
Risk management

We manage risk through our directorates and divisions, with clear lines of executive accountability and regular review and challenge by our Risk Improvement Group and Senior Leadership Team. Our Audit and Risk Assurance Committee (ARAC) and Board provide scrutiny and we put new controls and mitigations in place where necessary to address our risks.

Our appetite for particular risk areas depends on factors such as the likelihood of the risk occurring and the potential impact of the risk (before and after controls) on our strategic objectives. We also consider the interdependencies in our risk appetite across our functional areas, taking account of the cumulative impact that may manifest as a result.

Our risk appetite statement is reviewed annually by our Board and provides the context for making well-considered decisions in particular areas. Our Board expects decisions to be taken in line with the appetite it has determined. Where appropriate, we have assigned a classification in line with the HM Treasury risk appetite definitions listed below.

Classification

Averse

Avoidance of risk and uncertainty in achievement of key deliverables or initiatives is paramount. Activities undertaken will only be those considered to carry virtually no inherent risk.

Minimalist

Predilection to undertake activities considered to be very safe in the achievement of key deliverables or initiatives. Activities will only be taken where they have a low degree of inherent risk. The associated potential for reward or pursuit of opportunity is not a key driver in selecting activities.

Cautious

Willing to accept or tolerate a degree of risk in selecting which activities to undertake to achieve key deliverables or initiatives, where there is identified scope to achieve significant reward and/or realise an opportunity. Activities undertaken may carry a high degree of inherent risk that is deemed controllable to a large extent.

Open

Undertakes activities by seeking to achieve a balance between a high likelihood of successful delivery and a high degree of reward and value for money. Activities themselves may potentially carry, or contribute to, a high degree of residual risk.

Hungry

Eager to be innovative and choose activities that focus on maximising opportunities (additional benefits and goals) and offering potentially very high reward, even if these activities carry a very high residual risk.

Risk appetite statements for 2025/26

Business continuity

Having robust and well-maintained business continuity management arrangements in place is key to the organisation mitigating risks arising from a failure to respond to unplanned significant events or incidents which could prevent or seriously impede ONR’s operations and outputs.

In implementing and maintaining business continuity arrangements, we will cautiously tolerate risk in order to realise opportunities for greater integration of processes across the organisation, so that our arrangements are both robust and proportionate to the size and scale of ONR. However, we recognise that the activities involved in implementing and maintaining business continuity arrangements should not themselves generate additional inherent risk.

Therefore, our aggregate risk appetite for business continuity arrangements is ‘minimalist’.

Commercial

We have established a Commercial Governance Framework, which embeds robust management, oversight and control of ONR's commercial arrangements and aligns to HM Government Functional Standard GovS 008: Commercial.

All commercial decisions adopt a 'cautious' approach to optimise value for money in the use of public funds and ensure appropriate compliance with the Public Contracts Regulations and with HM Treasury and Cabinet Office controls.

We will adopt a 'cautious' approach to our commercial arrangements, and support this with formal governance and control structures that provide fair, transparent, proportionate, evidence-based decision making. All procurement activity must comply with internal controls, financial probity rules and relevant legislative requirements and all spend must be approved in line with the Financial Control Arrangements and Scheme of Delegation.

Corporate security

ONR holds a range of information related to its regulatory activity in the United Kingdom's civil nuclear sector. Electronic information stored and processed on ONR systems is classified up to OFFICIAL-SENSITIVE. A small amount of paper documentation classified at a higher level is stored securely in ONR offices.

As the regulator for security in the civil nuclear sector, ONR must lead by example and adopt a security approach that, at least, meets the standards it expects nuclear operators to meet. As such, ONR will align its security posture with international and Government standards, including ISO/IEC 27001, Cyber Essentials Plus and HM Government Functional Standard GovS 007: Security. Additionally, ONR will actively manage security risks and apply additional security controls in areas where they are required, for example additional controls to protect Sensitive Nuclear Information and Export Controlled Information.

Security threats and adversaries are constantly evolving, which requires an agile approach to security risk management. ONR therefore adopts a progressive approach to security and is open to new innovations, technologies and security best practice.

