A plain-English guide to the BAF, covering what it is, how it works, what's inside it, and how to use it to find sales opportunities in NHS Trusts.
BAF stands for Board Assurance Framework. Every NHS Trust is required to have one. It's the document that tells the board how it's managing the major strategic risks that could stop it achieving its objectives.
The BAF maps each strategic risk to the controls in place (what they're doing about it), the assurances they have (how they know controls are working), and any gaps (where controls or assurances are missing).
→ For sales teams: BAF gaps are your biggest opportunities. They're where the Trust has admitted its current approach isn't working.
The Board Assurance Framework is a governance tool used by every NHS Trust in England. It provides the board with a structured view of the strategic risks facing the organisation and tracks whether the controls in place are adequate.
Think of the BAF as the Trust's strategic risk dashboard. While the corporate risk register captures all operational risks (hundreds of them), the BAF focuses only on the top strategic risks, typically 8 to 15 risks that could prevent the Trust from delivering its annual objectives.
The BAF is reviewed at every board meeting and updated regularly. It's a living document, not something filed away and forgotten. Board members use it to challenge executives, ask whether gaps are being addressed, and decide where to allocate resources.
NHS Trusts are required to produce a BAF as part of their governance obligations. The annual governance statement, which every Trust publishes alongside its annual accounts, must confirm that the board has been properly informed about risks through the BAF. External auditors and the Care Quality Commission (CQC) both review it.
BAF vs Corporate Risk Register: What's the Difference?
Every BAF follows a similar structure. Once you know what to look for, you can scan any Trust's BAF in minutes.
Each BAF risk is linked to one of the Trust's strategic objectives. For example: "Deliver outstanding patient care" or "Achieve financial sustainability." This tells you what the Trust is trying to achieve.
A plain statement of what could go wrong. For example: "There is a risk that the Trust fails to recruit sufficient nursing staff, resulting in unsafe staffing levels and poor patient outcomes." This is the problem statement.
BAFs use a standard risk scoring matrix, typically likelihood (1-5) multiplied by impact (1-5), giving a score from 1 to 25. Most BAFs show three scores:
- Inherent score: the risk level if no controls existed at all
- Current score: the risk level with existing controls in place
- Target score: the risk level the Trust is aiming for
Pro tip: When the current score is significantly higher than the target score, it means the Trust's existing controls aren't working well enough. That's your opportunity.
The specific actions, systems, and processes in place to manage the risk. For example: "Existing firewall infrastructure" or "Agency staff arrangements." These are your current competitors, the existing approach the Trust is using.
The evidence that tells the board whether controls are effective. This is where the three lines of assurance come in (more on this below). For example: "Internal audit report on cyber security, June 2025" or "CQC inspection report."
This is the most important section for sales teams. Gaps are where the Trust has admitted that its current approach isn't adequate:
The planned actions to address the identified gaps, with deadlines and owners. For example: "Procurement to issue tender for cyber security platform, Q2 2026. Owner: Chief Digital Officer." This tells you the timeline, the decision-maker, and exactly what they're looking for.
NHS Trusts use a three-line model to categorise where their assurance comes from. This is the "three lines" model used across public-sector risk management and referenced in HM Government's Orange Book on risk management.
First line: assurance from the people who deliver services day-to-day. Ward managers, service leads, and operational staff who manage risks as part of their normal work.
Examples: Ward staffing reports, incident reporting, operational dashboards, team-level performance data.
Second line: assurance from internal corporate functions that oversee and support risk management. Separate from the frontline but still within the organisation.
Examples: Clinical audit department, health and safety team, infection control, information governance, internal compliance checks.
Third line: assurance from outside the organisation, valued for its independence and objectivity. Often considered the gold standard of assurance.
Examples: External audit (e.g., KPMG, Deloitte), CQC inspections, NHS England reviews, Royal College reviews, peer reviews.
Why this matters for sales: If a BAF risk only has first-line assurance (self-reported data from frontline teams), the board may lack confidence that controls are truly working. That's an assurance gap, and a potential opening to position your solution as providing stronger, independent evidence.
