Select Committee on Risk Assessment and Risk Planning
Corrected oral evidence: Risk Assessment and Risk Planning
Wednesday 25 November 2020
10.30 am
Members present: Lord Arbuthnot of Edrom (The Chair); Lord Browne of Ladyton; Lord Clement-Jones; Lord Mair; Baroness McGregor-Smith; Lord O’Shaughnessy; Lord Rees of Ludlow; Lord Robertson of Port Ellen; Baroness Symons of Vernham Dean; Viscount Thurso; Lord Triesman; Lord Willetts.
Evidence Session No. 1 Heard in Public Questions 1 - 14
Witness
I: Roger Hargreaves, Director, Civil Contingencies Secretariat.
USE OF THE TRANSCRIPT
22
Q1 The Chair: Welcome to this, the first evidence session of the Select Committee on Risk Assessment and Risk Planning. I would particularly like to welcome the witness, Roger Hargreaves, the Director of the Civil Contingencies Secretariat. You will find that all the members of the Committee, before their first question, will set out their interests. This will be a tedious but necessary process, and just in this first session. A transcript of the meeting will be taken. It will be published on the Committee’s website and you will have the opportunity to make corrections, where necessary.
I have to declare my interests. I am chair of the advisory board of Thales UK, member of the advisory board of Montrose Associates, chair and owner of Electricity Resilience Ltd, chair of the Information Assurance Advisory Council, and member of the board of advisers of the Electric Infrastructure Security Council.
Can you tell us a bit about the National Security Risk Assessment and what it covers? Perhaps you could take the opportunity to tell us a bit about yourself.
Roger Hargreaves: I am the Director of the Civil Contingencies Secretariat, which is the unit within the Cabinet Office responsible for preparing for, responding to and learning lessons from major emergencies. We foster planning across and beyond government. We also maintain central government crisis machinery such as the COBR facilities. I have been in post about six weeks, so I am probably less able to offer a reflection on personal experiences of the past in relation to this process, but I can tell you a lot about what we do and what we are planning to do.
The National Security Risk Assessment is both a process and a series of products. Essentially, it is a cross-government, scientifically rigorous, evidence-led process to generate a register of the most serious malicious and non-malicious risks facing the UK and our overseas interests. The process is run through periodically. We concluded the last NSRA at the end of 2019 and its public manifestation, the National Risk Register, is likely to be published around the end of this year.
The NSRA covers around 130 risks in a whole series of areas. To give you a sense of the range, they are terrorism, cyber, serious and organised crime, hostile state activity, natural and human hazards, human and animal disease, societal risks, accidents and system failures, geopolitical and diplomatic incidents, and conflict and/or instability. The 130 fall into those broad categories. The overwhelming majority of the 130 appear both in the classified NSRA and in the public form, the NRR.
The Chair: Thank you very much. That is very helpful.
Q2 Lord Willetts: My interests that are particularly relevant to this Committee are a membership of the board of Surrey Satellite Technology and a membership of the board of UK Research and Innovation.
To follow up from the answer you have just given, do you think that the current risk assessment process is rigorous, wide-ranging and consistent? Are there particular challenges that we should be looking at as a Committee to ensure that it is?
Roger Hargreaves: This process has been running since about 2005 and has developed over time into a genuinely rigorous and objective assessment of the risks facing the UK and its interests. We benefit from doing this periodically. It is not done in a tremendous rush. It is built up steadily, in a systemic way that not only reflects views inside government but draws on expertise beyond government. The NSRA process is recognised very positively by Governments across the world, who regard it as a gold standard when it comes to the assessment of risk. It has been adopted by many countries and is promoted by many international organisations.
Could it be better? There are certainly elements that we are looking to improve as we iterate with each version, but as a basic process it is pleasingly free of any sense of political interference. It is thoroughly objective and it draws on a great deal of expertise.
Lord Willetts: What issues are you looking at, given that no system is perfect, as you look to strengthen it? Could you identify those for the Committee, please?
Roger Hargreaves: The biggest question for us is how best to draw on the maximum amount of external expertise. When we are looking at 130 risks covering almost every facet of life, the number of academics, business leaders or other people beyond government we could talk to is vast. There has to be a manageable process that allows us to take on board those views in a pretty systematic way.
We are thinking about the extent to which we can make the next process one that opens up the workings of the dialogue we have with academia and, effectively, allows people to choose to engage in the process. Rather than us forming groups of experts, we allow experts to volunteer information to us, so that we get something more proactive from the academic community, which reflects their concerns.
There is a risk that we find ourselves overwhelmed with contributions. There are other areas where it does not add a lot of value because there is such scientific consensus on particular topics. Nevertheless, we feel that we could do more on that front. We are exploring ways to do it with our technical advisers at the moment for the process that we will run through next year to develop the next iteration of the NSRA.
Lord Willetts: Could you outline the reasoning, which may be relevant to what you just said, behind the amalgamation of the N ational Risk Assessment and the N ational S ecurity R isk Assessment?
Roger Hargreaves: Some of this comes down to what this process is for. This is not an academic exercise; it is done for the purpose of providing people who prepare for emergencies with a guide to what they should be focusing their resources on. Even if, in parts of government, we maintain a clear distinction between people who deal with malicious threats and people who deal with other kinds of risk on the non-malicious side, a lot of planners, for example in local government, are dealing with that basket of risks and need to manage it accordingly.
Therefore, having a single consistent product coming out of government that assesses all risks on the same basis and allows people to judge malicious and non-malicious risks alongside each other is very valuable as an aid to planning. It is more valuable than a system where we have two registers alongside each other, using different methodologies , which makes that ‘compare and contrast’ harder. That was the rationale. We have been able to integrate the two very successfully and we have a product that now takes the best of both worlds but presents it as a coherent package.
Q3 Lord Clement-Jones: If I could declare my interests, I am chair of Ombudsman Services Ltd, chair of council of Queen Mary University of London, consultant to DLA Piper LLP UK and member of the advisory board of Airmic, the Association of Insurance and Risk Managers in Industry and Commerce.
