BAF stands for Board Assurance Framework. It's an NHS Trust's master list of strategic risks, and your goldmine for sales opportunities. Here's what it is, what it contains, and how to use it.
The Board Assurance Framework (BAF) is a mandatory NHS governance document that lists a Trust's top strategic risks, the things that could prevent it from achieving its objectives.
Each risk in the BAF includes: what could go wrong, how likely it is, current controls, and gaps where controls are failing.
→ For sales teams: BAF gaps = your opportunities. If a Trust admits its cybersecurity controls are inadequate (a BAF gap), that's your sales opening.
Every NHS Trust is required to maintain a Board Assurance Framework (BAF). It's part of NHS governance and risk management.
Think of the BAF as the Trust's "worry list", a structured document that tracks the biggest strategic risks facing the organisation.
BAF = Strategic risks (Board-level, big picture, long-term)
Risk Register = Operational risks (day-to-day, departmental, specific incidents)
→ For sales teams, the BAF is more valuable because it reveals Trust-wide priorities and budget-backed initiatives.
Every BAF risk typically includes these elements (though format varies by Trust):
What could go wrong (e.g., "Failure to recruit and retain clinical staff")
Which Trust objective this threatens (e.g., "Deliver outstanding patient care")
What the Trust is currently doing to manage the risk (e.g., "Recruitment campaigns, retention bonuses")
Where controls are failing or insufficient (e.g., "Recruitment campaigns not reaching target demographics")
→ THIS IS YOUR SALES OPPORTUNITY! Gaps = problems the Trust admits it can't solve.
How serious the risk is (usually a score of 1-25 based on likelihood × impact)
Example: Risk rating 16 (High) = 4 (likely) × 4 (severe impact)
Who's responsible for managing this risk (e.g., "Chief Digital Officer")
→ THIS IS YOUR CONTACT! The risk owner is the person who needs your solution.
Risk ID:
SR-07
Risk Description:
Failure to protect patient data from cybersecurity threats, resulting in data breach, regulatory fines, and loss of patient trust.
Current Risk Rating:
16 (High)
Current Controls:
Gaps in Assurance:
Risk Owner:
Chief Digital Officer
For a cybersecurity supplier, this BAF entry tells you:
The BAF is included in NHS board papers (usually monthly or quarterly). Here's where to look:
Look for an item titled "Board Assurance Framework", "BAF Update", or "Strategic Risk Register"
Most Trusts review the BAF every quarter (March, June, September, December board meetings)
Use Ctrl+F to search for "BAF", "Board Assurance", or "strategic risk" in the board papers PDF
Now you know what BAF is and where to find it. But manually tracking BAF across 300+ NHS Trusts every quarter is impossible.
Result: You can only track 5 Trusts. Miss 97% of BAF opportunities.
Result: Track all 300 Trusts. Never miss a BAF opportunity.
Board Paper Scraper automatically finds BAF gaps that match your solution across all UK NHS Trusts. Try free for 7 days, no credit card required.
Frequently asked questions
BAF stands for Board Assurance Framework. It is a mandatory governance document maintained by every NHS Trust that maps strategic risks to controls and assurances, helping the Board understand whether risks are being managed effectively.
The BAF tracks strategic, Board-level risks that could prevent the Trust from achieving its long-term objectives. A risk register tracks operational, day-to-day departmental risks. The BAF is more useful for sales teams because it reveals Trust-wide priorities backed by budget and Board attention.
Most NHS Trusts review and update their BAF quarterly, typically at the March, June, September, and December board meetings. Some Trusts update it monthly. The BAF is published as part of the board papers pack available on each Trust's website.
The BAF is included in the board papers pack, usually as a standalone agenda item titled "Board Assurance Framework", "BAF Update", or "Strategic Risk Register". Check the board meeting agenda first, then search the PDF for "BAF" or "Board Assurance".
A typical NHS Trust BAF contains between 12 and 18 strategic risks. The most common risk categories are workforce and staffing, financial sustainability, digital and cybersecurity, patient safety, and estates and infrastructure.