The National Risk Register’s Value to Business and Communities

Posted on July 3, 2013 at 12:54 pm

RUSI Analysis, 26 Jul 2013 By John Tesh CBE, Associate Fellow

The 2013 National Risk Register (NRR) of civil emergencies was published by the govt. on 11 July. The danger profile for many communities and businesses remains complex and unpredictable, heightening the cost of the overall measures of resilience and business continuity planning that the NRR promotes.

Nov08MONUKFloodsFRSCOPYRIGHT

What is the National Risk Register?

The National Risk Register (NRR) is a list of the major sorts of emergency which can affect public, private and voluntary sector organisations and businesses, and members of the general public within the UK.

The first NRR was a fabricated from the primary National Security Strategy in 2008. This concluded that the UK’s domestic risk profile was complicated and hard to foretell and, in its most extreme forms, potentially as dangerous as international security threats. a better level of national resilience was needed, as portion of a methodology to advertise not only the safety of the nation but in addition the security of its people.

Resilience – even then a comparatively new term inside the security lexicon – comprised the flexibility to anticipate, reply to, maintain essential supplies and services throughout, and get over, quite a lot of emergencies. Professional front line responders would have a major responsibility.  But, especially in larger scale emergencies, resilience was everyone’s business. And knowledge at the risks must be a lot more widely available.

The obvious source of knowledge was the National Risk Assessment (NRA) – a confidential assessment of the hazards of all types of emergency updated by the cupboard Office annually since 2005.   The NRA assesses the possibility and certain impact of a few 80 to 90 kinds of emergency. In 2010 it provided much of the underpinning evidence for the Government’s National Security Risk Assessment, supplying examples of the key domestic risks posed by international terrorism, natural hazards, and cyber attacks.

Producing a public risk register brought obvious challenges:  public mistrust of presidency publications of this type;  and the right way to set out enough detail to be useful without itemising every kind of emergency, or implying that the past is anticipated to copy itself sooner or later.  The 2008 model of a transparent but dispassionate document, designed to tell but not compel work by organisations to enhance their resilience, have been built on.   But later editions were less inhibited by considerations of classification – a big problem given the secrecy surrounding much of the government’s risk assessment work – and more driven by what people have said they need to grasp and by advances inside the science of emergency risk assessment. The 2013 edition follows this trend, being more open both in regards to the risks and about what’s not within the register.

What Does the 2013 National Risk Register Show?

This is demonstrated most clearly inside the matrices on page 10 of the Register. These provide  broad-order comparisons, using a scale for comparing likelihood where the bottom probability events are four orders of magnitude less likely than the best. The impact scale is in a similar fashion stepped.  Taking the ‘top tier’ of risks inside the National Security Risk assessment first, the NRR shows that:

  • The highest impact risks posed by international terrorism are that terrorists might obtain effective mass impact biological agents or a functioning nuclear device. The possibility of this happening within the following couple of years is expounded to be low but not negligible. These remain a central authority priority for the ‘Prepare’ programme under the ‘Contest’ strategy.
  • The highest risks of natural disasters are of an influenza pandemic, coastal flooding, and a gas-rich volcanic effusion at the scale of the 1783-84 Laki eruption in Iceland. The latter is distinguished from the ‘ash cloud’ risk which scientific opinion rates the lesser of 2 forms of risk from Icelandic volcanic eruptions.
  • Interestingly, the NRR is more sanguine concerning the near term risks of cyber attack than the NSRA is for the long run, both reflecting a central authority view that the hazards listed below are prone to grow because the UK economy and its peoples’ life-style increasingly depend on the net.

The more common risks fall within the low to mid range of impact – serious but not game-changing within the way disasters in say Japan could be. Their disruptive effects are sometimes more pronounced than the threat they pose to life and limb.  Of these, the events likely to disrupt our lives are, unsurprisingly:

  • Extremes of weather: an increasing feature of life in Britain because the climate continues to alter, or even as average temperatures and sea levels continue gradually to extend: the extremes include low temperatures and heavy snow but in addition heatwaves, storms and gales.
  • The consequent risks – also rising over the years – of inland flooding, and conversely of drought particularly in water-stressed areas of the South-East, which the government’s 2012 climate change risk assessment has identified as two of the early onset symptoms of climate change. The hot kid at the block this is the chance of severe wildfire, particularly at the urban fringes, with the 2011 Swinley Forest providing a cautionary tale.
  • Relatively localised terrorist attacks using ‘conventional’ weapons (bombs or firearms). During this the NRR follows the assessment within the latest annual Contest report that, although depleted in numbers and capability, Al-Qa’ida remains able to conducting terrorist attacks inside the UK and other countries, and that Al Qa’ida affiliates around the globe became a comparatively greater threat of their own right to UK interests including on this country.
  • Risks of non-pandemic infectious disease – with the danger of SARS providing the reasonable worst case pending a review of those risks that needs to take note of the manager Medical Officer’s concerns about anti-microbial resistance. The NRR also notes the rising risk of zoonotic and non-zoonotic animal disease which – because the 2001 and 2007 outbreaks of Foot and Mouth Disease showed – may cause significant disruption even if the outbreaks are effectively contained as they were in 2007.

