GovS 013 component 3: Fraud bribery and corruption risk assessment

Have a fraud, bribery and corruption risk assessment that is submitted to the centre GovS 013 ref: 5.1

Published: 8 February 2022

Updated: 9 October 2025

Version: 2.0

NHS Requirement 3:

The organisation has carried out comprehensive local risk assessments to identify fraud, bribery and corruption risks, and has counter fraud, bribery and corruption provision that is proportionate to the level of risk identified. Risk analysis is undertaken in line with Government Counter Fraud Profession (GCFP) fraud risk assessment methodology and is recorded and managed in line with the organisation’s risk management policy and included on the appropriate risk registers, and the risk assessment is submitted upon request. Measures to mitigate identified risks are included in an organisational work plan, progress is monitored at a senior level within the organisation and results are fed back to the audit committee (or equivalent body).

For NHS organisations the fraud risk assessments should also consider the fraud risks within any associated sub company of the NHS organisation.

Organisation meets the requirement

Resources to carry out the work are realistically assessed and suitable for addressing the risk identified within a reasonable timescale, in line with the organisational risk policy

Risk based work plan objectives are demonstrably achieved.

Where necessary, additional resources are allocated during the year to address emerging risks.

Progress is continuously monitored at a senior level to ensure that risks are mitigated and that resources remain suitable for this purpose.

Note

This requirement directly relates to the organisation's defence in respect of the failure to prevent fraud offence as introduced by the Economic Crime and Corporate Transparency Act 2023. Guidance focusing on the failure to prevent fraud offence has been produced by the Home Office, with supplementary guidance produced by NHSCFA.

As the Counter Fraud Functional Standard Return (CFFSR) is a self-assessment, a GREEN rating does not in itself provide any assurance of the organisation’s defence in respect of the offence. The NHS Requirements and CFFSR can be used as tools to indicate the organisation’s preparedness for a defence; however, value is directly linked to the accuracy with which the organisation’s counter fraud position has been reflected and standard of procedures and other evidence available.

Organisation partially meets the requirement

Risk assessments have been carried out to identify fraud, bribery and corruption risks at the organisation in line with GCFP fraud risk assessment methodology. These risks are recorded in line with the organisational risk management policy.

Actions to mitigate/reduce risks have been appropriately prioritised and documented in a work plan which covers the required NHSCFA areas of activity.

Adequate resources have been assigned to specific areas of work.

The objectives in the work plan are measurable however there is no evidence that the effectiveness of activities carried out under it has been measured.

Organisation does not meet the requirement

There is no evidence of any local risk assessments carried out to identify fraud, bribery and corruption risks at the organisation.

Where local risk assessments have been carried out, they are not comprehensive and have not been undertaken in line with GCFP methodology. The risks have not been included on the organisations risk registers. No adequate resources have been allocated to mitigate the risks identified and an organisational work plan has not been developed.

Where an organisational work plan has been developed, it is not fit for purpose. For example, the work plan may not cover the required key areas of counter fraud, bribery and corruption activity as outlined in NHSCFA’s strategy. Resources may be inadequate to perform identified tasks and/or organisational risks may be insufficiently addressed.

The objectives in the work plan are not measurable.

Guidance, supporting documentation and evidence

Organisations should consider the following (the list is not exhaustive):

  • The NHSCFA strategy document
  • Local risk assessment materials
  • Evidence of liaison with risk management staff within the organisation
  • Evidence of risk monitoring being conducted at a senior level
  • Relevant meeting minutes, action points and records of their execution
  • Audit committee minutes
  • Counter fraud, bribery and corruption work plan is aligned to the risk assessment and NHSCFA counter fraud strategy.
  • Progress reports
  • Organisational risk registers
  • GCFP core discipline “Fraud Risk Assessment”

Help us improve cfa.nhs.uk

Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.

Close

Thanks for the feedback!

Close