Alongside the BAF, NHS Trust boards set a risk appetite statement each year. This defines how much risk the Trust is willing to accept across different areas, including finance, quality, safety, workforce, and so on.
Risk appetite is typically expressed on a scale from "averse" (willing to accept almost no risk) to "hungry" (willing to accept significant risk in pursuit of innovation or growth).
| Appetite Level | Meaning | Typical Areas |
|---|---|---|
| Averse | Avoid risk wherever possible | Patient safety, regulatory compliance |
| Cautious | Accept minimal risk, prefer safe options | Finance, quality of care |
| Open | Willing to consider all options, even if some carry risk | Partnerships, workforce models |
| Hungry | Actively seek innovative approaches despite uncertainty | Digital innovation, service transformation |
When a BAF risk sits outside the Trust's stated risk appetite (i.e., the current risk score is higher than what they're willing to tolerate), it signals urgency. The board will be actively looking for ways to bring that risk back within appetite, which often means investing in new solutions.
While every Trust has its own BAF, certain strategic risks appear again and again. Here are the categories you'll encounter most often.
Workforce: Failure to recruit and retain sufficient clinical staff. Vacancies, reliance on agency workers, and burnout are perennial issues.
Relevant for: staffing agencies, workforce planning software, wellbeing services, e-rostering systems
Finance: Risk that the Trust cannot deliver its financial plan. Cost pressures, efficiency requirements, and capital funding shortfalls are common themes.
Relevant for: cost reduction consultancy, procurement optimisation, energy efficiency, managed services
Cyber security and data: Risk of data breaches, ransomware attacks, and failure to meet the Data Security and Protection Toolkit (DSPT) standards. High-profile attacks have made this a board-level priority.
Relevant for: cyber security platforms, managed security services, data governance, backup and recovery solutions
Digital transformation: Failure to deliver the digital strategy, including electronic patient records, interoperability, and remote monitoring. Digital workforce gaps and supplier dependency are common sub-risks.
Relevant for: EPR systems, integration platforms, digital health apps, IT staffing, cloud services
Quality and patient safety: Risk that the Trust fails to deliver safe, effective care. Includes CQC ratings, never events, infection control, and waiting time targets.
Relevant for: patient safety software, clinical audit tools, infection prevention, quality improvement consultancy
Estates and sustainability: Ageing buildings, backlog maintenance, and failure to meet environmental sustainability targets. Net zero commitments are adding new urgency.
Relevant for: facilities management, energy management, construction, HVAC, sustainability consultancy
Here's what a typical BAF risk looks like in practice. We've annotated each section to show you what to look for.
BAF Risk SR-04: Failure to meet cyber security standards
Strategic Objective: Deliver a digitally enabled organisation with robust information governance
Risk Description: There is a risk that the Trust fails to meet national cyber security standards, resulting in a data breach, regulatory fines, and disruption to clinical services.
Risk Scores: Inherent 20 | Current 16 | Target 8
→ Current score (16) is double the target (8). This risk is outside appetite.
Controls in Place
Assurances
Gaps Identified
Actions to Close Gaps
What a cyber security supplier sees in this BAF entry:
The BAF is typically a standalone agenda item at every public board meeting. Look for it in the board papers. It's usually titled "Board Assurance Framework" or "BAF Update." Some Trusts include it as an appendix to the Chief Executive's report.
Look through the risk descriptions and controls to find risks your product or service can address. If you sell cyber security, look for IT and data risks. If you sell workforce solutions, look for staffing and recruitment risks.
Gaps in controls and assurance are your strongest sales angles. They mean the Trust has publicly acknowledged a weakness. Risks scoring 15+ (red-rated) are typically outside the Trust's risk appetite and will be a board priority.
The actions-to-close-gaps section tells you who's responsible (your contact), the timeline (when to engage), and what they're looking for (your pitch angle). This is gold for sales outreach.
Referencing the Trust's own BAF in your sales pitch builds instant credibility. You're not guessing what they need, you're reflecting their own documented priorities back to them.
