Executive summary and action required
1. This report summarises the Strategic and Operational Risk Registers (SRR and ORR). Together these registers help to ensure that the most significant risks to the delivery of our strategies, as well as our most significant operational risks, are identified, managed and escalated at the most appropriate level in the organisation to allow action to be taken.
2. The Board is asked to:
note the SRR and ORR, and
approve the Risk Management Framework, on the recommendation of the Executive Risk Group (ERG).
Strategic and Operational Risk Register
3. A summary of the SRR is at Annex 1, which sets out the key mitigating actions and a target score for each risk, showing how its score is expected to change over time.
4. The highest rated risks continue to be in the areas of cyber security, data loss and our ability to maximise the opportunities of new technologies and innovations.
5. A new risk has been added to the SRR, focussed on the potential that NHS England is unable to produce a coherent set of strategies and delivery plans needed to achieve its vision and objectives, including reducing healthcare inequalities and the 10 Year Health Plan.
6. The previous ‘New ways of working’ risk has been extensively reviewed to reflect the new context of the 10 Year Health Plan and NHS England’s integration with DHSC, and its title has been changed to ‘Delivering change’. The risk’s focus has shifted from our ability to fully deliver the objectives of the Health and Care Act 2022 and NHS England’s operating framework, to the ability to deliver the changes set out in the 10 Year Health Plan, create a simpler operating model, and ensure that NHS functions are carried out effectively within available resources.
7. SRR9 ‘Significant NHS England data breach’ has seen its risk score increase in the last quarter. Recognising that a cyber security failure could cause a personal data breach with the greatest severity of consequence, the score of this risk has increased from 20 to 25. This takes account of its dependency on the ORR risk ‘NHSE cyber secure and resilient services’, which is also scored at 25.
8. The ORR holds a total of 21 risks. A summary of the 14 risks with a current risk score of 16 or higher is detailed at Annex 2. This includes the key mitigating actions and a target score for each risk. Two new risks and two reframed risks included in the annex reflect emerging integration risks, including NHS England’s ability to continue delivering statutory functions in the context of staff attrition.
9. Of the ORR risks scored 16 or higher and presented to Board, three risks have seen their score increase in the last quarter, with integration and broader NHS transformation being contributing factors. Updated mitigation plans have taken this into consideration.
Risk Management Framework
10. The Risk Management Framework supports the consistent and robust identification and management of opportunities and risks across NHS England.
11. The updates to this document, at Annex 3, have previously been considered by ERG, and formalise significant improvements already made to governance, as agreed by the Audit and Risk Assurance Committee. The document also outlines enhanced risk evaluation processes, and has been updated to make it more succinct and user friendly. Additionally, the framework addresses feedback concerning cross-directorate risk management, which is becoming increasingly important as integration proceeds.
12. The updated RMF aligns to the DHSC risk management policy, and there are discussions underway on the approach to be taken for policy harmonisation as we integrate.
Publication reference: Public Board paper (BM/25/26(Pu))