How to Unlock the National Security Strategy

On 19 September, Parliament’s Joint Committee on National Security Strategy reported on the UK’s national security machinery. It identified serious weaknesses in the government structures that deal with national security – as evidenced by the handling of the pandemic and the withdrawal from Afghanistan.

Those structures span foreign policy, defence, security and intelligence and beyond and they have to deliver the 2021 Integrated Review. That includes re-working the National Security Risk Assessment, establishing a new Situation Centre and a new national Emergency Alerting system and setting up a new Civilian Reserve and a new College for National Security. As Paymaster General, Penny Mordaunt also announced the development of a National Resilience Strategy for 2022.

Yet, all this does not yet add up to systemic activity that will deliver more than the sum of its parts. The new National Security Advisor has reviewed the relevant processes and structures but we do not yet have his blueprint for a good 21st century national security system that can take advantage of long-term opportunities and manage the risks already identified in the Integrated Review.

There are five keys that will unlock progress: a coherent national structure; a skills and talent plan; clearly allocated responsibilities for delivery; a world class risk identification and alerting system; and relentless focus on what is important, not just what is urgent.

A Coherent National Structure

The most important driver of any reform is the wholehearted support of all involved from the strategic level to those on the ground. They must understand why reform is needed in the face of future threats and believe in a coherent, well-resourced plan. This requires convincing the insiders, who have seen many initiatives announced with fanfare but fail to deliver on the ground, but also the many different public and private sector organisations (each with their own priorities and cultures) that they are valued players with distinctive contributions to make. The CONTEST counterterrorism strategy has, for example, done that for almost 20 years. It provides a common strategic objective and programmes of action, which involve all who can contribute to reducing the risk to the public from terrorism. This goes beyond those directly involved in the pursuit of terrorist networks, and includes the training of emergency services, private sector protection of critical infrastructure, investment at a local level in greater resilience and working with partners overseas. Today’s national security agenda is even wider but we need the equivalent clarity over the missions and cross-cutting plans for delivering the components of the Integrated Review. For example, ideas in the Integrated Review could be pulled together to create a framework to counter digital subversion.

The central capability for strategic thinking and risk management will need strengthening. Not to centralise executive responsibilities, or to set up new capabilities where they already exist, but to produce a centrally directed common story, language and processes. Strategic thinking takes place in all government departments and assessment bodies but is not always brought together effectively. The centre does not fully benefit from the intellectual firepower of departments and analytical bodies, and there is a lot of duplication. The wiring diagram for thinking and deciding is not clear. The trick will be to refine the structures so that the centre can see how the relevant work of every department and agency fits into national security decision-making and avoids sub-optimal choices being taken within individual pillars.

A Skills and Talent Plan

The second essential key to translate vision into results are people of the right experience, skills and passion who really understand what is likely to happen on the ground when central levers are pulled, and who can make it happen. Many of those now needed may be working on national security related subjects somewhere in government, or have recently served there. Many of them are frustrated and believe there is more to do to liberate them to contribute their experience and reduce the static noise that prevents the release of huge latent capability within the civil service.

It would be surprising if the distribution of talent today matched that needed by the future national security agenda. A key to progress has to be a ‘people programme’ to redeploy talent for immediate priorities and to grow the skills and experience capability. It is a lesson of past major reforms across private and public sectors that, when the time for hindsight arrives, there is regret that more attention was not given to getting the right people in the right posts quickly and getting on with positive career management to develop the experience base for the future ensuring that staff are properly trained and qualified for the posts they hold. That does not happen by accident.

Clearly Allocated Responsibilities for Delivery

Ownership and responsibility for coherent work packages has to be laid on individuals, with responsibility and authority aligned to drive delivery. That is only possible if there is a strategic design which sets out how government should analyse and manage its risks and opportunities. The design has to be simple and explicable to all concerned. The inevitable underlaps and overlaps in responsibility of individuals and departments have to be exposed and argued out to a resolution. It should be absolutely clear who has responsibility for what: the objective must be to have every task only performed once and in one place.