Mr Hargreaves, you very helpfully talked about the NSRA. In the CCS paper, you say that the NSRA assesses the likelihood and impact of the most serious malicious and non-malicious risks facing the UK or its interests overseas. It is an objective assessment, as you have talked about, but free from the influence of political trends. I wondered if you could explain how you would prioritise those risks. Is it sensible to exclude political trends in doing so?
Roger Hargreaves: There is a distinction worth making here between the risk assessment process itself and the actions we choose to take as a consequence. The process for developing the NSRA is objective; we ground it in evidence. That provides for us a hierarchy of risk. It is not a straightforward hierarchy, because some risks are very high impact but low likelihood. There is an imperative to plan for those because of the scale of the impact. At the other end, there are risks that are much more likely to occur but slightly smaller in scale and impact. There is an emphasis on planning for those, because they are more likely to happen.
There are choices to be exercised about how we deal with all 130, which is where political judgment comes in. In preparing to deal with risks, there is a choice to be made about the allocation of resources. We could prepare for all 130 risks exhaustively but, in truth, as with any bit of public sector activity, there will be limits on the resources we can commit. That is where we put advice to Ministers. Ministers then make choices collectively about the risks that should attract the greatest support for planning work, and the risks that we might deal with through other means that are less dependent on government support.
There is a political element here. An example of that would be how much the Government chooses to spend on flood defences. It is a really important way to mitigate the impacts of flooding but every year there is a debate about how much we should be spending on it. The return on investment for flood defences is excellent. The appetite and the list of projects available to improve flood defences far exceed the available budget, but a choice is made there, and the same would be true of all other risks. It is an objective process to determine the risks but a judgment by Ministers and others about where priorities lie when it comes to resourcing preparedness.
Lord Clement-Jones: You set out the set of priorities, but Ministers then overlay that with the political judgments. You therefore, presumably, present them with options.
Roger Hargreaves: Yes, and we give them the objective basis for making those judgments. Before 2005, you could have a meeting where you talked about these risks and everyone would empty their brains of every conceivable horrible situation that they could imagine. That takes you to a strange place in planning, because you are driven by people’s perceptions, perspectives and prejudices.
The risk assessment process gives people a very solid, objective basis for comparing different risks. It gives weighting to those risks, so we understand the scale of the potential problems we face. That allows for a reasonable political judgment about where priorities should lie, but it does not give all the answers, so you have the options that you described.
Lord Clement-Jones: I am a little confused, therefore, that you are using language such as “free from the influence of political trends”. If you are weighting those suggestions and priorities, you are bound to be making some political comment on a change of Administration in the States, the nature of a Russian Government or whatever it may be.
Roger Hargreaves: Our assessment process is objective. If there are changes to the political environment, they would have an impact on the risks that relate to the overall political environment, but many of the risks do not. When we have made that assessment, Ministers, departments and other public bodies have a choice about how that informs their planning and what they choose to put their emphasis on. That necessarily, because it involves the commitment of resources, involves a political judgment about where priorities should lie.
Q4 Lord O'Shaughnessy: I just want to declare my interests and those that are particularly relevant for this inquiry. I am a vice-chair of the All-Party Parliamentary Group for Longevity and a visiting professor at the Institute for Global Health Innovation at Imperial College London.
Mr Hargreaves, thank you for being with us and for the paper you sent us in advance. What provision exists to assess and prepare for high-impact, low-probability or even very low-probability risks in the work you do?
Roger Hargreaves: It is fair to say that all the risks in the NSRA are, in a sense, low probability. We are talking about a set of things that we do not expect to happen in the normal course of business. This is not, for example, the annual flu season or expected levels of winter flooding on a local scale. We do not include within the NSRA risks that fall below a minimum likelihood threshold. This is consistent with international best practice. These are real, extreme events. I was characterising it to someone the other day by saying that this is not a scriptwriting meeting for a Hollywood disaster movie. We are not imagining the most terrible things possible. We are taking the evidence and creating a series of reasonable worst cases.
There are some things that we debate about whether we should include. One example is a large-scale meteor strike. That sits right at the cusp. Clearly, it would be serious, but the extent to which we can assess and meaningfully plan for it means that it is beyond the scope. It is the kind of thing at the margins that we debate.
Lord O'Shaughnessy: If it is not your secretariat’s responsibility, ought there to be someone somewhere in government thinking about highly extreme or highly unusual risks? It might fall outside the remit of the NSRA, but would that be valuable?
Roger Hargreaves: It is not simply a question of whether government thinks about it, but whether someone is thinking about it somewhere. Some of these more extreme risks sit more sensibly under academic consideration. The process that I talked about earlier, the dialogue with academia and other risk experts, is designed to test those boundary points and see whether there is anything that should be drawn in. If we can further expand the work that we do with academia and open up the invitation to ask, “Does anyone have anything we should be thinking about?”, it gives us a chance to explore the things that fall beyond the scope of the NSRA but where there might be a case for including.
Lord O'Shaughnessy: How well do the current processes allow for the identification and assessment of risk where there has not been a recent historical precedent? That might be in a couple of forms, such as the risk of AI and something that has never occurred before, for obvious reasons, or indeed risks that look similar to the ones you have planned for but are different. The current pandemic might fall into that category: preparing for flu but getting something else of this kind that we have not had for a long time.
Roger Hargreaves: This is a really interesting point on the methodology of the risk assessment process. The 130 scenarios are all plausible, but not all of them have happened before. There are some areas where historical data is hugely helpful. Flood risk is an example, with return periods for flooding. It is not the only data source we have and there are changes to the built environment that might affect flood risk, as well as longer-term trends such as climate change, but it is still a useful component of what we do.
This is particularly true on the non-malicious risks side and less so on the malicious risks side, where it is more intelligence-led. While we might understand something about capabilities from historical examples, it is trickier to determine future intent on the basis of past behaviour. There are a range of different things at play there.