What Does it not Show?

To those using the NRR to enhance their preparedness for emergencies, knowing what it doesn’t cover can also be important. Adoption of the definition of an emergency from the Civil Contingencies Act, and a definition of likelihood that excludes implausible events or those whose return periods will not be known and can’t be guessed, implies that the NRR is not going to assess the possibility of serious asteroid strikes or earthquakes in populated areas  although these are at the ‘reserve list’ of risks which the cupboard Office maintains for annual review. The NRR eschews ‘composite’ emergencies where two or more other kinds of emergency coincide, for the reason that difficulties of assessing likelihood here will be formidable.   Everyday events equivalent to street crime, which many would view as being more threatening than large scale disasters., are excluded because  the purpose of the NRR is to aid the nation and its people handle unusual circumstances as opposed to to itemise all the pieces that may make life a misery.

Assessment

In 2009, the OECD praised the NRR as ‘innovative best practice in risk communication to the public’, observing that its publication was “the beginning of a dialogue with the general public” and so – in effect – praising the initiative while reserving judgment on how effective this was more likely to be.

Five years later, the product is still improved, and portion of this seems to be as a result of increased demand from one of many key stakeholders: businesses increasingly curious about business continuity but strapped for resources and wanting an accessible, objective, but authoritative catalogue of emergency planning scenarios.

Infrastructure Resilience

Pressure from big businesses, particular within the infrastructure sectors, to make accessible more of the detail underpinning the National Risk Register is growing. Key business sectors are showing a better interest in embedding disaster risk management of their business processes, and to comprehend the character of a few of the dangers – just like the risks of non-nuclear electro-magnetic pulses emanating from the sun – which require the type of cross-disciplinary scientific analysis it is increasingly the hall-mark of the NRA.  

This year’s Global Assessment Report on Disaster Risk Reduction (GAR ’13), highlighting the effect of disasters on long-term business competitiveness and sustainability, will whet business appetite for objective data at the risks. And the publication of ‘sector resilience plans’ for every of the most UK national infrastructure sectors shows that there’s at the very least the beginnings of a move to balance investment in reducing vulnerabilities with business continuity; and to factor the future risks into investment plans for brand spanking new build infrastructure.

Business Continuity

In the meantime, government efforts to advertise business resilience – including publication within the NRR of entry level data on risks to business – could have helped to advertise the broader reason behind improved business continuity planning.   A 2012 CMI survey[i] showed that, between 2008 and 2012, business continuity management increased from 42% to 60% in not-for-profit organisations surveyed, and from 43% to 52% in private sector organisations. Business continuity planning in medium sized organisations increased from 42% to 61%;  but micro and small businesses still lag behind for the apparent reason that they probably think they can not afford even an entry level investment in resilience. The collaborative, public/private sector, publication of a ‘Dummies’ Guide’ to business continuity – in keeping with the NRR – may change that.

Community Resilience

The NRR – and community risk registers which tailor the national risk picture to local circumstances – was a status reference document for Community Resilience since 2008. The hot Peer Review Report of the UK’s progress in implementing the Hyogo Framework for Action on Disaster Risk Reduction (HFA), while generally complimentary of the UK’s efforts, points to the difficulties:

‘The public has access to lots of knowledge, but it surely just isn’t clear whether people actually take action in keeping with this risk information. It sounds as if … citizens aren’t yet especially willing to do so themselves at the ground …. changing people’s behaviour and making individuals personally responsible remains a challenge: the culture of prevention and risk awareness continues to be seen as low (reportedly around 12 per cent one of the general population).’

In resilience, as in such a lot of other areas of public policy, it remain the case that you’ll be able to take a horse to water but can’t force it to drink.

 Note

1. The Chartered Management Institute: ‘Planning for the worst: the 2012 Business Continuity Management Survey’, March 2012

Further Analysis: , ,

Bookmark and Share

Posted in Security Systems