Strategic Risk Tolerances

This chart sets out the various levels of Strategic Risk Tolerances.

Tolerance levels:

LOW: Occurrence is highly unlikely
MODERATE: Occurrence is possible but not likely
SUBSTANTIAL: Occurrence is likely
SEVERE: Occurrence is highly likely
CRITICAL: Occurrence is highly likely in the near future
Strategic Risk Areas

Inability to Proactively Fight Fraud

There is a risk that the organisation's redesign is not capable of providing a proactive intelligence function and does not support proactive initiatives.

Hard to Recruit and Specialist Roles

There are a number of specialist roles for which it is becoming increasingly difficult to attract or retain quality people with the desired skills and experience. Many of these roles, including specialist IT and Forensic Computing roles, are attracting significantly higher salaries than we are able to offer under AFC terms. This may result in key specialisms remaining vacant and alternative supply having to be considered.

Cyber Risk to NHSCFA Information

There is a recognised and ongoing risk to the NHSCFA IT infrastructure in failing to maintain a sufficient level of cyber resilience in technology, processes and awareness. This could result in compromise of the Confidentiality, Integrity and/or Availability of IT systems and the information held in them.

Cyber Enabled Fraud

The use of technology to commit and/or support the commission of fraud offences is a potentially significant and growing risk to the NHS sector. The risk is compounded by non-compliance with systemic fraud prevention measures designed to mitigate the threats. Cyber security (the adoption of measures to keep IT systems secure from attack) falls within the remit of the NHS Digital Cyber Security Operations Centre.

The NHSCFA, when it becomes aware of a particular modus operandi that uses technology as an enabler of a fraud being committed, can and will share fraud prevention advice and guidance. For example, when we became aware of an innovative MO used to attempt payment diversion fraud, NHSCFA issued immediate fraud prevention advice identifying how NHS partners can recognise and respond to the ways in which technology had been used by the criminals involved.
Failure to Deliver New Strategic Objectives

Following implementation of the organisation's new operating business model, there is a risk of failing to adequately translate the high-level ambitions of the strategy into the specific actions required to successfully achieve its aims, whilst incorporating the necessary flexibility to respond to changes in the fraud landscape and securing the stakeholder and sector buy-in needed to deliver the strategy.

Assurance Mapping & Rating of Organisation Business Plan

There is a risk of being unable to complete the 2023-2024 Business Plan assurance mapping and rating within reasonable timescales due to delay and resourcing issues, leading to an inability to independently assess risks to efficient, effective and legally compliant delivery and to flag these to SMT and ARAC as part of our governance and assurance framework.
