Report
Annual report and accounts 2024 to 2025
The Gambling Commission's 2024 to 2025 annual report and accounts. For the period 1 April 2024 to 31 March 2025.
Risk and internal control framework
Risk management
The Board is responsible for the approval of the Gambling Commission’s risk appetite and the arrangements for risk management. Through the Audit and Risk Committee (ARC), the Board seeks assurance that controls are in place and applied, and that risks are appropriately managed. The Commission is supported in this work through an independent Internal Audit service. The Commission’s risk management process was reviewed and revised during 2023 to 2024 with a focus on securing dedicated risk and assurance resource and developing the risk management culture of the organisation.
Key actions to increase the effectiveness of risk management and internal controls in 2024 to 2025 were implementing a new process for reviewing internal policies, improvements to information management culture and practice, supported by an internal audit review, and provision of dedicated risk support for key projects. These activities were reviewed by ARC and the Committee’s analysis of progress and effectiveness was reported to Board.
The 2024 to 2025 Internal Audit Annual opinion reflected progress in the development of risk management practices and the internal control environment, and assessed the Commission’s governance, risk management and control framework as maturing. The Internal Audit service will review the Commission’s risk management process again in 2025 to 2026 as the Commission implements new software to enhance consistency and risk reporting.
The Commission operates a Risk Management Policy and a Risk Appetite statement which are reviewed at least annually. Risk Registers are in place at the Strategic, Programme and Business Area (team) levels. There is an agreed schedule for the review of risk at Board, ARC and Executive meetings. The Commission’s Board, ARC and Executive Team are committed to continue strengthening risk management maturity across the organisation and have been sighted on our future development plans for risk management.
Current practice is based on regular review and updating of key risks and control adequacy and effectiveness, including assessing the progress in completing mitigating actions, with new and changed risks being submitted to the Performance and Delivery Panel and Executive Team for approval, with regular reporting to the ARC. The ARC reports at least quarterly to the Board, and the Board considers the Strategic Risk Register at least twice a year, as well as setting the risk appetite at least annually.
The risk management policy
The risk management policy sets out how the Commission will continue to develop and maintain a mature risk management culture over time, grounded in the Commission’s operating context and supporting continuous improvement. The policy outlines roles and responsibilities, goals for enhancing the risk management culture, the Commission’s approach to determining risk appetite, the use of risk registers and risk management processes, and review and reporting arrangements. The policy is reviewed at least annually by the Board, following review by the ARC.
The Commission’s risk appetite
The Commission’s risk appetite is expressed in an overarching risk appetite statement which describes its attitude, at a point in time, to accepting risk in each of the areas of principal risk (based on the categories set out in the Orange Book). The statement outlines the risks that the Commission is exposed to and the risks that it is willing to take to achieve its strategic objectives and strategy. Draft appetite statements are developed with subject matter experts to set out the acceptable level of risk. Appetite statements are reviewed and agreed with the Board at least annually to enable risk appetite to inform risk management, escalation and decision making.
Emerging risks for 2025 to 2026
The Commission has identified a range of emerging risks for the coming year. The list below features the highest rated risks:
- risks arising from the delay to the achievement of 4NL full functionality, which has necessitated the further extension of the Commission’s 4NL programme, has resulted in enforcement action being commenced against Allwyn and may result in an adverse impact on expected returns to Good Causes. This risk was present and increasing during 2024 to 2025 as full functionality was not delivered in year as planned, but the Commission expects to see further developments during 2025 to 2026 as transition continues
- continuing litigation in respect of the 4NL competition and related matters, of which the scale, complexity and associated risks have grown during the year. Risks relate to the potential impact on returns to Good Causes, the availability and costs of legal resource and potential litigation risk, although the litigation is being defended vigorously by the Commission
- risks arising from the current structure of the Commission’s fees framework, and the processes required to predict future costs and demand. Slippage in the timescale to implement the revised fees framework will impact on the Commission’s ability to deliver against its corporate strategy and statutory objectives
- balancing internal and external appetites and drivers for change with the need to focus on core regulatory activity and delivery of Corporate Strategy objectives. Risks relate to the need to maintain services whilst undergoing major change activities in relation to key internal software platforms and systems
- expectations and workload in respect of tackling the illegal market, balanced with the funds available to support this work
- risks arising from the volume and complexity of legal casework and the resource demand this places on the Commission. In addition to litigation relating to 4NL, which stands as a risk in its own right, the Commission is managing an increasing caseload of litigation across a range of courts and jurisdictions. In part, this reflects the Commission’s strategic objectives relating to tackling illegal gambling, but there are also wider pressures as a result of either litigation or other legal processes where parties have sought to engage the Commission.
