Risk management policy

The risk management policy sets out how risks to the NHSCFA are identified, evaluated, recorded and prioritised, and who has responsibility for mitigating or managing individual risks.

Published: 28 July 2022

Version: 4.0




This policy sets out the overarching approach to managing risks within the NHS Counter Fraud Authority (NHSCFA).

It sets out how the NHSCFA will deliver risk management across the organisation; outlining who does what and when.

This risk management policy is a standalone document that uses a different methodology from the one adopted by the Government Counter Fraud Profession to undertake ‘fraud’ risk assessments. Once such an assessment has been undertaken, any identified NHSCFA fraud risks should be recorded and managed in line with this policy.

This policy should be read by the Board, the Executive Management Team (EMT), the Senior Management Team (SMT), the Leadership Team (LT) and staff who are delegated to manage specific risks or issues.

The policy is available for everyone to read on the internal staff intranet (Go2) and the LT should encourage their staff to familiarise themselves with it.

To comply with transparency obligations, the policy is also available to the public on the NHSCFA website.

Senior roles and responsibilities

The Board is responsible for providing strategic leadership for the organisation, ensuring that it is able to account to Parliament and the public on how the functions of the NHSCFA are delivered. The Audit, Risk & Assurance Committee (ARAC) provides an independent and objective view of the effectiveness of the organisation’s internal controls.

The ARAC is responsible for:

  • assessing the governance within NHSCFA
  • agreeing the Board Assurance Framework (BAF)
  • reviewing assurance and governance reports
  • reviewing internal and external audit reports; and
  • identifying matters of concern to be raised with the Board.

The EMT, supported by the SMT, provides strategic leadership in all matters relating to the creation and delivery of the organisation’s strategy, strategic plans and business priorities.

The EMT & SMT are also responsible for developing the NHSCFA’s vision, strategy and strategic plan; setting, agreeing and communicating the annual business priorities to meet the plan.

The SMT, who meet fortnightly, are responsible for:

  • setting and overseeing the delivery of the organisation’s strategic aims and business priorities; and
  • establishing and maintaining the delivery of governance which includes an effective risk management process and robust internal controls.

The LT provides leadership on the development and delivery of the NHSCFA’s strategic plans and business priorities, through the design and implementation of work programmes based on agreed business priorities. It is comprised of the organisation’s business leads who meet monthly.

The LT is responsible for:

  • contributing to the development of the strategic plan; and
  • providing assurance to the SMT on progress against plans and risk areas through identification, mitigation and, where appropriate, escalation.

What is "risk"?

Risk is defined as the effect of uncertainty on objectives, whether a positive opportunity or a negative threat. This means that risks may involve both positive and negative outcomes. An example is given below:

Action: a decision is taken to disrupt a criminal organisation through civil litigation rather than spend resources on a full criminal investigation.

Negative risks:

  • the action taken may not achieve its objective by failing in court
  • civil litigation costs may be greater than first thought
  • the decision not to investigate may attract adverse parliamentary comment, which in turn generates adverse media coverage

Positive risks:

  • resources may be freed up to undertake more productive criminal investigation
  • the civil litigation may succeed and the criminal organisation may stop its activities and may be bound to make reparations
  • further resources may be obtained in light of a demonstrable shortfall

Risk management comprises the co-ordinated activities designed and operated to manage risk and exercise control within an organisation. It is the proactive identification, classification and control of issues that may affect the NHSCFA’s delivery of its objectives. It is a fundamental activity that is embedded in our strategic and business planning and project management processes. Whilst the Board accepts that not all risk can be eliminated, it is committed to reducing its risks to an acceptable level wherever possible.

All risks and opportunities which may have an impact on the achievement of our strategic and operational objectives, or on individual projects, must be recorded and reported upwards. The EMT, the SMT and the Board (via the ARAC) need to be made aware of these. This will enable them to introduce appropriate measures to manage those risks or exploit opportunities.

