Skip to content

Risk management

We manage risk through our directorates and divisions, with clear lines of executive accountability and regular review and challenge by our Risk Improvement Group and Senior Leadership Team. Our Audit and Risk Assurance Committee (ARAC) and Board provide scrutiny and we put new controls and mitigations in place where necessary to address our risks.

Our appetite for particular risk areas depends on factors such as the likelihood of the risk occurring and the potential impact of the risk (before and after controls) on our strategic objectives. We also consider the interdependencies in our risk appetite across our functional areas, taking account of the cumulative impact that may manifest as a result.

Our risk appetite statement is reviewed annually by our board and provides the context for making well considered decisions in particular areas. Our board expects decisions to be taken in line with the appetite it has determined. Where appropriate, we have assigned a classification in line with the Treasury risk appetite definitions listed below.

Classification

Averse

Avoidance of risk and uncertainty in achievement of key deliverables or initiatives is paramount. Activities undertaken will only be those considered to carry virtually no inherent risk.

Minimalist

Predilection to undertake activities considered to be very safe in the achievement of key deliverables or initiatives. Activities will only be taken where they have a low degree of inherent risk. The associated potential for reward/pursuit of opportunity is not a key driver in selecting activities.

Cautious

Willing to accept/tolerate a degree of risk in selecting which activities to undertake to achieve key deliverables or initiatives, where we have identified scope to achieve significant reward and/or realise an opportunity. Activities undertaken may carry a high degree of inherent risk that is deemed controllable to a large extent.

Open

Undertakes activities by seeking to achieve a balance between a high likelihood of successful delivery and a high degree of reward and value for money. Activities themselves may potentially carry, or contribute to, a high degree of residual risk

Hungry

Eager to be innovative and choose activities that focus on maximising opportunities (additional benefits and goals) and offering potentially very high reward, even if these activities carry a very high residual risk.

Risk appetite statements for 2023/24

Financial

We have established a robust budget-setting process that secures the funding required to support the efficient and effective delivery of our planned regulatory activity. Our aspiration and commitment to invest in our people and systems supports our 'Cautious' appetite. Whilst all financial and commercial decisions adopt a minimalist approach to optimise value for money in the stewardship of public funds and ensure appropriate compliance against HM Treasury and Cabinet Office controls, our innovative approach to prioritising and future-proofing the organisation to react to the demands of a changing nuclear landscape indicates a Cautious approach. We also adopt a Cautious approach to our policy and processes which will be managed robustly by hierarchy but is not intended to constrain business and operational delivery.

Operational

In terms of our approach to delivering regulation, we are Open to considering innovative, faster, and more efficient approaches and processes as regards how we regulate. We are also Open to (and an advocate for) the introduction of beneficial innovative technologies and approaches that industry may wish to adopt. We are proactive in seeking industry feedback as regards the proportionality and consistency of our regulation and are open to changing our approach any ideas where these need to be improved. We will ensure that we apply proportionate change control and related governance processes as regards the implementation of both internal and external innovation, including the adoption of new processes and ways of working. This reflects the importance of maintaining industry and public confidence in our regulation.

Reputational

The nuclear industry comes under close public scrutiny and our role as a regulator is equally open to challenge, which means protecting our reputation and stakeholder confidence in us is important. Our reputation is one of our biggest assets and we will not tolerate unsolicited comments or behaviours that could be detrimental to our mission or adversely affect the trust necessary to maintain the confidence of duty holders, other stakeholders, and the public. To that end, we place significant corporate and regulatory effort on maintaining high levels of engagement with those we regulate and wider stakeholders. We have a suitably qualified, and experienced workforce; and we seek regular feedback and provide assurance that we are effective to make evidence-based regulatory decisions.

Our approach to reputational risk is Open given the significant attention we give activities across all our functions to ensure we maintain stakeholder confidence, while enabling – where it is safe to do so – innovation internally and externally.

