
UK risk register digest

by Mark Rowe

The National Risk Register was published by UK Government last week. Robert Hall, author of a new book on resilience, goes over what’s good and not so good about the register.

Introduction

A new National Risk Register (NRR) was published by the government on August 3. It has been three years since the last one was released and a lot has changed since then – the covid-19 pandemic, the Russo-Ukrainian conflict, global economic turbulence, and the spread of AI to name but a few. On the premise that a risk profile usually precedes and shapes strategy, it is noteworthy that the NRR has been released five months after the Integrated Review Refresh (IR 2023) of security, defence, development and foreign policy, and eight months since the UK Government Resilience Framework (UK GRF) were published.

The NRR is the public version of the classified National Security Risk Assessment. One can reasonably expect the latter to contain a vulnerability profile as threat and vulnerability are the composites of risk. This year it is claimed the NRR is more transparent than hitherto, with ever more detail. That is borne out by the 89 risks (63 listed in the risk matrix) with nine risk categories over 192 pages: compare this with the 2020 version when there were 38 risks in the matrix, detailed over 140 pages.

The latest document would have been even longer but for the fact that the Government decided this year (unlike 2020) to focus only on those acute risks requiring an emergency response. Chronic risks, namely those which are long-term challenges to the ‘economy, community, way of life, and/or national security’, are not included. The authors say this is ‘a reflection of the need for a separate process for identifying and managing these risks’ and it is ‘establishing a new process for identifying and assessing these risks’ ‘through ongoing policy and operational work.’ They do, however, cite previously named chronic risks as climate change, anti-microbial resistance, serious and organised crime, and AI systems and capabilities. It is a shame that these and others could not be updated in the latest edition considering their seriousness. It is also disappointing to see the word ‘cascading’ appearing only twice in relation to linked failures as this is a significant factor across many risk types.

Understandably for an unclassified document, those sections of the risk category on ‘Conflict and stability’ which consider an attack on the UK or its partners, whether they be outside or inside NATO, are not given likelihood and impact assessments. In the current geopolitical setting, they would be interesting to read as markers for the potential dangers ahead.

One observation is that if the number of risk categories is going to expand in the future then perhaps it is time to put more focus on generic consequences, coupled with preparatory measures, than specific causes. This approach would place greater emphasis on resilience management than risk management. In recognition of the importance of resilience, the Deputy Prime Minister says in the foreword to the NRR that: ‘I am determined to build on our national resilience so that we are prepared for whatever the future holds.’

The Risk Profile

Besides the obvious risk categories of terrorism and cyber-attacks, the others in the NRR are: state threats; geographic and diplomatic; accidents and systems failures; natural and environmental hazards; human, animal and plant health; societal; conflict and instability. Within these headings can be found risks that range from the chances of assassination of a high-profile public figure to a civil nuclear accident to a major outbreak of African swine fever. It is reassuring to see greater detail on a variety of weather scenarios such as heatwaves and surface-water flooding. Some new risk features such as drone-based attacks, insolvencies in critical sectors, adult social-care issues, and a greater granularity on cyber-attacks in different sectors are all to be applauded. Most assessments offer key assumptions, response capability requirements and recovery statements.

The risk matrix uses the traditional 5×5 matrix, measuring likelihood against impact. Likelihood is presented as the percentage chance of a ‘reasonably worst-case scenario’ (RWCS, see below) occurring at least once in the designated timescale while impact looks at an amalgam of factors but with a single matrix score reflecting fatalities, casualties and cost. A pandemic is the risk with the highest impact while terrorism presents the highest likelihood. One problem with assessments based on probability is that past yardsticks are often no indicators of future events: look how a historic one-in-100 year flooding event has become a modern one-in-three year event in some locales.

Thankfully, the time horizon in the NRR has been stretched (previously two years) to five years but only for non-malicious risks such as a pandemic. This particular risk is given a probability of five to 25 per cent (‘highly unlikely’) over the next five years. For malicious risks such as cyber, the timeframe remains two years. This is too short and for all risks the horizon should be extended to at least ten years. That may seem a long time, and no doubt a lot will change, but it would show that horizon scanning is proactive and innovative. A curtailed timeframe inhibits discussion of emerging risk and those with high uncertainty.

The use of a RWCS to risk assess may remove the extremes and focus on the plausible. Nonetheless, it is a subjective approach that can be misleading as it incorporates a degree of government bias and policy assumptions, not least of which is who determines what is reasonable or not. It is also not necessarily the most likely. Take, for example, the UK’s influenza pandemic scenario from 2020 which was chosen on the basis of what was reasonable for the NHS to plan. We know that this was not the scenario that unfolded as Covid-19 is a non-influenza type pathogen and resulted in many more deaths than anticipated. The latest NRR has a generic pandemic scenario which should place a better level of preparedness for most manifestations of the risk. Preparedness is the key element of resilience.

Individuals and communities

Both the 2020 and 2023 editions of the NRR devote a complete chapter to ‘Individuals and communities’. This provides valuable commentary on the steps to take before, during and after an emergency and offers guidance on recovery. The latest chapter reflects the openness and target audience of the document as well as the focus on resilience building. It reinforces the resilience messages made in both the original Integrated Review (IR 2021) and UK GRF documents: perhaps the latter is the more appropriate space for the chapter as it sits rather incongruously in a risk register.

Mention of a ‘whole-of-society’ approach under ‘Supporting communities and volunteering’ recognises the wider engagement of a population in delivering resilience and mitigating risk. It means ‘that where possible, communities recognise their role in, take responsibility [for] and contribute to the UK’s resilience’. What is consistently missing when the whole of society is mentioned in government documents is the means to achieve this through central direction and oversight. This is a vulnerability in contrast to a risk. Both need addressing urgently.

Recovery will remain largely local (and hence deficient for a national disaster) unless co-ordination, funding and impetus are given to mobilising a larger part of the nation than that mustered under the 42 Local Resilience Forums in England and Wales. Covid-19 proved that we could mobilise several hundreds of thousands of volunteers; we should be better prepared to do this again and not on the day.

In conclusion, and echoing the foreword to the NRR, ‘By focusing on our collective resilience, we can help the nation be more safe, more secure – and in turn, more prosperous. This National Risk Register plays a vital role in that process, allowing us to build towards an even brighter future.’ While it is hard to disagree, it is important to distinguish clearly the discrete, yet linked, functions of risk and resilience. One determines what can knock us down, the other whether we get up again.

Robert Hall is former Executive Director of Resilience First. His book ‘Building Resilient Futures’, published by Austin Macauley in June, covers many of the issues outlined here.

Photo by Mark Rowe; medieval defences, Southampton.


© 2024 Professional Security Magazine. All rights reserved.
