Assurance and the dog that didn’t bark

GGI CEO Professor Andrew Corbett-Nolan revisits a topic that arose during the COVID-19 pandemic

In Sir Arthur Conan Doyle’s Silver Blaze, Sherlock Holmes solves a mystery by noting the significance of a dog that didn’t bark. The absence of an expected signal—a bark—reveals a critical clue. In public sector governance, particularly within the NHS, the "dog that didn’t bark" represents risks or weaknesses that go unnoticed yet pose significant threats to organizational resilience, accountability, and public trust.

This article, originally developed during the COVID-19 pandemic, explores how assurance frameworks can detect these silent risks and offers updated insights for 2025, reflecting the evolving landscape of health and care governance.

The role of assurance in a complex landscape

Assurance is the bedrock of effective governance, providing confidence that risks are identified, managed, and mitigated. In the NHS, where complexity has intensified with the shift to integrated care systems (ICSs) under the Health and Care Act 2022, assurance ensures that boards, executives, and stakeholders can navigate financial, operational, and strategic challenges. The significant reforms of local government mirror similar complexities. Yet, as the pandemic exposed, assurance processes can falter when overwhelmed by crisis or distracted by visible risks, allowing quieter threats—the non-barking dogs—to persist.

During the pandemic, rapid decision-making and resource reallocation strained governance structures. The UK COVID-19 Inquiry’s interim findings (2023–2025) underscore this, highlighting delayed responses and inadequate preparedness as systemic failures.

Today, the NHS faces new pressures: a £22 billion funding gap, workforce shortages, and record service pressures. These high-profile issues risk overshadowing subtler threats, such as cybersecurity vulnerabilities or cultural barriers to speaking up. These are general challenges faced across the public purpose sector by local authorities, universities, the third sector and housing. And thinking ahead, there are further probable whole-globe crises looming—most predictably, the near-certain escalation of the wars in Eastern Europe and the Middle East.

Never mind the bark, avoid the bite

The metaphor of the non-barking dog invites us to question what isn’t being reported or discussed. In assurance terms, this means looking beyond routine reports and key performance indicators (KPIs) to uncover hidden risks. Examples from 2025 illustrate this challenge:

• Cybersecurity: The 2024 Qilin ransomware attack on NHS trusts disrupted services and exposed patient data, yet many boards had not prioritised cyber risk assurance until recently. A lack of specialist expertise and over-reliance on IT teams left the ‘cyber dog’ silent until it was too late.
• Workforce wellbeing: Chronic staff shortages and burnout, exacerbated by post-pandemic recovery, are often under-reported in assurance processes, which focus on vacancy rates rather than cultural or psychological risks.
• AI adoption: The rapid integration of AI in diagnostics and patient triage offers transformative potential but introduces risks around data ethics, bias, and regulatory compliance. Without proactive assurance, these could go unnoticed until incidents arise.

These examples echo the pandemic-era risks of supply chain fragility or health inequalities, which were often sidelined until crises forced attention. The lesson is clear: assurance must anticipate, not just react.

Strengthening assurance frameworks

To detect silent risks, boards and assurance committees must adopt robust, forward-looking frameworks. The Three Lines Model—operational management, risk oversight, and independent assurance—remains a cornerstone, but its application must evolve. The 2024 revision of HM Treasury’s Orange Book emphasises risk appetite and resilience, urging organisations to define what risks they are willing to accept and stress-test their systems accordingly.

Practical steps for 2025 include:

1. Challenge the status quo: Boards should foster a culture of constructive challenge, encouraging questions such as ‘what are we not hearing?’ Scenario planning and red-team exercises can uncover blind spots.
2. Diversify assurance inputs: Beyond financial and operational data, boards should seek qualitative insights from staff surveys, patient feedback, and external audits. ICSs, with their collaborative ethos, offer opportunities to share intelligence across organisations.
3. Invest in expertise: Emerging risks such as cybersecurity or AI require specialist knowledge. Boards should consider co-opting experts or commissioning targeted assurance reviews.
4. Stress-test systems: Regular simulations, informed by pandemic lessons, can test how assurance processes hold up under pressure, revealing gaps before they widen.
5. Embed risk appetite: Clearly articulated risk appetites, aligned with strategic objectives, help boards prioritise and focus assurance efforts.

Learning from the pandemic and beyond

We are on the brink of a rapid escalation of the current wars and should be looking back to the COVID-19 pandemic for lessons about governing during a global crisis. The pandemic was a stress test for governance, exposing both strengths and weaknesses. The UK COVID-19 Inquiry has revealed how fragmented decision-making and unclear accountability hindered early responses. Yet it also showcased resilience, with NHS trusts and local authorities adapting rapidly to unprecedented demands. ICSs, designed to foster integration, aim to build on this resilience, but their success depends on robust assurance to navigate competing priorities and financial constraints.

The pandemic also highlighted the human element of governance. Staff courage and innovation were critical, yet burnout and moral injury were often the silent risks—the dogs that didn’t bark. In 2025, assurance must prioritise people, ensuring that workforce wellbeing and patient safety are not sidelined by financial or operational metrics, or the vulnerable are left without access to local authority services.

Listening for silence

The dog that doesn’t bark is a powerful reminder that what goes unsaid can be as critical as what is reported. In an era of local government reform, ICSs, financial austerity, and emerging risks such as AI and cyber threats, NHS boards, councillors and public sector leaders must sharpen their assurance processes to hear the silence. By challenging assumptions, diversifying inputs, and embedding resilience, they can ensure that no risk goes unnoticed, safeguarding trust and delivering better outcomes for communities.

GGI remains committed to supporting organisations in this journey, offering tools, training, and insights to make assurance a proactive, not reactive, force. Let us listen for the dogs that don’t bark—and act before they bite.

This is an updated version of an article originally published in June 2020 in the context of the pandemic.