Managing our risks

A detailed summary of how the NHSCFA managed its risks over the past year.

Published: 16 July 2026

The external environment across the wider NHS, including the creation of a new department combining NHS England and DHSC and the publication of the Government’s 10-Year Health Plan, has informed our ongoing review of strategic risks. This work has assessed the impact of these changes on the delivery of our four fraud focused pillars, and on our ambition to support our people to deliver counter fraud activity across the NHS while making best use of available resources. We have considered the impact on how the changes to delivering NHS services will alter the vulnerabilities to fraud as new models are introduced and digital solutions are rolled out. We continue to monitor the risks emerging from this changing landscape.

The scale of transformation across the NHS has highlighted the need to adapt our approach to better understand and respond to fraud, bribery and corruption risks. This has also reinforced the strategic risk associated with meeting increasingly ambitious government counter fraud objectives without commensurate funding.

During the reporting period, the reputational risk associated with demonstrating the return from investment in data analytics was actively monitored. Project Athena was a specific data analytical project delivered over a two-year period. It tested the concept of using data analytics to identify potentially fraudulent activity, prevention opportunities and identify financial returns. This further matured over the year; the associated mitigations and controls enabled the workstreams to demonstrate the value to the work and this is now transitioning into business as usual activity. This capability now represents a key enabler of our ambition to move from reactive detection to the proactive prevention of fraud losses across the NHS.

The rapid pace of technology-enabled fraud continues to present a strategic risk, with the potential for threats to evolve more quickly than the NHS counter fraud community’s capacity to detect, prevent and respond effectively. Mitigation activity during the year has focused on forward planning to ensure our workforce is equipped with the digital, data and artificial intelligence skills required to respond to emerging risks and provide assurance.

Cyber security has remained a consistent area of strategic risk throughout the year. Targeted investment has been made in our people, cyber security controls and IT resilience to mitigate the threat of malicious cyber activity and to maintain operational continuity.

The impact of the risks described has been the redeployment of resources to provide mitigation, in line with our agreed risk appetite, which is set out below. Our aspirations for the next strategic period will also reflect a change in direction to a more data driven approach which will require the development and implementation of a new operating model to support delivery. Further information is set out in the future plans section of this report.

Strategic Risks opened in 2025 to 2026 (previous strategic risks were subsumed into these)
Risk description Risk appetite Key mitigations Direction of travel of the risk score
NHS transformation and counter-fraud capacity Open Active engagement with NHS system partners and ongoing monitoring of transformation impacts on fraud prevention capacity . Upward
Funding and operating model sustainability Open Active engagement with DHSC on funding arrangements and ongoing review of operating model design .. Static
Project Athena delivery and data analytics Open Robust programme governance, regular reporting to the Board, and engagement with the proof-of-concept workstream . Downward
Cyber security and IT resilience Cautious Ongoing investment in cyber controls and regular assurance reviews Static
Technology-enabled fraud outpacing counter-fraud capacity Cautious Horizon scanning group established for monitoring external threats. A review of the cyber threat landscape led by the Information and Cyber Security Manager. Findings from these feeds an information security forum .. Static
Emerging technology and AI capability Open Development of our Digital Strategy and incorporation of digital, data and AI skills requirements into future Board recruitment .. Static
Risks across the procurement lifecycle Open Enhanced procurement pipeline reporting and lessons learned reviews of contract renewals introduced during the year Static

The organisation’s overall approach to risk management and its risk appetite are explained in the accountability section of the report.

Future plans

Our Strategy for 2026 to 2027 places ‘Counter Fraud by Design’ at its core and aligns with the new DHSC Counter Fraud Strategy. This approach will embed fraud resilience into everyday practice across the health service, influencing decision making, governance, accountability and system design. It aligns with the direction of NHS reform and sets the foundation for a longer-term ambition in which counter fraud is fully embedded within frontline services, protecting health resources from fraud while supporting service delivery and modernisation.

During the reporting period, our expanded data analytics capability has successfully transitioned from proof of concept to business as usual. A sustainable business model to support further development and ambition will be approved in early 2026 to 2027 and become operational from April 2027. This enhanced capability will underpin our ambitions to strengthen prevention, support digitalisation, and embed counter fraud principles within healthcare models and frameworks, thereby improving the sectors’ overall response to fraud.

Our risk profile for the next strategic period recognises the critical importance of effective stakeholder engagement. Delivery of our ambitions depends on strong, integrated relationships across the system, rather than organisations operating in isolation. The following have therefore been identified as our key engagement partners.

Key national and sector partners supporting a health‑wide counter fraud approach Infographic showing the range of national, regulatory, system and delivery partners involved in supporting a health‑wide counter fraud approach. The image is arranged as a connected group of hexagons, each representing an organisation that contributes to preventing, detecting and responding to fraud across the health sector. These include central government bodies, regulators and assurance organisations, NHS organisations across the UK, arm’s‑length bodies, oversight authorities, local government, professional and regulatory agencies, and public sector partners. The graphic highlights the importance of coordinated, cross‑system collaboration to embed fraud resilience into NHS reform, digital transformation, commissioning and service delivery, supporting effective governance and protection of resources for patient care. Patients Public Polic e Service
Key national and sector partners supporting a health‑wide counter fraud approach Infographic showing the range of national, regulatory, system and delivery partners involved in supporting a health‑wide counter fraud approach. The image is arranged as a connected group of hexagons, each representing an organisation that contributes to preventing, detecting and responding to fraud across the health sector. These include central government bodies, regulators and assurance organisations, NHS organisations across the UK, arm’s‑length bodies, oversight authorities, local government, professional and regulatory agencies, and public sector partners. The graphic highlights the importance of coordinated, cross‑system collaboration to embed fraud resilience into NHS reform, digital transformation, commissioning and service delivery, supporting effective governance and protection of resources for patient care. Patients Polic e Se r vice Public

Help us improve cfa.nhs.uk

Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.

Close

Thanks for the feedback!

Close