Most businesses and organisations have a risk register. Unfortunately, too often this is a document that the Board considers right at the end of the meeting when time is short and people are already packing up their papers – and their attention – ready to go.
Nations and their governments have their own equivalents. In the UK, there has been a public version of the National Risk Register for the last fifteen years and the seventh edition (NRR23) has just been issued. It emerged quietly in the first week of August with Parliament in recess (its predecessor came out just before Christmas in 2020). Perhaps low-key publication is the equivalent of the item at the end of a meeting agenda.
There is no doubt that this version is the most detailed and sophisticated so far: the 2008 register (45 pages) highlighted twelve risks; the 2023 version (191 pages) includes information about 89.
The risks are grouped into nine risk themes: terrorism; cyber; state threats; geographic and diplomatic; accidents and system failures; natural and environmental hazards; human, animal and plant health; societal; and conflict and instability. The uneasy ‘fit’ of some of the risks demonstrates the complexity of the risk landscape, and the not insignificant challenge of navigating it.
Each risk is considered in terms of a “reasonable worst-case scenario” with highly unlikely variations discounted. The risks are then assessed in terms their likelihood of occurring in the assessment period (five years for non-malicious risks and two years for malicious risks) on a logarithmic scale where those scoring 5 have a more than 25% chance of occurring through to 1 for those with a chance of less than 0.2%. This is coupled with an assessment of the impact of the risk concerned – again on a five-point scale – with the lowest category envisaging up to eight fatalities, 16 casualties and an economic cost in the millions of pounds and the highest – catastrophic – assuming over a thousand fatalities, 2,000 casualties and an economic cost in the tens of billions of pounds.
These are then plotted on a matrix with the assessed “reasonable worst-case” impact shown on one axis and likelihood on the other. The good news is that there is no risk listed as falling in the catastrophic box with a likelihood of greater than 25%.
There are, however, five risks shown as being catastrophic but with lower levels of likelihood. Another pandemic falls in the second highest band with a 5-25% chance of occurring in the next five years. A failure of the National Electricity Transmission System and a largescale CBRN attack are shown as being catastrophic but with likelihoods of 1-5%, while a civil nuclear or a radiation release from an overseas nuclear site might have similar effects but are seen as having a likelihood of less than 0.2%.
In the highest category of likelihood (ie over 25% in the next two years, but with less than catastrophic impacts) are various types of terrorist attack, the assassination of a high-profile public figure or an attack on a UK ally or partner outside NATO. Also seen as being in the highest category of likelihood are a technological failure in UK critical financial market infrastructure, a disaster in one of the UK’s Overseas territories or a major outbreak of the plant pest xylella fastidiosa.
The Register goes on to give a brief description of each of the risks covered with an outline of the reasonable worst-case scenario, the assumptions behind that scenario, possible variations to it, what responses might be necessary and the longer-term impacts arising. These are necessarily quite sketchy and no further detail seems yet to be publicly available even via the new digital platform that has been established by the Cabinet Office to improve access.
Such detail is important. In practice, each of the headline risks draws on a number of scenarios with different impacts and likelihoods (although it is by and large the reasonable worst case scenario that is described). An assessment is also made of the levels of uncertainty that surround particular risks and, in some instances (but not all), that is indicated in the commentary.
For malicious risks, likelihood combines a number of factors: intent and capability of a hostile actor, along with the vulnerability of the target. Presumably, more detail is given within the classified National Security Risk Assessment. Its absence here presents a challenge for organisations, however – to plan a proportionate response they need to understand how these factors interact in terms of their own status.
This raises the first big question about NRR23: who is it aimed at?
The document itself says that it “is not targeted at the general public”. Instead, there are existing focused campaigns to help people protect themselves against specific threats – “Run, Hide Tell’ is cited in respect of terrorism, along with ‘WeatherReady’ to help individuals, families and communities prepare for and cope with severe weather, and ‘Cyber Aware’ that provides advice on how to stay secure online. Presumably, new campaigns will be added to that list as they emerge.
