Main Image Credit Courtesy of allexxandarx
The UK’s National Risk Register ought to be more than a list of bad things which can happen to us. To learn the lessons from the coronavirus pandemic, it needs to be anchored in an improved risk management system which uses empowered analysis to anticipate – and therefore reduce – shocks.
The UK government published the updated National Risk Register (NRR) on 18 December 2020, with relatively little fanfare. The NRR catalogues malicious and non-malicious risks that could affect the UK over the next two years, and provides resilience guidance for the public. It is the public-facing version of the National Security Risk Assessment (NSRA), a classified cross-government, scientifically rigorous assessment of the most serious risks facing the UK and its interests overseas. It is maintained by the Civil Contingencies Secretariat within the Cabinet Office, working closely with government departments. Given the (reasonable) criticism that while the previous risk register had correctly identified a pandemic as being the most significant potential risk this had not translated into an adequate degree of preparedness, it is right to ask whether the new risk register addresses this issue.
Managing risk is about coping with uncertainty. It requires you to know what you want to achieve and what you want to protect, and then to understand and track a) the risks which might stop you achieving what you set out to achieve and b) the likelihood that the threats to what you want to protect materialise. In theory, if you banish the risks and obstacles to achieving your goals, and you defend successfully against threats, then the outcome should be closer to what you intend than if you did nothing. In an organisation the strategic risk register should sit alongside – and mirror – the strategic plan. You run your organisation through a programme of work which at the very least ensures that nothing on the risk register happens. At the end of the year, therefore, you ought to have achieved what you set out to do. An organisation should be confident that it is tracking those risks it has identified, that it can swiftly act when they escalate and that it has a means to identify new risks.
It is time for the creation of a Central Risk Assessment function in the Cabinet Office
The 2020 NRR is a reasonably exhaustive list of bad things that could be done to us, by someone else, by ourselves or by nature. These risks include: environmental hazards (flooding, severe weather, severe space weather, volcanic eruptions, poor air quality, earthquakes); human and animal health (human diseases, animal diseases, antimicrobial resistance); major accidents (widespread electricity failure, system failures, major transport accidents, industrial accidents, major fires); societal risks (industrial action, widespread public disorder, serious and organised crime, organised immigration crime and modern slavery, firearms, drugs, bribery and corruption and child sexual abuse); malicious attacks (attacks on publicly accessible locations, on transport systems, on infrastructure, chemical, biological, radiological and nuclear attacks, cyber attacks and disinformation); and risks occurring overseas. Three of these – serious and organised crime, disinformation and hostile state activity – are new additions.
It does not, however, include threats to plans and opportunities, or the risks to the achievement of the country’s goals. Does the UK have a national strategic plan? The postponement of the Integrated Review, and the allocation of Defence spending separately, means it is still not clear yet. Take, for the sake of argument, ‘Global Britain’. The UK’s newly independent trade policy was announced by the International Trade Secretary on 11 January 2021, and seeks to position the UK at the centre of an advanced network of trade deals as a global services and technology hub. A complete NRR should list what would have to not happen to achieve the objectives of the Global Britain project. ‘Break-up of the UK’ would presumably classify as a high-impact/increasing probability event. ‘Not inventing the right things’ (following the 5G debacle), or ‘changes in the international regulatory framework’ might go on such a register. These would lead to strands of work to develop the right industrial strategy to ensure that the international framework enabled the UK’s endeavours.
It is not clear under current arrangements what the mechanism is by which the UK can measure the risks to and impacts on its ambitions, and through identification take the first step to addressing them. When the Integrated Review is produced, it ought to be possible to translate this into a set of strategic aims, and then to work out what would thwart them. If this missing half of the risk register were developed, it might usher in a genuinely new era of coherent and collaborative cross-departmental effort.
Warnings and shocks
Having a good risk register, however, is not the same as having a good system of risk management. Despite so much discussion of the importance of good forecasting, and the current national obsession with the primacy of science, we seem again to have fallen into the main trap of the risk register, which is to assume that by organising the threats according to statistical likelihood we are on the way to managing them. Risk registers on their own do not enable the anticipation of strategic surprises. A strategic shock (or ‘warning failure’) is a consequence both of a failure to interpret information and a failure to respond to the interpretation. The first is an analytical failure and the second is a choice. The focus should therefore be on improving the analysis and assessment which underpins the tracking of all risks, and on improving the flow of that information to enable the best possible decision-making.
At the heart of the 2020 NRR is a matrix which plots the risks in terms of likelihood and impact. It tells us that the ‘impact scale is logarithmic and is reflected by the matrix boxes increasing in size’. It warns us that ‘amendments to the NSRA’s underpinning method, including the impact and likelihood scales, have shifted where risks are plotted in the 2020 NRR matrix compared to the 2017 iteration’. This is a pictorial representation of risks with a logarithmic basis, rather than a risk-management system. For example, there is only one very low likelihood/high-impact event: an accident in the nuclear industry. There are two moderate likelihood/very high-impact events: larger-scale chemical, biological, radiological or nuclear attack; and pandemics. There are three moderate likelihood/high-impact events: coastal flooding, river flooding and widespread electricity failure. The placing of these categories on the matrix of impact and likelihood is based on input from relevant departments and mathematical computations to enable comparison between such very different things.