We openly inform government on policy to ensure the UK's high safety, security and safeguards standards are maintained, and invest time to build trust with interested parties/groups and the public through greater openness and transparency about our work.

Regulatory

Our regulatory framework is mainly non-prescriptive and places the responsibility wholly on duty holders to demonstrate that the levels of safety, security and safeguards required by UK law are met. In reaching regulatory decisions, our inspectors use guidance from a range of sources, including our Safety Assessment Principles (SAPs), Security Assessment Principles (SyAPs) and safeguards principles (ONR Guidance for Nuclear Material Accountancy, Control and Safeguards – ONMACs), as well as our guidance on Risk-Informed Decision-making. We also seek to ensure that the standards we apply are consistent (where relevant) with those of other national and international regulators.

In interpreting the different legal frameworks for safety, nuclear security, and nuclear safeguards, we recognise that there is an element of risk in undertaking every activity. For example, we may accept an increase in short-term risk to enable accelerated risk reduction in the longer term. However, we ensure that duty holders can demonstrate that risks are adequately controlled, taking account of relevant factors and circumstances; and we satisfy ourselves that controls are in place through proportionate and targeted sampling.

Public acceptance in nuclear technology is dependent on ongoing confidence in the robustness and effectiveness of the independent regulator. However, regulatory decisions that we make can incur substantial cost and other implications for our duty holders. Consequently, we apply a proportionate but Cautious approach to regulation and decision-making to ensure that public and duty holder confidence in our regulation and regulatory decisions is maintained. Nevertheless, in instances where nuclear operations may convey substantial additional risks (from the norm), we will apply a minimalist risk appetite as appropriate. We are averse to tolerating practices which do not comply with prescriptive law or which do not minimise safety risks so far as is reasonably practicable. 

People

Having a well-resourced, diverse, motivated, and highly competent workforce that is well-led, is key to achieving our strategic vision. As a public body, we are accountable to society and must demonstrate the highest standards of behaviour, integrity, and values in how we discharge our duties.

To attract, build and retain the capability, experience, and leadership we need, in an increasingly challenging and competitive global labour market, we must ensure that we are Open to how we recruit and develop our staff and in how we create and sustain an inclusive culture. This will include being innovative in how we create opportunities for the development of technical; professional; management, and leadership skills, and in how we build the resilience across ONR.

Cyber (Security)

ONR handles and processes a range of sensitive information including data that is classified as Sensitive Nuclear Information (SNI). As a regulator of cyber security for civil nuclear duty holders, ONR, as well as protecting its own information, must be an exemplar in good security practice to maintain its reputation and integrity within the wider civil nuclear sector.

The ONR Corporate Security Strategy sets out a plan by which ONR will take major steps to improving its security posture over the coming years. It must continue to protect its information assets and maintain its position as a trusted security regulator. A range of security enhancements, assured by industry recognised standards certifications, will continue over the coming years to ensure we achieve this.

Failure to improve security standards could mean a cyber-attack results in serious business disruption and reputational damage. The National Cyber Security Centre threat assessments, which assess that such attacks on UK regulators are "highly likely", and therefore our aggregate appetite to risk in our information and cyber security related activities is Minimalist.

Technology

There is a potential risk that information technology processing, security, stability, capacity, and performance jeopardise core operations of ONR. This includes both daily operations and ongoing enhancements to ONR's IT solutions.
Having adopted a hybrid approach to our ways of working, we have moved much of our day-to-day interaction online and are exploiting new technologies to enhance engagement and communication both internally and externally. We are supportive and open to considering innovative technologies and adopting agile principles, while maintaining a low tolerance towards system incidents and outage, caused by poor change management process. This is aligned to a Cautious risk appetite.

Governance

In addition to the strong financial stewardship, we instil in ONR, our governance activity focuses on three areas:

  • Information security, where we aim to meet Government minimum security standards, international standards and align with established security best practice.
  • Records management, where we follow best practice and implement government recommendations, prioritising security, and privacy; and
  • Information governance, where we ensure ONR complies with relevant legislation when processing personal data.