We have to be careful about not fighting the last war, in simply looking at the risks we had before and saying, “These are the risks that will occur in the future”. We guard against that by using a series of buckets of information. We have the historical data, which is very useful. We also go through the process of looking at trends and where trends might take us, which is helpful. The work with academia, the horizon scanning and the conversation about where this could go is also important.
It is worth saying that we are not trying to predict the future. We are looking to create a guide for the people who plan for emergencies and give a sense of what the boundaries, the scale and the nature of emergencies might be. That affects how we think about things. It means that there is probably a tendency to think about what has happened before, but we are not immune to the idea that there will be things that might occur that have not previously.
Q5 Lord Rees of Ludlow: I should declare an interest as a member of Cambridge University and as a co-founder of a centre at that university whose main remit is to try to assess these extreme risks of various kinds.
I would like to ask the witness why, in the 2019 National Security Risk Assessment, there was only a two-year horizon. This seems surprising because, even if we are talking about a risk that is constant from year to year, you would want to make some long-term investments to encourage resilience, et cetera. There must be a number of risks that are emergent and increasing year by year for the next decade or two, such as bio and cyber. Can you explain why there was this two-year horizon?
Roger Hargreaves: The shorter the timeframe, the more nuanced a story we can construct about the risk. On longer timeframes, we have a greater degree of uncertainty about the direction the risk takes. This is an important factor, because ultimately the purpose of this is not to make the best possible articulation of what the risk might be; the purpose is to aid planning. Therefore, that greater specificity has benefits for organisations as they are choosing what to focus their planning on.
Planning is also important when it comes to the time horizon, in the sense that the response to the overwhelming majority of these emergencies can be improved within a relatively short timeframe. Two years, one year or months is enough to make a very significant step forward in preparedness, should the expectation for a particular risk area significantly shift from one risk assessment process to the next. Practically, it works for us as a tool to facilitate planning.
It is worth recognising that, in the narrative we put around those risks, we explain where they are part of longer-term trends. We talk about slightly longer-term planning horizons, where we think that would be useful. By and large, when it comes to malicious threats, the shorter the timeframe, the more useful the information is. With non-malicious threats, longer timeframes start to matter more. That two-year block seems to strike the right balance between the two. We have that data coming in from the risk-owners about longer-term trends and we do supply that as part of the process.
There is also an issue about the distinction between risk assessment and policy. An example here would be climate change. A significant proportion of government activity is directed towards tackling the effects of climate change. The risks it poses over the long term are well-understood within the policy community rather than the emergency response community, and they are the ones dealing with that long-term risk. We are the ones dealing with the short-term manifestation, and that is why we have that shorter-term focus.
Lord Rees of Ludlow: I understand that climate change is quite different. It is predictable, in a sense, but on a timescale of decades before the worst effects come. Going back to what you were saying, let us take what is in the news now: the lack of stores of special protective clothing for the present pandemic. The stuff could be there for 10 years awaiting use, and it would have been reasonable to expect that a pandemic such as this would happen once in 20 years or something, given that we had had MERS and SARS. Is that not a case where it would be sensible to say, “The chance of something like this happening may be less than 5% per year, but let’s keep a stock of things that survive for 10 or 20 years, so we’re prepared”? I do not see why it does not help to think longer term for all these risks.
Roger Hargreaves: It helps to think longer-term, which is why we supply the information to departments and other organisations that plan for longer-term trends identified through the risk assessment process. We have simply made a choice that the two-year planning horizon is the best way to focus planning work in those organisations. Many organisations that are planning will choose to prepare for risks over a longer timeframe, whether that is maintaining equipment, stockpiles or whatever else.
If you look, for example, at our preparedness for dealing with major flooding events, which has the potential to be a really serious risk, we have stockpiles of equipment and capabilities built up there because we know that this is an enduring risk and that the very largest events, even if we do not know that they are going to occur soon, are likely to occur over that longer timeframe.
Lord Rees of Ludlow: They are also likely to become more probable as time goes on.
Roger Hargreaves: Yes.
Q6 Lord Triesman: Mr Hargreaves, good morning. I am a director of Salamanca Merchant Bank, of the European Leadership Network and of the Clean Growth Leadership Network, and I am the chairman of BioFarma Innovations.
Going slightly more deeply into the questions that you just answered for Lord Rees, is it right that longer-term risks such as climate change and antimicrobial resistance are assessed outside the national risk assessment process? How do external assessments of these risks feed in, when you need them to, to the risk-planning process?
Roger Hargreaves: This is a point on which we have made a choice. The cake can be cut in any number of ways. When it comes to longer-term risks such as climate change and antimicrobial resistance, we are, essentially, deciding that they are long-term policy challenges that need to be addressed through the policy process. That is not to say that there is no systematic consideration of the kinds of risks that might develop over time.
Both those things are reflected in various forms within the NSRA, but the Government also produces the Climate Change Risk Assessment, for example. They have the five-year Action Plan on Antimicrobial Resistance. These are areas where there is a systematic assessment of risk; it is just that it is dealt with less through the vector of emergency planning and response and more through policy intervention that takes place alongside other policy activity within departments.
We work quite hard to make sure we have alignment between that long-term policy work on strategic risks and our short-term preparedness. It is an area where we will continue to need to do more work to make sure that we have got it right. It is about where we choose to cut the cake. The choice could be made differently, but we find that this way of approaching things works, particularly for the very large systemic challenges such as climate change, which is all about a long-range policy response and less about just developing mitigation capabilities.
Lord Triesman: Can I press that point a tiny bit further? A number people would argue that, while climate change is a long-term issue which systematic long-term policy is an appropriate way of addressing, we may cross a Rubicon much more quickly unless we intervene much more quickly; in other words, this could go beyond a tipping point in quite a short time. There are climate scientists, such as Sir David King, who have argued that. I wonder whether the borderline between policy and the emergency planning vector that you describe is perhaps a little harder to distinguish than it may look on the surface.