A proper understanding of how the most important risks are changing depends on a strong assessment capability across government
The bigger question is whether placing these events in certain boxes on a table is likely either to reduce the likelihood that they will happen or enable their prevention, and that will depend on the quality of the assessment and analysis of how the risk changes, and how this analysis feeds into central judgements about resource, mitigation and preparedness. Forecasting is a part of this, and is listed as a mitigation for some but not all of the risks in the NRR. We can get confused about forecasting: only some of it is useful. Long-term future scenarios set a broad hypothetical outline, but in this kind of risk management the best kind of forecasting is produced by analysts whose role is to monitor changes constantly, which enables sufficient situational awareness to allow for nimble, anticipatory action. Curiously, while it is a central part of the mitigation of the ‘Environmental Hazards’ risk, as you would expect because the Met Office and other agencies have established forecasting procedures and indeed a warning function which they discharge continually, forecasting is not listed as a mitigation in the section on ‘Human and Animal Health’, where arguably one of the key lessons from the pandemic is the need for an ability to anticipate the risk and to get ahead of the science. A better word for forecasting would be anticipation.
How then might it be best performed?
As with any crisis, we should expect a ‘lessons learned’ review at some point, and the best reviews take the opportunity to amend structural weaknesses. At this important ‘learning point’ moment, it feels right to ask what the government’s risk-management system looks like and how it might be improved. What is the role of the Civil Contingencies Secretariat in balancing a warning function across all those risks? As Lord True, Minister of State at the Cabinet Office, explained in his reply to a question by Lord Warner on 22 April 2020: ‘Government departments are responsible for identifying and assessing risks. Each department is also responsible for overseeing levels of preparedness within their sectors, ensuring they have up-to-date plans to mitigate and respond to risks contained in the National Risk Register’. However capable the Civil Contingencies Secretariat, it cannot possibly manage these risks effectively if the means by which it relates to the risk owners is opaque. The responsibility for monitoring the risk and deciding when to act is delegated to departments or agencies with differing analysis and response capabilities and thresholds for alarm. Some of these departments have louder voices at the centre than others, which may mean their risks are prioritised because they get more attention.
What does the Civil Contingencies Secretariat plug into? How does the wiring work? Could it be made more efficient, more decisive, with better command and control and better information flows? Where is all the information held and who is monitoring it? The NRR includes in the mitigation boxes phrases such as ‘improved observation’, ‘collaboration’ and ‘understanding’, but what does this mean in practice?
The creation of a National Situation Centre in the Cabinet Office may be a step in the right direction, but it is really only half a step. Although it includes a welcome emphasis on situational awareness, it still seems to be focused on crisis response and ‘data-led analysis’ to ‘drive evidence-informed action’ and ‘data-driven decision-making’. Sometimes, paradoxically, too much data leads to a lack of clarity. Data is not the answer unless you have a comprehensive assessment system to turn it into understanding. If you wait for evidence you will fail to anticipate. Data has a role to play as an input into a risk-assessment process, but the judgement and instinct of analysts who track the risk 24/7 is the critical component.
It is very hard to get warning right. At its best it is clear and authoritative, one voice which is heard by the people who need to respond. The warning element of the risk-management system needs one empowered central point into which it feeds, to ensure that the risks are being monitored in real time and weighed against each other. At the moment there is no one government body or process which manages this. None of the current assessment bodies have either a wide enough remit or a strong enough warning function to perform this role. The Joint Intelligence Committee (JIC), which sits in the Cabinet Office, has no formal warning function; there is an increasingly strong argument to be made that it should. If the risk register were complete, the JIC would be able to monitor international developments against the UK’s national security and foreign policy priorities and produce reports which offered not just insight into the problem but took responsibility for notifying when a risk was escalating. This would then require action to be taken. Other assessment bodies already have a formal warning function – such as the Joint Terrorism Analysis Centre (JTAC) and now the Joint Biosecurity Centre – and have demonstrated the value and return on resource investment. The Met Office and the Environment Agency are constantly making judgements about how much to warn. In a perfect world, responsibility for each risk would be allocated to one of the assessment bodies which carried responsibility for warning of changes.
A national risk-management system will only work if the gap in the centre is filled. It is time for the creation of a Central Risk Assessment function in the Cabinet Office which coordinates the assessment and analysis across all risks and has a formal role in signalling when risks are changing in real time, not as part of a periodic review. This should be fed by subject matter expect analysis centres (such as JTAC) which are held responsible not just for tracking of known risks but the anticipation of new risks and sounding the alarm. A proper understanding of how the most important risks are changing depends on a strong assessment capability across government which would feed the central function. The act of creating such a system will also demonstrate where the current assessment structures are too weak to carry this anticipatory responsibility.
At a time of limited resource, a working risk-management system will guide decisions on how much should be devoted to a potentially redundant mitigation capacity, to ensure maximum preparedness without excessive expenditure on contingencies. It will help address the perennially thorny issue of planning for the high-impact/low likelihood event, the unlikely risk that nonetheless could happen. It is not possible to be on constant standby for every possible disaster, and it will be skilful, vigilant assessment which will tell when the terrorists might strike, what a hostile country might do next, or when the flood wall will breach.
The creation of a central risk assessment function to match the NRR would require investment in building assessment capability and training of its professional analysts. This would be money well spent: the better the situational awareness and anticipation, the better the decisions and the less need for costly damage limitation. It would require some radical reshaping and breaking down of vested interests. But it just might work. And if it enabled the UK to be alert and ready for whatever happens next, it would be worth it.
The views expressed in this article are the author's, and do not represent those of RUSI or any other institution.