National Security Risk Assessment Methodology Review
In 2021, the Royal Academy of Engineering was commissioned by the Cabinet Office Civil Contingencies Secretariat to undertake an external review of the 2019 National Security Risk Assessment (NSRA) methodology.
The NSRA is a classified assessment of the risks that could cause a national-scale emergency in the UK and informs plans to mitigate those risks. A publicly available version, the National Risk Register, provides information on the most significant risks that could occur in the next two years, and is used to inform the public, businesses and communities.
The NSRA explores risks by using scenarios: significant but plausible manifestations of a given risk. Scenarios can be used to judge impact, and the scale of impact informs proportionate planning. Our review builds on engineering best practice for the design of scenarios, exploring the interdependencies between different risks, and how to build resilience thinking across an organisation.
Principles for good practice
Through case studies and interviews with major private and public sector risk owners, we have drawn out seven principles for good practice relevant to risk owners of all types:
- Ensure a joined-up approach
Building a shared understanding of risk and resilience activities across organisations can provide opportunities for collaboration so that prevention and mitigation strategies deliver greater resilience than individual actions.
- Encourage participation and communicate clearly
Collaboration is critical when building networks for fast response to emergencies. Bringing diverse stakeholders together can help identify interdependencies, groups facing disproportionate impact, or cascades of consequences that one person, team, or department alone might not anticipate.
- Focus on impact
Decision-making should be driven by impact and preparedness – linked to capability across prevention, mitigation, response, and recovery – with less focus on likelihood.
- Explore the interdependencies
By bringing together risk owners from different parts of the system with a variety of experiences and expertise, interdependencies can be uncovered and planned for that may not be revealed when risks are assessed in isolation.
- Consider a range of scenarios
Considering multiple scenarios can help with robust planning and in identifying a range of different response capabilities that might be needed. It also supports the exploration of cascading risks and consequences with systematic impacts.
- Embed new data and metrics
Data is vital in informing likelihood and impact assessments, providing early warnings, and in monitoring unfolding emergencies, but confidence in the data must be high and models must be carefully evaluated and paired with real-world information.
- Review based on need
The timeline for assessing risks should be set based on need – how sensitive those risks are to technological and societal changes – rather than on a standard time interval. Assessments should be responsive to any change in the provision of mitigations, and reviews should incentivise long-term planning.
These principles are designed to help organisations to employ a joined-up approach to risk assessment that strengthens resilience in practice.
We are calling upon all those with a stake or responsibility in risk management to reflect upon the extent to which the following principles for good practice are incorporated in their risk assessments, and to act upon them. All organisations, both in industry and government, need to consider how their risk assessment processes translate into action and prepare them for a broad range of impacts. Risk assessments should be clearly communicated to and challenged by diverse stakeholders so that dependencies and vulnerabilities can be identified, understood, and planned for, increasing our societal resilience to a wider range of risks.