Cookies on the Gambling Commission website

The Gambling Commission website uses cookies to make the site work better for you. Some of these cookies are essential to how the site functions and others are optional. Optional cookies help us remember your settings, measure your use of the site and personalise how we communicate with you. Any data collected is anonymised and we do not set optional cookies unless you consent.

Set cookie preferences

You've accepted all cookies. You can change your cookie settings at any time.

Skip to main content


Annual Report and Accounts 2022 to 2023

The Gambling Commission's 2022 to 2023 Annual Report and Accounts. For the period 1 April 2022 to 31 March 2023.

  1. Contents
  2. Risk and internal control framework

Risk and internal control framework

Risk management

The Board, supported by the Audit and Risk Committee (ARC), oversees the arrangements in place for risk management. The Gambling Commission’s risk management framework was reviewed and revised during 2020 to 2021, with the support of the Commission’s internal auditors.

The Commission operates a Risk Management Policy and Risk Registers at Programme and Corporate level. Current practice is based on regular review and updating of risks, with new and changed risks being submitted to the Executive Team and ARC for approval. ARC reports quarterly to the Board, and the Board considers the corporate risk register twice a year, as well as setting the risk appetite.

The risk management strategy

The strategy outlines the objectives and policies for identifying and managing risk to the achievement of the Commission’s strategic objectives and business plan. This also includes the Commission’s tolerance or appetite for risk. The framework sets out management roles and responsibilities, the process for identifying and recording risk, allocating ownership of risk, evaluating risk, determining responses to risk and monitoring and reporting on progress in managing risk. The framework applies to all levels of the organisation up to the Corporate Risk Register.

The Commission’s risk tolerance

The Commission's risk tolerance is expressed through the level of residual risk judged acceptable for each risk identified. Risk owners are required to identify and implement mitigating actions to reduce the residual risk value to an acceptable level.

Principal risks and uncertainties facing the Commission

The principal risks and uncertainties are managed through the Commission’s Corporate Risk Register as part of the internal control framework. The most significant risks facing The Commission are as follows:

  1. Disruption to the transition from the Third National Lottery Licence to the Fourth National Lottery Licence.
    Mitigations have included intensive programme management of transition and robust governance structures, and focussed stakeholder engagement at senior level.

  2. The uncertainty of the expectations and resources needed to deliver the Commission’s obligations under the Gambling Act Review White Paper.
    Mitigations have included focused stakeholder engagement with the Department for Culture, Media and Sport (DCMS) and recruitment of programme management staff to ensure strong planning capability is in place. Uncertainty regarding resourcing contributed to issues of forecasting accuracy.

  3. The Commission’s funding model does not provide sufficient flexibility for us to meet regulatory challenges.
    Mitigations have included an operations transformation programme to ensure the Commission can effectively horizon scan and cost changes to regulatory activity, and increasing focus on income modelling to improve our financial planning capability.

  4. Cyber security attack resulting in inability to use digital networks and systems which halts our work.

  5. Breach of personal data or sensitive commercial data through a co-ordinated cyber attack.
    Mitigations (for risk 4. and 5.) include testing, incident reporting, compliance with standards and accreditations and staff training.

At the time of writing, the Commission is considering risks relating to the delivery of commitments made in the Gambling Act Review White Paper published in April 2023. These are likely to be among the most significant risks facing the Commission in the year ahead.

Internal control

The Commission has in place a wide range of internal controls to manage the risk of failure to achieve strategic objectives. The systems of internal control described in this report have been in place for 2022 to 2023 and up to the date of approval of the annual report and accounts.

These systems include the following:

  • effective delegations – from Board to Committees, to the Executive and to individuals
  • key control policies in place in finance, information management, governance and people services. Further detail on information management incidents can be found in this section
  • an internal audit programme that tests performance against the control policies
  • Complaint and Public Interest Disclosure policies that are monitored quarterly by Executive Team and the Audit and Risk Committee (ARC). Further detail on the Public Interest Disclosure policy can be found in this section
  • finance and operational performance reporting, considered monthly by the Executive Team and quarterly by Board, submitted quarterly to the DCMS.
  • lessons learned exercises conducted following casework and other significant issues.

The Commission has assessed compliance with government functional standards, and has embedded the standards into the organisation’s business plan as a means of planning and delivering core functions. The functional standards establish consistent ways of working and support the Accounting Officer in fulfilling his duties. The Commission meets the mandatory requirements of the functional standards and uses them to drive improvements to policy and practice.

Information security

The Commission has policies and processes in place to maintain compliance with General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (opens in new tab), and related legislation. The Information Management Team support the Data Protection Officer to mitigate the risks and impacts of information security incidents, ensure effective controls are in place to deliver compliance, and manage requests from data subjects.

Information management incidents, including cyber security incidents, are reported quarterly to ARC, and the Executive Team receives escalations as needed, with an annual report to provide an overview of issues and lessons learned.