Roger Hargreaves: It is certainly true that, within the NSRA process, we make a pretty fulsome consideration of risks that we know will be exacerbated by climate change. We have coastal flooding, river flooding, surface water flooding, storms, extremes of temperature, heatwaves, droughts, environmental disasters overseas affecting our interests, and wildfires, so we are considering the potential impacts of climate change within our NSRA process.
Ultimately, it is Ministers who choose how dramatically we want to pursue policies that are designed to reduce the rate of climate change. We are dealing with the consequences of pursuing or not pursuing those policies, but those policies are separately well informed by an assessment of the risks that arise, long term, from climate change.
Q7 Lord Mair: I will begin by declaring my interests relevant to this inquiry. I am emeritus professor of civil engineering and director of research at the University of Cambridge, a fellow of the Royal Academy of Engineering and of the Royal Society, a partner and consultant in Geotechnical Consulting Group, a past-president of the Institution of Civil Engineers, chair of the Department for Transport’s science advisory council, chair of the taskforce appointed by Network Rail to review its management of earthworks, a member of the independent tunnelling expert panel advising the Department for Transport and HS2 Ltd, and a member of the Committee on Climate Change risk assessment expert advisory panel.
Mr Hargreaves, how do you ensure that there is consistent rigour in the impact and likelihood assessments used by different government departments?
Roger Hargreaves: Ultimately, the central convening role played by the Civil Contingencies Secretariat is crucial to ensuring that we achieve that consistency of outcome. At the heart of this, I chair a risk assessment steering board, which manages the integrity of the overall process and looks to drive structure and consistency around everything that is done by departments. We set out a centrally mandated process with agreed standards, frameworks and measurements that are used by departments when they are looking at individual risk areas.
We set out standards for moderation by experts. We take those returns from departments and put them through a process. We establish a series of expert review groups, which CCS manages, that review and challenge all the likelihood and impact assessments that are generated through departmental processes. We are scoring against our own consistent standard after we have asked departments to do the first pass against that consistent standard.
Once we do that, the information flows back to the lead government departments, including their chief scientific advisers, so they can check our workings. Then we take things through a centralised approval and assurance process, where the Government Chief Scientific Adviser, the Deputy National Security Advisers and relevant committees within government look across the whole piece and make a judgment about whether things are consistent. Ultimately, the final set of documentation is signed off by officials and Ministers at the most senior level.
It is a very consistent methodology that is implemented consistently, reviewed centrally with a degree of independence, checked with departments and risk owners, and then reviewed by the most senior people within government who have responsibilities for risk, science, analysis and security.
Lord Mair: How is that process that you have described co-ordinated across government departments, particularly when a risk impacts more than one department? Does that work well?
Roger Hargreaves: By and large, it has worked very well. Even where we have a lead government department responsible for the risk assessment, the expectation on it within the process is that it convenes discussions with all departments that hold an interest in that risk. If we take pandemic influenza, for example, the Department of Health and Social Care’s assessment of the risk is developed in consultation with other government departments. For example, it would talk to the Department for Transport about the potential impacts on the transport system or to the Department for Business, Energy and Industrial Strategy about the potential impacts on business continuity and business interruption.
In the Civil Contingencies Secretariat, we play a refereeing role in this and look to ensure that departments are having those conversations, but also arbitrate where there are differences or look to bring other people in, should that be required.
This is an area that we would identify for improvement, once we have made that risk assessment, and that other plans the departments should develop. We track some of them very closely and others less so. There is more we can do on that front but, ultimately, departments have quite a strong sense of ownership because we have this lead government department principle. We need to keep working quite hard to make sure they involve all departments that have an interest, but we have a mechanism for doing that.
Lord Mair: I would like to follow up on the question of external expertise raised by Lord Willetts. We have heard criticism that there is not enough engagement with independent experts during the risk assessment process. Are you able to outline the points in the process where independent expert advice is sought and the opportunities for scrutiny of the risk assessment process by independent experts and organisations? Could you say a bit more about that?
Roger Hargreaves: There are several ways in which it happens. Departments, as they carry out their own assessment of individual risks, will involve external experts from a variety of backgrounds in that process. It is very normal for departments to have that dialogue with, for example, academia, and they do it in a structured way as part of this risk assessment development.
We then use external experts in the expert review groups that CCS manages. That is a further level of check involving external expertise, which challenges departments and brings a fresh perspective to the assessment that they have made. The involvement of their chief scientific advisers and so forth means that we are tapping into their networks. They will take their own advice where there is a need to do so. We also talk to independent experts about the overall risk assessment methodology that we employ. Various universities have a risk assessment specialism and we talk to them to make sure that our methodology is right on that front.
All that said, there is scope in the next iteration to broaden out that academic participation in the process. Inevitably, if we convene committees, they are convened of people we have chosen to draw in, and there is always a risk that, in every facet of government activity, you choose people you know or who share your view about how the world should be. Finding a way to inject some independent challenge is probably our highest priority for the next round.
We cannot just open the floodgates and have everybody with any passing interest in any risk throwing in their two penn’orth because they feel they have some thoughts on what we should be doing. We have to find a way to get genuinely independent but genuinely expert voices into the process, which inject genuine challenge and fresh thought.
Lord Mair: How do you avoid an unstructured style of expert solicitation that prioritises the loudest or most senior voice in the room?
Roger Hargreaves: In my experience, that is always a risk in pretty much any meeting that you have. In a process such as this, it becomes very important to guard against it in quite a structured way. There are means by which we can do that. The expectation that we rely heavily on evidence and that any view on risk we form is as heavily evidence-based as possible becomes central to that story.
