
Report

Annual report and accounts 2023 to 2024

The Gambling Commission's 2023 to 2024 Annual report and accounts. For the period 1 April 2023 to 31 March 2024.


Risk and internal control framework

Risk management 

The Board, supported by the Audit and Risk Committee (ARC), oversees the arrangements in place for risk management. The Gambling Commission’s risk management process was reviewed and revised during 2023 to 2024. Responsibility for risk management was moved to the Governance team in late 2022 with a focus on developing the Gambling Commission’s risk management culture and reviewing processes and practice. Additional resource to support this work was put in place during the year.

The Commission operates a Risk Management Policy and a Strategic Risk Register, which are regularly reviewed. The Commission finalised the Corporate Strategy for 2024 to 2027 during Quarter 4 of 2023 to 2024, and a phased review of the Strategic Risk Register is now underway to ensure that any risks affected by the strategy are appropriately reflected. Programme and Operational (Business as Usual) Risk Registers are in development. The Commission’s Board, ARC and Executive Team are committed to continuing to strengthen risk management maturity across the organisation and have been sighted on our future development plans for risk management. These committees have approved the Commission’s Risk Management Policy, Risk Appetite Statement and phased plans for ongoing development and enhancement.

Current practice is based on regular review and updating of risks and of the adequacy and effectiveness of controls, including assessing progress in completing mitigating actions. New and changed risks are submitted to the Performance and Delivery Panel and the Executive Team for approval, with regular reporting to the ARC. The ARC reports quarterly to the Board, and the Board considers the Strategic Risk Register at least twice a year, as well as setting the risk appetite annually.

The risk management policy 

The risk management policy sets out how the Commission will develop and maintain a mature risk management culture over time, grounded in the Commission’s operating context and supporting continuous improvement. The policy outlines roles and responsibilities, goals for enhancing the risk management culture, the Commission’s approach to determining risk appetite, the use of risk registers and risk management processes, and review and reporting arrangements. 

The Commission’s risk appetite 

The Commission’s risk appetite is expressed in an overarching risk appetite statement which describes its attitude, at a point in time, to accepting risk in each of the areas of principal risk (based on the categories set out in the Orange Book). The statement outlines the risks that the Commission is exposed to and the risks that it is willing to take to achieve its strategic objectives and strategy. Draft appetite statements are developed with subject matter experts to set out the acceptable level of risk. Appetite statements are reviewed and agreed with the Board annually so that risk appetite informs risk management, escalation and decision making.

Emerging risks for 2024 to 2025  

  • Risks associated with the implementation of the Fourth National Lottery Licence. The licence was awarded from February 2024 and full implementation of the licence requirements is programmed through 2024 to 2025. Litigation in respect of the outcome of the Fourth National Lottery Licence competition is managed as an issue.
  • Volume, pace, capacity and capability for change management in respect of programme work to deliver the Gambling Act Review, and key objectives from the 2024 to 2027 Corporate Strategy (enhancing core operational functions and using data and analytics to make gambling regulation more effective).
  • Potential for legal challenge (up to and including judicial review) to the Commission in respect of implementation of the Gambling Act or other policy change.
  • Digital and Data: ensuring that the Commission has appropriate skills, capacity, resilience and processes to manage the introduction of new systems and capabilities, whilst maintaining effective data governance, design authorities and compliance with procurement requirements.
  • Powers and capacity to tackle unlicensed gambling and to disrupt illegal activities constrained by the legislative framework.

Principal risks and uncertainties during 2023 to 2024 

The principal risks and uncertainties are managed through the Commission’s Strategic Risk Register as part of the internal control framework. Risks and controls are subject to continuous review and improvement activity. 

IT and Operational Resilience  

Risks relating to organisational security, including vulnerability to cyber-attacks, and lapses in the management and maintenance of critical functions, including the pipeline of IT systems development and replacement.

Mitigating actions: Transfer to cloud-based services completed with process and governance arrangements subject to internal audit review; business continuity plans reviewed and updated in year; detailed reporting on cybersecurity assessments; vulnerabilities identified and resolved in timelines based on criticality; and mitigating activity added to monthly performance reporting.

Opportunities and further work: Development of digital roadmap and design authority arrangements to support existing system development and new procurement work.

Operations and Regulatory Role 

The risk that the Commission does not have the appropriate resources, skills or tools to effectively regulate the gambling industry both now and as it continues to develop and innovate, including as a result of rapidly changing technology; failures to appropriately carry out our remit in respect of licensing, compliance and enforcement functions; and negative impact on gambling consumers, the industry and/or the wider public as a result of regulatory action or inaction.

Mitigating actions: Development of enhanced regulatory performance reporting and management information, quality assurance and oversight in Operations function (licensing, compliance and enforcement). 

Opportunities and further work: Enhancing core operational functions is a key strategic outcome of the 2024 to 2027 Corporate Strategy, including procurement of a new Case Management system and wider review of our approach and outcomes.  

Litigation relating to the Fourth National Lottery Licence Competition; potential for judicial review of Commission policy decisions; challenges to regulatory decision-making by licensees; and inadequate or ineffective proactive and reactive legal engagement.

