17 Acknowledged

NS&I's new Risk Management Framework remains inadequately embedded and reliant on external expertise

Conclusion
In 2025, NS&I implemented a new Risk Management Framework, but has not yet fully embedded the framework throughout its organisation.43 We wanted assurance that this framework is good enough to ensure that risks to customer data could be managed, and NS&I claimed it was “comprehensive”.44 NS&I did say that it had improved its risk management processes through greater involvement of its risk directorate, but also said that it was relying on GIAA, as “we accept that we do not have all the expertise in these areas”.45 GIAA is intended to be an internal audit function which should be assuring risk management, rather than doing the work.

38 Qq 6, 11; C&AG’s Report, para 2.4 and Figure 6
39 Q 65
40 Q 22
41 C&AG’s Report, paras 20 and 24
42 Q 78
43 C&AG’s Report, para 3.23
44 Q 66

Having the right skills and capability to deliver the Programme
Government Response Summary
The Treasury and NS&I acknowledge concerns about risk management and are committed to addressing them through robust planning, risk management, and governance, including developing a comprehensive integrated plan and strengthening systems integration capabilities.
Government Response
HM Government Acknowledged
The Treasury and NS&I acknowledge these concerns and are committed to addressing them through robust planning, risk management, and governance. NS&I is working to develop a comprehensive integrated plan that includes clear timelines, cost estimates, and resource allocation. NS&I has strengthened its systems integration capabilities and is ensuring that decisions are based on sound evidence and analysis.
Addressee Bodies
HM Treasury
Timeline
Recommendation age 0.3 yrs
Report published 13 Feb 2026