It is less about hanging on an individual meeting or transaction and more a recognition that departments are managing a process that is based on a standard methodology and has a large number of conversations. That is separately reviewed in the centre by CCS, working with expert groups that are different in composition to that first set of voices. It is then further reviewed by the Government Chief Scientific Adviser and his colleagues, who draw on a third set of voices. You get a diversity of thought there that is, I hope, helpful. It does not stop that risk in any individual meeting, but we feel that it injects enough challenge and firebreaks within the process to stop one particular voice dominating.
Lord Clement-Jones: Mr Hargreaves has explained the process of risk assessment development very usefully. You talked about the political judgments earlier on in assessing priorities. I wanted to ask at what point in the process those political judgments as to priorities were made and by whom within those different departments. Is there a process for that, which is very clearly set out?
Roger Hargreaves: That political judgment comes after the end of the risk assessment process. We conclude our judgments on a technocratic basis. At that point, Ministers begin to exercise choices over what to do about those risks. If you are the Secretary of State for Health and Social Care, for example, you will have to make judgments about which parts of your departmental budget you commit to different aspects of the health services. As part of that, one line item for you is the amount of money you spend on preparedness for this emergency or for that emergency. Departments will exercise those choices within the overall financial envelope that they have, and they will weigh emergency preparedness alongside day-to-day priorities. In that sense, emergency preparedness is no different to any other aspect of political priority within a department’s or local authority’s business.
Q8 Lord Browne of Ladyton: I am the vice-chair of the Nuclear Threat Initiative and a visiting researcher at the Centre for the Study of Existential Risk, the organisation that Lord Rees referred to earlier and which he had significant responsibility for creating.
I am conscious of two things in asking this question of you. First, you have been six weeks in the job. Secondly, the NAO published a report today on the supply of PPE during the COVID -19 pandemic, an issue that was referred to, again, by Lord Rees.
What can you tell us about how the risks are managed once they have been identified and assessed? What oversight is there to ensure that mitigating actions that are recommended or planned are taken?
Roger Hargreaves: The single most important principle here is the lead government department principle: the idea that responsibility for ownership of the risk and preparedness to deal with the risk sits with an individual lead government department. We perform a function where it is necessary to co-ordinate plans between departments or where there are certain risks or capabilities that can be developed only on a cross-government basis.
Most risks do not sit neatly within the boundaries of an individual government department, which is why we talk about lead government department responsibility. Rather than it being a single government department responsibility, the expectation is that lead government departments will manage a process that draws in expertise or builds capability in partner organisations, as required, to deal with the risk.
Ultimately, because you have lead government department responsibility, the Secretary of State is responsible for preparedness for that particular risk, and they will, with their teams of officials, build a plan for implementation of mitigations. Depending on the nature of the risk, those mitigations will vary, as will the scale of the programme required either to build or to maintain capability.
There are other things that we do to assist managing risk from the centre. A very important one is about assurance and capabilities of people. We run exercising programmes and we maintain the Emergency Planning College, which plays a very significant role in training those people who are involved in preparing for and responding to emergencies.
It is probably fair to say that we do not carry out some formal audit process. We are not there to call in every department’s plans every year and assess them all for their completeness in a formal assurance model. We bring pressure to bear on departments if we think that there are risks that are not being dealt with properly. We would use our convening power in the Cabinet Office, the authority of the Prime Minister and so forth, to be clear about the expectations on departments to manage their risks well. That does not shift the accountability from the Secretary of State, but it means that we are clear about the importance of taking these things seriously and offering the support and convening power that we can, where risks run across boundaries in a difficult-to-manage way.
Lord Browne of Ladyton: Is that an ad hoc process? Does it depend on the individual risk, the department and the set of circumstances, or is there a process somewhere? Do you have a plan as to how you will do this consistently across the board, given that what informs this whole process appears to be some sense of consistency, so that things are dealt with appropriately?
Roger Hargreaves: It is a bit of both, really. We pay closest attention to the most serious risks or those where we are worried that the department’s planning is deficient in some way or needs to be improved. By and large, departments take their lead government department responsibilities extremely seriously, and we find ourselves very infrequently in the place of having to cajole departments to begin work on something, because they understand their responsibilities well.
We will tend to cycle the biggest risks through our committee structures and through ministerial committees, as appropriate, to refresh our understanding of where things are and to put pressure on departments within that government system, so that they do not feel like they can sit idle, not that they are, or sit quietly in the corner and have no one looking at what they are doing.
It becomes more ad hoc where we have emerging risks and departments need to deal with a situation that is developing, ideally in a phase where we can prepare rather than the phase where we are responding. In those situations, CCS often plays a convening role in bringing departments together because, where those risks emerge, often they cross departmental boundaries and we can support the lead government department. We do so rapidly and on an ad hoc basis, because we need to deal with the problem and bring it more into the mainstream of regularised planning.
Lord Browne of Ladyton: We were provided with a very helpful brief from the Cabinet Office. In more than one part, it made reference to the National Security Risk Assessment being used in the context of spending reviews. We have just come to the end of a spending review and, apparently, the results of that will be announced today. Can you tell us how that works? How is it used to inform investment decisions during the spending review? You have some recent experience, presumably, to draw on.
Roger Hargreaves: The NSRA becomes a very valuable tool for departments constructing spending review bids. There is the authority that comes from having a consistent, cross-government process informed by evidence, which means that there is greater power to the case being made internally within departments and onwards to the Treasury as part of the spending review process. It is not the only evidence available within the spending review process. Departments are going to the Treasury and making a case across a wide variety of priorities, of which emergency planning is only one.
It does mean that, where departments have work that absolutely needs to be done, they can pray in aid the NSRA as a consistent basis for their concern. Likewise, it aids the Treasury, because it allows it to compare and contrast risks in different departments and to judge whether something is very serious and deserves that additional support. We would work closely with the Treasury in that context and provide it with everything that it needed, so that it could understand whether the things it was dealing with should attract additional funding or be caught up within normal departmental spending limits.
Q9 Lord Browne of Ladyton: I have a question about resilience, which will interest our Committee quite a lot. To help us, can you tell us what options are open to the Government to encourage resilient behaviour from industry, those responsible for infrastructure, individuals, and communities?
