Date published: 3 December, 2025
Date last updated: 3 December, 2025
Board meetings

Risk management

Agenda item: 4 (public session)
Report by: John Lester, Director of Corporate Governance
Paper type: For approval

Executive summary and action required

This report summarises the Strategic and Operational Risk Registers (SRR and ORR). All risks were reviewed in October and the registers approved by the NHS England Executive on 18 November. Following the establishment of the new joint executive team on 3 November, the owners of SRR and ORR risks have been updated.

The longer term approach to NHS funding introduced with the latest Spending Review, alongside the publication of the 10 Year Health Plan and the Medium Term Planning Framework, have given us the opportunity to further analyse our strategic and operational risks in the context of these allocations and commitments. In turn, this will allow us to introduce more robust risk monitoring and assurance.

As we begin to work closer with our colleagues in DHSC there are opportunities to align our risk management approaches during and after organisational transformation. Proposals to achieve this are summarised in this report.

The NHS England Board is asked to note the SRR and ORR.

Strategic risks

1. A summary of the SRR, setting out headlines of the controls and mitigation plans is included at Annex 1. The full SRR with detailed controls and mitigation plans is routinely reviewed by the NHS England Executive and the Audit & Risk Assurance Committee.

2. One of the main challenges in managing our strategic risks has been developing long-term mitigation plans and risk trajectories against funding allocations that can change from year to year. Shifting priorities have resulted in previous commitments being revised, impacting our ability to deliver mitigations within the projected timeframes.

3. The medium-term approach to funding allocation introduced with the latest Spending Review provides a more stable basis for planning, enabling us to set risk mitigation targets aligned with agreed funding allocations and strengthen accountability.

4. All strategic risk owners have reviewed their risks and confirmed that their mitigation plans, target risk scores and target mitigation dates remain realistically achievable within current funding allocations.

5. The potential impact of SRR5 – Quality of care has reduced from 5 (Severe) to 4 (Significant), bringing the overall risk score down from 20 to 16. This reflects the status and breadth of mitigating work in progress, which includes:

  • The development of a Quality Strategy by March 2026, with significant progress made to date with agreeing the National Quality Board’s terms of reference and membership.
  • The inclusion of quality and safety functions in the recently published Model ICB and Model Region.
  • Review and alignment of internal NHSE quality governance reporting structures, including risk escalation, reporting and response to NHSE and DHSC during the integration and in relation to ICB and Regional changes.

6. The achievement of the target score for SRR 6 – Workforce quantity and capability has been revised from March to June 2026. This change follows the ministerial agreement to publish the 10-Year Workforce Plan in Spring 2026. As not all anticipated Workforce, Training and Education business plan activities received full funding in the recent Spending Review allocations, work is underway to map available funding against priority actions and commitments. Once the projected target score of 15 is achieved, the ambition is to further reduce the risk through assurance on short term commitments delivery.

7. A deep dive review of SRR2 – Delivering change took place at ERG on 31 October. The Group explored the various factors influencing this risk, including the Model Integrated Care Board, the Model Region, and the closure of Commissioning Support Units. The Group also considered the key challenges impacting this risk, particularly uncertainty surrounding organisational change.

8. Now that that revised board committees have been established, we’ll start a programme of strategic risk deep dives through these.

  • SRR1 – Strategy and delivery plans was considered by the Strategy Committee on 16 October. The Committee reviewed the list of significant strategies and policies in development and considered an initial framework for structuring DHSC and NHSE policy and strategy work. The Committee intends to use this framework to identify whether key activities needed to deliver the 10YHP are in hand, and any significant gaps in the portfolio of projects where new work might be commissioned. This work will complement ongoing 10YHP delivery reporting.
  • Deep Dives for all risks held on the SRR have been factored into agendas for upcoming Committee meetings. This is set out in Annex 1.

Operational risks

9. A summary of risks, with a current risk score of 16 or above, within the ORR is at Annex 2, including headlines of the current controls and the mitigation plans. In total, there are 25 open risks, with the following changes in the risk profile: two new risks (replacing former risks recorded on the ORR), four closed risks, and two risks which have seen a decrease in their risk score.

10. The new risks are:

  • Regarding ISFE2, risk 18589 focused on delays to ISFE2 launch, with mitigations around UAT, cutover rehearsal, and defect resolution. This risk has been replaced as 20925: Disruption during transition to ISFE2, reflecting operational impacts post go-live rather than pre-launch delays. The current risk score of 20 is unchanged from inherent score, indicating high residual risk post-launch. Controls in place around this risk include training plans, user engagement, and resolver groups for high-priority defects. Further mitigations include intensive hypercare calls, defect tracking, targeted support for ICBs and clear escalation routes.
  • Regarding Performers list / system support, risk 18882 concerned capacity to support the Revalidation Management System (RMS), Athena rebuild, and Primary Care Support England Online re-procurement. This risk has been superseded by 8736: Lack of system support for Performers List concerns, highlighting fragility of current platforms and delays in redevelopment. The current risk score of 25 is unchanged from inherent score, reflecting criticality of system stability. Controls in place around this risk include resource reprioritisation, governance escalation, interim support options. Further mitigations include rapid review of Athena re-platforming feasibility, focus on stabilising RMS usability, and security enhancements.

11. There are two reductions in risk score recorded:

  • 15077: Significant operational disruption to critical digital live services reduced from 25 to 20, reflecting improved resilience planning.
  • 18594: Delivering NHS 2025/26 budget reduced from 20 to 15, largely due to progress with the productivity programme and deficit support levers.

From risk to resilience: mapping NHS England and DHSC’s risk profiles against each other and to the 10 Year Health Plan

12. Mitigating our strategic risks will be critical to successfully deliver the three shifts outlined in the 10YHP. A comparison of the top risks held by NHSE and DHSC, and mapping of these to the 10YHP and the Cabinet Office’s Chronic Risks Analysis*, has taken place.

* The Chronic Risks Analysis, published by the Cabinet Office in July 2025, focuses on long-term, systemic challenges such as demographic shifts, climate change, and antimicrobial resistance that could gradually erode national resilience. The Chronic Risks Analysis serves as a strategic foresight tool for shaping long-term policy and investment.

13. This has identified key areas of cross-over and divergence. Both organisations acknowledge the critical importance of workforce transformation, financial sustainability and cyber resilience. These shared risks are not only operationally significant but also strategically central to delivering the digitally enabled, financially sustainable and workforce-secure health system envisioned in the 10YHP. The registers also reflect a shared understanding of the fragility in supply chains and the disruptive potential of industrial action.

14. There are some risks set out in the Chronic Risks Analysis that do not currently feature in either organisation’s top risks, including climate resilience, demographic change, and biosecurity. We will collectively consider whether further work is needed to develop such risks.

15. To bring together unified risk discussions for senior leaders as we go through transformation, the two organisation’s risk teams have identified several opportunities for collaboration. Our aim is that executive colleagues will feel like they are managing a single set of risks rather than two distinct registers, while acknowledging that some risks will remain specific to each organisation while we exist as separate legal entities. Beyond this, we are starting to have conversations about how we might align risk policies, processes and risk appetite.

Next steps

16. Recognising that the MTPF sets out tangible targets for the next three years, we will work with risk owners to link relevant risks to the performance trajectories outlined in the MTPF, further strengthening assurance.

17. The first joint ARAC meeting will take place on 12 December. It is intended that the risk discussion at this first meeting focusses on how we, alongside colleagues in DHSC, progress our plans for risk management during to best support alignment and bring together single risk discussions for senior leaders.

Date published: 3 December, 2025
Date last updated: 3 December, 2025