Recovering risk management

16 June 2020

The rapid deployment of the Nightingale hospitals around the country to address the coronavirus threat is a great example of the substitution approach to risk management.

The hospitals were established to cope with the anticipated massive influx of patients requiring intensive healthcare. The COVID-19 risk to patients and the very real danger of an exponential rise in case numbers meant there was little hesitation in substituting the risk of harm for financial risk.

The bigger picture

Risk management has sat at the heart of organisations for many years. But despite its long standing, and the many years of learning, training and auditing in its name that have taken place, risk management is still often misunderstood and misapplied. There is still too often a focus on the here and now, not what is around the corner, let alone months or even years ahead.

Also, the mindset needs to shift from the binary ‘risk bad, no-risk good’. Taking risk is an essential part of change. Healthcare itself involves taking risks with patients through therapeutic interventions in order to achieve cure. Boards should guide their organisations’ flexing of risk in order to achieve their goals. There is a temporal dimension to this as well as the need to give consistent messages through mature risk management.

One issue is that systems in general are formed to deal with risks for a specific time tangent and little or no attention is given to making risk management a dynamic process. Staff often use risk registers as issues logs – thinking that scoring risks highly will mean things get done – without thinking of the bigger picture.

How often do organisations still make decisions based on short-term gains without fully anticipating the long-term consequences? How often is information from risk assessments used as intelligence?

Risk management is an invaluable tool in building useable intelligence that supports the decision-making process. But if data gathered on risks and incidents isn’t properly interrogated to create this intelligence, risk management can feel like nothing more than a boring tick-box exercise.

A good risk management system should give any organisation a structural ability to adjust its tactics and strengthen its integrity.

“Performance without integrity is like momentum without direction”

Mikael Hagstroem, 2019

Board assurance framework

COVID-19 may have forced risk management to take a back seat in many organisations, but it is one of any board’s main tools to ensure the organisation prioritises appropriately and takes a judgement-based and considerate approach to its endeavours.

Most organisations will have a board assurance framework (BAF) highlighting the main risks to the organisation’s strategic objectives. COVID-19 many not be a strategic risk in itself but it will have had a massive impact on the strategic priorities of all NHS organisations – priorities such as quality of care, the achievement of constitutional standards, and system engagement, to name just a few.

The BAF needs to be the tool that drives the agenda of the organisation and enables the conduct of its business, with every single molecule of the organisation delivering towards the attainment of its strategy. How often have you seen a BAF allowing the agility required to respond to the crisis such as COVID–19?


In tackling COVID-19, boards may have a greater appetite to loosen financial purse strings to achieve the quality needed. This focus on risk appetite needs to be a crucial, continuing conversation throughout the reset and recovery phase, especially with regulation and targets likely to be reimposed and focus renewed on system integration.

Striking the right balance is going to be difficult as local and central priorities are likely to pull organisational resources in different directions. Achieving the optimal balance is very much the board’s role.

The art of using risk appetite to create opportunities during the crisis, through harnessing natural partnerships COVID-19 has created in responding as a whole health economy, has broken some of the silo working among and within teams, removed redundant bureaucracy and achieved efficiencies. These are all important lessons to keep hold of during this new reset and resume phase.

What can boards do?

Without doubt, as the risk environment has changed so radically in the last three months, the board assurance framework must be refreshed. Boards should be challenging their executives on the controls and assurances in place. These should have changed during the pandemic and will require changing again for the reset phase. There should be a ‘loosening up’ in some areas to allow focus where it is really needed. Boards will simply have to be bold about proportionality in the assurances they require. Often and on the Pareto basis -- reassurance will need to be enough.

Boards will want to see new and emerging risks that could impact strategic objectives. The corporate risk register should capture these and the board should be assured these are filtering through from divisional teams.

Boards also need to work with executives in looking to the medium to long-term future, highlighting potential risks that COVID-19 may have created: future litigation from staff and patients, patients presenting late in A&E, harm to patients from the increasing waiting list might be some of the more immediate risks. But what does this mean for the timeliness of system integration, service delivery change, supply chains and procurement, among others? These risks are much less clear but need to be considered.

Future proof

The pandemic feels like a perfect storm, presenting boards with a great opportunity to take a dynamic approach to the structure of their BAFs and their underlying support processes. Boards should be considering how well their BAFs are structured to tackle scenarios such as COVID–19 and just how future-proof they are. Without careful thought and proper design to risk and assurance processes, releasing board time away from rote assurance checking will be wishful thinking.

Boards might also want to consider ways in which an agile approach to risk appetite is instigated in times of crisis. COVID–19 has certainly made boards more resilient to exponential risks; perhaps now is the time to rethink and introduce learning from this emergency back into the practices how BAFs are structured and managed.

Questions for boards

  • Does our BAF consider the changes COVID-19 has made on risks to our strategic objectives?
  • Are we making decisions that keep us within our risk appetite or at least our risk tolerance?
  • Are we seeing the emerging risks from COVID-19 – and is action being taken to mitigate these?

If this bulletin prompts any comments or questions, please contact us by calling on 07732 681120 or emailing

Ian Brandon


Nabil Jamshed


Prepared by GGI Development and Research LLP for the Good Governance Institute.

Enquire about this article

Here to help