Further detailed guidance for internal staff on risk and risk management in the organisation, and on completing the risk register within the Management Reporting Tool (MRT) application prior to its move to the ‘Verto’ platform, is available on the internal staff intranet.

Before going on to describe how we as individuals, teams and an organisation should deal with risk, there is another term which is also addressed in this policy, which is “issue”. The two terms are often conflated but are quite different.

What is an "issue"?

An issue is defined as an event that has happened or is happening. It is a ‘known’ as opposed to an ‘unknown’ quantity.

The outcome of an action or event is no longer subject to uncertainty. The consequences may be observed and measured.

It is possible for one or more of these consequences to be identified as an actual or potential risk.

Risk Registers

NHSCFA maintains a ‘strategic’ and ‘corporate’ risk register which is overseen by the Board via the ARAC. All entries are reported to and monitored by the Board with risks scoring 12+ reported in detail to the ARAC. Each work stream will inevitably carry its own risks, which need to be assessed, recorded and managed by way of ‘operational’ risk entries. Where there are any risks identified by the LT that could impact upon the NHSCFA, these are discussed together with the Corporate Board Secretary and the Risk Management Lead and where appropriate, escalated to SMT to be considered for placement as a corporate risk.

As the NHSCFA is a relatively small organisation, it is practicable for it to operate a single register system which incorporates strategic, corporate and operational risks and issues. The register is located within the MRT application.

The risk register currently contains the following minimum datasets:

  • Date risk registered: when the risk was first identified
  • Risk aspect category: the broad general category the risk falls under
  • Risk description: “If [event happens] then [this will be the consequence]”
  • Risk owner: the named individual who is responsible for the risk
  • Controls/mitigations: details of the processes in place to control the risk
  • Inherent risk score: the current risk score (probability x impact)
  • Residual risk score: the anticipated score post mitigation
  • Lines of defence: 1st, 2nd and 3rd lines of defence
  • Risk response: Terminate/Reduce/Accept/Pass/Share

Risk identification and assessment criteria

We currently assess the level of risk by using a simple scoring system based on two criteria:

  • Probability
  • Impact

We judge how probable it is that the risk we have identified will lead to an adverse outcome. This is scored on a scale from one to five. See Appendix A.

We also judge the likely impact that the adverse outcome might have on our organisation and its ability to meet its strategic and operational objectives. This is scored in a similar way to probability on a scale from one to five. See Appendix B.

A further element is also considered in the risk assessment process. Assessing the proximity of the risk tells us how urgent the matter is, and we can factor this in as part of our response. To indicate the proximity of an event we use a standard Red, Amber, Green (RAG) rating. See Appendix C.

All identified risks are recorded on the risk register. Guidance on how to complete the risk register is provided within the internal guidance document available on the staff intranet.

The operational risks are regularly reviewed by the LT, and appropriate high-scoring risks are escalated to a corporate risk on the register. Corporate risks are regularly reviewed by the SMT at the Risk Register Review Group meetings, where they are monitored and actioned as required.

A holistic view of risk concerning our strategic, corporate and operational aims allows us to judge whether certain risks might interact with other risks and whether our response needs to reflect this interaction.

Probability, impact and proximity are dynamic elements and consequently all three must be reviewed and reassessed frequently. This method of identification, assessment and scoring enables us to prioritise our response.

Risk Appetite

The Board regularly reviews and approves its position on risk appetite. The ‘appetite’ sets out the level of risk that the NHSCFA is willing to accept. Managers and Team Leads in the organisation are expected to use this to guide their decision making.

The risk appetite of the NHSCFA records its decision on the appropriate exposure to risk it is willing to accept in order to deliver its strategic objectives. This allows it to be innovative in its methods to combat fraud and corruption in the NHS in England, confident that when doing so it is acting in full compliance with its statutory and regulatory obligations.

The risk appetite will strongly influence the way a risk is managed. However, in order to apply this factor, it will be necessary to establish the gravity of each risk and prioritise action accordingly.

