Source · Select Committees · Public Accounts Committee

Recommendation 17

NS&I's new Risk Management Framework remains inadequately embedded and reliant on external expertise

Conclusion
In 2025, NS&I implemented a new Risk Management Framework, but has not yet fully embedded the framework throughout its organisation.[43] We wanted assurance that this framework is good enough to ensure that risks to customer data could be managed, and NS&I claimed it was “comprehensive”.[44] NS&I did say that it had improved its risk management processes through greater involvement of its risk directorate, but also said that it was relying on GIAA, as “we accept that we do not have all the expertise in these areas”.[45] GIAA is intended to be an internal audit function which should be assuring risk management, rather than doing the work.

[38] Qq 6, 11; C&AG Report, para 2.4 and Figure 6
[39] Q 65
[40] Q 22
[41] C&AG’s Report, paras 20 and 24
[42] Q 78
[43] C&AG’s Report, para 3.23
[44] Q 66

Having the right skills and capability to deliver the Programme

Government Response
HM Government: Response Pending
The Treasury and NS&I acknowledge these concerns and are committed to addressing them through robust planning, risk management, and governance. NS&I is working to develop a comprehensive integrated plan that includes clear timelines, cost estimates, and resource allocation. NS&I has strengthened its systems integration capabilities and is ensuring that decisions are based on sound evidence and analysis.