The UK Government has just published its latest National Risk Register (NRR) and it is well worth a look in terms of checking against any risk register you may be involved in for your own organisation. Not just in terms of the risks being identified but also for the processes being followed which are classic in nature. This NRR is also an interesting read for those of us that follow developments in crisis management closely as the 2023 report is different to previous iterations in two main ways.
The UK Government has been publishing a National Risk Register since 2008, usually every two or three years. This new version superseded the December 2020 NRR published at the height of the Covid crisis in December 2020. Incidentally, the 2017 version did identify a pandemic as being a 5 on a score of 1 to 5 in terms of impact severity and a 4 out of 5 in terms of likelihood of occurring in the next five years. It was the only risk to score so highly.
The 2023 NRR identifies 89 risks which it groups in nine risk themes: terrorism; cyber; state threats; geographic and diplomatic; accidents and systems failure; natural and environmental hazards; human, animal, and plant health; societal; and conflict and instability. So, this time around the NRR is concentrating on what it terms ‘acute’ threats requiring an emergency response. Previous, NRRs also looked at what are now seen as ‘chronic’ threats or those that may manifest themselves over time. Examples of these, which will be tracked using a new process, include AI and serious organised crime.
Translating this dichotomy into our own crisis communications practice is rather like the oft-used terms of a cobra crisis – that strikes seemingly out of the blue – and a python crisis that unfolds over time rather more slowly but can still crush you (or your organisation’s reputation) to death.
Translating this dichotomy into our own crisis communications practice is rather like the oft-used terms of a cobra crisis – that strikes seemingly out of the blue – and a python crisis that unfolds over time rather more slowly but can still crush you (or your organisation’s reputation) to death. Once the NRR lists the identified risks, it then prioritises them in terms of the impact these have – on a 1 to 5 scale – and the likelihood of such a risk becoming manifest – using a similar scoring process. The risks are then plotted on a matrix. Once again, a pandemic is right up there as a 5 in terms of impact and a 4 in terms of likelihood, exactly as it was in 2017. Also, worryingly some sort of “nuclear miscalculation” is a 4 in terms of impact and in terms of likelihood.
The 2023 NRR again is different to previous iterations as the risks it has identified and the rankings used are now based on the usually classified National Security Risk Assessment. In the NRR itself the Government is saying this greater transparency is necessary given the complexity and interconnectedness of modern society. In the elaboration of each set of risks, it is much more apparent what the implications are of these risks to many public and private organisations. A good reason to read this NRR wherever your organisation sits in terms of the public or private sector. To make sure the UK is prepared, each of the nine risk themes has a ‘reasonable worst-case scenario’ established.
This is reminiscent of the classic ‘bow-tie’ approach to risk management which starts by putting the worst case scenario at the centre of the bow-tie and then on the left hand side the triggers and escalators that help us understand how that risk would come about and on the right hand side the range of possible impacts. Crisis simulations often follow this format with the triggers and escalators piling up to test the responses of the participants as well as the organisation’s processes and policies. The impacts must be properly dealt with too to ensure the organisation can adequately respond and recover.
Finally, there is something in the NRR for all of us as individuals. Chapter Three reads a bit like a rallying call. Maybe it is time to sign up for that first aid course and keep those insurance documents to hand.
Author: Chris Tucker, Chair, CIPR Crisis Comms Network
Discover more from
Subscribe to get the latest posts sent to your email.