This is a rare opportunity to introduce systemic reform, rather than follow the pattern of earlier generations adding more piecemeal activity, and thus risking incoherence. New organisations and processes always have to be designed so as to have appropriate plugs and sockets to link to existing structures. An example is the Joint Intelligence Committee (JIC), established in 1936 but now serving customer departments that have evolved piecemeal ever since so that it is practically impossible to draw the wiring diagram for understanding and decision-making. Even the welcome creation by the previous National Security Advisor of ‘Senior Responsible Owners’ (SRO) was complicated by the fact that in some instances it was not clear whether the SRO was also in a position really to be the ‘Risk Owner’. In creating a College for National Security, it will have to be clear from the outset exactly how it augments rather than duplicates the activities of the other bodies that already exist for overlapping disciplines such as the Foreign Office’s International Academy, the Defence Academy, the Intelligence Assessment Academy and the training organisations of individual agencies and civil departments. Failure to grasp such nettles early on leads to the dissipation of the clarity of the original vision.

Doctrine is a term used in defence to describe the fundamental principles by which military forces guide their actions in support of objectives. We need a modern national security doctrine for the same reason. This would become the core of the syllabus for the new College for National Security. The doctrine would describe the cycle by which the government sets prioritised strategic objectives, tasks collection of information, organises and analyses that information, considers it, and then devises and recommends policy so that timely decisions can be taken and acted on. We do not underestimate just how difficult it will be to write down the British way of national security, that it may seem counter-cultural to our empirical seat-of-the-pants tradition, and that there will be many arguments on the way. But the effort alone will justify the results on the well-established Churchillian principle that it is planning not plans themselves that has the greatest value.

A World Class Risk Identification and Alerting System

Most of modern security is risk management not risk elimination. In the private sector this is how successful businesses operate. But at the moment, there is no central government risk management process; departments have their own risk management systems to manage departmental risk, but the links between the National Security Strategy and monitoring and mitigation of threats to that strategy are convoluted. We are told ‘that Lead Government Departments are responsible for risk management, which includes reviewing risk profiles routinely, horizon scanning, planning and preparedness work’. That assumes that the Lead Government Departments are adequately resourced to conduct the kind of monitoring and mitigation which proper risk management needs. The UK government tracks and prepares for over a hundred national risks. Most involve cross-cutting responsibilities. It is difficult to see how this can be managed without an empowered central risk office based in the Cabinet Office which not only designates lead risk owners for each risk but knows how those risks are being monitored, mitigated, prepared for, what the warning system is and who is responsible for responding to the warning. More than just the identification of a possible future risk is needed. Risks need to be monitored and assessed with alerts fed into an effective warning process that ensures risk mitigation decisions are taken and if action is not being taken that that is a result of a considered decision.

In terms of the traditional ‘three lines of defence’ of risk management, the most urgent question for the UK government is about the quality of the first line: the identification, monitoring, mitigating and warning of risks. But the second line (oversight, possibly by a Chief Risk Officer) and third line (independent assurance) are also vital. A fully functioning risk management system would include:

• A strategic plan and a strategic risk register. This would contain those things which matter most to the government, either because they are a threat or hazard which endangers what the country wants to keep safe (like its citizens, its infrastructure, or its economy) or because unchecked it will make it impossible for the government to achieve its strategic objectives.
• Prioritisation of risks.
• Delegation of each aspect of the risk cycle, being clear who has responsibility for the identification, monitoring, mitigation, preparation and escalation of the risk into a central alerting system.
• Analysis of changes in risks by sufficiently resourced analytical teams.
• A central alerting (or strategic warning) system which ensures that sufficiently senior attention is given to significant changes in perceived risk (all the way up to the National Security Adviser having the authority to put a risk issue to the National Security Council).
• Clarity over who will manage the mitigation, response and recovery for highlighted risks.
• A programme of exercising against identified risks.
• Regular centralised strategic review of how risks are changing, aligned to response.

