Risk management

Agenda item: 3 (public session)
Report by: Sarah-Jane Marsh, Chief Operating Officer and John Lester, Director of Corporate Governance
Paper type: for information
4 June 2026

Executive summary and action required

This report summarises the Strategic and Operational Risk Registers (SRR and ORR), which were considered by the NHS Executive on 26 May. The risks are summarised at annexes 1 and 2.

Several strategic risks have reduced in score, demonstrating an overall improvement in our risk profile. This reflects risk owners’ perceptions of clearer strategic direction, stronger governance and a shift from planning into delivery. Target scores for some of our biggest risks have reduced, following challenge by the Board in the December 2025 meeting and subsequent consideration by risk owners.

We have set out our response to the Board’s previous question on relative prioritisation of emergency preparedness work and alignment to the risk registers, with reference to the government’s National Risk Register. We have also prompted risk owners to ensure risks arising from international conflict are adequately reflected in the registers.

The Board is asked to note the SRR and ORR.

Strategic Risk Register

1. Several of NHS England’s strategic risks have a reduced current or target score compared to the last report. Key areas of improvement include:

  • Strategy and delivery planning (SRR1): the reduced risk reflects clearer national priorities and improved governance through strengthened oversight and structured programme delivery.
  • Delivering change (SRR2): there has been a shift from design to implementation, supported by defined financial envelopes and formal governance arrangements, which has reduced uncertainty.
  • Technology and innovation (SRR8): there has been a significant reduction in risk due to confirmed funding, Treasury approvals and embedded digital strategies, moving from dependency to active delivery.
  • Data breach risk (SRR7): strengthened information governance, including enhanced oversight, third-party assurance and artificial intelligence (AI) governance frameworks, has reduced both likelihood and impact.

2. Looking ahead, there is increased confidence in the potential to further reduce risk exposure. This is reflected in proposed lower target scores for areas such as quality of care and cyber risk, where longer-term strategies and clearer delivery plans are now in place.

3. At its December 2025 meeting, the Board noted that 3 SRR risks were carrying target scores of 20, significantly above risk appetite. In-depth reviews have been undertaken into each of these risks, resulting in a number of changes as summarised below:

4. For SRR3 (delivering objectives within the NHS funding envelope), the target score has reduced to 12. This target acknowledges improvements in financial grip, productivity and planning as drivers for reduction. The target is viewed as ambitious but achievable if current improvements are maintained.

5. For JRR2 (cyber risk), there has been a change in approach and articulation, with a target score of 16 being set against a 2030 delivery horizon. This provides closer alignment to the Cyber Strategy lifecycle, while acknowledging that the risk remains above appetite in the medium term due to persistent external threat levels, variable sector maturity and reliance on enabling capabilities such as supplier assurance and recovery planning, which require sustained investment and time to embed.

6. The current score for cyber risk remains very high despite the mitigations already in place, because of the significant and increasing threat environment. A simulation exercise is planned for July to evaluate NHS resilience to a significant cyber incident, with a focus on the system’s ability to maintain critical services and coordinate a national response during a prolonged period of disruption. The exercise will be undertaken in phases, with a small number of NHS organisations participating as a representative sample of the wider system, particularly at local level, with learning used to inform system-wide preparedness.

7. For SRR7 (data breach), the current position shows a reduced target score of 16, aligned with the trajectory for the internal cyber risk reported in the ORR. This change also reflects strengthened information governance controls, including the introduction of data protection health checks, enhanced third-party assurance and improved incident response arrangements. It also reflects a more coherent articulation of the relationship between cyber and non-cyber drivers of data breach risk, enabling a clearer pathway to reduction.

Operational Risk Register

8. A summary of operational risks with a current score of 16 or above is presented at annex 2, including key current controls and mitigation plans. There are 21 open risks, including 4 new risks. 7 risks have been closed or de-escalated from the ORR this quarter due to controls and mitigations progressing successfully. The most significant operational risks (with a score of 25) are:

  • Adult secure inpatient capacity (ORR 18360)
    • risk score increased from 16 to 25 following closure of capacity at St Andrew’s Healthcare Northampton
    • impact includes pressures on patient flow, prison transfers and delivery of care standards
    • a national response has been mobilised to stabilise the system
  • Digital workforce capacity (ORR 16936)
    • persistent risk relating to recruitment and retention of digital and data specialists
    • critical dependency for delivery of digital transformation and service continuity
  • Performance management capability (ORR 8736)
    • ongoing risk regarding system support to manage performance concerns relating to primary care practitioners
  • Cyber security and service resilience (ORR 13180)
    • persistent high-severity risk with a long-term mitigation horizon to March 2027

9. 4 new risks highlight emerging pressures:
  • Pandemic preparedness (ORR 11941): escalated to the ORR, reflecting system-wide readiness requirements.
  • Workforce attrition during organisational transition (ORR NEW): risk to capacity and capability prior to integration of NHS England into the Department of Health and Social Care.
  • Technology, digital and data (TDD) transformation risk (ORR 22338): potential impact on service continuity during structural change.
  • Medical device regulation compliance (ORR 22341): risk of an ‘innovation freeze’ if NHS England cannot meet new regulatory requirements for AI-enabled technologies.

Risk and resilience

10. In March 2026 the Board considered the Emergency preparedness, resilience and response (EPRR) annual assurance report. The Board questioned how the prioritisation of preparedness activity corresponds to our risk registers, particularly in the context of pandemic and cyber risk – with only the latter appearing on the SRR.

11. EPRR assessments are guided by the government’s National Risk Register, which considers risks at a whole‑country level, whereas NHS England’s risk registers focus specifically on the organisation, with linkage to the wider health system.

12. As a result, while a pandemic is assessed as a high risk at a national level given its potential to affect every person and organisation and place significant pressure on the health system, our organisational risk rating is lower due to the mitigations and preparedness measures already in place. Conversely, when viewed from an NHS England perspective, a cyber incident presents a higher risk in terms of both likelihood and impact, and is therefore rated higher than pandemic risk in our risk registers.

13. Following review by the responsible team, our existing pandemic preparedness risk has been escalated to the ORR. This risk focuses on the capacity and capability for the NHS to prepare for and respond to a new and emerging pandemic.

14. In relation to resilience more broadly, we have asked risk owners to ensure any impact of international conflict is adequately reflected in their risks. This is most pertinent to the risks relating to financial performance, supply chain and cyber attacks.