NRR23 also contains a chapter aimed at “organisations that might have a role in communicating preparedness information to members of the public or to employees” with a series of “examples of actions that could be suggested to individuals”. This rather begs the question as to why the opportunity has not been taken for a version of the Risk Register to be prepared specifically for the general public and containing – as practical advice – the actions described in the chapter. Other Governments seem to be able to guide their citizens in this way – see, for example, the Swedish booklet for households, “If Crisis or War Comes”. The booklet format is important – citizens are unlikely to proactively search for the latest advice on a website, unless they first know it exists. A hard copy would act as a physical reminder of the need to be prepared and could be quickly and easily consulted even in the midst of power outages or internet failure – two of the risks on the Register.
The Register is ostensibly designed for “a broad range of risk and resilience practitioners”. Examples given include those in voluntary and community sector organisations who may be involved in responding to emergencies. It might have been helpful , then, to have included information, explicitly aimed at practitioners, that suggests what they might actually do to respond to and prepare for the risks identified.
Businesses are also expected to use NRR23 to “understand the most serious risks that could impact their business continuity”. This is an important aspiration, but the broad category of ‘businesses’ encompasses small- and medium-sized enterprises alongside those who operate the critical national infrastructure. The risks in the Register are described very broadly, with only high-level information about the potential impact and response requirements. Useful guidance for those who operate a corner shop will need to be very different from that which is relevant for those who run a manufacturing business with 300 people working for it. And that in turn will need to be different from what will be useful for a CNI supplier that may be international and have 20,000 or more employees.
The second big question about the Register is what it leaves out. The Deputy Prime Minister in his foreword says “information has only been excluded where there is a specific reason to do so, for example for national security reasons or for commercial confidentiality”. No one would argue with that.
In focussing only on ‘acute’ risks (defined as “discrete events requiring an emergency response”), NRR23 deliberately omits ‘chronic’ risks which are described as “long-term challenges that gradually erode our economy, community, way of life, and/or national security”. There is a rationale for this: emergency practitioners (a target user group) will need to focus on and respond to sudden events. NRR23 does acknowledge that ‘chronic’ risks will also require a “robust government-led response” and alludes to a forthcoming process for assessing such risks However, the ‘chronic’ will inevitably affect society’s ability to be prepared and resilient so as to deal with the ‘acute’. It would be a strange business organisation that decided – as a matter of policy – that it would exclude from its risk register underlying threats to its future existence or well-being.
Chronic risks require us to be prepared and to build resilience, just as ‘acute’ risks do – but with the effects of chronic risks manifesting over a longer timeframe, there is a real risk of wandering off course whilst attention is focused on more proximate or tangible risks. The four examples listed as being ‘chronic’ and therefore excluded are:
- Climate change. This is – for most rational people – undeniable and its consequences, including more intense and more frequent extreme weather events, are impacting on virtually every part of the world including the UK. There is, of course, a wider Government Net Zero Strategy (although commitment to it sometimes seems to waver), but climate change is potentially all-embracing. It will precipitate or exacerbate ‘acute’ events and risks – not just weather-related. There will, for example, be impacts on supply chains, along with the consequences of international population movements and associated upheaval. There is a pressing need for individuals, organisations, businesses, and communities, as well as government and its agencies, to build in preparedness and resilience for the impact of climate change over the next ten years and beyond – and this should be part of current planning.
- Anti-microbial resistance (AMR). This causes around 7,600 deaths in the UK each year. Again, government has a risk-specific strategy. However, AMR will impact on the capacity of the health service to deal with future pandemics and other health-related threats. Moreover, some of those threats will be intensified by an AMR component. Given our high dependency on anti-microbial drugs, this is a strange exclusion.
- Serious and organised crime. This undoubtedly has the capacity to erode the resilience of the UK’s economy and be damaging to the cohesion of local communities. The National Crime Agency has the lead role in assessing the threat and in coordinating work with other parts of law enforcement to address the problem. However, serious and organised crime may exacerbate the management of many of the threats in NRR23 and undermine public trust in public authorities, so its interaction with the ‘acute’ risks is important.