Risk Appetite Statement

The organisation recognises that its appetite for risk varies according to the activity, and that the acceptance of risk is always subject to ensuring that the potential benefits and risks are fully understood before projects and programme developments are authorised, and that sensible measures to mitigate risks are established when required.

The risk appetite statement also details the organisation’s current strategic risks; it is published on the website as a separate document, in addition to being referenced in the annual report.

The NHSCFA risks are categorised into one of the following six broad operational and corporate risk areas:

  • Legal/Regulatory/Compliance & Finance
  • Service Disruption
  • Reputation and Credibility
  • Technology and Cyber-Security Threats
  • Safety, Health & Environment
  • Personal Information and Bulk Data

Risks throughout the organisation should be managed within the NHSCFA’s risk appetite, or where this is exceeded, priority action taken to reduce the risk.

Risk tolerance

The NHSCFA recognises that in some circumstances it will have to accept a level of risk, in order to achieve its overall objectives. However, it must take and accept risks in a controlled manner, thereby reducing its exposure to unacceptable risks.

NHSCFA uses a standard 5x5 risk scoring matrix (see below) for assessing the impact and likelihood of identified risks. The Board and the ARAC have responsibility for monitoring and reviewing all risks scored outside of the organisation’s tolerance threshold and taking appropriate action.

Risk tolerance is the minimum (9+) and maximum risk (12+) that NHSCFA is willing to accept, as outlined in the Risk Management Guidance document. This details the risk aspect categories against which all identified organisational unit risks are assessed for their likelihood and impact using the ‘probability and impact’ scoring matrix.

Any risks rated at or above the minimum score are reported to the Business Unit Leads on a monthly basis. A risk score of 9+ is treated as a trigger for a discussion at the LT meeting, together with the Board Secretary and the Risk Management Lead, to determine whether the risk score is justified. Any risks considered to be correctly rated will be escalated to the SMT for review and to be actioned accordingly.

A target risk rating should be set for all risks. This target (the “residual”) risk rating is a means of expressing a target for the lowest acceptable (“tolerated”) level for that risk. When setting residual risk ratings, risk leads should consider what level of tolerated risk they are willing to retain. For some risks, the residual risk rating could be high, especially where the consequences are potentially severe, or some elements of the risk lie outside the direct control of the business unit or organisation.

The ARAC supports the Board by reviewing, among other things, the comprehensiveness and reliability of assurances on governance and risk management. The ARAC will have sight of all corporate risks scoring 12+.

The Board will review the position on risk appetite at least annually against any new NHSCFA strategic objectives and will produce an annual statement of risk appetite.

Risk prioritisation

Different organisations will have different appetites for tolerating risk. Not all risks can be “managed” out of existence and virtually any significant actions or decisions taken by an organisation, including the conduct of its day-to-day business, carry “inherent risks”. The job of risk managers and decision makers is to establish what constitutes a tolerable level of “residual risk” once risk mitigation measures have been taken and are seen to be as effective as anticipated.

The risk appetite will strongly influence the way a risk is managed. However, in order to apply this factor it is necessary to establish the gravity of each risk and prioritise action accordingly.

We give ‘probability’ and ‘impact’ a rating from one to five. This allows us to rate each risk, taking into account both criteria. The figure below shows the potential score for each combination of probability x impact.

                        Impact
Probability      1     2     3     4     5
     5           5    10    15    20    25
     4           4     8    12    16    20
     3           3     6     9    12    15
     2           2     4     6     8    10
     1           1     2     3     4     5

The greater the probability of the risk coming to fruition and the greater the impact it is likely to have, the higher the risk will be rated and vice versa.

