NHS Requirement 3:
The organisation has carried out comprehensive local risk assessments to identify fraud, bribery and corruption risks, and has counter fraud, bribery and corruption provision that is proportionate to the level of risk identified. Risk analysis is undertaken in line with Government Counter Fraud Profession (GCFP) fraud risk assessment methodology and is recorded and managed in line with the organisation’s risk management policy and included on the appropriate risk registers, and the risk assessment is submitted upon request. Measures to mitigate identified risks are included in an organisational work plan, progress is monitored at a senior level within the organisation and results are fed back to the audit committee (or equivalent body).
For NHS organisations the fraud risk assessments should also consider the fraud risks within any associated sub company of the NHS organisation.
Organisation meets standard
Resources to carry out the work are realistically assessed and suitable for addressing the risk identified within a reasonable timescale, in line with the organisational risk policy
Risk based work plan objectives are demonstrably achieved.
Where necessary, additional resources are allocated during the year to address emerging risks.
Progress is continuously monitored at a senior level to ensure that risks are mitigated and that resources remain suitable for this purpose.
Organisation partially meets the standard
Risk assessments have been carried out to identify fraud, bribery and corruption risks at the organisation in line with GCFP fraud risk assessment methodology. These risks are recorded in line with the organisational risk management policy.
Actions to mitigate/reduce risks have been appropriately prioritised and documented in a work plan which covers the required NHSCFA areas of activity.
Adequate resources have been assigned to specific areas of work.
The objectives in the work plan are measurable however there is no evidence that the effectiveness of activities carried out under it has been measured.
Organisation does not meet the standard
There is no evidence of any local risk assessments carried out to identify fraud, bribery and corruption risks at the organisation.
Where local risk assessments have been carried out, they are not comprehensive and have not been undertaken in line with GCFP methodology. The risks have not been included on the organisations risk registers. No adequate resources have been allocated to mitigate the risks identified and an organisational work plan has not been developed.
Where an organisational work plan has been developed, it is not fit for purpose. For example, the work plan may not cover the required key areas of counter fraud, bribery and corruption activity as outlined in NHSCFA’s strategy. Resources may be inadequate to perform identified tasks and/or organisational risks may be insufficiently addressed.
The objectives in the work plan are not measurable.
Guidance, supporting documentation and evidence
Organisations should consider the following (the list is not exhaustive):
- The NHSCFA strategy document
- Local risk assessment materials
- Evidence of liaison with risk management staff within the organisation
- Evidence of risk monitoring being conducted at a senior level
- Relevant meeting minutes, action points and records of their execution
- Audit committee minutes
- Counter fraud, bribery and corruption work plan is aligned to the risk assessment and NHSCFA counter fraud strategy.
- Progress reports
- Organisational risk registers
- GCFP core discipline “Fraud Risk Assessment”