- Artificial intelligence (AI) and its capabilities. AI is developing at an extremely rapid rate. While many applications may be beneficial and support efforts to mitigate the ‘acute’ risks in the Register, AI also has the potential to exacerbate the threats from hostile actors and is also likely to have unanticipated consequences in all of the domains considered in NRR23. More specifically the use of AI by hostile actors to undermine public confidence and trust in public authorities must be considered a real and present danger.
These ‘chronic’ risks are all capable of overlapping with the ‘acute’ risks considered in NRR23 and this highlights the third question about the Register: where is the consideration of simultaneous or overlapping risk events that may amplify each other and create cascading consequences?
A simple and current example is industrial action in the NHS which is leading to increased backlogs of people waiting for treatment on top of those who have already had their treatment delayed because of the Covid pandemic. The two backlogs combined create a vulnerability in the ability of the health system to respond to any other threat that may produce large numbers of casualties or people seeking care. Indeed, implicit in the ‘response capability requirements’ listed against each of the risks on the Register is an assumption that the support services needed will all be functioning optimally at the time that they are required.
Most of the risks described refer to a need for health system response and many point to longer term requirements from both physical and mental health systems. The capacity of support services and systems is managed by the responsible Government department, but the link between preparedness and surge capacity and the responses required by risks in the Register needs to be explicitly drawn.
More fundamentally, it is not clear whether systemic risk is really being addressed in NRR23 and, if so, how? The Government’s approach is that each risk should be “owned” by a lead government department (LGD), which has the responsibility for ensuring that appropriate action is taken on risk identification and assessment, on prevention/preparation and emergency response, and on recovery after the event. Unfortunately, the relevant LGD is not listed against each of the risks considered in NRR23.
Another guidance document (“The Roles of Lead Government Departments, Devolved Administrations and Other Public Bodies”) was published at the same time as NRR23 that sets out some of this. This is undoubtedly very useful, but the list of emergencies – although pretty comprehensive – does not read across neatly to the listings in NRR23. The guidance does at least acknowledge that “an emergency may occur where it is unclear which department should take the overall lead” and under those circumstances the Cabinet Office is expected to advise the Prime Minister on which is the most appropriate LGD and coordinate the response until an LGD is confirmed. Surely there is a case for explicitly stating that the Cabinet Office will be the designated LGD for systemic, overlapping or complex risk scenarios?
The final question about NRR23 is what steps are being taken to mitigate and prepare for the various risks listed? Most organisational risk registers would list against each risk the steps being taken to minimise the likelihood of the risk arising and to limit the consequences if it were to occur. It may be the intention that this will be covered in another document – perhaps the promised Annual Statement to Parliament on civil contingencies risk and performance on resilience. Unless this is done, the Register is in danger of merely being a litany of the bad things that might happen. Surely more assurance needs to be given that appropriate action is being taken?
Despite these reservations and unanswered questions, the new National Risk Register is undoubtedly an improvement on its predecessors. It is to be hoped that NRR25 will be even more comprehensive with versions that are more appropriate to the needs of different types of users.
Most businesses and organisations have a risk register. Unfortunately, too often this is a document that the Board considers right at the end of the meeting when time is short and people are already packing up their papers – and their attention – ready to go.
Nations and their governments have their own equivalents. In the UK, there has been a public version of the National Risk Register for the last fifteen years and the seventh edition (NRR23) has just been issued. It emerged quietly in the first week of August with Parliament in recess (its predecessor came out just before Christmas in 2020). Perhaps low-key publication is the equivalent of the item at the end of a meeting agenda.
There is no doubt that this version is the most detailed and sophisticated so far: the 2008 register (45 pages) highlighted twelve risks; the 2023 version (191 pages) includes information about 89.
The risks are grouped into nine risk themes: terrorism; cyber; state threats; geographic and diplomatic; accidents and system failures; natural and environmental hazards; human, animal and plant health; societal; and conflict and instability. The uneasy ‘fit’ of some of the risks demonstrates the complexity of the risk landscape, and the not insignificant challenge of navigating it.
