Risk Appetite statement

The Risk Appetite statement sets out the amount of risk the NHSCFA is willing to accept in pursuit of strategic objectives.



Vision and Strategic Objectives

The vision of the NHS Counter Fraud Authority is for an NHS which can protect its valuable resources from fraud. To lead the NHS in protecting its resources by using intelligence to understand the nature of fraud risks, investigate serious and complex fraud, reduce its impact and drive improvements. This will be done by:

  • delivering the Department of Health and Social Care Unit’s strategy, vision and strategic plan and leading the counter fraud activity in the NHS in England
  • being the single expert intelligence led organisation providing a centralised investigative capacity for complex economic crime matters in the NHS
  • lead, guide and influence the improvement of standards in counter fraud work; and
  • take the lead and encourage fraud reporting across the NHS and wider health group


The Department of Health and Social Care Anti-Fraud Unit (DHSC-AFU) sets the overarching counter fraud policy and strategy across the whole of the health group in England. The NHSCFA will be accountable to its Board, which in turn will be accountable to the DHSC-AFU for the delivery of its strategy.

Risk management is an essential component of NHSCFA governance framework and supports the achievement of the organisation’s strategic themes and objectives. Effective risk management increases the probability of successful outcomes, whilst protecting the reputation and sustainability of the organisation.

The NHSCFA’s Organisational Strategy sets out the current plan to tackle fraud and corruption in the NHS and the wider health group. Such overriding themes and objectives demand a risk appetite that embraces the taking and effective management of its inherent risks.

The NHSCFA takes its responsibilities to its stakeholders seriously and regards risk management as both a tool of good management and an important factor in ensuring that the organisation meets its obligations to key stakeholders.

The NHSCFA’s Risk Management Policy provides the structural framework to effectively manage its risks. The policy looks to maximise opportunities and minimise adverse risks in the organisation’s pursuit of achieving its strategic plan. The probability and impact matrix used to calculate risk scores is included at Appendix A.

The NHSCFA Risk Appetite Statement considers the significant strategic corporate risks to which NHSCFA is exposed and the appetite NHSCFA has based on behaviours and decision making.

Overall Risk Appetite

The NHSCFA’s Board, management and staff will have regard to the organisation’s risk appetite in both strategic and operational decision making.

The NHSCFA’s strategic vision and objectives set out above will impact the way in which the organisation accepts those risks in respect of those specific areas, commensurate with the potential reward. Whilst overall the NHSCFA has a ‘minimalistic - cautious’ appetite for risk, it is acknowledged that there may be occasions where it will undertake specific activities within its identified strategic corporate risk areas, where the appetite may be higher or lower.

Appendix B is a chart based on the HM Treasury’s practitioner’s guide on managing risk appetite, which has been adapted to provide a charted reference of NHSCFA’s risk appetite (adverse, minimalist, cautious, open, hungry) for each of its identified risk aspects.

The key challenges in achieving an appropriate balance is to ensure:

  • ethical and effective governance practices including responsible management and oversight of resources
  • realisation of opportunities and permitting innovation, while avoiding unnecessary bureaucracy; and
  • avoidance of a risk adverse corporate culture which stifles innovation rather than supports it through the correct assessment and management of risks.

Risk Framework

Good risk management practice indicates that organisations should specify their appetite for risk at a granular level, related to the nature of the organisation’s activities. This Risk Appetite Statement specifies the amount of risk the organisation is willing to seek or accept in the pursuit of its strategic objectives.

In terms of priorities, the need to avoid risk related to compliance and the overall health and safety for its staff, will take priority over other factors. It will for example, be acceptable for NHSCFA to acquire and undertake research of bulk data sets providing it does not expose the organisation or individuals to undue compliance risks. This permits the organisation to undertake its functions which will be integral to its success in achieving its strategic objectives.

Therefore a balanced assessment is taken of risks, as in many cases there are risks attached to both doing something and doing nothing. The ‘do nothing’ option may often impose greater risk.