Principal risks and uncertainties during 2024 to 2025
The principal risks and uncertainties are managed through the Commission’s Strategic Risk Register as part of the internal control framework. Risks and controls are subject to continuous review and improvement activity.
During the reporting period, consideration was given to the impact of political, legislative and regulatory changes. During 2024 to 2025, the change of Government had an impact, in particular as the new Government considered its approach to the Gambling Act Review and the White Paper which was published under the previous Government. Policy changes, including the implementation of the statutory Gambling Levy, were moved back, and the Commission has had to review and adjust both its approach to engagement and its implementation plans.
The change in government has resulted in adjustments to the planned legislative programme, which has directly impacted the Commission’s work on addressing illegal gambling. A previously proposed Criminal Justice Bill, containing provisions for enhanced enforcement powers, was not enacted prior to the dissolution of Parliament on 30 May 2024.
The new administration is progressing a revised Crime and Policing Bill that reintroduces those powers and provisions. Subject to successful passage through Parliament, the Bill is expected to be implemented by April 2026.
In addition, the Commission has considered the impact of external and internal events during the year, including additional litigation in respect of the Fourth National Lottery licence and a major investigation into election betting.
IT and Operational Resilience
Risks relating to inadequate or ineffective organisational security, including vulnerability to cyber-attacks, and lapses in the management and maintenance of critical functions, including the pipeline of IT systems development and replacement.
Mitigating actions
Business impact assessments were refreshed in year, and additional financial and people resource is in place, focused on security, infrastructure and technological resilience. A roadmap, programme structure and strengthened governance arrangements are in place for the removal and replacement of key systems, including ensuring holistic oversight of change.
Opportunities and further work
Removal of legacy systems and the introduction and development of new systems bring opportunities to streamline processes and improve services.
Operations and Regulatory Role
The risks that the Commission does not have the appropriate resources, skills or tools to adequately and effectively regulate the gambling industry both now and as it continues to develop and innovate, including as a result of rapidly changing technology; failures to appropriately carry out our remit in respect of licensing, compliance and enforcement functions; and negative impact on gambling consumers, the industry and/or the wider public as a result of regulatory action or inaction.
Mitigating actions
Corporate strategy commitment to increasing our understanding of the gambling market and consumer behaviour has resulted in the delivery of work on evidence gaps, changes to the submission of regulatory returns and work with licensees to improve data and submission processes. The Commission has piloted data sharing and the development of an account management framework to improve industry engagement. Plans to enhance core operational capabilities through the implementation of a new case management system; the improvement of data collection and reporting; and the enhancement of operational efficiencies to support delivery against the Corporate Strategy and the licensing objectives.
Legal
Risks relating to litigation and regulatory decisions, including those related to the significant quantum of disclosure required in the ongoing 4NL litigation case. These risks include legal challenges to Commission decisions, including policy changes arising from the Gambling Act Review as well as challenges to our regulatory work. Legal risks can also arise from performance or non-performance of contracts, as well as in relation to employee relations casework. The Commission managed an increasing litigation caseload in 2024 to 2025, in a range of courts and jurisdictions, including criminal prosecutions.
Mitigating actions
Increasing in-house and contracted legal resource to appropriately manage demand for legal advice and support; regular engagement with sponsor department on legal issues and litigation.
Opportunities and further work
Continuous enhancement of in-house legal resource and knowledge. Ongoing support from key external legal partners secured to ensure appropriate capacity to manage litigation alongside other complex case work.
