The external environment across the wider NHS, including the creation of a new department combining NHS England and DHSC and the publication of the Government’s 10-Year Health Plan, has informed our ongoing review of strategic risks. This work has assessed the impact of these changes on the delivery of our four fraud focused pillars, and on our ambition to support our people to deliver counter fraud activity across the NHS while making best use of available resources. We have considered the impact on how the changes to delivering NHS services will alter the vulnerabilities to fraud as new models are introduced and digital solutions are rolled out. We continue to monitor the risks emerging from this changing landscape.
The scale of transformation across the NHS has highlighted the need to adapt our approach to better understand and respond to fraud, bribery and corruption risks. This has also reinforced the strategic risk associated with meeting increasingly ambitious government counter fraud objectives without commensurate funding.
During the reporting period, the reputational risk associated with demonstrating the return from investment in data analytics was actively monitored. Project Athena was a specific data analytical project delivered over a two-year period. It tested the concept of using data analytics to identify potentially fraudulent activity, prevention opportunities and identify financial returns. This further matured over the year; the associated mitigations and controls enabled the workstreams to demonstrate the value to the work and this is now transitioning into business as usual activity. This capability now represents a key enabler of our ambition to move from reactive detection to the proactive prevention of fraud losses across the NHS.
The rapid pace of technology-enabled fraud continues to present a strategic risk, with the potential for threats to evolve more quickly than the NHS counter fraud community’s capacity to detect, prevent and respond effectively. Mitigation activity during the year has focused on forward planning to ensure our workforce is equipped with the digital, data and artificial intelligence skills required to respond to emerging risks and provide assurance.
Cyber security has remained a consistent area of strategic risk throughout the year. Targeted investment has been made in our people, cyber security controls and IT resilience to mitigate the threat of malicious cyber activity and to maintain operational continuity.
The impact of the risks described has been the redeployment of resources to provide mitigation, in line with our agreed risk appetite, which is set out below. Our aspirations for the next strategic period will also reflect a change in direction to a more data driven approach which will require the development and implementation of a new operating model to support delivery. Further information is set out in the future plans section of this report.
| Risk description | Risk appetite | Key mitigations | Direction of travel of the risk score |
|---|---|---|---|
| NHS transformation and counter-fraud capacity | Open | Active engagement with NHS system partners and ongoing monitoring of transformation impacts on fraud prevention capacity . | Upward |
| Funding and operating model sustainability | Open | Active engagement with DHSC on funding arrangements and ongoing review of operating model design .. | Static |
| Project Athena delivery and data analytics | Open | Robust programme governance, regular reporting to the Board, and engagement with the proof-of-concept workstream . | Downward |
| Cyber security and IT resilience | Cautious | Ongoing investment in cyber controls and regular assurance reviews | Static |
| Technology-enabled fraud outpacing counter-fraud capacity | Cautious | Horizon scanning group established for monitoring external threats. A review of the cyber threat landscape led by the Information and Cyber Security Manager. Findings from these feeds an information security forum .. | Static |
| Emerging technology and AI capability | Open | Development of our Digital Strategy and incorporation of digital, data and AI skills requirements into future Board recruitment .. | Static |
| Risks across the procurement lifecycle | Open | Enhanced procurement pipeline reporting and lessons learned reviews of contract renewals introduced during the year | Static |
The organisation’s overall approach to risk management and its risk appetite are explained in the accountability section of the report.
Future plans
Our Strategy for 2026 to 2027 places ‘Counter Fraud by Design’ at its core and aligns with the new DHSC Counter Fraud Strategy. This approach will embed fraud resilience into everyday practice across the health service, influencing decision making, governance, accountability and system design. It aligns with the direction of NHS reform and sets the foundation for a longer-term ambition in which counter fraud is fully embedded within frontline services, protecting health resources from fraud while supporting service delivery and modernisation.
During the reporting period, our expanded data analytics capability has successfully transitioned from proof of concept to business as usual. A sustainable business model to support further development and ambition will be approved in early 2026 to 2027 and become operational from April 2027. This enhanced capability will underpin our ambitions to strengthen prevention, support digitalisation, and embed counter fraud principles within healthcare models and frameworks, thereby improving the sectors’ overall response to fraud.
Our risk profile for the next strategic period recognises the critical importance of effective stakeholder engagement. Delivery of our ambitions depends on strong, integrated relationships across the system, rather than organisations operating in isolation. The following have therefore been identified as our key engagement partners.