Click here to skip to content

Risk Management Policy

A statement defining risk and outlining the Library's policies and limits of responsibility with respect to risk management.


The British Library defines risk as the threat that internal or external events will adversely affect its ability to achieve its strategy, policy and operational goals. 

It recognises that risk is something that cannot be wholly contained but aims to manage the exposure to those risks to a satisfactory level. 

It is the intention that effective, proactive risk management supporting structured well managed risk taking is integrated into the culture of the Library. 


The Library will identify and manage risks that endanger the achievement of the strategic aims defined in its Business Plan or the operational aims defined in Directorate plans. 

The approach adopted will meet the requirements of the HM Treasury guidance on Management of Risk - A Strategic Overview (“The Orange Book”) and will be enhanced with best practice from other organisations as opportunities arise. 

The Library’s internal control framework incorporates its risk management approach. Management of risk will be embedded at all levels of the organisation, supported by an active training and education programme. 

Risk Assessment 

Risks will be assessed against estimation criteria approved by the Board. These criteria cover the potential impact of the risk and the likelihood of its occurrence. The risk will be considered for its effect on strategy, operations, finances or reputation and whether they are external or internal. 

Risk Tolerance 

The senior manager responsible for the work carrying a risk will, at the start of a year for operational services or at the start of a programme or project, assess the risks that that work may be subject to. 

They will use the estimation criteria noted above. They will also be responsible for identifying the acceptable tolerance level for the risks involved and confirming them with the Risk Group. 

As risks are managed this tolerance level will be used as the prompt for the escalation of risk reporting to senior management. 

Risk Management 

Risks will be managed in accordance with an agreed approach ranging from terminating the risk, through possible reduction measures, acceptance and monitoring or passing the risk on. Review of the risks will be carried out by the manager assigned responsibility for it. 

Risks will be reviewed: 

  • Annually by the Board as part of the planning cycle; 
  • Quarterly by the Exec Team as part of the business plan monitoring process; 
  • At each of its meetings by the Board Audit Committee; 
  • Monthly by the Exec Team on an exception basis; 
  • Monthly by Directorate Management teams for their own subset of risks; 
  • Local risk registers will be developed as needed based on these policy principles. 

Roles and responsibilities 

Each level of the Library has a responsibility for risk awareness and management. The main roles and responsibilities are as follows: 


The Board is responsible for confirming that the risk management approach will aid the achievement of policy aims. 

Board Audit Committee (BAC) 

BAC are responsible for annual review of the risk management process and for regular review of progress on risk management actions at thrice yearly meetings. 

Accounting Officer 

The Accounting Officer is responsible for ensuring that the risk management framework is adequate and that processes are in place to ensure that it is working effectively. 

Exec Team 

The Exec Team are responsible for risk review in their own areas of responsibility and for championing the required culture change. 

Risk Group 

This group includes the Compliance Officer, the Head of Estates Risk, the IT Security Officer and the Directorate Finance Managers of each Directorate. It is responsible for the maintenance and management of the risk register ensuring that changes are reflected on a timely basis when necessary. The group is also responsible for providing advice and organising training for managers on risk management issues. 


Managers at all levels are responsible for ensuring that risks to their activities are identified, recorded, assessed and managed on an agreed basis. Internal Audit Internal Audit act as an independent review of the Library’s overall internal control framework, including risk management, and reports their findings to the Accounting Officer and BAC.

Back to top Back to top

By using this site, you agree we can set and use cookies. For more details of these cookies and how to disable them, see our cookie policy.