Roger Hargreaves: There are differences between those categories. There are some aspects of industry and infrastructure that fall more obviously within various government regimes. Some have obligations under the Civil Contingencies Act to co-operate and share information with local responders. Some, because they form part of our Critical National Infrastructure, have a different relationship with the government agencies that supply them with threat information or support the development of protective security and other measures. That is one bucket. They are closer to government and local government. Therefore, getting them to behave in a resilient way is more straightforward, because there is either a legal obligation or obvious and direct government support.
There are then two separate groups: industry and business at large, and the public at large. We have historically done less with those two groups, and there are a variety of reasons for that. What has been instructive about the last nine months is the process of engaging business at large and the public at large in what has been the largest collective resilience effort since the Second World War. That is striking, because it tells us something about the extent to which government can encourage particular types of behaviour by the public and the extent to which, for certain kinds of emergency, the role of the public is utterly vital in achieving an effective response.
There is a bit of a chequered history here. There have been efforts at mass public engagement on preparedness for emergencies before. Anyone who recalls the Cold War era will remember “Protect and Survive” and other measures to get the public to think about what they would do in response to a particular kind of emergency. Other areas such as vigilance around terrorism, which are far more successful, have resonated with the public.
About 15 years ago, the Government sent a booklet called Preparing for Emergencies to every household in the UK. Essentially, it said, “These are the emergencies you need to be thinking about. These are the actions you can reasonably take”. In practice, for most people, that meant knowing to phone 999 if there was a fire and knowing to call your local police station if you spotted something suspicious. Because these are very low-probability emergencies, big emergencies do not intrude into most people’s lives, so that did not land particularly brilliantly.
There is a choice here. We can seek to engage the public and business at large more actively, but how we do it is tricky. Do we do it for particular emergencies, as dictated by need on an ad hoc basis, or do we seek to raise the level of resilience among business and the public at large in a systematic way? Will that work or will it just be a waste of money? I do not think I have a straightforward answer to that, but we are looking at this issue in the round on the back of the overall COVID-19 situation and thinking about whether more should be done. It is an open policy question as far as we are concerned, rather than one where we have a defined answer now.
Lord Browne of Ladyton: That has certainly given us food for thought. Thank you.
The Chair: That was a very interesting answer. Thank you.
Q10 Baroness McGregor-Smith: Good morning, Mr Hargreaves. It is a pleasure to meet you. Just to let you know, my relevant interests are that I am president of the British Chambers of Commerce, chair of the Airport Operators Association, a non-executive director of the Department for Education and the Tideway Tunnel, and a senior independent adviser to Mace Group.
I would like to talk about the COVID-19 pandemic. I would like to understand what plans you have, if any, to review and change the National Security Risk Assessment process in light of any of the lessons you have learned from the pandemic. I am particularly interested in the weaknesses you think the pandemic exposed.
Roger Hargreaves: This is a live situation, so there will, I suspect, be plenty of people carrying out plenty of reviews in the fullness of time as to what happened and the pros and cons of things. I can talk a bit about how this relates specifically to the NSRA and the NRR. Fundamentally, we had a risk that has always been at the top of the risk register. Prod any emergency planner in the country and they would say that the thing they were worried about most and gave most thought to was pandemic flu. We probably found ourselves at the start of this year very well prepared for pandemic flu and being very highly regarded internationally for our preparedness. Our risk assessment had pandemic flu as a top risk.
We had a high-consequence infectious disease outbreak as a separate risk. That is something such as Ebola, SARS or MERS. In simple terms, pandemic flu was the risk on which there was absolute consensus: this was the manifestation of a pandemic. This was the thing you should plan for. It is not like we ignore some significant vocal minority saying, “It is coronaviruses that you need to worry about”. Pandemic flu was the thing that everyone always worried about and, in the future, it will remain the pandemic that we worry about most. The feeling was always that high-consequence infectious diseases would burn themselves out quickly, as they had done on previous occasions within the last 20 years.
We ended up in a spot, essentially, between those two risks. The big difference with coronavirus versus pandemic flu was, first, asymptomatic spread, which you would not get with pandemic flu; and, secondly, the pace at which a vaccine was achievable. Our pandemic flu planning would assume that you get symptomatic spread and that you have a vaccine within four to six months. Some of the things we have ended up doing—the lockdowns, border closures and so forth—were just never an appropriate part of the response to what was regarded as the likely pandemic show in town. There is a process of logic based in evidence around our risk assessment that took us to the place where we saw pandemic flu at the top of the list.
The pandemic flu planning that we did was incredibly useful in delivering a rapid response in some areas. We had a lot of the legislation and other government architecture prepared, which allowed us to move very quickly in standing up some of the measures that were introduced nationally. We had done a lot of work on things such as vaccine manufacture and purchasing, which we are now seeing the benefits of, and the UK has more vaccine doses per head of population than anywhere else on earth. More morbid topics like death management, for example, were well understood. We have been able to roll out plans there and avoid some of the scenes that have hitherto been seen in other countries.
There was a lot there that was of value. As for the change that we would make within the NRR, there has to be an element of common sense. We cannot say, “There is still no evidence to point towards us experiencing this”, when we are staring at the lived experience of everybody. In practical terms, the way to do this in planning and risk assessment is simply to adjust our pandemic flu top risk to being pandemic risk, because many of the capabilities are similar. We have learned a lot about the toolkit that we have in government and what business and the public will do, in areas such as financial intervention and social distancing, and on specific issues such as PPE.
Those are all big lessons that can form part of our anti-pandemic armoury. They would not have necessarily done a year ago, but they can now. We reflect that in the risk register by talking about pandemics rather than pandemic flu. We still maintain high-consequence infectious disease as a risk, but it stays further down the risk register because we maintain the view that things such as Ebola will always burn themselves out very quickly.
