How to develop a board assurance framework

21 September 2022

Joe Roberts continues our brilliant basics series with a look at a vital document that will help address risks that could hold back your organisation.

Every NHS trust is required to have a board assurance framework – the vital document that tells the board, and the trust’s stakeholders, how it is managing the major strategic risks that could prevent it from achieving its objectives.

Despite this, there has not been any national guidance on how to develop a board assurance framework (BAF) for many years, and there is an almost infinite number of ways for NHS organisations to present their BAFs.

GGI’s work in NHS organisations almost always involves looking at their BAF. We have seen almost every way of writing a BAF, so we know what works and what doesn’t.

Based on our experience of reviewing BAFs across the NHS, here are ten top tips for producing a board assurance framework.

  1. Involve the board: the BAF is owned by the board and is a key tool in enabling it to do its job. Although most of the work on the BAF will be done by executives or senior managers, the board should be involved from the start in developing the BAF through seminars and workshops. The board should not see a new BAF for the first time when it is being asked to approve it.
  2. Start with the strategy: the BAF comprises strategic risks, which relate directly to achievement of the organisation’s strategy and are identified ‘top-down’ by the board or executive management. Operational risks, in contrast, arise from day-to-day activities and are usually identified ‘bottom-up’ by managers of individual services. Thus, the starting point for identifying the strategic risks should be the agreed strategic objectives. To identify risks first and then map them back to the objectives is to put the cart before the horse.
  3. Get the right balance between detail and digestibility: the BAF should be straightforward for a well-informed and conscientious non-executive director to understand. The takeaways for the reader should be what the most important strategic risks are, what is being done about them, and what more needs to be done. Often, we see hugely detailed BAFs that are difficult to digest and which bulk out already heavy agenda packs. A lot of work has gone into these documents, but unfortunately the key messages are often lost.
  4. Make the BAF ‘easy on the eye’: there are different ways to lay out a BAF, and an Excel spreadsheet in landscape format seems to be the most common. This isn’t always the most user-friendly format, and it does not match other board papers, which are mostly Word documents in portrait format. Including graphics, such as heat maps showing the current and target scores of the risks, and trend lines showing how the scores of the risks have changed over time, is helpful for those who prefer information presented visually.
  5. Make it clear what the risks are: a risk is not the same as a problem or an issue. It is an uncertain event which, if it occurs, will prevent us from achieving our objectives. Some risks may actually represent an opportunity. Like risks on the trust’s risk registers, each of the strategic risks should be described in a sentence making clear what might happen, why, and what impact it would have. We recommend the ‘If… then… resulting in…’ or ‘Cause-Risk-Effect’ formulation.
  6. Understand the difference between controls, assurances and actions: controls are measures that are already in place and are intended to prevent the risk from materialising – or reduce the impact if it does. Assurances are evidence showing us whether those controls are working. Actions are things we intend to do in future to reduce the risk further – and once we are doing them, they become controls.
  7. Include the right assurances: ‘third-line’ assurance that comes from outside the organisation, for example from auditors, regulators or Royal Colleges, is greatly valued for its independence and objectivity and is often seen as the ‘gold standard’. It is certainly necessary but ‘first line’ assurance (from services themselves) and ‘second-line’ assurance (from corporate functions within the trust, such as the clinical audit department or health and safety team) also have their place and may be shared with the board, at least in summary form. Usually, the BAF should only include those assurances which are reported to the board or to one or more of its committees.
  8. Make it clear how you will close gaps and when: where there are gaps in control measures or assurances, the BAF should include actions to close those gaps. These actions need to be SMART: specific, measurable, achievable, relevant, and – last but not least – time-limited. Deadlines should never be set as ‘ongoing’.
  9. Link the BAF to high-level operational risks: the BAF has a different function to the corporate risk register, which consists of high-level operational risks (see an explanation of the differences here). However, to provide context and a sense of the organisation’s risk profile, it helps to cross-reference each strategic risk with risks on the CRR that relate to the same issues. For example, most BAFs include a strategic risk relating to recruitment and retention of staff. The BAF entry for that risk should include a list of workforce-related risks from the CRR – specifically their risk numbers, risk titles, and current scores.
  10. Use performance information to provide context: it is helpful – although not essential – to include for each strategic risk in the BAF a brief bullet-point summary of performance information extracted from the trust’s integrated performance report. For example, a BAF risk addressing capacity and demand for services would include highlights against KPIs such as referral to treatment times for elective surgery. This performance information provides an insight into how well the risk is being managed in reality, and why the current risk score is as it is.

Find out more about how we can help to strengthen your core governance – including your board assurance framework – by visiting our website. If you would like to discuss your organisation’s approach to risk, please call us on 07732 681120, or email

Meet the author: Joe Roberts


Prepared by GGI Development and Research LLP for the Good Governance Institute.