Financial
A range of risks covering income and expenditure, forecasting and budgetary controls.
In particular, the risk that as a fees-based regulator, the Commission’s income and planned expenditure are impacted by market changes; the risk that the current fees model does not offer independence for the Commission to review the licence fees, resulting in a lack of flexibility to respond at pace to emerging regulatory challenges; and the risk that the Commission is unable to adequately forecast and manage income to meet obligations.
Mitigating actions
Horizon scanning and tracking of licence changes to inform forecasting, resulting in an outturn of under 1.5 percent variance between budgeted fees and other income. Work to model options for a fees review, and liaison with the Department for Culture, Media and Sport (DCMS) to take forward the review; business planning processes to prioritise work and evaluate capacity.
Opportunities and further work
Ongoing development of the finance function and reporting to improve forecast accuracy and budget management. Regular engagement with DCMS on fees position.
People
Risks associated with the inability to attract, recruit and retain suitably skilled and experienced staff; not having the right number of people with the right skills to deliver the Commission’s objectives and strategy; inadequate and/or ineffective learning and development strategy to facilitate key business activities and prepare appropriately for future challenges; and lack of appropriate diversity and inclusion in the organisation structure which may impact the Commission’s ability to effectively regulate the gambling industry.
Mitigating actions
Development of a new People and Culture Strategy and our response to key organisational priorities in respect of recruitment, retention, leadership, management capability and inclusion, along with setting out an Employee Value proposition for the Commission. Developing a pay flexibility case to address key pay issues which impact recruitment and retention.
Opportunities and further work
Outcome of pay flexibility business case awaited and development of a Total Reward philosophy to be a focus regardless of the outcome. The Commission is reviewing its strategic risks following the approval of the 2025 to 2026 budget and business plan by the Commission Board.
Internal control
The Commission has in place a wide range of internal controls to manage the risk of failure to meet our strategic and operational objectives. The systems of internal control described in this report have been in place for 2024 to 2025 and up to the date of approval of the annual report and accounts.
These systems include the following:
- effective delegations – from Board to Committees, to the Executive and to individuals
- key risk and control policies and standards in place in finance, information management, governance, IT, and people services (further detail on information management incidents can be found in this section), which are subject to ongoing review and improvement
- an internal audit programme of work that tests performance against key policies and controls
- complaint and Speak Up (whistleblowing) policies and reporting that are monitored by the Executive Team and the ARC
- financial and operational performance reporting, considered monthly by the Executive Team and quarterly by Board, and submitted quarterly to the DCMS
- quality assurance processes for licensing, compliance and enforcement, which are subject to continuous review and enhancement, including actions arising from internal audit review and a risk-based approach to proactive compliance activity
- lessons learned exercises conducted following casework and other significant issues. In 2024 to 2025 these have included internal assurance reviews.
The Commission is further developing its assessment of policies, procedures and internal controls based on the Risk Control Framework set out in the Orange Book, which will enable regular testing of key controls aligned to the government functional standards and other relevant standards applicable to our work. Further detail on this review of adequacy and effectiveness can be found in this section.
Information security
The Commission has policies, processes and procedures in place to maintain compliance with General Data Protection Regulation (GDPR), the Data Protection Act 2018, and related legislation. The Information Management Team supports the Data Protection Officer to mitigate the risks and impacts of information security incidents, ensure adequate and effective policies and controls are in place to deliver compliance, and manage Freedom of Information requests and requests from data subjects.
Information management incidents, including cyber security incidents, are reported quarterly to ARC, and the Executive Team receives escalations as needed, with an annual report produced to provide an overview of issues and lessons learned.
No personal data incidents met the threshold for reporting to the ICO in 2024 to 2025. In total, 51 information security incidents were reported and investigated internally: 0 high risk, 0 medium risk, 22 low risk and 29 very low risk. Common causes were misdirected emails and post, misfiling of information within Commission systems and loss of equipment.
The Commission’s privacy policy is available on our website.
