The Government has formally announced and published an updated version of the National Risk Register. It is the external version of the National Security Risk Assessment, and provides the government’s updated assessment of the likelihood and potential impact of a broad range of risks that may directly affect the UK and its interests. In accordance with the principles of the UK Government Resilience Framework to communicate risk information in a more open and accessible way, this version is more transparent than ever. Nonetheless, some risks in the NSRA remain classified.
The Government makes a distinction between:
- ‘acute’ risks: discrete events requiring an emergency response; and
- ‘chronic’ risks: long-term challenges that gradually erode our economy, community, way of life, and/or national security.
The NRR focuses on acute risks only.
The NRR includes information about 89 risks, within 9 risk themes – although several risks could be categorised under more than one theme. These are:
- State threats
- Geographic and diplomatic
- Accidents and systems failures
- Natural and environmental hazards
- Human, animal and plant health
- Conflict and instability
For each of the risks report sets out a “reasonable worst case scenario” (RWCS) – ie one that discounts extremely unlikely events. This is then assessed for likelihood and impact.
- “Likelihood” is an expert assessment of the chance of the reasonable worst-case scenario occurring within 5 years for non-malicious risks and 2 years for malicious risks;
- “Impact” is assessed over a range of 7 broad categories but is boiled down into three main areas: number of fatalities (with “Catastrophic” being over 1,000); casualties (over 2,000) and financial (tens of billions of pounds).
The risks are then displayed in a table. In the version below, we have focused on the catastrophic risks (regardless of likelihood) and the most likely risks regardless of impact. We have also listed the risks with “Significant” impact in the 5%-25% likelihood range.
The risk of another pandemic is the most likely catastrophic event, upgraded in likelihood from the assessment 3 years’ ago. Looking back at pandemics since 1900, and of course learning from the recent one, experts believe the RWCS to be an unmitigated respiratory pandemic, but the Government is planning for a range of others, including “Disease X”, an unknown pathogen.
The related risk of an outbreak of an emerging infectious disease (such as Ebola or MERS) is assessed as being slightly less impactful (“significant” – up to 1,000 deaths), but clearly merits close attention.
Failure of the National Grid would also be “catastrophic” and, although having a slightly lower impact, the related risks of an attack on energy infrastructure and severe space weather are rather more likely. These are scenarios explored by Oliver Letwin in “Apocalypse How?”.
Nuclear radiation risks, whether due to an attack or accident, are also potentially catastrophic. Even though assessed as lower likelihood (even down to being classed as “remote”) must not be dismissed.
Technological failure at a UK critical financial market infrastructure is one of the highest impact most likely risks, and perhaps the one with the most commercial impact. Arguably, it could have been rated as “significant” impact given the systemic effect it would have on the economy. The report recognises that their criticality to the functioning of UK financial systems means a sustained outage could threaten the UK’s financial stability, with impacts felt across the economy. However, it may feel that finance sector organisations will have ensured that their critical business services are resilient to severe but plausible scenarios.
Terrorist attacks of various kinds are given high likelihoods, with the risk of “assassination of a high-profile public figure” featuring for the first time. The murders of MPs David Amess and Jo Cox provide evidence for this, and the increasingly vitriolic environment of social media tends to support the assessment. The impact of these events is assessed as “Limited“, though the report does accept that there could be civil outrage directed at communities to which perpetrators are believed to be affiliated.
Large organisations should probably consider the need for contingency plans for all 89 risks, and all 9 themes. Thinking through the implications of the more likely and more impactful risks is the least that needs to be done.
In many cases, organisations can build some generic resilience responses – “risk-agnostic” preparations and disaster recovery plans.
Written by Huw Williams, SAMI Principal
The views expressed are those of the author(s) and not necessarily of SAMI Consulting.
Achieve more by understanding what the future may bring. We bring skills developed over thirty years of international and national projects to create actionable, transformative strategy. Futures, foresight and scenario planning to make robust decisions in uncertain times. Find out more at www.samiconsulting.co.uk.
If you enjoyed this blog from SAMI Consulting, the home of scenario planning, please sign up for our monthly newsletter at firstname.lastname@example.org and/or browse our website at https://www.samiconsulting.co.uk