Baroness McGregor-Smith: There is one weakness that I thought you might mention. Looking at what has happened with the pandemic, when you have identified a risk, every time we introduce new measures, where is the back-up as to why we do so? Although we have identified risks, we do not necessarily have all the processes in place to manage them going forward. Through this pandemic so far, there has been an interesting set of measures taken at times, where we have not always seen what the impact or the evidence is. I wondered what your thoughts were on that.
Roger Hargreaves: There are definitely some areas on that line where we have learned something about how government responds. There is a point about risk interdependencies. The most catastrophic of risks, the things that really disable our way of life, create a range of interdependencies and interconnections that are very difficult to manage and can overwhelm the system. There is a question about how well prepared we are to respond to the most catastrophic of situations.
There is a really important point about data and data streams. People have expectations about data. It is going through a revolution. What people can access and expect to access has really shifted. Some of our systems for recording information are some way away from real time. When it comes to managing a situation such as this, we need to make them more like that. We have made huge strides specifically in relation to COVID-19 on that front, but there is a more general question about data flows into the central crisis management machinery that we have worked hard on for the pandemic. There is an enduring lesson that we might pursue there.
There is then a point about flexibility of plans. We had a pandemic flu plan, which formed the basis of what we did. Did we flex quickly enough away from that? I was not in this job at that point, so it is very hard for me to say. It will doubtless feature in future reviews and inquiries into what happened. To one of the earlier questions, how precise are we in the risks that we describe? If we are too precise, it is hard for people to flex away when the situation is not precisely as previously described. If we are too general, planning is not fast enough. There are some methodological or structural choices there about how much we focus on specific plans and how much we focus on generic capabilities.
Q11 Baroness Symons of Vernham Dean: Welcome, Mr Hargreaves. My interests to declare are that I am chairman of the British Egyptian Society, a board member of the British University in Egypt, chairman of the Arab-British Chamber of Commerce, and chairman of the Saudi British Joint Business Council. I am an adviser to the DLA legal partnership, a governor of my local primary school and a fellow of Girton College, Cambridge.
Has the way in which the public and communities generally have responded to COVID -19 prompted you to have any consideration of whether the risk assessment process should be made more transparent and, very particularly, whether the public should be more involved in the process of risk planning and risk mitigation?
Roger Hargreaves: It is a really interesting question, because this vast exercise in national response to the COVID-19 crisis has hugely relied upon the actions of the public. It is absolutely dependent on them to make the whole response work. It is also true that, for most emergencies, the interaction between the authorities and the public, and the behaviour of the public, are key determining factors in the success of any response, and getting that right is critical. There is an open question about whether those things are best done by having people who know what they are doing just telling the public what to do, or whether you try to generate some response in the public that is heading in the right direction from the off. There will be some differences between different kinds of emergencies and benefits in both approaches.
There is a bit of a chequered history of engaging with the public in these kinds of things and getting them to do something as a consequence. There are probably two points. The first is whether there is a moral case for involving the public in these sorts of things. Do people have a right to know that these are the risks that can potentially affect them? Flowing from that, people might make individual choices about risks that could impact their lives. The second is the point about effectiveness. Do you get a more effective response to emergencies because you have pre-engaged the public and got them to think about what they would do and to behave in the right way?
We do not have a straightforward answer to that at the moment, but it is clear that we could do more with the public. It is also clear that we have a bit of an opportunity now, because of these high levels of engagement, to have a deeper conversation with the public about this next year. Quite what outcome that takes us to, I am genuinely not clear. There might be something that we could do here. We might decide to deal with it just for specific emergencies or to leave it alone, but we need to have that conversation in quite an open way, because the answer is not straightforward.
Baroness Symons of Vernham Dean: When you were answering Lord Browne’s questions, you said that the most important principle is the lead department: the people who have the real expertise. Most of us would understand that in relation to a nuclear threat or some form of natural disaster, where very particular skills are needed. Health is a very different question, and a pandemic particularly so, because the public have to buy into the way that the risk is being dealt with. We have to have public co-operation. Sometimes, one has felt that, because the process of what goes on with SAGE has been such a direct relationship only with Ministers, and not in formulating what is to happen and advice on the basis of some public participation, it has not worked as well as it might.
Roger Hargreaves: This is partly about the question of what we tell the public, whether it is useful for them to understand the decision-making process, and whether you get some value from that in emergency response. When I talked about the lead government department principle being of critical importance, I was talking there about how government organises itself. Clearly, there is a difference between government and the rest of the world. There is real life out there.
You are right: you have to carry the public with you when you are expecting mass public action to make response work effective, but what form that takes is the tricky bit. We could hold all SAGE meetings in public, but the proportion of the public who sat through those sessions and listened with intent would be small. Yes, journalists would listen to and write about them, and there would be greater openness and awareness, but a lot of the individual decisions would not necessarily benefit or change significantly.
There is a trick to this. It is right that, for some of our most significant emergencies, we have to do a better job of engaging with the public in advance and to help them understand what we are doing and why. It is inevitably going to be one of the central lessons from the COVID-19 experience. How we do that is the tricky bit and there is no ready answer, because it is not as straightforward as saying, “Let us just be more open”. Then you end up with a slightly larger but still small set of informed people, and a large number of people who are none the wiser about what they might do to prepare themselves or to mitigate the effects of future emergencies. All ideas are welcome on that front. If the Committee has a view on that, it would be extraordinarily helpful.
The Chair: We will do our best.
Q12 Viscount Thurso: I have no relevant interests to declare. Good morning, Mr Hargreaves. I have two questions for you, but I will run them into one, as we are running a little short of time, and ask for a crisp answer.
How effectively are Local Resilience Forums supported in developing local resilience plans in line with risks identified in the National Security Risk Assessment process? How much support does government give in that? How do you ensure consistency across different Local Resilience Forums and their effectiveness in conducting risk assessments and risk planning?
