Risk, resilience and security are a shared responsibility, writes Robert Hall.
The director general of the Security Service (MI5) has warned of serious and growing risks facing the UK. His annual threat update on October 8 was complemented by an article, co-authored by the chief executive of the CBI, in a national newspaper on the same theme. In that article, the authors state that the threat from states that seek to undermine our security and economy is not one ‘that can be dealt with by our government and security services alone. Raising our national resilience is a shared responsibility, and one that’s ultimately in everyone’s interest.’
These comments are significant as they emphasize the whole-of-society and whole-system efforts required if we are to aspire to greater national resilience. Such an idea has gained traction in recent years on the back of the Covid-19 pandemic but much still needs to be done if it is to be assured across the board and across regional boundaries in all circumstances. Two further points emanate from the comments, both important in their own right.
Cause and effect
The first point is that resilience is a response to a shock or stress, usually brought about by a disaster or trauma. If these facets are not present, there should be little need to be resilient. In other words, resilience is predicated on the fact that there will be a breach in defences to initiate a resilient response. That response should be agile and adaptive – not only to bounce back (status quo ante) from the perturbation but also to bounce forward to a new status. As there is no such thing as absolute security, breaches can be expected. The key question is how we prepare for all eventualities and then respond and adapt.
The challenge should shift the focus from the analysis of the potential causes to dealing with the practical consequences. The causes will continually morph and multiply. (The list of risks in the National Risk Register increased by 134 per cent from 38 in 2020 to 89 in 2023 – see article). The consequences can be equally varied but we should identify generic measures to cater for as much variance (i.e. knowns and unknowns) as possible. Examples of simple, common practices are alternative locations and supply chains, plus good cyber and medical preparations. Enterprise resilience management rather than enterprise risk management would therefore be a good and meaningful switch of emphasis.
The UK government has taken tentative steps to improve national resilience by, for instance, introducing a resilience framework, an emergency alert service and a prepare campaign for national adoption. But much more needs to be done to motivate, prepare and then activate the whole population. Other countries, albeit with different threat profiles, have gone further with nation-wide publications, education in schools, creation of civil reserves, and regular joint training between key players from both the public and private sectors. This is a model to follow and the UK journey should be accelerated in the face of the growing threats. The new head of the British Army has said that Britain must be ready to fight a war in three years: such action could well be a whole-of-society endeavour.
Sharing intelligence
The second point of this article is that any call for ‘shared responsibility’ should be meaningful and extensive. As a welcome marker, the previous government created the UK Resilience Forum in 2021: it met five times before February of this year. Yet, there was only one collective business organisation invited, namely the CBI: it was present for two of the five sessions according to the published minutes. To increase representation, other private-sector representative organisations should be considered in future meetings. For example, as there were 5.6 million SMEs in the UK in 2023, making up 99 per cent of the private-sector businesses, it might be prudent to invite the Federation of Small Businesses.
The need for closer engagement between the public and private sectors has been acknowledged in the national resilience framework: ‘The UK Government must work with businesses to encourage an active partnership in resilience, and to itself learn from the experiences of businesses. This must be a joint endeavour, with the UK Government doing more, through consultation with businesses, to set standards, and share guidance and information’. To help move this objective forward the last government established the Economic Security Public-Private Forum in December 2023. Eleven businesses across a wide range of sectors were invited and received the ‘first of its kind’ declassified but confidential threat briefings. Dissemination of the information to a wider business audience is unclear.
New thinking
Having established some laudable footholds, this is a moment for the new government to look afresh at the resilience portfolio and see how it could be improved further. There appears to be a myriad of departments and fora with national resilience and/or security responsibilities. This effort could be rationalised while expanding the work to implement a whole-nation approach.
One aspect that deserves serious attention is the requirement for a standing national information exchange linking government and law-enforcement agencies with all of business. We need to move away from the small closed groupings with varying attendance and repeated messages, and adopt a true two-way (i.e. send and receive) national dialogue that stimulates participation with feedback, furthers the collection and dissemination of all-source information, and enhances the public-private collaboration that is vital for wide-area responses.
One model that is worth re-examining is provided by the Overseas Security Advisory Council (OSAC) in the USA. OSAC is a public-private partnership between the US Department of State’s Diplomatic Security Service and security professionals from US organisations operating abroad. Together, OSAC members share timely security information and maintain strong bonds for the protection of US interests overseas. Authorised partners in the UK can receive OSAC product and value it highly for its content and timeliness.
The idea of a UK equivalent to OSAC was first proposed in 2016. It was rejected then as it could take away primacy and confidentiality from government agencies and give undue weight to business. To adopt an organisation co-directed by government and business to serve commerce was seen as a step too far in the face of vested interests. This reservation needs to be re-evaluated in the light of the growing threat landscape and the acknowledged need for shared responsibilities in delivering both security and resilience – two sides of the same coin. To address the requirements of the whole of business would be a positive step to making solutions fit for the whole of society. It will be interesting to see how the new government adapts the national resilience and security endeavour.
About the author
Robert Hall is co-founder and former executive director of Resilience First Ltd. He is author of Building Resilient Futures (2023, ISBN: 97810 3581262). His book, The Resilience Mindset, will be out at the end of this year (ISBN: 97810 35878284). The third book in the series on resilience, Nature’s Resilience, will be released in early 2025 (ISBN: 97810 35878260).
He served in the British Army from 1974 to 1992; afterwards, he worked for Jane’s Information Group, Barclays, BAT, the security multi-national G4S and the risk insurance brokers Marsh. He retired in 2022.



