The National Risk Register's Value to Business and Communities


The 2013 National Risk Register (NRR) of civil emergencies was published by the government on 11 July. The risk profile for most communities and businesses remains complex and unpredictable, heightening the value of the general measures of resilience and business continuity planning that the NRR promotes.

What is the National Risk Register?

The National Risk Register (NRR) is a catalogue of the main kinds of emergency that could affect public, private and voluntary sector organisations and businesses, and members of the public in the UK.

The first NRR was a product of the first National Security Strategy in 2008. This concluded that the UK's domestic risk profile was complicated and difficult to predict and, in its most extreme forms, potentially as dangerous as international security threats. A higher level of national resilience was needed, as part of a strategy to promote not just the security of the nation but also the safety of its people.

Resilience - even then a relatively new term in the security lexicon - comprised the ability to anticipate, respond to, maintain essential supplies and services throughout, and recover from, a wide range of emergencies. Professional front line responders would have a main responsibility.  But, especially in larger scale emergencies, resilience was everyone's business. And information on the risks would have to be much more widely available.

The obvious source of information was the National Risk Assessment (NRA) - a confidential assessment of the risks of all kinds of emergency updated by the Cabinet Office every year since 2005.   The NRA assesses the likelihood and likely impact of some 80 to 90 types of emergency. In 2010 it provided much of the underpinning evidence for the Government's National Security Risk Assessment, supplying examples of the major domestic risks posed by international terrorism, natural hazards, and cyber attacks.

Producing a public risk register brought obvious challenges:  public mistrust of government publications of this kind;  and how to set out enough detail to be useful without itemising every type of emergency, or implying that the past is expected to repeat itself in the future.  The 2008 model of a clear but dispassionate document, designed to inform but not compel work by organisations to improve their resilience, has been built on.   But later editions have been less inhibited by considerations of classification - a significant problem given the secrecy surrounding much of the government's risk assessment work - and more driven by what people have said they want to know and by advances in the science of emergency risk assessment. The 2013 edition follows this trend, being more open both about the risks and about what is not in the register.

What Does the 2013 National Risk Register Show?

This is demonstrated most clearly in the matrices on page 10 of the Register. These provide  broad-order comparisons, using a scale for comparing likelihood where the lowest probability events are four orders of magnitude less likely than the highest. The impact scale is similarly stepped.  Taking the 'top tier' of risks in the National Security Risk assessment first, the NRR shows that:

  • The highest impact risks posed by international terrorism are that terrorists might obtain effective mass impact biological agents or a functioning nuclear device. The likelihood of this happening in the next few years is said to be low but not negligible. These continue to be a government priority for the 'Prepare' programme under the 'Contest' strategy.
  • The highest risks of natural disasters are of an influenza pandemic, coastal flooding, and a gas-rich volcanic effusion on the scale of the 1783-84 Laki eruption in Iceland. The latter is distinguished from the 'ash cloud' risk which scientific opinion rates the lesser of two kinds of risk from Icelandic volcanic eruptions.
  • Interestingly, the NRR is more sanguine about the near term risks of cyber attack than the NSRA is for the longer term, both reflecting a government view that the risks here are likely to grow as the UK economy and its peoples' way of life increasingly rely on the internet.

The more common risks fall in the low to mid range of impact - serious but not game-changing in the way disasters in say Japan can be. Their disruptive effects are often more pronounced than the threat they pose to life and limb.  Of these, the events most likely to disrupt our lives are, unsurprisingly:

  • Extremes of weather: an increasing feature of life in Britain as the climate continues to change, and even as average temperatures and sea levels continue gradually to increase: the extremes include low temperatures and heavy snow but also heatwaves, storms and gales.
  • The consequent risks - also rising over time - of inland flooding, and conversely of drought particularly in water-stressed areas of the South-East, which the government's 2012 climate change risk assessment has identified as two of the early onset symptoms of climate change. The new kid on the block here is the risk of severe wildfire, particularly on the urban fringes, with the 2011 Swinley Forest providing a cautionary tale.
  • Relatively localised terrorist attacks using 'conventional' weapons (bombs or firearms). In this the NRR follows the assessment in the latest annual Contest report that, although depleted in numbers and capability, Al-Qa'ida remains capable of conducting terrorist attacks in the UK and other countries, and that Al Qa'ida affiliates around the world have become a relatively greater threat in their own right to UK interests including in this country.
  • Risks of non-pandemic infectious disease - with the risk of SARS providing the reasonable worst case pending a review of these risks that should take into account the Chief Medical Officer's concerns about anti-microbial resistance. The NRR also notes the rising risk of zoonotic and non-zoonotic animal disease which - as the 2001 and 2007 outbreaks of Foot and Mouth Disease showed - can cause significant disruption even when the outbreaks are effectively contained as they were in 2007.