While security risk appetite may vary in certain areas, such as the examples above, overall, ONR has a ‘cautious’ appetite for any security risk being realised.

Direct regulation

ONR has a ‘cautious’ appetite for risk as regards anything that might compromise its ability to deliver its statutory purposes or to support strategic government priorities.

Our regulatory framework is mainly non-prescriptive and places the responsibility wholly on duty holders to demonstrate that the levels of safety, security and safeguards required by UK law are met.

We also seek to ensure that the standards we apply are consistent (where relevant) with those of other national and international regulators.

In interpreting the different legal frameworks for safety, nuclear security, and nuclear safeguards, we recognise that there is an element of risk in undertaking every activity. However, we ensure that duty holders can demonstrate that risks are adequately controlled, taking account of relevant factors and circumstances; and we satisfy ourselves that controls are in place through proportionate and targeted sampling.

Public acceptance of nuclear technology depends on ongoing confidence in the robustness and effectiveness of the independent regulator. However, the regulatory decisions we make can incur substantial cost and other implications for our duty holders. Consequently, we apply a proportionate but ‘cautious’ approach to regulation and decision-making to ensure that public and duty holder confidence in our regulation and regulatory decisions is maintained. Nevertheless, where nuclear operations may carry substantial additional risk beyond the norm, we will apply a ‘minimalist’ risk appetite as appropriate. We are averse to tolerating practices which do not comply with prescriptive law or which do not reduce safety risks so far as is reasonably practicable.

Environmental and sustainability

As a responsible public sector body and regulator of the UK's nuclear industry, we recognise the importance of reducing the impact of our operations on the environment.

We prioritise activities that align with environmentally responsible best-practices, ensure compliance with relevant regulations and reporting frameworks, and embed sustainability into our key decision-making processes.

As a forward-looking organisation, we are prepared to take calculated risks in the pursuit of environmental-related objectives, balancing the potential rewards with the challenges posed by a rapidly changing world.

Our risk appetite for environmental and sustainability is 'cautious' which reflects our desire to actively contribute to the development of a more sustainable society while maintaining a prudent approach to risk management.

Finance

We have established a robust budget-setting process that secures the funding required to support the efficient and effective delivery of our planned regulatory activity. Our aspiration and commitment to invest in our people and systems supports our 'cautious' appetite.

Whilst all financial and commercial decisions adopt a minimalist approach to optimise value for money in the stewardship of public funds and ensure appropriate compliance with HM Treasury and Cabinet Office controls, our innovative approach to prioritising and future-proofing the organisation so that it can react to the demands of a changing nuclear landscape indicates a 'cautious' approach overall.

We also adopt a ‘cautious’ approach to our financial policy and processes, which will be managed robustly through the management hierarchy but are not intended to constrain business and operational delivery.

Fraud

As a regulator, we aspire to be an exemplar in our compliance and legal standing. We are averse to the risks of internal fraud and fraudulent behaviour and will maintain appropriately robust controls and sanctions to maximise prevention, detection, and deterrence of this type of behaviour.

We also adopt a minimalist approach to optimise value for money in the stewardship of public funds and to ensure appropriate compliance with HM Treasury and Cabinet Office controls, as established through our Scheme of Delegation and Corporate Governance Framework, with authority levels across the organisation reflecting the appropriate levels of decision making.

This supports our robust position on internal control and governance to prevent instances of, or opportunities for, fraud, and merits an 'averse' appetite for risk in this area.

Governance

Governance is a system that provides a framework for managing organisations. It identifies who can make decisions, who has the authority to act on behalf of the organisation and who is accountable for how an organisation and its people behave and perform.

At ONR, governance enables the Board and management team to run the organisation effectively for the benefit of stakeholders, including industry, staff and wider society.

Our ‘cautious’ appetite represents our commitment to use clear decision-making processes, to behave openly by reporting on our activities, to manage the risks we face, and to take responsibility for controlling and protecting our assets, including our reputation. It also reflects our willingness to tolerate a degree of risk in order to realise opportunities.

Health and safety

ONR staff perform a range of duties which potentially expose them to a broad range of hazards and risks. We are focused on mitigating the risks arising from our work activities to protect our staff and others, meet our statutory duties and reduce the reputational and financial risks associated with breaching health and safety legislation. Our intent is to maintain a safe and healthy work environment.

