Board Assurance Framework Update Summary Report - February 2026

Meeting: Trust Board – Public Meeting

Date: 11 February 2026

Report Title: BAF Update Summary Report

Agenda Item: PUB26/02/2.1

Author: Jamie O’Callaghan, Governance Improvement Specialist

Lead Director: Hein Scheffer, Director of Strategy, Transformation and Governance

Purpose:

Decision/Approval	Discussion/Review	Information/Noting
	X

Assurance:

None	Limited	Reasonable	Substantial
		X

Link to CQC Domain		Link to EEAST’s Strategic Missions:
Caring	X	Patient Mission	X
Responsive	X	Partnership Mission	X
Effective	X	People Mission	X
Well Led	X	Productivity Mission	X
Safe	X

Link to Strategic Risk:


SR1	X	SR3	X	SR5	X	SR7	X	SR9	X
SR2	X	SR4	X	SR6	X	SR8	X	SR10	X

Equality Impact Assessment: |No negative impact identified|

Previously considered by: Executive Directors as part of monthly BAF reviews.

Purpose: The report seeks to provide the Board with an overview of changes to the strategic risks in the last quarter.

Recommendation:

Review if controls and actions in place are adequate, with gaps identified.
Check and challenge assurance sources provided if there are sufficient, duplicated or absent.
Triangulate with other agenda items if they provide confidence on assurance, controls and actions

Executive Summary:

The Board Assurance Framework (BAF) remains the central mechanism through which the Trust identifies, evaluates and oversees the strategic risks that may impact delivery of the four strategic missions. Since October 2025, a strengthened governance approach has been introduced to start creating a clear golden thread between the BAF, the Integrated Performance Report (IPR) and Executive Leadership Team (ELT) discussions. Whilst early conversations show improvements, much more embedding is required.

As part of this enhanced model, the ELT has implemented a structured ten week review cycle, ensuring each strategic risk is examined in detail as a standing element of the ELT agenda. The first full cycle has now been completed, providing improved visibility of risk, tighter triangulation between operational performance and strategic risk indicators, and more consistent oversight of assurance.

At its meeting on 27 January 2026, the ELT agreed to repeat the cycle, further strengthening alignment by explicitly linking each BAF risk to the four Trust missions, key metrics within the IPR, and areas requiring heightened assurance due to risk level or gaps in control. This creates a coherent and systematic line of sight from operational data through to strategic discussion and Board level assurance.

The revised approach, centred on integration, discipline and clarity, supports the maturation of the Trust’s governance arrangements and provides the Board with increasing confidence in the adequacy of controls, the quality of assurance, and the trajectory of the Trust’s highest risk areas.

Introduction / Background:

The Board Assurance Framework (BAF) has been re formatted over the past year to reflect learning from the EPUT governance review and to strengthen the Trust’s approach to strategic risk oversight. While these improvements represent a step in the right direction, the current Excel based BAF format is not consistent with emerging best practice across the NHS. Its structure makes integrated risk triangulation, assurance mapping and line of sight to strategic delivery more complex than is optimal for a mature governance system.

Recognising these limitations, further development work is now underway to ensure the BAF becomes a more effective strategic tool for the organisation. The next phase of improvement focuses on enhancing the BAF further, by moving away from the restrictive spreadsheet format toward a cleaner, more accessible design that explicitly links each strategic risk to the Trust’s four missions and aligns with the delivery intentions set out in the Trust’s 2025–2030 Strategy.

It is anticipated that the enhanced version of BAF will be presented to the Board in May 2026. This enhanced version will provide clearer articulation of risk, sharper alignment with mission delivery, greater visibility of controls and assurance, including identified gaps and a more intuitive structure that supports both Executive and Board scrutiny.

It is also anticipated that the IPR will by then be deconstructed to be aligned to each of the four missions, which will enable the Executive to talk, by mission, to the BAF, IPR and assurance discussions. This aligns with the Trust’s shift toward a more integrated governance model, designed to provide a consistent golden thread between operational performance, strategic risk, mission delivery and Board level assurance, as demonstrated in the graphic below:

2026 Strategy Pyramid.png

Wording from graphic Box on top of pyramid - OUR VISION AND PURPOSE

Top of pyramid - Strategic Delivery: (5-Year Strategy 2025 – 2030)

2nd row of pyramid - OUR FOUR STRATEGIC MISSIONS: The enabling framework that ensures safe delivery of the four missions by identifying threats, gaps in control and assure.

1st row of pyramid - STRATEGIC RISK (BAF): SR1 Demand & Capacity . SR2 Quality Governance . SR3 Estates . SR4 Finance & Use of Resources . SR5 Cyber Security .SR6 Business & Partnerships . SR7 Workforce Sustainability . SR8 Staff , Retention . SR9 Organisational Development . SR10 Digital

Base of pyramid - LEADERSHIP, OVERSIGHT & RESULTS STRUCTURE: Integrated Performance Report (IPR), Executive Leadership, Drive daily performance, risk mitigation and delivery of mission-enabling, Policies, Controls & Accountability Frameworks.

