Corporate risk register vs. board assurance framework

10 March 2022

Our brilliant basics series continues with a look at the differences between two crucial risk management documents.

Since 2001, it has been mandatory for every NHS trust in England to have a board assurance framework. Most also have a corporate risk register – sometimes known as an organisational risk register, trust-wide risk register, or high-level risk register.

We’ve come across some confusion about what sets these important documents apart. So today we explore some of the differences between them.

The board assurance framework comprises strategic risks as defined by the board: the major risks that could prevent the board from fulfilling the objectives in the trust’s agreed strategy.

By contrast, the corporate risk register comprises operational risks, mainly identified by services themselves. It does not include all the organisation’s operational risks – a large NHS trust will often have hundreds of these – just the most significant ones.

These are usually risks that score highly in terms of their likelihood of occurring and their potential impact, that have a wider impact beyond the service where they arose, and that need involvement by executives or colleagues from other services to resolve them.

The table below outlines the main differences between the BAF and the CRR – but it should be noted that there are also some important similarities:

  • A risk should always be described clearly in terms of its cause, what is likely to happen, and what impact it would have on the organisation if it occurred.
  • A risk should always be scored in terms of its impact and likelihood using the criteria set out in the organisation’s risk matrix.
  • For every risk, controls should be listed – these are the measures that the organisation is already taking to reduce the level of risk.
  • Three risk scores should be always calculated for each risk: the inherent score (the level of risk in the absence of any controls), the current score (the level of risk with the current controls in place), and the target score which the organisation aims to reduce the risk to.
  • There should be a clear action plan, with deadlines and accountabilities for individuals, to manage all risks.

Board assurance framework

Corporate risk register


Comprises strategic risks aligned to the organisation’s strategic objectives – the risks which prevent the trust from achieving the strategy

Typically comprises operational risks arising from the trust’s day-to-day activities

Risks are trust-wide in their scope and impact

Some risks are trust-wide in nature, others are specific to particular services or departments but have been escalated to the corporate risk register because of the high level of risk or because action is required by executives, or colleagues from other services, to mitigate the risk

Risks typically have a high current score (15+) by virtue of their strategic nature, but there is not normally a threshold for a risk score that must be exceeded before a risk can be included in the BAF

Thresholds for inclusion in the CRR vary between organisations but often only risks scoring 15 or higher are included

Usually contains no more than ten risks

The number of risks varies between organisations but can be up to 50 (or even more) in some trusts

For each risk, both controls and assurances (evidence that shows whether the controls are working) need to be identified

Usually, only controls are identified


Risks are identified, defined and assessed by the executive team or board (top-down)

Risks are usually identified by services or departments themselves and escalated to corporate level (bottom-up)

Decision to include risks in the BAF, remove them, or adjust risk scores, is taken by the board

Escalation of risks to the corporate risk register, or de-escalation, is decided by the executive team or by a risk management group (an operational committee below board level)


Reported to the board in full and discussed usually quarterly or bi-monthly

Not always reported to the board, or reported in summary form only

Board assurance committees review risks relating to their remit in detail

Board assurance committees may receive an extract of risks relevant to their remit and discuss risks by exception e.g., new risks or those for which there is a lack of progress with action plans

Find out more about how we can help to strengthen your core governance by visiting our website. If you would like to discuss your organisation’s approach to risk, please call us on 07732 681120, or email

Meet the author: Joe Roberts


Find out more

Prepared by GGI Development and Research LLP for the Good Governance Institute.

Enquire about this article

Here to help