Example Outreach:
"Hi Sarah, I noticed in your latest BAF update (risk SR-04) that the Trust has identified a gap in real-time threat detection. We've helped 12 NHS Trusts close that exact gap. Would 15 minutes to discuss be useful?"
BAFs are public documents. Every NHS Trust publishes its BAF as part of the board papers for public board meetings. One caveat for cyber security suppliers: because anyone can read these papers, cyber risk entries are normally written at the level of capability gaps (as in the SR-04 example above) rather than naming specific systems or vulnerabilities, and some Trusts discuss the detail of cyber risks in the private session, so the published entry may be a summary. Here's where to look:
Most Trust websites have a "Board meetings" or "Board papers" page. The BAF is usually included in the pack for each meeting.
The annual governance statement summarises BAF activity for the year. Useful for understanding long-term risk trends.
The Audit Committee often reviews the BAF in more depth. Some Trusts publish Audit Committee papers separately from the main board pack.
Now you understand what a BAF is and how to read it. But there are over 300 NHS Trusts in England, each publishing BAF updates every month or two. That's hundreds of documents to track.
Tracking manually: you can realistically follow 5-10 Trusts and miss opportunities at the other 290+.
Tracking automatically: every Trust is covered, so you are first to every BAF opportunity.
BAF stands for Board Assurance Framework. It's the key document NHS Trust boards use to monitor and manage strategic risks.
No. The BAF focuses on strategic risks linked to the Trust's objectives (typically 8-15 risks). The corporate risk register covers all operational risks across the organisation (often hundreds). The BAF is a board-level document; the risk register is managed by risk teams.
The BAF is reviewed at every public board meeting, typically every one to two months. Risk scores, gaps, and actions are updated based on the latest information. The full BAF is refreshed at the start of each financial year (April) when new strategic objectives are set.
The Trust Board has overall ownership. Day-to-day, the Company Secretary or Head of Corporate Governance usually maintains the BAF document. Each individual risk has an Executive Lead (typically a board-level director) who is accountable for managing that risk.
Yes. Integrated Care Boards (which replaced Clinical Commissioning Groups) also produce BAFs. ICB BAFs tend to focus on system-wide risks such as health inequalities, service integration, and population health outcomes.
The structure is essentially the same. Both Foundation Trusts and non-Foundation Trusts are required to maintain a BAF. Foundation Trusts may additionally report to their Council of Governors on BAF risks, which means there's an extra layer of scrutiny.
Board Paper Scraper automatically monitors every NHS Trust's board papers, extracts BAF risks, and alerts you when gaps match your product. You get the intelligence, and we do the reading.
Frequently asked questions
The Board Assurance Framework (BAF) is a mandatory governance document maintained by every NHS Trust. It maps the Trust's strategic objectives to the principal risks that could prevent those objectives being achieved, the key controls in place to manage each risk, and the assurances that confirm whether controls are working. BAF gaps, where controls or assurances are missing or inadequate, represent sales opportunities for suppliers.
The BAF focuses on strategic, Board-level risks linked to the Trust's annual objectives, while the corporate risk register tracks operational, departmental risks. The BAF typically contains 8-15 strategic risks reviewed by the Board at every board meeting, whereas risk registers can contain hundreds of operational risks managed by individual departments. For sales teams, the BAF is more valuable because it reveals Trust-wide priorities that have Board attention and are likely to attract funding.
BAF gaps are areas where a Trust's controls or assurances are missing or insufficient to manage a strategic risk. When a Trust identifies a gap, it is publicly acknowledging that its current approach is not adequate. For sales teams, these gaps represent qualified opportunities: the Trust has identified the need, rated its severity, and named the executive responsible for addressing it.
BAF risks are typically scored using a 5x5 matrix of likelihood multiplied by impact, giving a score from 1 to 25. Risks scoring 15-25 are rated as extreme or high and receive the most Board attention and resource allocation. Higher-rated risks with identified gaps represent the strongest sales opportunities because the Trust is under pressure to address them.