

Annual Report and Accounts 2021 to 2022

The Gambling Commission's 2021 to 2022 Annual Report and Accounts.


Risk and internal control framework

The Board and Audit and Risk Committee

The Board, supported by the Audit and Risk Committee, oversees the arrangements in place for risk management. The Gambling Commission’s risk management framework was reviewed and revised during 2020-21, with the support of the Commission’s internal auditors. Programme risk registers are reviewed monthly, and the Executive team review escalations and the Corporate Risk Register at least quarterly. The Audit and Risk Committee receive the Corporate Risk Register each quarter, and the Board discusses risk twice a year.

The risk management strategy

The strategy outlines the objectives and policies for identifying and managing risk to the achievement of the Commission’s strategic objectives and business plan. This also includes the Commission’s tolerance or appetite for risk. The framework sets out management roles and responsibilities, the process for identifying and recording risk, allocating ownership of risk, evaluating risk, determining responses to risk and monitoring and reporting on progress in managing risk. The framework applies to all levels of the organisation up to the Corporate Risk Register.

The Commission’s risk tolerance

The Commission's risk tolerance is expressed through the level of residual risk judged acceptable for each risk identified. Risk owners are required to identify and implement mitigating actions to reduce the residual risk value to an acceptable level.

The Commission’s governance framework

The Commission’s governance framework sets out how the Board manages its affairs and which matters are delegated to the Chief Executive, or to other employees or committees. This is reviewed periodically (typically every three years), with the most recent changes to the overarching framework being made in June 2020.

Specific aspects of this framework are reviewed more frequently to ensure they remain fit for purpose.

The internal audit programme

The internal audit programme focuses on the requirement to provide assurance that the risks faced by the Commission are properly managed and controlled. Where control weaknesses are identified, these are drawn to the attention of senior managers, who are responsible for determining and implementing an appropriate response.

The Commission’s internal auditors for 2021-22 have been PricewaterhouseCoopers (PwC), supplemented by the Government Internal Audit Agency (GIAA) in certain areas. In their annual report, PwC provide an independent opinion on the adequacy and effectiveness of the Commission’s system of internal control, together with recommendations for improvement. During the year, the following internal audit reviews were carried out:

  • Governance and Assurance – internal governance (GIAA)
  • Financial Systems – review of the assumptions in the medium-term financial plan (PwC)
  • Cybersecurity (PwC)
  • 4th National Lottery Licence Competition (GIAA).