In Conversation with Alex Rothwell, NHS CFA

Jessica Kimbell, GovNet
July 6, 2026

Mark Cheeseman OBE, Chief Executive of the Public Sector Fraud Authority, and Alex Rothwell, CEO of the NHS Counter Fraud Authority, took to the stage at Counter Fraud 2026 for a fireside chat on strategy, organisational culture, data analytics and what it takes to get fraud taken seriously at the top of large and complex public sector organisations. Here is a summary of what they said:

The scale of the NHS fraud challenge

Alex Rothwell opened by setting out the landscape the NHS Counter Fraud Authority operates in. Around £220 billion of public money flows through the Department of Health and Social Care into NHS England and out into the healthcare system each year. The NHSCFA's remit covers the full range of fraud, bribery and corruption risks across that system - insider threat across a workforce of 1.7 million employees (not including community doctors, pharmacists and dentists), supply chain corruption, and external fraud by those seeking to access services or money. The organisation estimates that the NHS is financially vulnerable to approximately £1.3 billion in fraud annually.

Rothwell brought a 30-year law enforcement background to the role, with a career repeatedly drawn back to fraud and cyber crime. His view on why fraud work is worth doing was direct: every fraud leaves a footprint, every case is solvable, and the work is both intellectually stimulating and socially meaningful. In a period when questions of ethics and integrity are prominent in public life, he said, counter fraud professionals are on the right side of that conversation.

Prioritisation: Understanding your threat picture

Asked how the NHSCFA prioritises in a system as large and complex as the NHS, Rothwell was unequivocal: you cannot prioritise without first understanding your threat picture. His organisation assesses threat - the things that happen - alongside risk, meaning the likelihood and impact of those things occurring, and financial vulnerability. Without that structured assessment, organisations end up responding to whatever lands on the desk rather than directing effort where it will have most impact.

He added a dimension that he felt was under-discussed: organisational posture on fraud. If a large organisation has only one person working on fraud, that is itself a risk - and one that does not always appear in standard fraud risk assessments. Mapping that kind of structural vulnerability is, he argued, just as important as mapping external threats.

Crucially, he framed prioritisation not just in terms of where fraud risk is highest, but in terms of where counter fraud work can contribute most meaningfully to healthcare objectives. The NHS ten-year plan is built around prevention and shifting care into the community. The question Rothwell asks his organisation is whether what they are doing supports those goals - not just whether it generates a financial return.

Screenshot 2026-04-29 152831

Getting fraud into the boardroom

Mark Cheeseman asked Rothwell why it matters that fraud is talked about at the top of organisations - and how you make that happen. His answer was partly structural and partly cultural.

On structure: the Failure to Prevent Fraud offence has had more impact than many anticipated, not because organisations are now enthusiastic about fraud prevention, but because it forced the conversation into boardrooms and executive teams from a compliance angle. That compliance framing is a start, but it is not enough on its own. Compliance creates minimum thresholds. It does not create advocates.

The harder and more important task is making the case for fraud work on its own merits - demonstrating that it delivers real value against things organisations actually care about. Rothwell drew an analogy with the rise of the Chief People Officer. Twenty years ago, HR was not typically an executive function. The recognition that strategic thinking about people and culture adds value changed that. Counter fraud has not yet made the same journey, but Rothwell sees a path - through loss prevention, efficiency and productivity - that could get it closer to the boardroom table.

His practical advice was to understand the diversity of executive teams. Some leaders are risk-averse, some want innovation, some are focused on cost. Fraud work touches all of those agendas. The skill is knowing which argument to make to which person - and recognising that the ability to build relationships and identify allies may be just as important as technical credibility as a fraud specialist.

Finding fraud should be celebrated, not treated as failure

Cheeseman raised a tension that many in the room will recognise: the tendency for organisations to treat the discovery of fraud as a reputational failure rather than a sign that controls are working. Rothwell's response was that incentive structures matter enormously here. Compliance-driven incentives nudge behaviour, but they do not create genuine buy-in. The shift happens when organisations can see tangible value - when fraud work demonstrably saves money, improves patient safety, or reduces the kind of conduct that undermines public trust.

He gave the example of temporary staffing in the NHS - a dynamic, high-value area where fraud occurs and where the NHSCFA can contribute meaningfully to decisions being made at short notice, late at night, under operational pressure. Getting into that space, he said, requires counter fraud teams to offer something useful to the people making those decisions, not just to flag that fraud is a risk.

Data analytics: The investment and the return

In response to a question from the floor, Rothwell described the NHSCFA's journey in building data analytics capability. Over approximately two years, the organisation invested around £6.5 million in developing a functioning data analytics system - able to acquire and store data, apply rules-based monitoring, and generate outcomes for investigation. Against that investment, prevention figures currently stand at £668 million. The return on investment is clear.

The ambition is to move towards machine learning and real-time analysis. But Rothwell was measured about pace. The lessons of Horizon and other technology failures in the public sector are present in his thinking. The quality of the underlying data must be assured before automation is extended. The blend of specialist fraud knowledge and technical capability is what makes the difference; neither alone is sufficient.

His broader point was unambiguous: counter fraud is now a technology-led profession, and will become more so. There is no version of the future in which fraud specialists are not working with and through technology across all disciplines. That is the direction of travel and the direction of investment.

Measuring what matters, including impact beyond money

On the question of how to measure fraud prevention - one of the most contested areas in the profession - Rothwell endorsed the Cabinet Office methodology as a credible framework, while acknowledging its limitations. The gold standard is a clear cycle: measure loss, identify fraud through data, introduce mitigations, measure again, and demonstrate a demonstrable reduction. But he also argued for a broader view of impact. Some of the NHSCFA's most significant work - tackling fraudulent COVID passes, for example - produced no direct financial saving to the NHS, but had clear social and ethical significance. Incentive structures that focus solely on financial return risk missing that dimension.

Cheeseman pointed to guidance from the International Public Sector Fraud Forum on measuring prevention and total impact as a resource worth drawing on. The profession is developing better tools for capturing the full picture of what fraud prevention delivers - and building that case is part of what gets fraud taken seriously beyond the finance function.

Fraud Blog CTAs (4)