In line with the scoring system, our general approach to risk is set out below:

  • EXTREME risks, over which we exercise control, are always unacceptable and require a response which will reduce probability or impact or both, so that any remaining risk, known as the “residual risk”, is reduced to high, moderate or low. Should certain risks be beyond our control, there may be occasions where all possible mitigations will still leave the risk score at extreme. These rare instances will be monitored continuously by the Board and the SMT.
  • HIGH risks would normally call for mitigation to reduce them to moderate or low. Action taken to mitigate a risk needs to be proportionate to the “cost” of the risk.
  • MODERATE risks may call for mitigation to reduce them to low. Again, such action must be proportionate. An informed decision to tolerate a risk is possible where mitigation would not be cost-effective.
  • LOW risks normally require no further action, unless there is evidence of over control. Controls incur costs and should not be put in place unnecessarily.

Assigning a risk score

As part of the risk assessment process, each identified risk should undergo a three stage evaluation approach.

  • ‘Inherent’ - firstly, review as though there were no controls in place, or as though any proposed controls that are in place are failing, and score on that basis; then
  • ‘Residual’ - assume adequate controls are in place and are operating effectively; and now
  • ‘Set a Score’ - this is achieved by implementing action to bring the risk in line (where possible) with the articulated appetite and tolerance level.

The table below may assist in helping to set an appropriate score for the risk:

  • Risk rating score 1-8 (LOW)

    Risk action required: manage with routine procedures and existing policies/guidance.

    Minimum review: to be reviewed every 3 months by the nominated actionee/risk manager.

  • SMT/LT management ACTION required (score band not stated)

    Risk action required: costs to be funded within the business unit; may necessitate a business case for additional funding.

    Minimum review: to be reviewed monthly by the nominated actionee/risk owner/manager; review and discuss any potential escalations at the LT meeting.

  • Risk rating score 12-25 (HIGH)

    Risk action required: Board to be informed of the nature and need of any emergency action/priority funding.

    Minimum review: to be reviewed monthly by the nominated SMT owner/Board; to be discussed and reviewed by the ARAC.

Escalating risks

Risks are scored so that they can be prioritised for action. Risk management should be proportionate to the level of risk, and the NHSCFA will focus resources on addressing those risks with the greater probability of coming to fruition. The greater the impact a risk is likely to have, the higher it will be rated, and vice versa.

Escalation is about informing the organisation and mobilising additional resources to mitigate the risk, particularly where local resources are insufficient. At the business unit level, Team Leads should assess the risk to the team objective articulated in their unit business plan.

Where an operational business unit risk has arisen that the risk owner is concerned might impact on the strategic objective(s) of the organisation, this will be raised for discussion at the LT meeting together with the Board Secretary and Risk Management Lead. Where it is decided that an operational business unit risk should be escalated to the SMT for consideration, this will be done via the Board Corporate Secretary.

Escalation to the corporate risk register will be based on the following criteria:

  • the risk score is equal to or higher than 12; or
  • the Risk Management Lead has reported a thematic risk, having identified similar risks across the organisation (such as a workforce resource issue).

Opportunity risks

There is a danger that, when the organisation focuses on negative risks, it will sometimes forego opportunities that, while initially appearing too risky, have never been formally analysed. While positive risk is something the organisation will generally want to avoid, when it does occur it can often be managed as an opportunity; it is therefore equally important to prioritise actions and to concentrate on those opportunities that are most likely to bring about a successful outcome.

When deciding whether to take an opportunity risk (‘treat’ the opportunity), the same principles apply. The costs involved in exploiting the opportunity must be justifiable in terms of the anticipated benefits and the controls should not lead to significant risks.

Risk appetite levels will depend on the circumstances; for example, the NHSCFA will have a low tolerance for taking risks which may severely impact the security and integrity of its information systems, but may have more appetite for opportunity risks such as major IT service developments which, while presenting significant challenges, will ultimately bring considerable benefits to the organisation.

The risk responses for opportunity risks are similar to those for negative risks and are categorised as follows:

  • Exploit

    Ensuring the opportunity is realised.

  • Escalate

    Where an opportunity arises that a business unit is unable to realise as they lack the requisite authority to pursue.

