Today’s post is written by Andy Evans, CEO at Xactium. Andy writes about his experience of attending a recent lecture by Professor Sir John Beddington, on the UK's National Risk Register, hosted by Nottingham Trent University.
Sir John is Government Chief Scientific Adviser (GCSA) and played a major role in providing scientific advice to Government during the 2009 swine flu outbreak and the 2010 volcanic ash incident. The GCSA has also been responsible for increasing the scientific capacity throughout the government by leading state departments to each appoint a Chief Scientific Adviser.
Managing Risk in Government
Sir John gave an overview of the purpose of the Risk Register, which is primarily to provide advice on how people and businesses can better prepare for civil emergencies.
The national risk register covers a range of UK and worldwide risks, including:
Flooding and climate change
Volcanic hazards, including the recent flight restrictions
Severe space radiation hazards
Industrial accidents, and
Further details of the national risk register can be found on the Cabinet Office’s website, including guidance on Civil Emergencies, Commercial implications and Community and Family considerations.
Emerging risks for financial markets
Sir John spoke about emerging risks resulting from new technologies, for instance the use of computer trading in the financial markets, which has already been blamed for a number of "flash crashes" in the equities market. However, little was said about risk mitigation, so there were few opportunities to learn about the strategies currently in place. (This may be linked to the national risk review currently being undertaken by the government.)
Room for further improvement?
While the register is clearly a starting point, and a big improvement over an ad-hoc approach to national risk management, there did seem to be some clear gaps and opportunities that could be filled by better use of Risk Management technology. In particular:
Whilst the register makes use of standard impact vs likelihood ratings, it comes across as quite unstructured, being more a series of informational points and examples.
The risk register misses key information that one would normally expect in a commercial risk register, including a clearly defined list of actions being undertaken to address specific risks, and a list of controls that have been put in place to address those risks so far.
A clear list of controls would be a big advantage, as it would provide a baseline for assessing their effectiveness, for example testing and auditing existing policies and procedures in the context of risk.
Key Risk Indicators were almost entirely missing: these would seem to be a powerful way of recording key data points for the government to monitor and analyse as an indicator of emerging risk events.
Links to Risk Events: while there is a national incident management system in place, it was unclear how incidents recorded in the national system were linked to specific risks in the register, and through to their controls.
Perhaps this is something that the government has in place; however, there does appear to be a need for a more structured risk reporting and tracking system across the UK.
Certainly, with the advent of the cloud and the new G-Cloud infrastructure, there is the opportunity to put in place a powerful risk infrastructure for the UK that could reach across all the agencies involved in protecting the country.
Such a risk system would enable the integration of key risk and mitigation information across the UK: from risk identification and assessment, through to mitigating controls and actions, to risk events and KRIs. As Sir John explained, risk cannot be avoided, but much can be done to prepare for it!