Each risk is considered in terms of a “reasonable worst-case scenario” with highly unlikely variations discounted. The risks are then assessed in terms their likelihood of occurring in the assessment period (five years for non-malicious risks and two years for malicious risks) on a logarithmic scale where those scoring 5 have a more than 25% chance of occurring through to 1 for those with a chance of less than 0.2%. This is coupled with an assessment of the impact of the risk concerned – again on a five-point scale – with the lowest category envisaging up to eight fatalities, 16 casualties and an economic cost in the millions of pounds and the highest – catastrophic – assuming over a thousand fatalities, 2,000 casualties and an economic cost in the tens of billions of pounds.
These are then plotted on a matrix with the assessed “reasonable worst-case” impact shown on one axis and likelihood on the other. The good news is that there is no risk listed as falling in the catastrophic box with a likelihood of greater than 25%.
There are, however, five risks shown as being catastrophic but with lower levels of likelihood. Another pandemic falls in the second highest band with a 5-25% chance of occurring in the next five years. A failure of the National Electricity Transmission System and a largescale CBRN attack are shown as being catastrophic but with likelihoods of 1-5%, while a civil nuclear or a radiation release from an overseas nuclear site might have similar effects but are seen as having a likelihood of less than 0.2%.
In the highest category of likelihood (ie over 25% in the next two years, but with less than catastrophic impacts) are various types of terrorist attack, the assassination of a high-profile public figure or an attack on a UK ally or partner outside NATO. Also seen as being in the highest category of likelihood are a technological failure in UK critical financial market infrastructure, a disaster in one of the UK’s Overseas territories or a major outbreak of the plant pest xylella fastidiosa.
The Register goes on to give a brief description of each of the risks covered with an outline of the reasonable worst-case scenario, the assumptions behind that scenario, possible variations to it, what responses might be necessary and the longer-term impacts arising. These are necessarily quite sketchy and no further detail seems yet to be publicly available even via the new digital platform that has been established by the Cabinet Office to improve access.
Such detail is important. In practice, each of the headline risks draws on a number of scenarios with different impacts and likelihoods (although it is by and large the reasonable worst case scenario that is described). An assessment is also made of the levels of uncertainty that surround particular risks and, in some instances (but not all), that is indicated in the commentary.
For malicious risks, likelihood combines a number of factors: intent and capability of a hostile actor, along with the vulnerability of the target. Presumably, more detail is given within the classified National Security Risk Assessment. Its absence here presents a challenge for organisations, however – to plan a proportionate response they need to understand how these factors interact in terms of their own status.
This raises the first big question about NRR23: who is it aimed at?
The document itself says that it “is not targeted at the general public”. Instead, there are existing focused campaigns to help people protect themselves against specific threats – “Run, Hide Tell’ is cited in respect of terrorism, along with ‘WeatherReady’ to help individuals, families and communities prepare for and cope with severe weather, and ‘Cyber Aware’ that provides advice on how to stay secure online. Presumably, new campaigns will be added to that list as they emerge.
NRR23 also contains a chapter aimed at “organisations that might have a role in communicating preparedness information to members of the public or to employees” with a series of “examples of actions that could be suggested to individuals”. This rather begs the question as to why the opportunity has not been taken for a version of the Risk Register to be prepared specifically for the general public and containing – as practical advice – the actions described in the chapter. Other Governments seem to be able to guide their citizens in this way – see, for example, the Swedish booklet for households, “If Crisis or War Comes”. The booklet format is important – citizens are unlikely to proactively search for the latest advice on a website, unless they first know it exists. A hard copy would act as a physical reminder of the need to be prepared and could be quickly and easily consulted even in the midst of power outages or internet failure – two of the risks on the Register.
The Register is ostensibly designed for “a broad range of risk and resilience practitioners”. Examples given include those in voluntary and community sector organisations who may be involved in responding to emergencies. It might have been helpful , then, to have included information, explicitly aimed at practitioners, that suggests what they might actually do to respond to and prepare for the risks identified.
Businesses are also expected to use NRR23 to “understand the most serious risks that could impact their business continuity”. This is an important aspiration, but the broad category of ‘businesses’ encompasses small- and medium-sized enterprises alongside those who operate the critical national infrastructure. The risks in the Register are described very broadly, with only high-level information about the potential impact and response requirements. Useful guidance for those who operate a corner shop will need to be very different from that which is relevant for those who run a manufacturing business with 300 people working for it. And that in turn will need to be different from what will be useful for a CNI supplier that may be international and have 20,000 or more employees.
