Key risks to achieving our objectives
Overview
This section explains how we identify, manage and mitigate the principal risks that could affect delivery of the objectives set out earlier in this Performance Report. We define risk as a possible future event that may adversely or beneficially affect achievement of our objectives. This section summarises:
- the principal risks faced during the year;
- their impact on delivery;
- how they changed;
- the mitigations in place; and
- key emerging risks that may influence future performance.
You should read this alongside the Governance Statement, which describes the governance, responsibilities and processes that underpin risk management and internal control.
The external risks we monitor help shape our regulatory strategy and delivery priorities. In contrast, our corporate risk management framework focuses on the risks (and opportunities) that could affect our ability to deliver our strategic objectives and regulatory responsibilities. It includes:
- a risk management policy;
- a risk appetite statement; and
- supporting procedures.
This framework guides how we identify, assess and manage risks at each level of our business planning hierarchy. The following section sets out how we embed this approach in planning, delivery and performance management throughout the year.
As part of our external risk monitoring, we recognise climate change as a significant risk with the potential to affect our infrastructure, operations and staff wellbeing. Informed by the UK Government’s National Risk Register, we assess our exposure to climate-related threats, including:
- extreme weather events; and
- longer term climate shifts.
We maintain a dedicated climate risk register, which we review and update regularly. This records our assessment of likelihood and impact alongside mitigations and planned responses.
Embedding risk management in performance delivery
We integrate risk considerations into planning and delivery throughout the year to support prioritisation, performance management and decision making. Our Governance Statement sets out how we underpin this approach with our:
- governance framework;
- roles and responsibilities;
- assurance arrangements; and
- compliance with recognised standards.
How the risk profile changed during the year
During 2025/26, our corporate risk profile evolved in response to internal change and an increasingly complex external environment. We didn’t assess any risks as very high during the year, but several principal risks maintained ahigh rating. This reflected sustained pressures and uncertainty affecting delivery.
Key changes included increased uncertainty around technology regulation, meaning the AI regulation risk remained rated high throughout 2025/26. We also articulated five new corporate risks (all currently medium):
- Reward & Retention (separated from Pay, Capacity and Capability);
- Governance Transition (potential benefits of a new governance structure and board);
- Expectations Gap (alignment between stakeholder expectations and our ability to deliver);
- Operational Demand (significant increased demand for operational services exceeding available capacity); and
- Regulatory Perception & Expectations (being viewed as a proportionate regulator that protects people while supporting growth and innovation).
We also rearticulated one risk from an opportunity to a threat. We reframed the AI Utilisation opportunity as Insufficient AI Adoption and Utilisation to better reflect current risks; this remains a medium risk. We also de-escalated several risks from the corporate risk register following delivery of control actions.
Summarised below are the principal risks we rated as high during the year and that we considered most likely to affect delivery
Principal risks affecting performance including the cause, threat and impact
Political and economic environment: Risk that we don't have the plans, relationships or the ability to react to and influence changes in the political and economic climate, in government policy or in government attitudes and reviews. This means that we are disproportionately impacted by political and economic events that prevent the achievement of the ICO25 enduring objectives.
| Risk appetite level | The risk appetite is cautious and the risk is above appetite. |
| Why this risk mattered | Changes in the political and economic environment could affect our ability to plan effectively, influence decision-making and deliver our ICO25 objectives. |
| Impact on performance during 2025/26 | Increased political and economic uncertainty required sustained senior involvement and horizon scanning to stay ahead of cross-government priorities. We continued with deliver, but required management effort to respond to emerging priorities and potential policy change. |
| Change in risk profile | This risk remained high throughout the year, reflecting continued external uncertainty. |
| Key mitigations and what more we’ll do in 2026/27 | We strengthened our involvement with the Department for Science, Innovation and Technology (DSIT) and wider government departments, supported by improved horizon scanning and internal coordination. We’ll continue further formalisation of these arrangements during 2026/27. |
Improving productivity: Risk that our infrastructure, people and process resources aren’t effectively used to reduce contradictory and duplication of efforts, minimise delivery gaps, exploit new business models and maximise best use of our resources. This would mean that we don’t prioritise effectively or improve efficiency and productivity, meaning we’re no better placed to achieve our ICO25 objectives and be impactful and collaborative.