Mitigating actions: Increasing in-house and contracted legal resource to manage shifting demand for legal advice and support; dedicated programme governance for Fourth National Lottery and Gambling Act Review focused on oversight and assurance; and regular engagement with sponsor department on legal issues and litigation.

Opportunities and further work: Continuous improvement to in-house legal resource and knowledge. 

Financial  

A range of risks covering income and expenditure, forecasting and budgetary controls. 

The risk that as a fees-based regulator, the Commission’s income and planned expenditure are impacted by market changes; the risk that the current fees model does not offer independence for the Commission to review the licence fees, resulting in a lack of flexibility to respond to emerging regulatory challenges; and the risk that the Commission is unable to adequately forecast and manage income to meet obligations. 

Mitigating actions: Horizon scanning and tracking of licence changes to inform forecasting resulting in an outturn of 1 per cent variance between forecast income and expenditure in year. Internal audit review of income forecasting gave substantial assurance and recommendations for ongoing improvement. Ongoing management and oversight of key risks which could cause significant financial impact to the Commission.

Opportunities and further work: Gambling Act Review committed to begin fees review in 2024, continuous improvement activity in Finance function; and close working between Licensing, Finance and Market Insight teams to forecast market changes which impact income.  

People 

Risks associated with the inability to attract, recruit and retain suitably skilled and experienced staff; not having the right number of people with the right skills to deliver the Commission’s objectives and strategy; inadequate access to industry specific and specialist knowledge; inadequate and/or ineffective learning and development strategy to facilitate key business activities and prepare appropriately for future challenges; and lack of appropriate diversity and inclusion in the organisational structure which impact the Commission’s ability to effectively regulate the gambling industry.

Mitigating actions: Diversity and inclusion strategy introduced, internal audit review of single points of failure used to inform resource and succession planning. 

Opportunities and further work: People Strategy and employee value proposition development, and introduction of organisational design approaches to underpin strategic workforce and resource planning.

Governance and Decision Making  

Risk that the Commission does not have appropriate and effective governance and decision-making arrangements; that roles and responsibilities are not clearly defined; that the Commission is not compliant with regulations and codes of practice as an arm’s length body. 

Mitigating actions: Change in Board composition in year via recruitment of seven new Commissioners and the appointment of the CEO as a Commissioner; focused induction plan delivered to support development of organisational and industry knowledge; increased engagement of Commissioners in stakeholder and industry engagement activities.

Opportunities and further work: Development of programme level governance arrangements and SRO arrangements, refresh of corporate governance and committee structures alongside internal governance arrangements.

Following the successful implementation of mitigations, this risk is now considered within appetite and is no longer a principal risk for 2024 to 2025. 

At the time of writing, the Commission is reviewing its strategic risks in light of the areas of strategic focus set out in the Corporate Strategy 2024 to 2027 which was adopted by the Board in March 2024. This review, along with the development of risk registers at the programme and operational levels, will inform updates to the Strategic Risk Register. 

Internal control 

The Commission has in place a wide range of internal controls to manage the risk of failure to meet our strategic and operational objectives. The systems of internal control described in this report have been in place for 2023 to 2024 and up to the date of approval of the annual report and accounts. 

These systems include the following: 

  • effective delegations – from Board to Committees, to the Executive and to individuals
  • key risk and control policies and standards in place in finance, information management, governance, IT, and people services (further detail on information management incidents can be found in this section)
  • an internal audit programme of work that tests performance against control policies and controls
  • Complaint and Speak up (whistleblowing) policies that are monitored quarterly by the Executive Team and the ARC (further detail on the speak up policy can be found in this section)
  • financial and operational performance reporting, considered monthly by the Executive Team and quarterly by the Board, and submitted quarterly to the DCMS
  • quality assurance processes for Licensing, Compliance and Enforcement and a risk-based approach to proactive compliance activity 
  • lessons learned exercises conducted following casework and other significant issues. 

The Commission is further developing its assessment of internal controls based on the Risk Control Framework set out in the Orange Book, which will enable regular testing of controls aligned to the government functional standards and other relevant standards applicable to our work. Further detail on this review of effectiveness can be found in this section. 

Information security 

The Commission has policies, processes and procedures in place to maintain compliance with General Data Protection Regulation (GDPR), the Data Protection Act 2018, and related legislation. The Information Management Team supports the Data Protection Officer to mitigate the risks and impacts of information security incidents, ensure adequate and effective controls are in place to deliver compliance, and manage Freedom of Information requests and requests from data subjects. 

Information management incidents, including cyber security incidents, are reported quarterly to ARC, and the Executive Team receives escalations as needed, with an annual report to provide an overview of issues and lessons learned. 

No personal data incidents met the threshold for reporting to the Information Commissioner’s Office (ICO) in 2023 to 2024. 48 information security incidents were reported and investigated internally: 0 high risk, 0 medium risk, 32 low risk and 16 very low risk. Common causes were misdirected emails and post, accidental disclosure, non-compliance with policy or procedure, loss of equipment, and phishing. 