The second big question about the Register is what it leaves out. The Deputy Prime Minister in his foreword says “information has only been excluded where there is a specific reason to do so, for example for national security reasons or for commercial confidentiality”. No one would argue with that.
In focussing only on ‘acute’ risks (defined as “discrete events requiring an emergency response”), NRR23 deliberately omits ‘chronic’ risks which are described as “long-term challenges that gradually erode our economy, community, way of life, and/or national security”. There is a rationale for this: emergency practitioners (a target user group) will need to focus on and respond to sudden events. NRR23 does acknowledge that ‘chronic’ risks will also require a “robust government-led response” and alludes to a forthcoming process for assessing such risks However, the ‘chronic’ will inevitably affect society’s ability to be prepared and resilient so as to deal with the ‘acute’. It would be a strange business organisation that decided – as a matter of policy – that it would exclude from its risk register underlying threats to its future existence or well-being.
Chronic risks require us to be prepared and to build resilience, just as ‘acute’ risks do – but with the effects of chronic risks manifesting over a longer timeframe, there is a real risk of wandering off course whilst attention is focused on more proximate or tangible risks. The four examples listed as being ‘chronic’ and therefore excluded are:
These ‘chronic’ risks are all capable of overlapping with the ‘acute’ risks considered in NRR23 and this highlights the third question about the Register: where is the consideration of simultaneous or overlapping risk events that may amplify each other and create cascading consequences?
A simple and current example is industrial action in the NHS which is leading to increased backlogs of people waiting for treatment on top of those who have already had their treatment delayed because of the Covid pandemic. The two backlogs combined create a vulnerability in the ability of the health system to respond to any other threat that may produce large numbers of casualties or people seeking care. Indeed, implicit in the ‘response capability requirements’ listed against each of the risks on the Register is an assumption that the support services needed will all be functioning optimally at the time that they are required.
Most of the risks described refer to a need for health system response and many point to longer term requirements from both physical and mental health systems. The capacity of support services and systems is managed by the responsible Government department, but the link between preparedness and surge capacity and the responses required by risks in the Register needs to be explicitly drawn.
More fundamentally, it is not clear whether systemic risk is really being addressed in NRR23 and, if so, how? The Government’s approach is that each risk should be “owned” by a lead government department (LGD), which has the responsibility for ensuring that appropriate action is taken on risk identification and assessment, on prevention/preparation and emergency response, and on recovery after the event. Unfortunately, the relevant LGD is not listed against each of the risks considered in NRR23.
Another guidance document (“The Roles of Lead Government Departments, Devolved Administrations and Other Public Bodies”) was published at the same time as NRR23 that sets out some of this. This is undoubtedly very useful, but the list of emergencies – although pretty comprehensive – does not read across neatly to the listings in NRR23. The guidance does at least acknowledge that “an emergency may occur where it is unclear which department should take the overall lead” and under those circumstances the Cabinet Office is expected to advise the Prime Minister on which is the most appropriate LGD and coordinate the response until an LGD is confirmed. Surely there is a case for explicitly stating that the Cabinet Office will be the designated LGD for systemic, overlapping or complex risk scenarios?
The final question about NRR23 is what steps are being taken to mitigate and prepare for the various risks listed? Most organisational risk registers would list against each risk the steps being taken to minimise the likelihood of the risk arising and to limit the consequences if it were to occur. It may be the intention that this will be covered in another document – perhaps the promised Annual Statement to Parliament on civil contingencies risk and performance on resilience. Unless this is done, the Register is in danger of merely being a litany of the bad things that might happen. Surely more assurance needs to be given that appropriate action is being taken?
Despite these reservations and unanswered questions, the new National Risk Register is undoubtedly an improvement on its predecessors. It is to be hoped that NRR25 will be even more comprehensive with versions that are more appropriate to the needs of different types of users.
Share this story
Related posts