| Risk appetite level | The risk appetite is cautious and the risk is above appetite. |
| Why this risk mattered | Not using our people, processes and infrastructure efficiently could limit prioritisation, delivery and progress against ICO25 objectives. This matters because we want to achieve greater impact with our funding, improving value for money, service performance and delivery confidence. |
| Impact on performance during 2025/26 | Productivity pressures required continued focus on prioritisation and delivery discipline. While we delivered outcomes, opportunities to improve efficiency remained. We targeted transformation programme investment and digital automation towards service efficiency and productivity gains. |
| Change in risk profile | This risk remained high throughout the year. |
| Key mitigations and what more we’ll do in 2026/27 | We designed our productivity controls to ensure delivery of ICO-25 by strengthening governance, prioritisation and performance management. We focused our work on the highest-impact activity and we monitored progress through clear KPIs and reporting. We’re mitigating productivity pressures by investing in a structured transformation and digital change portfolio (including assurance, automation and clearer project initiation) to improve efficiency and improve value for money. We manage capacity and capability through disciplined resourcing and budgeting controls, workforce/ways-of-working improvements, and targeted leadership and skills development to ensure we deploy the right level of resource to priority outcomes. |
AI Regulation: Risk that rapid expansion of AI technologies and their increasing complexity, combined with an evolving legislative landscape, may hinder us from applying the right regulatory interventions and providing effective guidance, supervision and assurance to stakeholders. This could undermine our ability to safeguard those who most need support and to support responsible innovation, impacting delivery of corporate objectives.
| Risk appetite level | The risk appetite is cautious and the risk is below appetite. |
| Why this risk mattered | Rapid advances in AI and an evolving legislative landscape increase the risk that we may not be able to provide timely, proportionate and effective regulatory guidance and supervision. This could affect protection outcomes and support for innovation. |
| Impact on performance during 2025/26 | The pace and complexity of AI developments required additional strategic focus and external engagement during the year. This increased delivery complexity alongside wider regulatory responsibilities. |
| Change in risk profile | This risk remained high throughout 2025/26, reflecting uncertainty around technology regulation and the pace and complexity of AI developments. |
| Key mitigations and what more we’ll do in 2026/27 | We published our Strategy for Regulating AI and Biometrics and strengthened involvement with industry and international partners. Further guidance, legislative work and development of the AI Code of Practice will progress in 2026/27. |
Senior leadership capability and cohesion: Senior leadership capability and cohesion may not be sufficiently effective to provide clarity of leadership and direction during a critical period of change. This could result in a delay in achieving our corporate objectives and their underpinning strategies and action plans.
| Risk appetite level | The risk appetite is open and the risk is within appetite. |
| Why this risk mattered | Effective leadership is critical to providing clarity, direction and pace of delivery, particularly during periods of organisational change. |
| Impact on performance during 2025/26 | Targeted development activity, including the ‘Leading the ICO’ programme, executive and senior leadership development days and focused work on executive decision making are helping to provide clarity of leadership. Senior leadership and people manager briefings have improved visibility of direction on organisational priorities. |
| Change in risk profile | More recent gaps at executive level present an increased risk to capacity in the short to medium term and so the net risk remains high. |
| Key mitigations and what more we’ll do in 2026/27 | We’ll undertake proactive work to fill vacancies on both a temporary and permanent basis. We’ll take further actions during 2026/27 through delivery of the Workforce Strategy and a continued focus on embedding effective decision-making. |
Link to governance and accountability
This section summarises how principal and emerging risks affected, or may affect, delivery during the year. The Governance Statement sets out our approach to risk management and internal controls, including:
- roles;
- responsibilities;
- frameworks;
- assurance arrangements; and
- compliance with recognised standards.
Together this provides a clear, joined up account of how risk management:
- supports delivery of ICO objectives;
- informs performance; and
- safeguards public value.