Risk management

We manage risk through our directorates and divisions, with clear lines of executive accountability and regular review and challenge by our Risk Improvement Group and Senior Leadership Team. Our Audit and Risk Assurance Committee (ARAC) and Board provide scrutiny and we put new controls and mitigations in place where necessary to address our risks.

Our appetite for particular risk areas depends on factors such as the likelihood of the risk occurring and the potential impact of the risk (before and after controls) on our strategic objectives. We also consider the interdependencies in our risk appetite across our functional areas, taking account of the cumulative impact that may manifest as a result.

Our risk appetite statement is reviewed annually by our board and provides the context for making well-considered decisions in particular areas. Our board expects decisions to be taken in line with the appetite it has determined. Where appropriate, we have assigned a classification in line with the Treasury risk appetite definitions listed below.



Avoidance of risk and uncertainty in achievement of key deliverables or initiatives is paramount. Activities undertaken will only be those considered to carry virtually no inherent risk.


Predilection to undertake activities considered to be very safe in the achievement of key deliverables or initiatives. Activities will only be taken where they have a low degree of inherent risk. The associated potential for reward/pursuit of opportunity is not a key driver in selecting activities.


Willing to accept/tolerate a degree of risk in selecting which activities to undertake to achieve key deliverables or initiatives, where we have identified scope to achieve significant reward and/or realise an opportunity. Activities undertaken may carry a high degree of inherent risk that is deemed controllable to a large extent.


Undertakes activities by seeking to achieve a balance between a high likelihood of successful delivery and a high degree of reward and value for money. Activities themselves may potentially carry, or contribute to, a high degree of residual risk.


Eager to be innovative and choose activities that focus on maximising opportunities (additional benefits and goals) and offering potentially very high reward, even if these activities carry a very high residual risk.

Risk appetite statements for 2024/25

Business continuity

Having robust and well-maintained business continuity management arrangements in place is key to the organisation mitigating risks arising from a failure to respond to unplanned significant events or incidents which could prevent or seriously impede ONR’s operations and outputs. In implementing and maintaining business continuity arrangements, we will cautiously tolerate risks to realise opportunities for greater integration of processes across the organisation in order to realise arrangements that are both robust and proportionate for the size and scale of the ONR; however, we recognise that activities associated with implementing and maintaining business continuity arrangements should not generate additional inherent risk. Therefore, our aggregate risk appetite for business continuity arrangements is Minimalist.


We have established a Commercial Governance Framework, which embeds robust management, oversight and control of ONR's commercial arrangements and aligns to HM Government Functional Standard GovS 008: Commercial. All commercial decisions adopt a 'Minimalist' approach to optimise value for money in the use of public funds and ensure appropriate compliance against Public Contract Regulations, HM Treasury and Cabinet Office controls. We will adopt a 'Minimalist' approach to our commercial arrangements, and support this with formal governance and control structures that provide fair, transparent, proportionate, evidence-based decision making. All procurement activity must comply with internal controls, financial probity rules and relevant legislative requirements, and all spend must be approved in line with the Financial Control Arrangements and Scheme of Delegation.

Cyber (to change to Corporate Security)

ONR holds a range of information related to its regulatory activity in the United Kingdom's civil nuclear sector. Electronic information stored and processed on ONR systems is classified up to OFFICIAL-SENSITIVE. A small amount of paper documentation classified at a higher level is stored securely in ONR offices.

As the regulator for security in the civil nuclear sector, ONR must lead by example and adopt a security approach that, at least, meets the standards it expects nuclear operators to meet. As such, ONR will align its security posture with international and Government standards, including ISO27001, Cyber Essentials+ and the GovS007 Functional Standard. Additionally, ONR will actively manage security risks and apply additional security controls in areas where they are required; examples include additional controls to protect Sensitive Nuclear Information and Export Controlled Information.

Security threats and adversaries are constantly evolving, which requires an agile approach to security risk management. ONR therefore adopts a progressive approach to security, and we are open to new innovations, technologies and security best practices.

While security risk appetite may vary in certain areas, such as the examples above, overall ONR has a ‘Cautious’ appetite for any security risk being realised.

Environmental and sustainability

As a responsible public sector body and regulator of the UK's nuclear industry, we recognise the importance of reducing the impact of our operations on the environment. 

We prioritise activities that align with environmentally responsible best-practices, ensure compliance with relevant regulations and reporting frameworks, and embed sustainability into our key decision-making processes.

As a forward-looking organisation, we are prepared to take calculated risks in the pursuit of environmental-related objectives, balancing the potential rewards with the challenges posed by a rapidly changing world. 

Our risk appetite for environmental and sustainability is 'Cautious' which reflects our desire to actively contribute to the development of a more sustainable society while maintaining a prudent approach to risk management.


We have established a robust budget-setting process that secures the funding required to support the efficient and effective delivery of our planned regulatory activity. Our aspiration and commitment to invest in our people and systems supports our 'Cautious' appetite. Whilst all financial and commercial decisions adopt a minimalist approach to optimise value for money in the stewardship of public funds and ensure appropriate compliance against HM Treasury and Cabinet Office controls, our innovative approach to prioritising and future-proofing the organisation to react to the demands of a changing nuclear landscape indicates a Cautious approach. We also adopt a Cautious approach to our policy and processes which will be managed robustly by hierarchy but is not intended to constrain business and operational delivery.