What Does it not Show?

To those using the NRR to improve their preparedness for emergencies, knowing what it does not cover is also important. Adoption of the definition of an emergency from the Civil Contingencies Act, and a definition of likelihood that excludes implausible events or those whose return periods are not known and cannot be guessed, means that the NRR will not assess the likelihood of significant asteroid strikes or earthquakes in populated areas  although these are on the 'reserve list' of risks which the Cabinet Office maintains for annual review. The NRR eschews 'composite' emergencies where two or more different kinds of emergency coincide, since the difficulties of assessing likelihood here would be formidable.   Everyday events such as street crime, which many would view as being more threatening than large scale disasters., are excluded because  the purpose of the NRR is to help the nation and its people cope with unusual circumstances rather than to itemise all the things that can make life a misery.

Assessment

In 2009, the OECD praised the NRR as 'innovative best practice in risk communication to the public', observing that its publication was "the start of a dialogue with the public" and so - in effect - praising the initiative while reserving judgment on how effective this was likely to be.

Five years later, the product continues to be improved, and part of this appears to be due to increased demand from one of the key stakeholders: businesses increasingly interested in business continuity but strapped for resources and wanting an accessible, objective, but authoritative catalogue of emergency planning scenarios.

Infrastructure Resilience

Pressure from big businesses, particular in the infrastructure sectors, to make accessible more of the detail underpinning the National Risk Register is growing. Key business sectors are showing a greater interest in embedding disaster risk management in their business processes, and to understand the nature of some of the risks - like the risks of non-nuclear electro-magnetic pulses emanating from the sun - which require the kind of cross-disciplinary scientific analysis that is increasingly the hall-mark of the NRA.  

This year's Global Assessment Report on Disaster Risk Reduction (GAR '13), highlighting the effect of disasters on long-term business competitiveness and sustainability, will whet business appetite for objective data on the risks. And the publication of 'sector resilience plans' for each of the main UK national infrastructure sectors shows that there is at least the beginnings of a move to balance investment in reducing vulnerabilities with business continuity; and to factor the longer term risks into investment plans for new build infrastructure.

Business Continuity

In the meantime, government efforts to promote business resilience - including publication in the NRR of entry level data on risks to business - may have helped to promote the wider cause of improved business continuity planning.   A 2012 CMI survey[i] showed that, between 2008 and 2012, business continuity management increased from 42% to 60% in not-for-profit organisations surveyed, and from 43% to 52% in private sector organisations. Business continuity planning in medium sized organisations increased from 42% to 61%;  but micro and small businesses still lag behind for the obvious reason that they probably think they can't afford even an entry level investment in resilience. The collaborative, public/private sector, publication of a 'Dummies' Guide' to business continuity - based on the NRR - may change that.

Community Resilience

The NRR - and community risk registers which tailor the national risk picture to local circumstances - has been a standing reference document for Community Resilience since 2008. The recent Peer Review Report of the UK's progress in implementing the Hyogo Framework for Action on Disaster Risk Reduction (HFA), while generally complimentary of the UK's efforts, points to the difficulties:

'The public has access to a lot of information, but it is not clear whether people actually take action based on this risk information. It seems that ... citizens are not yet especially willing to take action themselves on the ground .... changing people's behaviour and making individuals personally responsible remains a challenge: the culture of prevention and risk awareness is still seen as low (reportedly around 12 per cent among the general population).'

In resilience, as in so many other areas of public policy, it remain the case that you can take a horse to water but can't force it to drink.

 Note


 

1. The Chartered Management Institute: 'Planning for the worst: the 2012 Business Continuity Management Survey', March 2012



Footnotes


Explore our related content