Recommendation 3

It has taken NS&I far too long to develop a risk management framework, which has left the taxpayer exposed to unacceptable risks. NS&I launched multiple procurements and planned to deliver four transitions in parallel with no understanding of the risks this was exposing the organisation and its customers to. The programme was rated high- risk by external reviews on several occasions, but NS&I has not shown it can manage the risks effectively. In 2025, NS&I implemented a new Risk Management Framework, but it is not yet fully embedded. There are still many risks for the Programme to manage, for example the replacement of core banking engine is extremely high risk, but the main work has yet to start. NS&I is bringing in skills through its new System Integrator (CapGemini), but it is not yet clear that NS&I is listening to what it has to say about the realism of the timetable and the delivery risks. Programme governance has been strengthened, with the Treasury instigating the main changes by appointing new non-executive directors to NS&I, establishing a new committee to scrutinise the programme and by appointing David Goldstone in an advisory capacity. recommendation a. NS&I should ask Mr Goldstone to review how the Programme is applying the new risk management framework, and identify what additional support is needed. 4 b. By June 2026, NS&I should write to the Committee setting out the progress implementing its risk management framework, and how NS&I will strengthen and fully embed the framework in its operations.