for risk, it is acknowledged that there may be occasions where it will undertake specific activities within its identified strategic corporate risk areas, where the appetite may be higher or lower.

Appendix B is a chart based on the HM Treasury’s practitioner’s guide on managing risk appetite, which has been adapted to provide a charted reference of NHSCFA’s risk appetite (averse, minimalist, cautious, open, hungry) for each of its identified risk aspects.

The key challenges in achieving an appropriate balance are to ensure:

  • ethical and effective governance practices including responsible management and oversight of resources
  • realisation of opportunities and permitting innovation, while avoiding unnecessary bureaucracy; and
  • avoidance of a risk-averse corporate culture which stifles innovation rather than supports it through the correct assessment and management of risks.

Risk Framework

Good risk management practice indicates that organisations should specify their appetite for risk at a granular level, related to the nature of the organisation’s activities. This Risk Appetite Statement specifies the amount of risk the organisation is willing to seek or accept in the pursuit of its strategic objectives.

In terms of priorities, the need to avoid risk related to compliance and the overall health and safety of its staff will take priority over other factors. It will, for example, be acceptable for NHSCFA to acquire and undertake research of bulk data sets provided it does not expose the organisation or individuals to undue compliance risks. This permits the organisation to undertake its functions which will be integral to its success in achieving its strategic objectives.

Therefore a balanced assessment is taken of risks, as in many cases there are risks attached to both doing something and doing nothing. The ‘do nothing’ option may often impose greater risk.

Risks are managed in accordance with the organisation’s Risk Management Policy. Non-corporate risks are reviewed monthly by the Leadership Team (LT) and escalated to the Senior Management Team (SMT) where it is considered the risk should potentially be recategorised as corporate. Corporate risks are reviewed by the Risk Register Review Group and recommendations are taken forward/actioned by the SMT.

Responsibility for reviewing and approving the NHSCFA’s Risk Appetite Statement lies with the Board via the Audit, Risk & Assurance Committee.

Risk Approach

The NHSCFA’s approach is to minimise its exposure to risks relating to its regulatory and legal compliance, whilst accepting and encouraging an increased degree of risk in pursuit of its strategic objectives. There can be a danger when focusing on negative risks that the organisation will sometimes forego opportunities. Where positive risks occur, these will be managed as an opportunity with actions most likely to bring about a successful outcome prioritised.

The organisation recognises that its appetite for risk varies according to the activity. It also recognises that the acceptance of risk is always subject to ensuring that the potential benefits and risks are fully understood before projects and programme developments are authorised, and that sensible measures to mitigate risks are established when required.

Appendix C charts NHSCFA’s current overarching strategic risk areas and the tolerance levels associated with those risks, being the agreed acceptable deviation from our stated risk appetite.

Implementation & review of NHSCFA’s Risk Appetite Responsibility

The Board is responsible for providing strategic leadership for the organisation, ensuring that it is able to account to parliament and the public on how the functions of NHSCFA are delivered.

The NHSCFA SMT is responsible for setting and overseeing the delivery of the organisation’s strategic aims and business priorities; while establishing and maintaining the delivery of governance which includes an effective risk management process and compliance with this Risk Appetite Statement.

Risks entered onto the risk register take into account risks from within the organisation and external sources and are reviewed regularly. The register is also updated when there are key changes in policies, structures, functions or operating landscape.

The SMT are responsible for risk register entries relating to strategic corporate risks faced by the organisation and the control frameworks in place to mitigate these. Unit Business Leads are responsible for risk register entries relating to risks faced by business units in day-to-day operations and the control frameworks in place to mitigate these.

Both the SMT and Unit Business Leads are responsible for maintaining the risk register entries in a manner which is consistent with this ‘Statement’, allowing for the escalation of risks outside the stated appetite or agreed tolerance levels for specific activities.

Confirmation review & Communication

This Risk Appetite Statement has been reviewed and approved by the Board and the Audit, Risk & Assurance Committee.

Reviews take place no less than annually.

The NHSCFA’s Risk Appetite Statement is published on both the external website and the staff internal intranet.