The Commission’s privacy policy is available on our website. 

Speak up (whistleblowing) policy 

The Commission has a Speak up (whistleblowing) policy in place for the confidential reporting of unlawful conduct or malpractice. 

The policy is published on the Commission’s website and is available to all employees and appointees. The Commission also maintains an external confidential reporting service for staff who do not wish to raise issues internally. No new whistleblowing reports were received in 2023 to 2024, but actions from a report received in 2022 to 2023 were being implemented in this year. 

Where there are whistleblowing reports, ARC receive quarterly updates on the number and topics of disclosures under the policy, as well as the outcome of subsequent investigations. They also track the completion of any actions recommended following investigation. 

The previous whistleblowing policy, known as the Public Interest Disclosure policy, was reviewed and replaced with the Speak up (whistleblowing) policy in February 2024. There will be ongoing work to ensure the policy is publicised and understood by colleagues. 

Operational and financial reporting 

The Commission reviews and updates its business plan each year and prepares an annual budget to support the delivery of the plan. 

Performance against the budget and business plan deliverables is tracked and reported to the Executive Team each month. The Executive Team also reviews the performance of core activity and Key Performance Indicators (KPIs). Together, this performance pack is provided to the Board and the DCMS each quarter. Performance reporting is subject to review and enhancement on an ongoing basis, and will be developed further in 2024 to 2025.

Effectiveness of risk management and internal controls 

The internal audit programme 

The internal audit programme focuses on the requirement to provide assurance that the key risks faced by the Commission are properly managed and controlled. Where control weaknesses are identified, these are drawn to the attention of senior managers, who are responsible for determining and implementing an appropriate response. 

The Commission’s internal audit function was provided by the Government Internal Audit Agency (GIAA) in 2023 to 2024. The GIAA maintain a rolling three-year audit plan which aims to cover all key areas of the Commission in a cycle, taking a risk-based approach. The plan for a particular year is confirmed by ARC, following input from the AO and Executive Team.

GIAA’s annual report provides an independent opinion on the adequacy and effectiveness of the Commission’s system of internal control, together with recommendations for improvement.

The GIAA have provided a Moderate opinion on the adequacy of the framework of governance, risk management and control within the Commission for 2023 to 2024. This is a continuation of the Moderate opinion provided for 2022 to 2023.

The governance, risk management and control arrangements were found to be operating adequately in most of the areas reviewed. Notable areas of good practice and improvement include:

  • improvements to the financial forecasting process. This had been identified by internal audit as an area requiring improvement in our 2022 to 2023 work
  • development of an appropriate risk-based approach to Compliance activity
  • establishment of appropriate governance arrangements to support delivery of the GAR Programme
  • evidence of positive collaboration across business areas within the organisation.

Areas where GIAA have identified that improvements are required include:

  • the maturity and effectiveness of risk management activity is inconsistent across the organisation and weaker in some operational and corporate areas
  • understanding of business-critical roles and capacity risks at a tactical and strategic level
  • the development of systems to enable the capture of operational MI that will better drive continuous improvement activity in Licensing
  • preparations for 4NL Regulation operations that were hampered by capacity constraints.

Improvement actions 

For each internal audit report the Commission has agreed plans of action to resolve any issues identified. Progress against these actions is tracked by ARC and closure is subject to the approval of the internal auditors. 

Review of effectiveness 

To review the adequacy and effectiveness of Internal Controls, the Accounting Officer receives a report setting out the nature of internal controls, how they compare with government functional standards and/or other relevant standards, any breaches or near misses in the year, and the efficacy of remedial action. 

In the 2023 to 2024 review 15 areas of control were identified; 12 were rated as effective, 3 as partially effective and 0 as ineffective. The three rated partially effective were: 

  • governance framework (pending revisions to the whistleblowing policy, committee terms of reference and internal governance framework): all outstanding issues have been actioned
  • finance performance reporting (variance from forecast): all outstanding issues have been actioned
  • risk management (embedding a new approach, resourcing a team): all outstanding issues have been actioned.

This year, the Commission has been developing our controls analysis using the Orange Book Risk Control Framework published in May 2023. The framework identifies 93 possible control lines covering 16 areas. As a work in progress this is presented to the AO for input and comment, but our initial analysis suggests that 82 control lines apply to our operations. Of those, 50 are effective, 15 are partially effective, and 2 are ineffective. We are awaiting input on the remaining 15 areas. 

The 2 areas rated as ineffective are: 

  • reviewing lessons learned from major projects – paused pending litigation  
  • workforce planning used to inform annual planning process.

Following the review of adequacy and effectiveness the Accounting Officer has met with the Governance and Finance Teams to review risk management and internal controls. He reviewed the reports outlined above and has concluded that there has been good progress in applying and testing controls, particularly in relation to risk management and financial forecasting, and expects to see more work on planning, performance reporting, information management and internal policy management in the year to come. He noted that the internal audit programme had looked at challenging areas of the organisation and expected to see a similarly robust programme in the coming year. 

The Accounting Officer confirms that these risk and control systems have been in place for the year under review and up to the date of approval of the annual report and accounts. 
