No matter how much we plan, some risks can never be fully predicted. That’s why, earlier this year, the UK Government updated its National Risk Register (NRR) to help businesses fully account for every possibility when measuring risk.
The National Risk Register
For the first time, the NRR is based directly on the government’s internal, classified National Security Risk Assessment. It focuses on acute risks that require a rapid response as opposed to long-term, chronic risks that are addressed with more strategic decision-making.
There are 89 risk scenarios in total covering everything from terrorism and cyber threats to those scenarios relating to health, societal issues, and natural disasters. They all have the risk posed to “lives, health, society, critical infrastructure, economy and sovereignty” in common.
A Matrix of Risks
These are organized as a matrix where the Impact of each risk scenario is plotted alongside its Likelihood to provide a point of comparison. While the impact and likelihood of some risks, such as earthquakes, are considered minor in the UK, a civil nuclear accident sits at the other end of the impact scale despite being considered unlikely.
Collectively, it paints a complex and interconnected picture of where each type of risk fits, giving stakeholders a reference point for developing contingency plans.
While the NRR isn’t targeted at the general public, its intended audiences include businesses, including SMEs, who must understand how risks could “impact their business continuity.” Of course, the hope is that the UK rarely has to deal with the risks included within the NRR, but for many organizations, even low-impact, low-likelihood risks have the potential to cause disruption.
How to Make Use of the National Risk Register
A good place to start for businesses is to review the risks and the impact/likelihood matrix to see what might be relevant from a management perspective. When doing this, it’s important to link risks to organizational objectives, leaving out all those that aren’t going to impact decision-making policies or processes.
This insight can provide a useful foundation for creating scenarios to inform operational risk, business continuity, and resilience strategies. For some organizations, this might be as simple as borrowing content straight from the report or, at the very least, using it as the basis for creating something more tailored and specific that more closely aligns with the organization.
These risk scenarios can then be used to test continuity, incident management, and crisis response plans to ensure that a full list of relevant risks has been considered and that existing processes are fit for purpose.
Beyond this, it’s also good practice to consider how each organization’s own risk methodology and philosophy could be impacted by strategic partners. Ideally, they should also be focused on effective risk planning and incident response themselves.
However, modern supply chains are becoming increasingly complex, so extended planning can be essential. It is useful to ask yourself, how much information, for example, can key suppliers share about their risk planning and resilience? Are our risk appetites aligned?
Risks for International Businesses
For international businesses, the task becomes more complex when factoring in differing national risk priorities and the extent to which they overlap. Scenarios that might be considered high risk in one locality, could be almost irrelevant elsewhere. Effective planning takes these nuances into account to ensure an incident response strategy is properly tailored.
Improve Business Resilience with Regular Risk Reviews
Although risks can never be eliminated, with proper planning and testing of response strategies, even unlikely events can be managed. The NRR serves as a useful starting point, but effective risk management means going beyond a generic view and analyzing an organization’s unique risk profile carefully.
Organizations can continue to improve their resilience with regular reviews of the risk register, as well as their continuity plans and crisis simulations to help ensure readiness in an ever-evolving risk landscape.
Gary Lynam Bio
Gary Lynam is the Managing Director – EMEA at Protecht. Gary has a strong track record of delivering large-scale and complex engagements across the financial services industry, specializing in risk and compliance solutions. He is a member of the Global Association of Risk Professionals and has an MSc in Finance and Capital Markets. Gary has over 10 years of experience consulting and providing advisory services to a wide range of clients both locally and overseas. He has an MSc. in Finance and Capital Markets. Prior to Protecht, Gary spent time with three global banks consulting on risk and strategic change. He started his career in Risk Advisory at KPMG.