Risks are managed in accordance with the organisation’s Risk Management Policy. Non-Corporate risks are reviewed monthly by the Leadership Team (LT) and escalated to the Senior Management Team (SMT) where it is considered the risk should potentially be recategorised as corporate. Corporate risks are reviewed by Risk Register Review Group and recommendations are taken forward/actioned by the SMT.

Responsibility for reviewing and approving the NHSCFA’s Risk Appetite Statement lies with the Board via the Audit, Risk & Assurance Committee.

Risk Approach

The NHSCFA’s approach is to minimise its exposure to risks relating to its regulatory and legal compliance, whilst accepting and encouraging an increased degree of risk in pursuit of its strategic objectives. There can be a danger when focusing on negative risks that the organisation will sometimes forego opportunities. Where positive risks occur, these will be managed as an opportunity with actions most likely to bring about a successful outcome prioritised.

The organisation recognises that its appetite for risk varies according to the activity. Also, that the acceptance of risk is always subject to ensuring that the potential benefits and risks are fully understood before projects and programme developments are authorised, and that sensible measures to mitigate risks are established when required. An overview of risk appetite against risk areas, taking into account the identified strategic corporate risks listed below are shown at Appendix B.

The NHSCFA has identified the following strategic corporate risk areas:

Insufficient Funding to deliver objectives

There is a risk to the organisation of being unable to deliver against the strategic objectives due to an increasing financial gap, changes in the fraud landscape and centrally driven directives or those associated with political changes to priorities and Insufficient Funding to deliver objectives policy direction. A lack of funding could potentially result in the ineffective use of organisational resources.

Suboptimal Business Infrastructure

The is a risk the organisation does not have the optimal business structure in place to allow timely and appropriate reaction to a changing fraud landscape. As a result, there is a consequential risk of a lack of service responsiveness and failure to ensure the best use of its resources, impacting on the organisation’s delivery capability.

Ineffective Engagement

There is a risk the organisation does not have the most appropriate engagement models in place both strategically and tactically, to help maximise the impact of relationships with key influencers, including the local counter fraud community in the detection, prevention and investigation of fraud in the NHS.

Cyber Security threats

There is a risk of failing to maintain a sufficient level of cyber threat resilience (technology, processes and awareness) throughout the organisation, that could result in the theft or loss of personal or confidential data, a distributed denial of service attack, or an inability to access key information systems by staff or the organisation’s stakeholders; potentially leading to financial penalties, reputational damage and loss of public and stakeholder confidence.

Project & Programme Management

There is a risk that strategic and unit objectives will not be achieved due to ineffective project and programme management.

Working Arrangement in light of COVID-19 Pandemic

There is a real risk that the ongoing impact of the pandemic could result in the organisation failing to deliver on its strategic, tactical or operational objectives.

Implementation & review of NHSCFA’s Risk Appetite Responsibility

The Board is responsible for providing strategic leadership for the organisation, ensuring that it is able to account to parliament and the public on how the functions of NHSCFA are delivered.

The NHSCFA SMT is responsible for setting and overseeing the delivery of the organisation’s strategic aims and business priorities; while establishing and maintaining the delivery of governance which includes an effective risk management process and compliance with this Risk Appetite Statement.

Risks entered onto the risk register take into account risks from within the organisation and external sources and are reviewed regularly. The register is also updated when there are key changes in policies, structures, functions or operating landscape.

The SMT are responsible for risk register entries relating to strategic corporate risks faced by the organisation and the control frameworks in place to mitigate these. Unit Business Leads are responsible for risk register entries relating to risks faced by business units in day-to-day operations and the control frameworks in place to mitigate these.

Both the SMT and Unit Business Leads are responsible for maintaining the risk register entries in a manner which is consistent with this ‘Statement’, allowing for the escalation of risks outside the stated appetite or agreed tolerance levels for specific activities.

Confirmation review & Communication

This Risk Appetite Statement has been reviewed and approved by the Board and the Audit, Risk & Assurance Committee.

Reviews take place no less than annually.

The NHSCFA’s Risk Appetite Statement is published on its website and the staff internal intranet.