On Monday, the UK Government published its Resilience Framework, long-awaited by resilience experts across all sectors. It is a welcome first step to enhance the UK’s preparedness and ability to prevent major risks.
The Framework follows on from the Integrated Review’s commitment in 2021 to build the UK’s resilience to “low probability, catastrophic-impact events”. [1] Initially envisaged by then Cabinet Office Minister Penny Mordaunt in July 2021 as a fully fledged strategy which would signify a “fundamental step change” [2] in UK resilience, acknowledging the need to “develop our understanding of questions about the prospects of humanity against AI, hostile acts and natural disasters at a scale not seen before.” [3]
Overview:
There is much to commend. The Framework sets out a vision for UK resilience which is already in train and looks out to 2030. In Whitehall, it introduces a Head of Resilience, a Resilience Directorate and a new resilience sub-committee of the National Security Council. It commits to reinvigorating the National Exercising Programme and building a new National Resilience Academy. In Parliament, there will be an annual statement on resilience.
The Framework also promises clear ownership of all risks, including complex and catastrophic risks. If done thoroughly, with external expert input, this would represent a major improvement in our national resilience. Furthermore, the National Security Risk Assessment, the Government’s analysis of the UK’s greatest threats, has been overhauled. It will look further ahead than previously, moving from a 2-year to 5-year time horizon for some risks.
It isn’t yet clear whether funding will be readily available to cement the UK’s role as a resilience world leader, but there are two initial promising signs. Firstly, the Framework rightly acknowledges that investing adequately in crisis prevention is more cost effective than merely responding to them. Secondly, it commits HMG to a “coordinated approach to [its] investment in resilience”, [4] and will track current and future levels of investment across departments on resilience.
Six areas identified for further work:
At the same time, we have identified six areas where further work is needed over the course of 2023 and beyond to ensure an acceptable level of national and global resilience:
1. Risk governance
There remains insufficient separation between risk ownership, oversight and assurance in Government. This will change if Government instigates an overarching risk management framework based on the “three lines of defence” model, with a Government Chief Risk Officer (CRO), but this is not mentioned in the Framework. It is possible that the new Head of Resilience could have a role akin to a CRO, but this would depend on them having a clear and fully empowered oversight role. They would need a dual reporting line into a) the chair of the NSC sub-committee (ideally the Prime Minister) and b) the chair of an independent resilience institute. The Climate Change Committee, established by statute, provides a useful model —— it sits outside of government, providing external expertise and scrutiny and reporting to Parliament.
2. Risk assessment, mitigation and budget
Consideration of impacts and vulnerabilities is mentioned but left unexplained. Vulnerability assessment should be carried out alongside likelihood and weighed against impact. This will help identify further mitigation work required to plug gaps, which should be assigned to accountable owners over specified timeframes. Though “concentrated investment” [5] into “identified gaps” [6] is promised, it remains unclear where this funding will come from and by when.
3. National Security Risk Assessment time horizons
The time horizon for chronic catastrophic and existential risks needs to be set at 15-25 years, as the extended 5-year horizon will not be sufficient to capture all of them. They may also need a separate register.
4. Bespoke focus on extreme risks
Extreme risks related to AI, climate and biosecurity should feature more prominently as originally called for by the Cabinet Office when beginning this work. They’ll require extensive prevention and preparedness efforts over a sustained period.
5. Bouncing forward
Resilience should facilitate “bouncing forward”, not simply bouncing back. There needs to be more emphasis in the Framework on adaptive capability. The risk registry must be kept dynamic via regular review and challenge. It must also be responsive to both emerging risks and interdependencies which may trigger compounding effects.
6. International resilience
Extreme risks are global in nature, and there is more the UK could do to play a leadership role in enhancing global risk governance. One way of achieving this is by advocating for a dedicated multilateral resilience forum to tackle extreme global risks, which might itself be partial mitigation for the increasing fragmentation we currently see in the international order.
Overall, the Framework is a promising step on the road to transforming UK and global resilience to major risks, but there is more to be done to achieve the “fundamental step change” [7] we should be targeting. The Framework rightly puts a “whole of society” [8] approach front and centre, since everyone has a stake in building a resilient world. At CLTR, we look forward to playing our part in this in the months and years to come.
Footnotes:
[1]: Integrated Review, pg. 88: https://www.gov.uk/government/publications/global-britain-in-a-competitive-age-the-integrated-review-of-security-defence-development-and-foreign-policy
[2]: https://www.gov.uk/government/speeches/paymaster-general-speech-on-national-resilience-strategy-delivered-on-13-july-2021
[3]: https://www.gov.uk/government/speeches/paymaster-general-speech-on-national-resilience-strategy-delivered-on-13-july-2021
[4]: Resilience Framework, pg. 52
[5]: Resilience Framework, pg. 52
[6]: Resilience Framework, pg. 52
[7]: https://www.gov.uk/government/speeches/paymaster-general-speech-on-national-resilience-strategy-delivered-on-13-july-2021
[8]: Resilience Framework, pg. 1