We aim to make this site as accessible as possible and therefore have provided the settings below to use if you are finding it difficult to view this website. See the SFO Accessibility Statement for more information.

Where it is appropriate to provide a Welsh translation, you can switch to Cymraeg. See the Welsh Language Commissioner website for more information.

Use the settings button in the bottom right corner of the page to access these settings again.

We would like to use Analytics Cookies on our website. 

Turn these on below if you are happy with us collecting information on how our site is used, in order for us to improve the overall experience of our website. 

All other cookies are necessary and therefore by continuing to browse this website, you are agreeing to the usage of these cookies.

 See the SFO Privacy Policy for more information. 

Analytics Cookies

Operational Risk Assessment


The SFO Operational Handbook is for internal guidance only and is published on the SFO’s website solely in the interests of transparency. It is not published for the purpose of providing legal advice and should not therefore be relied on as the basis for any legal advice or decision. Some of the content of this document may have been redacted.


An Operational Risk Assessment (ORA) is a tool to identify hazards and minimise the risks which may accompany an operational deployment relating to an SFO investigation or intelligence project, whether in the UK or overseas.

The Chief Investigator, HODs, Case Controllers and Principal Investigators must ensure that an appropriate ORA is completed or in place prior to every operational deployment.

If the deployment involves multiple premises the risks for each premises must be assessed independently but can be articulated in one composite document providing it is clear which specific risks apply to which premises.

It is not possible to eliminate risk completely. However, before operational deployments are authorised, Case Controllers and Heads of Division should ensure that the inherent risk has been reduced to an acceptable level by the application of control measures. All staff are responsible for ensuring the control measures are applied and adhered to.

ORAs are to be completed by a nominated case team member with suitable operational experience, or by a less experienced case team member supervised by a senior or principal investigator. It is advisable to subject the completed document to a peer review prior to finalisation.

The completed document must be countersigned by the Case Controller. ORAs that relate to search deployments must accompany the Operational Order [See the “Operational Orders” topic]. The risk assessment section of the Operational Order is countersigned by the relevant Head of Division and authorised by the Chief Investigator.

All staff taking part in an operational deployment must read the two part ORA for the premises they are attending and sign a register, held by the SFO Bronze Commander, to indicate that they have understood the risks and the control measures in place.

Health and Safety

Risk assessment is a legal requirement. A five step process enables the management and control of health and safety by:

  • Identifying the hazard
  • Deciding who might be harmed and how
  • Evaluating the risk – introduce preventative and protective measures to reduce or eliminate the risk
  • Record findings and implement them
  • Reviewing the control measures to ensure they are still appropriate.

The Health and Safety at Work Act 1974 places a legal responsibility on the SFO to ensure, so far as is reasonably practicable, the health, safety and welfare at work of all its staff, and the safety of those who may be affected by SFO activities, e.g. visitors, customers, contractors, police officers and members of the public.

The Management of Health and Safety at Work Regulations 1999 require employers to:

  • Undertake a systematic general examination of all work activity
  • Identify and record the significant risks arising out of work
  • Assess the risks to the health and safety of those in our employment
  • Assess the risks to the health and safety of persons not in our employment who are working on our premises or affected by our business
  • Implement control measures to reduce these risks, as far as is reasonably practicable
  • Review our assessments.

It is the responsibility of all managers to ensure risk assessments are in place and brought to the attention of their staff. It must be borne in mind that under the health and safety legislation everyone has a duty of care to themselves and others.

Types of Risk Assessment

Generic Risk Assessment

A Generic Risk Assessment (GRA) is one which is completed centrally to cover areas of working activity that are repeated on a regular basis, e.g. search of premises. It is a summary of the significant hazards/risks and possible control measures typical of a particular or regular activity. The purpose of a GRA is to give managers and those staff compiling the ORA some assistance. The GRA does not replace the need for an ORA (see below). To assist SFO staff in the compilation of an ORA two GRA’s have been created   [See “ID 17 ORA Business risk template”].

It is important to remember that the General Risk Assessment is only designed to highlight general risks. The Operational Risk Assessment is designed to identify and address risks which are specific to the actual deployment.

Operational Risk Assessment

An Operational Risk Assessment (ORA) is to be drafted with assistance from (but not necessarily restrained by) the GRA for specific operational deployments. It is to be compiled by a member (or members) of the case team about to undertake the deployment and must be discussed and countersigned by the Case Controller. Completed ORAs should incorporate control measures and indicate who is responsible for ensuring that they are adhered to. They must include hazards/risks specific to that particular deployment (e.g. guard dogs, working at heights, firearms etc.). ORA’s that relate to search deployments must accompany the Operational Order. The risk assessment section of the Operational Order is countersigned by the relevant Head of Division and authorised by the Chief Investigator. [See “ORA Combined Risk Template” in “Operational Stock Forms”]

Dynamic Risk Assessment

A Dynamic Risk Assessment (DRA) is carried out “on the spot” where unexpected or unplanned scenarios occur. They can also be carried out at any specific moment during a deployment to check for any additional hazards that may not have been possible to assess prior to commencement.

[See ID90 Risk Evaluation and Completion of the ORA document for guidance on risk evaluation and completion of the ORA Combined Risk Template].

Risk Assessment at the Operational Briefing

Risk assessment considerations should form a major part of any briefing. An IIMARCH structured briefing specifically includes a section on risk assessments.

At the briefing the key risks and associated control measures for each premises contained in the ORA must be conveyed to all staff. The SFO Bronze Commander for each deployment will be responsible for ensuring all members of the SFO operational team read the ORA. Each individual should sign a register, held by the Bronze Commander, so that:

  • there can be no doubt that each staff member has been provided with a copy
  • SFO staff subsequently called out to support/replace colleagues at a new or different premises will have an opportunity to familiarise themselves with the ORA for that premises.

The Case Controller should ensure the content of the SFO ORA is brought to the attention of the relevant police officer in charge so that he may, if appropriate, inform his or her staff.

Dynamic Risk Assessments (unexpected hazards)

Given the breadth of duties performed by law enforcement personnel it is not possible to cover every eventuality outlined above in an ORA. Occasionally circumstances will arise in the course of a deployment which may require an additional assessment of risk to be made.

It is important, therefore, that all staff who are expected to take part in operational deployments (investigators, lawyers, exhibits officers, inputters, DFU and contractors) should be familiar with the principles and techniques of risk assessment so that they can take appropriate measures to safeguard themselves and others when they encounter unexpected hazards.

Minor changes can be made to the ORA to accommodate new or changing hazards. The Case Controller or SFO Bronze Commander should date any such additions on the risk assessment and bring them to the attention of relevant staff, noting when this was done either in the Silver Command control log or the Bronze Commanders notebook.

Formal Debrief

A formal debrief must provide an opportunity to review the risk assessments. Section 10 of the standardised format for debriefing ensures this. [See “ID40 Standardised format for debriefing”]. Any feedback regarding the adequacy of control measures or risks identified, together with those not identified prior to deployment, should be given to the case team and highlighted during the debrief process, which will follow soon after the deployment. The Case Controller will be responsible for ensuring new risks encountered are forwarded to the Ops Handbook inbox in the form of an RFC for consideration and inclusion in the Generic risk assessment document.

Version OGW 1, Published July 2017 © Crown Copyright, 2020.

 This information is licensed under the Open Government Licence v3.0. To view this licence, visit http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/ or write to the Information Policy Team, The National Archives, Kew, Richmond, Surrey, TW9 4DU.

Any enquiries regarding this publication should be sent to the Serious Fraud Office, 2-4 Cockspur Street SW1Y 5BS email: information.officer@sfo.gov.uk