The former Paymaster General argued that ‘we need to think about enhancing our whole system to identify and manage risk, developing our overall capabilities to anticipate, prevent, respond and recover, and giving this work importance in our culture and through our investments. We need action on roles and responsibilities in government’. The Joint Terrorism Analysis Centre (JTAC) was set up on those lines after a perceived warning failure. It has access to all the information held across government on the threat from terrorism, and plays a part in a much wider risk management system by operating the terrorism warning function. The critical aspect, however, is that roles and responsibilities are absolutely clear, which enables departments to support – not compete – with each other.

The hardest part of operating a risk management system is when to make the call that the likelihood of the risk materialising is rising to a point of real concern. Even slow burn crises have a tipping point where a threshold of warning is reached. That warning must be timely, authoritative and sufficiently clear about why it matters to policymakers – it must be listened to as well as heard. Responsibility for warning usually sits with assessment or analysis bodies and it is important that they are able to operate autonomously, regardless of how unwelcome the warning may be to policymakers. The warning must be able to form the basis of a rapid policy analysis of the possible response options and their advantages and disadvantages.

Wherever possible – including for threats to biosecurity or supply chains, for example – an analytical body should be responsible for such warning. For national security risks where there is not already a mission-focused body responsible for warning, this role could fall to the Joint Intelligence Organisation (JIO) and the JIC or a JIC group. If the JIC chair is seen as the senior experienced impartial figure attending the National Security Council, having the traditional warning responsibility but updated for current needs, then it seems appropriate to coordinate the identification and analysis of the different classes of potential threats and the relevant hazards that pose risks for national security within the JIC structure, further enhanced as necessary. Analysis would continue to be based on both secret and open-source intelligence. Policy staff would receive the alerts of rising risk and prepare options for ministers, preserving the distance between analysis that uses intelligence and policy advice.

The warning system would be more user friendly if it included ways of drawing attention to an escalating risk, such as JIO papers carrying (when appropriate) a formal early warning indicator notice. This would ensure that the paper was noted by the departments responsible for those risks who would either take appropriate action or account for why not. If the JIO were to decide to do this, it would need to be standardised, controlled and authoritative – and right most of the time – to endure. It is much easier to flag escalating risks in hindsight than at the time. The JTAC model offers a possible comparator; the National Risk Register would be a starting point for identifying what are the issues within their remit on which the JIC should be seeking to provide early warning indicators, and if not the JIC, which other body is responsible for wider classes of risk.

Maintaining Focus

Running a world class analysis and assessment capability that enables a virtuous circle of prioritisation and response requires relentless attention and clarity of purpose as to the outcomes sought. The analysis of threats, hazards and opportunities requires the capability to work on ‘open source’ as well as more highly classified intelligence simultaneously. That means organising and accessing structured and unstructured data, involving drawing inferences from the huge quantities of data now available as well as the small shafts of light that can be the difference between success and failure in warning. In these resource-constrained times, machine learning and data science may speed up analysis or cover areas for which there is simply not enough human resource, but it will act as an enhancer not a substitute for skilled analysts.

Conclusion

We conclude by returning to the people with the diverse skills needed to make all this possible: the data analysts, subject matter experts and experienced policy officials. The best teams are composed of a diverse mixture of minds and skills, and the analytical process must be designed to discourage groupthink and to create space for imaginative thinking. Risk assessments should cut across disciplines to identify opportunities as well as monitor and warn of threats. If the processes are working properly in the right structure, then the analytical teams will have the satisfaction of knowing that they are responsible for communicating how threats or hazards are changing and that their work is directly contributing to the safety and security of the public.

The views expressed in this article are the authors’, and do not represent those of RUSI or any other institution.