As we are keen to provide effective, proportionate, and pragmatic governance on everything we do, we adopt a Cautious approach to such risks.

Fraud and financial control

As a regulator, we aspire to be an exemplar in our compliance and legal standing. We are averse to the risks of internal fraud and fraudulent behaviour and will maintain appropriately robust controls and sanctions to maximise prevention, detection, and deterrence of this type of behaviour. We also adopt a minimalist approach to optimise value for money in the stewardship of public funds and ensure appropriate compliance against HM Treasury and Cabinet Office controls as established through our Scheme of Delegation and Corporate Governance Framework with authority levels across the organisation reflecting the appropriate levels of decision making. This supports our robust position in terms of internal control and governance to prevent instances or opportunity for Fraud and merits an 'Averse' appetite to risk in this area.

Commercial

We have established a Commercial Governance Framework, which embeds robust management, oversight and control of ONR's commercial arrangements and aligns to HM Government Functional Standard GovS 008: Commercial. All commercial decisions adopt a 'Minimalist' approach to optimise value for money in the use of public funds and ensure appropriate compliance against Public Contract Regulations, HM Treasury and Cabinet Office controls. We will adopt a 'Minimalist' approach to our commercial arrangements, and support this with formal governance and control structures that provide fair, transparent, proportionate, evidence-based decision making. All procurement activity must comply with internal controls, financial probity rules and relevant legislative requirements and all spend must be approved in line with the Financial Control Arrangements and Scheme of Delegation.

Business continuity

Having robust and well-maintained business continuity management arrangements in place is key to the organisation mitigating risks arising from a failure to respond to unplanned significant events or incidents which could prevent or seriously impede ONR's operations, outputs and reputation. In implementing and maintaining business continuity arrangements, we will cautiously tolerate risks to realise opportunities for greater integration of processes across the organisation in order to realise arrangements that are both robust and proportionate for the size and scale of the ONR; however, we recognise that activities associated with implementing and maintaining business continuity arrangements should not generate additional inherent risk. Therefore, our aggregate risk appetite for business continuity arrangements is Minimalist.

Health and safety

ONR staff perform a range of duties which potentially exposes them to a broad range of hazard and risk. We are focused on mitigating the risks arising from our work activities to protect our staff and others, meet our statutory duties and reduce the reputational and financial risks associated with breaching health and safety legislation. Our intent is to ensure that we maintain a safe and healthy work environment.

Therefore, we have adopted a 'minimalist' rather than 'averse' posture because, whilst the law requires us to reduce risks 'so far as is reasonably practicable' (i.e.to minimise them), some risk is inevitable as accepted by law (i.e. there is no requirement to avoid risks), hence an 'averse' posture would neither be appropriate no necessary.

Our strategic change programme, Achieving Cultural Excellence (ACE) in health, safety and wellbeing (HSW) sets out our vision for leaders and managers to drive health and safety improvements and supports our focused approach. All within ONR are expected to proactively and routinely consider the impact of health and safety in their work activities to enable greater collaboration, sharing of best practice, and support learning to drive continuous improvement.

Environmental and social governance

As a public sector body and regulator, we recognise the importance of incorporating Environmental, Social, and Governance (ESG) factors into our decision-making processes to ensure sustainable development and long-term value creation for our stakeholders.

We are committed to adopting ESG best practices that are aligned with the government's goals and regulations, and those of applicable international standards.

As a forward-looking public sector body, we are prepared to take calculated risks in the pursuit of ESG objectives, balancing the potential rewards with the challenges posed by a rapidly changing world. We aim to play a proactive role in addressing critical challenges such as climate change, social inequality, and responsible governance.

Our risk appetite for ESG is 'Cautious' which reflects our desire to actively contribute to the development of a more sustainable and inclusive society while maintaining a prudent approach to risk management.