Therefore we have adopted a ‘minimalist’ appetite. This recognises the need for staff at times to engage in work that can expose them to hazards, and balances it with our desire to reduce those hazards so far as is reasonably practicable.

Our strategic change programme, Achieving Cultural Excellence (ACE) in health, safety and wellbeing (HSW), sets out our vision for leaders and managers to drive health and safety improvements and supports our focused approach. All within ONR are expected to proactively and routinely consider the impact of health and safety in their work activities, to enable greater collaboration, sharing of best practice and learning, and to drive continuous improvement.

Knowledge management

The ‘cautious’ risk appetite reflects the balance of innovation and knowledge sharing with the need to protect sensitive information and ensure the accuracy of the information held by ONR.

ONR aims to be a learning regulator that harnesses the collective knowledge of our people – past, present and future – to deliver trusted and efficient regulation.

We embed learning and collaboration within all that we do in order to safeguard our critical knowledge to support our business operations and regulatory decisions.

Sustainable risk mitigation strategies are in development, through the Organisational Learning Function, to enable ONR to meet its key business drivers and to provide additional benefits to business efficiency and effectiveness.

Legal

Our ‘minimalist’ risk appetite underscores our commitment to strict adherence to all applicable laws and regulations.

We prioritise legal compliance, seek to minimise legal uncertainties, and maintain a vigilant stance against fraud, bribery and corruption.

We are transparent in our approach to reporting on our performance against legal compliance.

People

Having a well-resourced, diverse, motivated and highly competent workforce that is well led is the key to achieving our strategic vision. As an employer, we are bound by employment law; as a handler of our staff's data, we must safeguard confidential information; and as a public body we are bound by the highest ethical standards of behaviour, integrity and values in all that we do.

In order to attract and retain suitably qualified and experienced staff in an increasingly competitive environment, and so build and maintain the capability, experience and leadership that we need, we must innovate in how we recruit, develop, reward and retain our staff. We have to make sure that we are utilising and exploiting new and advanced resources, approaches and opportunities that may not yet be tried and tested. This will include being innovative in how we create opportunities for the development of technical, professional, management and leadership skills, and in how we build resilience across ONR. It will also include embracing technology to enable staff to work in a hybrid way, with the flexibility and clear principles needed for a modern and inclusive workplace, and with easier and more efficient access to HR services.

Therefore, our risk appetite is 'open'.

Reputational

Our reputation as a trusted regulator is one of our biggest assets, and we are committed to continuing to build, retain and enhance trust with our stakeholders domestically and internationally.

We openly inform government on policy to ensure the UK's high safety, security and safeguards standards are maintained, and we invest time in building trust with interested parties and the public through openness and transparency about our work. We recognise public trust as being of equal importance to technical competence, independence and adequate resources, in line with international best practice guidance from the OECD Nuclear Energy Agency. We will not tolerate unsolicited comments or behaviours that could be detrimental to our mission or adversely affect the trust necessary to maintain the confidence of duty holders, other stakeholders and the public.

ONR is committed to working with emerging industries and will support the nuclear industry as it expands into new areas. We will appropriately manage the risks relating to uncertainty and potential exposure that come with operating in, or expanding into, industries undergoing rapid technological or market evolution, where norms, standards and stakeholder expectations are still being established.

We have a suitably qualified and experienced workforce, we seek regular feedback, and we provide assurance that we are effective in making evidence-based regulatory decisions.

Therefore, our risk appetite is 'open'.

Technological

There is a potential risk that information technology processing, security, stability, capacity and performance could jeopardise the core operations of ONR. This covers both daily operations and ongoing enhancements to ONR's IT solutions and service provision.

Having adopted a hybrid approach to our ways of working, we have moved much of our day-to-day interaction online and are exploiting new technologies to enhance engagement and communication both internally and externally. We are supportive of, and open to, considering innovative technologies and adopting agile principles, while maintaining a low tolerance for system incidents and outages caused by poor change management processes. This is aligned to a ‘cautious’ risk appetite.