Double ended arrow under the pyramid: Digital and Estates Strategic Plans

Summary of BAF risks – As of January 2026.

SR1 – Demand & Capacity: If capacity does not match demand, response times will not improve. Current Score: 16 Status: Demand continues to exceed capacity, affecting operational performance. Actions to improve productivity, hear-and-treat rates, handover delays and fleet availability are progressing.

SR2 – Quality Governance: If clinical and operational models do not meet required standards, avoidable harm or regulatory concerns may arise. Current Score: 9 Status: Quality governance arrangements remain strong, with ongoing policy updates, assurance processes and development of the Patient Plan.

SR3 – Estates: If estates infrastructure is not adequately maintained, facilities may not support safe, high-quality care. Current Score: 16 Status: Estate condition and compliance remain high risks. Surveys, planning and modernisation work continue while long-term investment is required.

SR4 – Finance – Use of Resources: If financial sustainability is not achieved, the Trust may be unable to deliver safe and effective services. Current Score: 12 Status: Financial governance remains strong while medium-term modelling continues to support future sustainability.

SR5 – Cyber Security: If a cyber incident occurs, digital systems may be compromised, leading to patient, operational or reputational impact. Current Score: 12 Status: Cyber controls and monitoring remain in place, with improvements following audits and penetration tests ongoing.

SR6 – System Partnership Working: If EEAST does not work effectively with system partners, patient flow and pathways may be suboptimal. Current Score: 9 Status: Collaboration with ICBs continues to strengthen, though system variability persists.

SR7 – Workforce Sustainability: If workforce plans do not support effective recruitment, the Trust may experience skills shortages and reduced resilience. Current Score: 9 Status: Recruitment challenges and specialist skill gaps persist, with People Strategy work supporting future sustainability.

SR8 – Staff Retention: If the Trust does not manage retention effectively, skills shortages and morale impacts may affect service quality. Current Score: 12 Status: Retention pressures remain, with ongoing work to improve staff experience and workforce insights.

SR9 – Organisational Development: Without effective OD support, cultural development and change management may not achieve expected improvements. Current Score: 12 Status: OD programmes continue, though capacity constraints and wider transformation maintain elevated risk levels.

SR10 – Digital: If digital systems are not modernised or integrated, they may not support efficient, high-quality care or future needs. Current Score: 12 Status: Delivery of the digital roadmap continues, but investment is required to modernise legacy systems.

The below table outlines the score risk comparison per quarter, as of January 2026:

BAF Risk	Committee	Exec Lead	01/04/25	Q1	Q2	Q3	Aspirational Target
SR1 Demand and Capacity	Performance Committee	COO	C4 x L4 16	C3xL3 9	C3xL3 9	C4xL4 16	C3xL2 6
SR2 Quality Governance	Quality Governance Committee	DoQ/MD	C4xL4 8	C3xL3 6	C3xL3 9	C3xL3 9	C2xL2 4
SR3 Estates	Finance and Sustainability Committee	CFO	01/10/25 C5xL4		C4xL4 16	C4xL4 16	C2xL2 4
SR4 Finance and use of resource	Finance and Sustainability Committee	CFO	C5xL5 20	C4xL3 12	C4xL3 12	C4xL3 12	C4xL3 12
SR5 Cyber security	Finance and Sustainability Committee	DoDI	C5xL4 20	C4xL3 12	C4xL3 12	C4xL3 12	C3xL3 6
SR6 Partnership working	Performance Committee	DoSTG	C4xL4 16	C3xL3 9	C3xL3 9	C3xL3 9	C2xL2 4
SR7 Workforce sustainability	People Committee	CPO	C5xL4 20	C3xL3 9	C3xL3 9	C3xL3 9	C2xL2 4
SR8 Staff retention	People Committee	CPO	C4xL4 16	C4xL3 12	C4xL3 12	C4xL3 12	C2xL2 4
SR9 Organisational development	People Committee	CPO	C4xL4 16	C4xL3 12	C4xL3 12	C4xL3 12	C3xL2 6
SR10 Digital	Finance and Sustainability Committee	DoDI	01/10/25 C5xL4		C4xL3 12	C4xL3 12	C2xL2 4

KEY:

C relates to Consequence
L relates to Likelihood

Executive Leads:

COO: Chief Operating Officer
DoQ: Director of Quality
MD: Medical Director
CFO: Chief Finance Officer
DoDI: Director of Digital Innovation
DoSTG: Director of Strategy, Transformation & Governance
CPO: Chief People Officer
DoDI: Director of Digital Innovation