GGI jargon buster: board assurance framework

19 May 2021

The board assurance framework (BAF) is, in GGI’s view, the original invest-to-save scheme for boards. Today we go back to basics to explain some key terms.

Time spent on getting the various elements of their BAF right will help boards streamline assurance, locate where and how assurance is tested, and develop proportionality in board reporting.

Key to developing an effective BAF is identifying the organisation’s risk appetite and risk tolerance for each strategic objective and agreeing what is sufficient in terms of controls and the assurances that the controls are operating effectively. The greater the risk appetite, the more controls should be put in place to avoid or mitigate risk.

However, while operational terms such as actions, controls and gaps can be easily understood and applied, boards often struggle to grasp strategic notions such as risk appetite or reassurance.

This illumination will provide a simple summary of what some of these terms mean and why they matter.

Risk appetite vs risk tolerance

Risk appetite is the level of risk that an organisation is prepared to accept in relation to an event/situation, after balancing the potential opportunities and threats that situation presents. It represents a balance between the potential benefits of innovation and the threats that change inevitably brings.

We need to know about risk appetite because:

  • If we do not know what our organisation’s collective appetite for risk is, and the reasons for it, this may lead to erratic or inopportune risk-taking, exposing the organisation to a risk it cannot tolerate; or an overly cautious approach, which may stifle growth and development.
  • If our leaders do not know the levels of risk that are legitimate for them to take, or do not take important opportunities when they arise, then service improvements may be compromised, and patient and user outcomes affected.

Risk tolerance is the predetermined upper level of risk that can be assigned to an objective. This might be set as an overall risk rating or might specifically relate to an upper ‘impact’ or upper ‘likelihood’ rating which, if reached, must be mitigated at all costs.

We need to know about risk tolerance because:

  • It informs the scheme of delegation and escalation procedures if breaches occur.

Assurance and reassurance

Assurance happens when someone tells you what is happening and offers you triangulated evidence of how it was done. You can then judge for yourself if all is well.

For instance:

“Are we keeping an accurate record of mortality incidents?”
“Yes, we are. Here you have the documentation presented to the Mortality Group for the past six months.”

Reassurance happens when someone tells you all is well and you believe there’s no need for further checks.

For instance:

“Are we keeping an accurate record of mortality incidents?”
“Yes, we are.”

Why do assurance and reassurance matter?

  • Boards should use assurance and reassurance differentially and in context. In some matters, being reassured is enough, while in others the board should seek a greater level of assurance.
  • Even the most productive and thorough board can’t be assured of absolutely everything. Where possible, boards should discharge their assurance responsibilities through the trust’s governance structure.
  • The audit committee, if used well, can play a big role in the assurance/reassurance dichotomy. The audit committee needs to be able to assure the board that governance systems and processes are working effectively across the organisation. The other committees should function as content committees to triangulate evidence and look at the content that is submitted from management groups.
  • The BAF is a key tool to help boards identify when they should seek assurance or reassurance.
  • More mature NHS boards tend to focus on strategic areas and priorities, leaving assurance to committees. In contrast, boards of more challenged organisations tend to focus heavily on assurance, relegating strategic thinking to a secondary priority.

Board assurance framework

The BAF brings together all the relevant information about risks to the board’s strategic objectives. It is an essential tool for boards but, like all tools, it needs to be used with skill and diligence.

Used properly, the BAF should:

  • provide a structure and process for the board to focus on those risks that might compromise the achievement of the organisation’s strategic objectives
  • provide the board with a simplified approach to reporting and prioritisation and drive the board’s (and sub-committees’) cycle of business
  • encourage individuals and groups within the organisation to proactively think about their objectives, with board agendas focused on strategic and reputational risks rather than operational issues.

The BAF is an agreement between the board and the trust’s management which summarises:

  • the organisation’s strategic objectives
  • the risks to achieving these
  • the controls management are to put in place to minimise the likelihood or effect of those risks materialising
  • the assurances the board needs to be confident that the controls are operating effectively.

  • Risk appetite is how much risk you want; risk tolerance is how much risk you can live with.
  • Assurance is about proactively establishing for yourself that all is well; reassurance is about reactively having concerns dispelled by someone else.
  • The board assurance framework is the key document that should be driving the board and committee agendas.

If you have any questions or comments about this briefing, please call us on 07732 681120 or email

Meet the author: Peter Allanson

Principal Consultant


Prepared by GGI Development and Research LLP for the Good Governance Institute.
