The risk and control framework and the capacity to handle risk – long description

Last updated on 17 Jul 2025

A graphic showing the risk and control framework and the capacity to handle risk.

The HRA Board is responsible for conducting a high-level risk assessment as part of the annual business planning activities and ensuring that risk controls and contingencies are implemented. It also reviews the strategic risk register quarterly and sets and reviews the risk appetite statement annually.

The HRA Audit and Risk Committee is the sub-committee of the Board that oversees and ensures that the appropriate systems and activities are taking place to ensure effective risk management. It also reviews the strategic and corporate (significant) risk registers quarterly.

The strategic risk register is reviewed on a quarterly basis. The Department of Health and Social Care (DHSC) Sponsor holds quarterly accountability meetings where the strategic risk register is reviewed. This includes deep dives into specific risks to understand the risk in more detail, the mitigations and controls in place, and the recommendations which can be made.

The Executive Committee conducts high-level risk assessments as part of the annual business planning activities. It also ensures that risk controls and contingencies are implemented. It reviews the strategic risk register quarterly and reviews the corporate (significant) risk register every month.

The Executive Committee agrees those risks which require escalation to the strategic risk register. All risks with a combined impact and likelihood risk score of 15 and above are captured in the corporate (significant) risk register.

At directorate and programme level, all risks are owned by a director. Directorate and other team meetings are held on a regular basis (monthly or bi-monthly) where risks are regularly reviewed. A risk engagement framework is in place which supports discussions regarding risk identification, risk appetite and risk assurance to take place regularly alongside training and sharing of best practice.

In the bottom left corner there is a cycle for risk management. This covers risk treatment, risk monitoring, risk identification and assessment, and risk reporting.

In the bottom right there are four categories of HRA risk. These are strategic, internal, external and centrally-reported projects.