No personal data incidents met the threshold for reporting to the Information Commissioner’s Office (ICO) in 2022 to 2023. 27 information security incidents were reported and investigated internally: 0 high risk, 1 medium risk, 22 low risk and 4 very low risk. The most common cause was misdirected email (6 incidents), accidental disclosure (5 incidents) and phishing (4 incidents).

The Commission’s privacy policy is available on our website.

Public interest disclosure policy

The Commission has a Public Interest Disclosure Policy (whistleblowing) in place for the confidential reporting of unlawful conduct or malpractice.

The policy is published on the Commission’s website and is available to all employees and appointees. The Commission also maintains an external confidential reporting service for staff who do not wish to raise issues internally. One complaint was made under the policy in 2022 to 2023. This was investigated and was not upheld, although some best practice recommendations were identified and have been implemented.

ARC receive quarterly updates on the number and topics of disclosures under the policy. They also track the completion of any actions recommended following investigation.

Whilst the policy is published and available to all staff, the Chair of the Commission has requested a full review of the policy and its efficacy in 2023 to 2024.

Operational and financial reporting

The Commission reviews and updates its business plan each year and prepares an annual budget to support the delivery of the plan.

Performance against the budget and business plan deliverables is tracked and reported to Executive Team each month. Performance of core activity and Key Performance Indicators (KPIs) is also reviewed by the Executive Team. Together, this performance pack is provided to the Board and the DCMS each quarter.

Effectiveness of risk management and internal controls

The internal audit programme

The internal audit programme focuses on the requirement to provide assurance that the risks faced by the Commission are properly managed and controlled. Where control weaknesses are identified, these are drawn to the attention of senior managers, who are responsible for determining and implementing an appropriate response.

The Commission’s internal audit function was provided by the Government Internal Audit Agency (GIAA) in 2022 to 2023. In conjunction with the Executive Team and the Audit and Risk Committee, and using the Commission’s corporate risk register, GIAA put together an audit programme to test internal control in a range of areas across the organisation.

GIAA’s annual report provides an independent opinion on the adequacy and effectiveness of the Commission’s system of internal control, together with recommendations for improvement. During the year, the following internal audit reviews were carried out:

  • 4NL transition management – rated substantial assurance
  • Board Assurance Framework – advisory
  • key financial controls – expenses – rated limited (in relation to travel expenses) and unsatisfactory (in relation to home working expenses)
  • governance and financial controls – advisory
  • end of licence management (Third National Lottery licence) – rated substantial assurance
  • cloud governance – rated moderate assurance
  • novel products – rated moderate assurance
  • Economic Crime Levy (ECL) implementation – rated substantial assurance
  • licensing financial management – fieldwork took place across 2022 to 2023 and 2023 to 2024.

The unsatisfactory finding relates to the adequacy of homeworking expenditure guidance, and will be rectified as a matter of urgency. The internal audit report was received in June 2023, and so remedial action has not yet been completed. The report did not identify any irregularity or losses.

From the Commission’s Internal Auditor:

'I am providing a Moderate opinion on the adequacy of the framework of governance, risk management and control within the Commission for 2022 to 2023. My opinion is based primarily on the internal audit activity conducted during this period but is also informed by meetings with senior management and observations during attendance at the ARC, together with my wider understanding of the control environment and our previous service provision to the Commission. I have also considered the work of other assurance providers where appropriate.'

Improvement actions

For each internal audit report the Commission has agreed plans of action to improve issues identified. Progress against these actions is tracked by ARC, and is subject to the approval of the internal auditors.

In addition, improvements in casework disclosure management have been identified and are also being tracked by ARC.

Following the advisory review of governance and financial controls and a lessons learned review of business planning in 2022 to 2023, the Commission has introduced a range of changes to financial planning processes in order to improve the accuracy of the Commission’s financial forecasting. These were implemented in the planning process for 2023 to 2024.

Review of effectiveness

The process applied in reviewing the effectiveness of the system of internal controls involves reporting to the Accounting Officer:

  • the nature of the control
  • how it compares to government functional standards and/or other relevant standards
  • any breaches or near misses in year
  • the efficacy of remedial action.

Similarly, when evaluating the effectiveness of risk management systems, the Commission reviews with the Accounting Officer the movement of risks through the year, the results of horizon scanning activity, and the impact of mitigations on risk score.

Fifteen areas of control were identified. Twelve were rated as effective, three were partially effective and none were ineffective. The three partially effective controls were the corporate governance framework (based on findings in the Board Effectiveness Review), finance performance reporting (based on forecasting accuracy in 2022 to 2023) and risk management (based on improvements required to operationalise the existing policy and framework).

Following the review of effectiveness, the Accounting Officer has met with the Governance and Finance Teams to review risk management and internal controls. He reviewed the reports outlined previously in this section, and has concluded that there has been good progress in applying and testing controls, but expects to see more work on enhancing risk management processes in the year to come. He noted that the internal audit programme had looked at challenging areas of the organisation, and expected to see a similarly robust programme in the coming year.

The Accounting Officer confirms that these risk and control systems have been in place for the year under review and up to the date of approval of the Annual Report and Accounts.

Is this page useful?
Back to top