Response to the National Risk Register 2023
The Government has published the National Risk Register 2023 (NRR ‘23), which follows previous versions in 2017 and 2020 and is the eighth edition since the first publication in 2008.
The risk registry is vital at a national level to identify the most significant risks that could occur, and provide information about what’s being done about them.
Strikingly, for the first time this edition includes many risks previously only covered in the confidential National Security Risk Assessment (NSRA). This means 89 individual risks feature in NRR ‘23, compared to just 38 in the 2020 edition. The target audience is stated to be a broad range of risk and resilience practitioners, who should welcome the greater degree of transparency here, as well as the proposed digital tool to facilitate online engagement. To build understanding of the risks faced and the importance of investing in resilience, we would encourage the use of innovative engagement with the broader public, for example via an interactive online survey.
Overview
There is much to commend in NRR ‘23. It is transparent, it recognises that the UK faces an ‘ever-changing and growing set of risks’, and it emphasises the need for preparedness and fortified resilience to them.
We welcome the increase in the assessment timescale for ‘non-malicious’ risks from two to five years, and on the biosecurity side the recognition that pandemic risk is usually caused by novel pathogens — with reference to the WHO’s ‘Disease X’ approach — and that larger-scale CBRN [1] biological scenarios could have catastrophic impacts. The report acknowledges that a more pathogen- and transmission route-agnostic approach to pandemic risk is required, supported by detection/surveillance capability, scalable diagnostics and stockpiled countermeasures. In the AI space, there’s a welcome emphasis on a new ‘central risk function’ to identify and monitor AI risks, which was first proposed in the AI white paper earlier this year.
Ten areas for further development
With a view to continuing to improve the NRR and resilience more generally, we’d suggest considering the following areas:
1. Artificial Intelligence
AI risks and their implications are missing from the acute risks covered in this NRR, albeit it recognises that they span chronic and acute risks. Examples of acute impacts include AI's potential to exacerbate accidents as well as cyberattacks and mis/disinformation.
2. Biosecurity
The reasonable worst-case scenario impact numbers for pandemic risk still look to be anchored to pandemic influenza and appear understated (the 4% of symptomatic infections requiring hospitalisation with 2.5% case fatality ratio mentioned are derived from the 2011 Influenza Pandemic Preparedness Strategy).
As a result, the proposed generic pandemic scenario approach lacks breadth. This should be addressed by complementing data from past events with an assessment of future risk based on what is feasible and possible. As the Government’s Scientific Pandemic Influenza Group on Modelling in November 2018 stated, ‘A pandemic with a case fatality ratio above 2.5% cannot be ruled out’.
Progress has been made since the 2017 edition’s estimate of up to 100 fatalities in the case of a non-influenza emerging infectious disease, but further work is clearly required in this area.
3. Great power conflict
Given the significant fragmentation seen in the international order, scenarios around potential great power conflict should be further developed. The current Defence Secretary has recently highlighted his view that the UK will be in conflict within this decade.
The risk related to attack on a non-NATO ally or partner is scored here at the highest likelihood although its impact is stated to be moderate. Risks related to an attack on a NATO member, or to conventional or nuclear attacks on the UK are left unscored (at least in the public-facing NRR).
Other scenarios are left unexplored. What would be the implications for the UK and globally of a clash followed by sustained conflict between the US and China in the South China Sea? Or the destruction by a hostile state of North Sea gas and oil pipeline infrastructure cutting off supply from Norway to the UK and Europe? (Sub-Atlantic telecommunications infrastructure is covered but North Sea energy infrastructure isn’t, nor are the potential conflict implications around both in case of attacks).
4. Vulnerability assessment
The implication in the new NRR is that the assessment methodology for acute and chronic risks will be different (the refreshed Integrated Review 2023 — IR ‘23 — refers to a cross-government exercise to identify vulnerabilities related to chronic risks, and thereby to a shift away from considering only likelihood and towards looking at broader preparedness).
Our view is that vulnerability assessment should also be applied to acute risks in the NRR, to complement likelihood assessment. It should cover existing mitigations and their effectiveness, crisis response plans/capability and the source/velocity of the risk.
5. Interconnected risks
Interconnectedness of risks and their compounding/cascading effects should be explored. What, for example, would happen if an attack on a NATO member occurred at the same time as crippling cyber attacks on the UK’s National Electricity Transmission System (NETS) and telecommunications infrastructure, and the release of a biological agent in London?
6. Risk ownership and risk management framework
Ownership and accountability for risks, especially those which are cross-cutting, should be assigned by department/team in the register. This should be linked to a cross-cutting risk management framework (see the risk governance section of our response to the Resilience Framework).
7. Risk mitigations
Further mitigations and related actions/deadlines should be identified and assigned by department / team. The NRR '20 contained short sections on 'what's being done about the risk' [2] — this version skips to 'response capability requirements' and 'recovery', omitting most preparedness measures.
8. Audit process
The audit process around these mitigation actions and around exercising programme follow-ups should be clarified.
9. Adaptive capacity
Adaptive capacity - responsive, forward-facing and agile learning capability - should be established in the NRR process. According to the IR '23, the NSRA is now subject to rolling, iterative review [3] — there’s clearly a question as to how this will inform the NRR to ensure it's kept equally dynamic. More broadly, there’s also the question of how the NRR links to the strategic objectives outlined in IR ‘23, and how these are iteratively reviewed in the context of the risks to them.
10. Chronic risk assessment and timeframe
The removal of chronic risks from the NRR makes their timely and thorough assessment important; this should include extreme risks and be conducted across a 15-25-year timeframe.
Overall the NRR ‘23 represents a step in the right direction towards the UK becoming more resilient, but much work remains to be done. We look forward to playing our role in supporting the government as it continues to build preparedness and to explore and assess chronic risks.
Footnotes: [1]: CBRN = Chemical, biological, radiological and nuclear [2]: 2020 National Risk Register, pg. 25: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/952959/6.6920_CO_CCS_s_National_Risk_Register_2020_11-1-21-FINAL.pdf
[3]: 2023 Integrated Review Refresh, pg. 46: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1145586/11857435_NS_IR_Refresh_2023_Supply_AllPages_Revision_7_WEB_PDF.pdf