  • Enhance

    Increase the chance of the risk occurring so that the benefit(s) of the opportunity can be realised.

  • Accept

    No action is taken to realise the opportunity; it is left as it is and should it occur on its own, then the organisation will benefit from it (mainly employed when the cost of the response is high and there is less chance of it occurring or the benefit does not outweigh the effort involved).

  • Share

    This is where a business unit is not capable of realising the opportunity on its own and so works together with another business unit or stakeholder to realise the opportunity.

Strategic corporate risks

The Board will be responsible for the monitoring of all strategic corporate risks via the risks and issues overview report. The Risk Management Lead will be responsible for gatekeeping and assurance checking, to ensure the appropriateness of risks on the register. Challenges will be raised via the Risk Register Review Group.

The ARAC will have responsibility for reviewing the corporate risks via the BAF report.

The Board Secretary will have responsibility for ensuring any new strategic risks are added to the BAF report or amendment of any previous risks.

Risk response

The NHSCFA’s risk management and mitigation process follows the TRAPS model and may involve one or more of the following:

  • Terminating

    Where the residual risk after mitigation remains unacceptably high and is beyond the organisation’s risk appetite, it might be deemed wise to terminate the activity giving rise to the risk. This may typically involve the change, removal or abandonment of an aspect of organisational activity.

  • Reducing

    This means reducing the inherent risk of an activity by reducing the probability of the event occurring, the impact of the event should it occur, or both. This could involve changing the activity giving rise to the risk or finding some way of deadening its impact. Where mitigation action is implemented the success of the mitigation needs to be monitored.

  • Accept

    This involves a conscious and deliberate decision to retain the threat. This decision may be taken in circumstances where a risk cannot be easily or cost effectively mitigated and where the potential outcome justifies it. This relates to whether the inherent risk is within the organisation’s risk appetite.

  • Pass

    There may be an option open to pass the risk onto a third party who will become responsible for an aspect of the threat. This may be achieved by taking out insurance against an event; however, such insurance in respect of public bodies may be a restricted option.

  • Share

    This may involve sharing the risk internally with other parts of the business, with an outside organisation or stakeholder(s).

Examples of TRAPS measures can be found in the internal guidance for staff available on the intranet.

The level of risk remaining after internal control or strategies have been exercised (the ‘residual risk’), should be acceptable and justifiable.

All actions taken to mitigate or manage risks must be recorded as must the rationale for deciding what level of residual risk may be tolerated.

The overall process is described in the figure at Appendix D.

Staff roles and responsibilities

We are all responsible for identifying potential risks and alerting our managers accordingly.

Some staff may be given responsibility for managing risk in respect of certain work streams or projects. It is important that they familiarise themselves with this policy and supporting guidance. They will be responsible for reporting on risk to the appropriate member of the Leadership Team who will be the “owner” of the risk.

Each LT member is responsible for updating and collating the risks they own which are reported via the monthly LT meetings.

Occasionally, reporting risk issues to the SMT, Board or ARAC may require the presence of the risk owner or the person responsible for managing the risk if different (the ‘actionee’), to elaborate on the risk report.

Communication and Learning

All staff have a part to play in contributing to improving the way the organisation manages risk. Risk is a mandatory agenda item scheduled in all team meetings.

The LT is responsible for ensuring that effective risk management is communicated appropriately throughout the organisation. Similarly, where lessons are learned from less effective risk management practices these should also be disseminated.

Consideration should also be given to highlighting issues to the Board Secretary and/or the Information Governance and Risk Management Lead.

Reviewing policies and procedures

This Policy and the conduct of risk management processes across the organisation shall be reviewed no less than biennially.

This review should take into account:

  • the extent to which all risk owners review the risk controls within the ambit of their responsibility;
  • the accuracy or otherwise of risk prioritisation by risk owners;
  • all of the key risks to which the Board/ARAC have been alerted during the previous two years or relevant period; and
  • any assurance or audit exercises carried out in respect of risk management during the preceding two years or relevant period.