As a regulator, we aspire to be an exemplar in our compliance and legal standing. We are averse to the risks of internal fraud and fraudulent behaviour and will maintain appropriately robust controls and sanctions to maximise prevention, detection, and deterrence of this type of behaviour. We also adopt a minimalist approach to optimise value for money in the stewardship of public funds and ensure appropriate compliance against HM Treasury and Cabinet Office controls as established through our Scheme of Delegation and Corporate Governance Framework with authority levels across the organisation reflecting the appropriate levels of decision making. This supports our robust position in terms of internal control and governance to prevent instances or opportunity for Fraud and merits an 'Averse' appetite to risk in this area.


Governance is a system that provides a framework for managing organisations. It identifies who can make decisions, who has the authority to act on behalf of the organisation and who is accountable for how an organisation and its people behave and perform.

At ONR, governance enables the Board and management team to run organisations effectively for the benefit of stakeholders, including industry, staff, and wider society.

Our ‘Cautious’ appetite represents our commitment to use clear decision-making processes, behave openly by reporting on our activities, managing the risks we face, and taking responsibility for controlling and protecting our assets including our reputation. It also reflects our willingness to tolerate a degree of risk in order to realise opportunities.

Health and safety

ONR staff perform a range of duties which potentially exposes them to a broad range of hazard and risk. We are focused on mitigating the risks arising from our work activities to protect our staff and others, meet our statutory duties and reduce the reputational and financial risks associated with breaching health and safety legislation. Our intent is to ensure that we maintain a safe and healthy work environment. 
Therefore we have adopted a 'minimalist' appetite. This recognises the need for our staff to engage in work at times that can expose them to hazards, and balances it with our desire to reduce these so far as is reasonably practicable.

Our strategic change programme, Achieving Cultural Excellence (ACE) in health, safety and wellbeing (HSW) sets out our vision for leaders and managers to drive health and safety improvements and supports our focused approach. All within ONR are expected to proactively and routinely consider the impact of health and safety in their work activities to enable greater collaboration, sharing of best practice, and support learning to drive continuous improvement. 


Our ‘Minimalist’ risk appetite underscores our commitment to strict adherence to all applicable laws and regulations.

We prioritise legal compliance, seek to minimise legal uncertainties, and maintain a vigilant stance against fraud, bribery, and corruption.

We are transparent in our approach to reporting against performance of legal compliance.


ONR has an ‘Open’ appetite to accepting risks arising from exploring and implementing more modern, effective, efficient and productive means of delivering its business activities, whether regulatory or otherwise. This level of risk is accepted on the basis that such risks are assessed and controlled, to a reasonable degree, in accordance with ONR's change control processes. However, this is subject to limitations around ONR's appetite for risks as regards meeting ONR's legal requirements (‘Regulatory’ refers).


Having a well-resourced, diverse, motivated, and highly competent workforce that is well-led is the key to achieving our strategic vision. As an employer, we are bound by Employment Law; as a handler of our staff's data, we must safeguard confidential information; and as a public body we are bound by the highest ethical standards of behaviour, integrity, and values in all that we do.

In order to attract and retain suitably qualified and experienced staff, in an increasingly competitive environment, who allow us to build and maintain the capability, experience, and leadership that we need, we must innovate in how we recruit, develop, reward and retain our staff. We have to make sure that we are utilising and exploiting new and advanced resources, approaches and opportunities that may not yet be tried and tested. This will include being innovative in how we create opportunities for the development of technical, professional, management and leadership skills, and in how we build resilience across ONR. It will also include embracing technology to enable staff to work in a hybrid way, with the flexibility and clear principles that can adapt to ensure a modern and inclusive workplace, and with easier and more efficient access to HR services.

Therefore, our risk appetite is 'Open'.


ONR has a ‘Cautious’ appetite to risk as regards anything that might compromise its ability to deliver its statutory purposes, its ability to support strategic government priorities, or its duty to secure the health, safety and welfare of its own employees.


Our reputation as a trusted regulator is one of our biggest assets and we are committed to continuing to build, retain and enhance trust with our stakeholders domestically and internationally. Our approach to reputational risk is ‘Cautious’, and this is reflected by the significant attention we give to activities across all our functions to ensure we maintain stakeholder confidence, while enabling innovation internally and externally where it is safe to do so.

We openly inform government on policy to ensure the UK's high safety, security and safeguards standards are maintained, and invest time to build trust with interested parties/groups and the public through openness and transparency about our work. We recognise public trust as being of equal importance to technical competence, independence, and adequate resources, in line with international best practice guidance from the OECD Nuclear Energy Agency. We will not tolerate unsolicited comments or behaviours that could be detrimental to our mission or adversely affect the trust necessary to maintain the confidence of duty holders, other stakeholders, and the public. We have a suitably qualified and experienced workforce, and we seek regular feedback and provide assurance that we are effective in making evidence-based regulatory decisions.


There is a potential risk that information technology processing, security, stability, capacity, and performance could jeopardise the core operations of ONR. This includes both daily operations and ongoing enhancements to ONR's IT solutions and service provision.

Having adopted a hybrid approach to our ways of working, we have moved much of our day-to-day interaction online and are exploiting new technologies to enhance engagement and communication both internally and externally. We are supportive and open to delivering and exploiting innovative technologies and adopting agile principles. We have implemented mature controls to achieve a low level of system incidents and outage. This is aligned to an ‘Open’ risk appetite.