Board Assurance Framework Update Summary Report - February 2026
Meeting: Trust Board – Public Meeting
Date: 11 February 2026
Report Title: BAF Update Summary Report
Agenda Item: PUB26/02/2.1
Author: Jamie O’Callaghan, Governance Improvement Specialist
Lead Director: Hein Scheffer, Director of Strategy, Transformation and Governance
Purpose:
| Decision/Approval | Discussion/Review | Information/Noting |
|---|---|---|
| X |
Assurance:
| None | Limited | Reasonable | Substantial |
|---|---|---|---|
| X |
| Link to CQC Domain | Link to EEAST’s Strategic Missions: | ||
|---|---|---|---|
| Caring | X | Patient Mission | X |
| Responsive | X | Partnership Mission | X |
| Effective | X | People Mission | X |
| Well Led | X | Productivity Mission | X |
| Safe | X |
Link to Strategic Risk:
| SR1 | X | SR3 | X | SR5 | X | SR7 | X | SR9 | X |
| SR2 | X | SR4 | X | SR6 | X | SR8 | X | SR10 | X |
Equality Impact Assessment: |No negative impact identified|
Previously considered by: Executive Directors as part of monthly BAF reviews.
Purpose: The report seeks to provide the Board with an overview of changes to the strategic risks in the last quarter.
Recommendation:
- Review if controls and actions in place are adequate, with gaps identified.
- Check and challenge assurance sources provided if there are sufficient, duplicated or absent.
- Triangulate with other agenda items if they provide confidence on assurance, controls and actions
Executive Summary:
The Board Assurance Framework (BAF) remains the central mechanism through which the Trust identifies, evaluates and oversees the strategic risks that may impact delivery of the four strategic missions. Since October 2025, a strengthened governance approach has been introduced to start creating a clear golden thread between the BAF, the Integrated Performance Report (IPR) and Executive Leadership Team (ELT) discussions. Whilst early conversations show improvements, much more embedding is required.
As part of this enhanced model, the ELT has implemented a structured ten week review cycle, ensuring each strategic risk is examined in detail as a standing element of the ELT agenda. The first full cycle has now been completed, providing improved visibility of risk, tighter triangulation between operational performance and strategic risk indicators, and more consistent oversight of assurance.
At its meeting on 27 January 2026, the ELT agreed to repeat the cycle, further strengthening alignment by explicitly linking each BAF risk to the four Trust missions, key metrics within the IPR, and areas requiring heightened assurance due to risk level or gaps in control. This creates a coherent and systematic line of sight from operational data through to strategic discussion and Board level assurance.
The revised approach, centred on integration, discipline and clarity, supports the maturation of the Trust’s governance arrangements and provides the Board with increasing confidence in the adequacy of controls, the quality of assurance, and the trajectory of the Trust’s highest risk areas.
Introduction / Background:
The Board Assurance Framework (BAF) has been re formatted over the past year to reflect learning from the EPUT governance review and to strengthen the Trust’s approach to strategic risk oversight. While these improvements represent a step in the right direction, the current Excel based BAF format is not consistent with emerging best practice across the NHS. Its structure makes integrated risk triangulation, assurance mapping and line of sight to strategic delivery more complex than is optimal for a mature governance system.
Recognising these limitations, further development work is now underway to ensure the BAF becomes a more effective strategic tool for the organisation. The next phase of improvement focuses on enhancing the BAF further, by moving away from the restrictive spreadsheet format toward a cleaner, more accessible design that explicitly links each strategic risk to the Trust’s four missions and aligns with the delivery intentions set out in the Trust’s 2025–2030 Strategy.
It is anticipated that the enhanced version of BAF will be presented to the Board in May 2026. This enhanced version will provide clearer articulation of risk, sharper alignment with mission delivery, greater visibility of controls and assurance, including identified gaps and a more intuitive structure that supports both Executive and Board scrutiny.
It is also anticipated that the IPR will by then be deconstructed to be aligned to each of the four missions, which will enable the Executive to talk, by mission, to the BAF, IPR and assurance discussions. This aligns with the Trust’s shift toward a more integrated governance model, designed to provide a consistent golden thread between operational performance, strategic risk, mission delivery and Board level assurance, as demonstrated in the graphic below:

Wording from graphic Box on top of pyramid - OUR VISION AND PURPOSE
Top of pyramid - Strategic Delivery: (5-Year Strategy 2025 – 2030)
2nd row of pyramid - OUR FOUR STRATEGIC MISSIONS: The enabling framework that ensures safe delivery of the four missions by identifying threats, gaps in control and assure.
1st row of pyramid - STRATEGIC RISK (BAF): SR1 Demand & Capacity . SR2 Quality Governance . SR3 Estates . SR4 Finance & Use of Resources . SR5 Cyber Security .SR6 Business & Partnerships . SR7 Workforce Sustainability . SR8 Staff , Retention . SR9 Organisational Development . SR10 Digital
Base of pyramid - LEADERSHIP, OVERSIGHT & RESULTS STRUCTURE: Integrated Performance Report (IPR), Executive Leadership, Drive daily performance, risk mitigation and delivery of mission-enabling, Policies, Controls & Accountability Frameworks.
