Perhaps it is not the risk committee at fault?
Being in charge of risk for a huge, quasi-governmental organization, I can tell you that very often the alarm sounded for specific risks (such as running XP) is ignored. Naturally, once the barn is on fire (thanks, WannaCry) the IT side of the house desperately wants to lock the door.
The solution is to put the risk squarely on the group demanding the risk be taken. If I go to the "x-ray" department and say "XP is putting the entire place at risk; here are options for things to do to reduce that risk," and their response is "It is cheaper to keep our old X-ray machines," then THEY have to sign off that THEY accept the risk, not us. If we did not warn them, or gave them poor information, that would be our fault.
My guess is the risk folks at the NHS arms are tired from waving like madmen trying to call attention to the situation, and the same old "legacy apps" shit was all they were given.