Speak up (whistleblowing) policy
The Commission has a Speak up (whistleblowing) policy in place for the confidential reporting of unlawful conduct or malpractice. During 2024 to 2025 the Commission successfully defended an employment tribunal claim concerning whistleblowing. Although the claim was unsuccessful, the Commission has undertaken a lessons learned exercise and a comprehensive review of the policy, supported by external advice on best practice. The revised policy is due to be presented to the Commission Board for approval in July 2025.
The current policy is published on the Commission’s website and is available to all employees and appointees. The Commission also maintains an external confidential reporting service for staff who do not wish to raise issues internally.
ARC receive quarterly updates on the number and topics of disclosures under the policy, as well as the outcome of subsequent investigations. They also track the completion of any actions recommended following investigation. Two new whistleblowing reports were received in 2024 to 2025 concerning recruitment processes and pay. Both were subject to investigation, the outcome of which will be reported to ARC in 2025 to 2026.
Operational and financial reporting
The Commission reviews and updates its business plan each year and prepares an annual budget to support the delivery of the plan.
Performance against the budget and business plan deliverables is tracked and reported to the Executive Team each month. The Executive Team also reviews the performance of core activity and Key Performance Indicators (KPIs). Together, this performance pack is provided to the Board and the DCMS each quarter. During 2024 to 2025, the performance reporting process and outputs were systematically reviewed. Revised reporting was developed to provide the Board and Executive with a consistent set of KPI reporting with accompanying narratives to explain changes, variations to expectations and progress made.
Effectiveness of risk management and internal controls
The internal audit programme
The internal audit programme focuses on the requirement to provide assurance that the key risks faced by the Commission are properly managed and controlled. Where control weaknesses are identified in Internal Audit reviews, senior management are responsible for determining and implementing an appropriate response.
The Commission’s internal audit function was provided by the Government Internal Audit Agency (GIAA) in 2024 to 2025. The GIAA maintain a rolling three-year audit plan which aims to cover all key areas of the Commission in a cycle, taking a risk-based approach. The plan for a particular year is confirmed by ARC, following input from the Accounting Officer and Executive Team.
GIAA’s annual report provides an independent opinion on the adequacy and effectiveness of the Commission’s system of internal control, together with recommendations for improvement.
GIAA provided an overall Moderate opinion in both 2024 to 2025 and 2023 to 2024. In their 2024 to 2025 annual opinion, GIAA noted continued progress with the development of risk management practices and the internal control environment, and an ongoing commitment to further mature the Commission’s approach to governance, risk management and control.
Improvement actions
For each internal audit report, the Commission has agreed plans of action to resolve any issues identified. Progress against these actions is tracked by ARC and closure is subject to the approval of the internal auditors. Processes have been revised and disseminated during 2024 to 2025 to provide clarification on the role of Internal Audit review owners and action owners. A Change Control process has been introduced to improve oversight of progress against internal audit actions and to ensure that there is an approval process for any changes requested to agreed actions.
Review of effectiveness
To review the adequacy and effectiveness of Internal Controls, the Accounting Officer receives a report setting out the nature of internal controls, how they compare with government functional standards and/or other relevant standards, any breaches or near misses in the year, and the efficacy of remedial action.
The report analyses the Commission’s compliance with 93 possible control lines, drawn from the Orange Book Risk Control Framework. Of the 93 possible control areas, 79 apply to the Commission across 16 areas. The analysis for controls in place in 2024 to 2025 found that 65 were rated as effective, 12 were partially effective and 1 was ineffective. This represents an overall increase in effectiveness from 2023 to 2024 with progress in internal governance structures, planning processes, performance reporting, internal policy development, and workforce planning. As a result of this analysis, areas identified for further improvement in 2025 to 2026 are project and programme management, information management (noting the impact of disclosure of privileged information in the 4NL litigation), consistency of adherence to functional standards and the effectiveness testing of internal policies.
The Audit and Risk Committee have also reviewed the report submitted to the Accounting Officer as part of their annual report to the Board of Commissioners. The Committee noted the progress made but also stressed the need to strengthen work to review and enhance internal policies.
Last updated: 15 October 2025