On Monday, the UK Government published its long-awaited Integrated Review Refresh 2023. Its emphasis on resilience — especially at a time of heightened volatility — is a welcome step. But resilience to systemic and extreme risks must be enhanced by implementing an overarching risk management framework across Government, based on the ‘three lines of defence’ model.
We highlighted these key points in our November 2022 evidence submission to the FAC inquiry into the IR refresh, as well as in our December 2022 response to the UK Government Resilience Framework.
Below, we detail some of the main strengths of IR23 (Integrated Review Refresh 2023), as well as areas of concern that we think need addressing.
1. Recognition that the risk environment is increasingly volatile: ‘We are now in a period of heightened risk and volatility that is likely to last beyond the 2030s.’ This is ‘a difficult and dangerous decade’.
2. Resilience remains a key pillar of IR23, with the stated aim to ‘address vulnerabilities through resilience’.
3. IR23 builds on the UK Government Resilience Framework, with a greater emphasis on ‘dealing with strategic vulnerabilities’ and identifying underlying dimensions of vulnerability; a cross-government exercise will be conducted to identify vulnerabilities, and eight known areas of existing vulnerability and actions within each are broadly summarised.
4. Mention of ‘health resilience’ and in particular the collaboration of the new Centre for Pandemic Preparedness with the US National Center for Epidemic Forecasting and Outbreak Analytics is welcome - we’re excited to see the upcoming Biosecurity Strategy.
5. The NSRA becomes iterative with a rolling review of risks - thereby potentially much more dynamic.
6. Longer timescales and multiple scenarios will be applied to risk assessment.
7. External challenge is included in risk assessment, and red-teaming and other challenge activity is mentioned as having been conducted on IR23.
Areas of concern:
1. No specific reference is made to ‘low-probability, catastrophic-impact events’ as mentioned in IR21, or to extreme risks. These might be included in the category of ‘chronic risks’, now separated from the ‘acute’ in the NSRA, but extreme risks can also be acute and may not be ‘enduring’ or low-probability. Given their impact they should be specifically referenced.
2. Our key recommendations to build on the Resilience Framework still stand:
i) Resilience requires the separation of risk ownership, oversight and assurance - which provides for clear accountabilities. Improved risk governance is vital if resilience is to be enhanced and cross-cutting systemic risks properly managed. It should include an overarching risk management framework across government based on the ‘three lines of defence’, a government Chief Risk Officer and an independent National Resilience Institute reporting to Parliament.
ii) Identification of vulnerabilities is mentioned but the process, the resulting actions and the budget dedicated to improving resilience are largely unexplained. Thorough vulnerability assessment should be carried out across the risk registry (covering both ‘acute’ and ‘chronic’ plus emerging risks) and weighed against impact, producing an impact:vulnerability matrix. The output will help identify the further mitigation work required to plug gaps, which should be assigned to accountable risk owners over specified timeframes, as well as the budget and trade-offs involved.
iii) Extreme risks are global in nature, and there is more the UK could do to play a leadership role in enhancing global risk governance. One way of achieving this is by advocating for a dedicated multilateral resilience forum to tackle extreme global risks, which might itself be partial mitigation for the increasing fragmentation we currently see in the international order.
3. AI is consistently referenced as an innovation opportunity. It should also be recognised as a risk, particularly in the areas of disinformation, cyber and critical infrastructure security. Managing and regulating against this risk won’t inhibit innovation, but will help ensure it’s reliable and safe.
4. ‘Security through resilience’ is quoted as a new model for national security, to be driven by the new NSC subcommittee on resilience. There’s a danger that resilience becomes increasingly seen through a national security lens, and sight is lost of the broader spectrum of risks which require this subcommittee’s consideration.
5. The ‘bouncing forward’ aspect of resilience is overlooked, with a definition that ends with recovery (or ‘bouncing back’). (The work of the vaccine task force could be seen as one example of resilience that left the UK in a better position than it had been pre-pandemic, thanks to the agility in its establishment and operation.)
6. Adaptive capacity isn’t mentioned in relation to the refreshed IR. The FAC recommended that a National Resilience Strategy be subject to regular cross-Government meetings that ‘discuss shared efforts to improve UK’s resilience to threats across all policy areas’. The IR can be kept adaptive, dynamic and forward-looking by being subjected to the same regular cross-government challenge (perhaps best done in cross-departmental workshops) so as to keep up with the fast-changing risk environment. As with the NSRA, updating it shouldn’t be a biennial review exercise but a rolling, adaptive process.
7. The Foreign Secretary’s statement and the ensuing Commons debate focused on Ukraine, state threats, the defence budget and the Indo-Pacific ‘tilt’, with very little mention of or focus on resilience. This was a missed opportunity to advocate the global leadership role which the UK could take on enhancing resilience to extreme risks if it builds on the Resilience Framework in the ways recommended above.