Double ended arrow under the pyramid: Digital and Estates Strategic Plans
Summary of BAF risks – As of January 2026.
SR1 – Demand & Capacity: If capacity does not match demand, response times will not improve. Current Score: 16 Status: Demand continues to exceed capacity, affecting operational performance. Actions to improve productivity, hear-and-treat rates, handover delays and fleet availability are progressing.
SR2 – Quality Governance: If clinical and operational models do not meet required standards, avoidable harm or regulatory concerns may arise. Current Score: 9 Status: Quality governance arrangements remain strong, with ongoing policy updates, assurance processes and development of the Patient Plan.
SR3 – Estates: If estates infrastructure is not adequately maintained, facilities may not support safe, high-quality care. Current Score: 16 Status: Estate condition and compliance remain high risks. Surveys, planning and modernisation work continue while long-term investment is required.
SR4 – Finance – Use of Resources: If financial sustainability is not achieved, the Trust may be unable to deliver safe and effective services. Current Score: 12 Status: Financial governance remains strong while medium-term modelling continues to support future sustainability.
SR5 – Cyber Security: If a cyber incident occurs, digital systems may be compromised, leading to patient, operational or reputational impact. Current Score: 12 Status: Cyber controls and monitoring remain in place, with improvements following audits and penetration tests ongoing.
SR6 – System Partnership Working: If EEAST does not work effectively with system partners, patient flow and pathways may be suboptimal. Current Score: 9 Status: Collaboration with ICBs continues to strengthen, though system variability persists.
SR7 – Workforce Sustainability: If workforce plans do not support effective recruitment, the Trust may experience skills shortages and reduced resilience. Current Score: 9 Status: Recruitment challenges and specialist skill gaps persist, with People Strategy work supporting future sustainability.
SR8 – Staff Retention: If the Trust does not manage retention effectively, skills shortages and morale impacts may affect service quality. Current Score: 12 Status: Retention pressures remain, with ongoing work to improve staff experience and workforce insights.
SR9 – Organisational Development: Without effective OD support, cultural development and change management may not achieve expected improvements. Current Score: 12 Status: OD programmes continue, though capacity constraints and wider transformation maintain elevated risk levels.
SR10 – Digital: If digital systems are not modernised or integrated, they may not support efficient, high-quality care or future needs. Current Score: 12 Status: Delivery of the digital roadmap continues, but investment is required to modernise legacy systems.
The below table outlines the score risk comparison per quarter, as of January 2026:
| BAF Risk | Committee | Exec Lead | 01/04/25 | Q1 | Q2 | Q3 | Q4 | Aspirational Target |
|---|---|---|---|---|---|---|---|---|
| SR1 Demand and Capacity | Performance Committee | COO | C4 x L4 16 | C3xL3 9 | C3xL3 9 | C4xL4 16 | C3xL2 6 | |
| SR2 Quality Governance | Quality Governance Committee | DoQ/MD | C4xL4 8 | C3xL3 6 | C3xL3 9 | C3xL3 9 | C2xL2 4 | |
| SR3 Estates | Finance and Sustainability Committee | CFO | 01/10/25 C5xL4 | C4xL4 16 | C4xL4 16 | C2xL2 4 | ||
| SR4 Finance and use of resource | Finance and Sustainability Committee | CFO | C5xL5 20 | C4xL3 12 | C4xL3 12 | C4xL3 12 | C4xL3 12 | |
| SR5 Cyber security | Finance and Sustainability Committee | DoDI | C5xL4 20 | C4xL3 12 | C4xL3 12 | C4xL3 12 | C3xL3 6 | |
| SR6 Partnership working | Performance Committee | DoSTG | C4xL4 16 | C3xL3 9 | C3xL3 9 | C3xL3 9 | C2xL2 4 | |
| SR7 Workforce sustainability | People Committee | CPO | C5xL4 20 | C3xL3 9 | C3xL3 9 | C3xL3 9 | C2xL2 4 | |
| SR8 Staff retention | People Committee | CPO | C4xL4 16 | C4xL3 12 | C4xL3 12 | C4xL3 12 | C2xL2 4 | |
| SR9 Organisational development | People Committee | CPO | C4xL4 16 | C4xL3 12 | C4xL3 12 | C4xL3 12 | C3xL2 6 | |
| SR10 Digital | Finance and Sustainability Committee | DoDI | 01/10/25 C5xL4 | C4xL3 12 | C4xL3 12 | C2xL2 4 |
KEY:
- C relates to Consequence
- L relates to Likelihood
Executive Leads:
- COO: Chief Operating Officer
- DoQ: Director of Quality
- MD: Medical Director
- CFO: Chief Finance Officer
- DoDI: Director of Digital Innovation
- DoSTG: Director of Strategy, Transformation & Governance
- CPO: Chief People Officer
- DoDI: Director of Digital Innovation