Roger Hargreaves: We are very clear that local responders are the foundation and building block of effective response, so we look to give them maximum support. We achieve consistency because we have a legal obligation that sits on all local responders, through the Civil Contingencies Act. Among a variety of obligations, it specifies that they need to carry out risk assessments in their local area and publish local risk registers that local communities can consider and that drive their planning efforts. They are funded to carry out that emergency planning work.
We provide a lot of support. We provide formal regulations and guidance, which specify some of the terms on which this happens, and we provide training and other advice. We supply them with copies of the NSRA, and that gives them a clear sense of how government judges risk across the country as a whole. They can then make judgments about how that manifests locally, based on their own assessments. We will provide support to individual local authorities around particular risk, which they all seem to find helpful.
Viscount Thurso: To what extent do you see the CCS as a facilitator to risk owners elsewhere and to what extent do you see yourself as the owner in the national risk process?
Roger Hargreaves: We own the national risk process. The integrity of it and the responsibility for that integrity sits with us. The responsibility for planning, aside from a few cross-cutting risks, will sit with lead organisations, whether in government or beyond. The general effort is one of support rather than audit. We look to encourage departments to do the planning in the right way. We look to support Local Resilience Forums through the provision of information, advocating for greater funding, training, people, access to military support and so on. The general tone is one of support. It is carrot rather than stick.
Q13 Lord Robertson of Port Ellen: Thank you very much, Mr Hargreaves, for a very informative session here today. I have to announce in advance my interests that might be relevant. I am an adviser to BP and to the Cohen Group in Washington. I am chairman of Western Ferries and of the FIA Foundation. I am in the court of Trinity House and on the international advisory board for Bahrain of Equilibrium Gulf.
Mr Hargreaves, throughout this evidence I have been very conscious of the fact that you say that you have been in the job only six weeks. You came in in the middle of a pandemic, with all the problems associated with that. How many people are in your unit? What is the turnover in the unit? From what department did you come?
Roger Hargreaves: We have a core of around 150 people but that number will flex upwards or downwards, depending on emergencies that we might be dealing with or preparing for. For example, a large number of staff surged into CCS at the start of the pandemic. We also have a surge of staff to deal with potential issues that might arise at the end of the Transition Period, but the core is around 150. Turnover rates are slightly below the Civil Service average or certainly the policy centre of government. We benefit from deep expertise from quite a lot of long-established staff, particularly around our crisis management structures, the operation of COBR and things such as that.
I joined from the Department for Transport, where I was Director of Maritime, including being responsible for Trinity House.
Lord Robertson of Port Ellen: Indeed, I remember you being mentioned on a number of occasions. I am interested in international comparisons. What do you derive from the experience in other countries or inputs from other countries to the process that is involved?
Roger Hargreaves: We are the UK’s representative organisation when it comes to international crisis management discussions. NATO has a civil preparedness forum. There is an European Civil Protection Forum, which I have been engaged in. There are UN disaster risk reduction programmes as well. By and large, we have been more in the mode of sharing information about our approach. What we do on risk assessment is regarded as a gold standard, so people tend to copy what we do. We have been quite proactive in looking to encourage that because there is always the prospect that we deal with risks that manifest in other countries, given our global interests.
We meet regularly with other countries to talk about what we do and to share ideas. We talk about boundary risks, so our continental near neighbours and Ireland in particular are close partners in that respect. We meet regularly with other key international strategic partners, such as the US and certain Gulf states. We have been pretty active on this front but a lot of it is sharing what we do.
There are some areas where we can benefit from what others do. I talked about our challenge of drawing in the broadest range of academic perspectives. Some countries may do that better than we do; we are still exploring that point. We talked about emerging risks, such as those derived from climate change. Talking to the Australians about how we deal with wildfires will always be an interesting and informative experience. Some countries engage the public more actively in resilience questions, on either a national or a local basis. As we look to explore more on that front, that will be a key topic for discussion.
Roger Hargreaves: That is quite possible. I would not know the detail, I am afraid, from the last process. An important point, though, is that we are talking here about the most extreme events. Trinity House and the other lighthouse authorities deal on a daily and weekly basis with incident s as part of business as usual. While their work is excellent and world-leading, it is, in a sense, what they do day to day. Our focus in this process is consideration of the most significant risks. When it comes to maritime risks, the most significant are likely to be major transport accidents, for example oil spills or shipping incidents that lead to loss of life. For those kinds of incidents, the Maritime and Coastguard Agency has primacy, and it has been involved in the process historically through the Department for Transport. That would be my expectation, but I am slightly flying blind on that, having not been involved in the previous iteration.
Q14 Lord Browne of Ladyton: I have a very specific question about the role of the politician in this process. I am not asking you to go back over what we have got very strongly from you about the assessment process being completed and then reported, and the lead government department and the politicians who lead that taking responsibility for the planning.
I understand from the briefing we have received that the process of reviewing and reporting on the departmental risk landscape is the responsibility of the department. The department then has a responsibility to assess the reasonable worst-case scenario. That informs the assessment process. Is it your understanding that the Ministers in those departments have no role in that process, because that is a part of the assessment process? I will be honest with you: I was a Minister in a number of departments and, honestly, I would have been horrified that that information was being given to you without it crossing my desk.
Roger Hargreaves: I am pretty sure that departments would all sign off their final returns with their Secretary of State, because it is a significant product and a significant commitment by the department into the wider system of government. The obvious follow-up is whether that provides an opportunity for Ministers to exert political influence on the process.
It is more the case that it presents to Ministers the outcome of an extended process that has followed the standard methodology. If Ministers want to elevate or deprioritise certain risks, they have choices to do that in the allocation of resources. I see a genuine belief on the part of Ministers in the integrity of the process and the realisation that we have something that generates a portfolio of risks, which forms the basis for sensible activity in government.
Ultimately, they are accountable. Ministers make choices and we offer advice. In anything we do, there is the prospect that there will, quite rightly, be political influence on outcomes, but I do not see interference. I see taking accountability seriously.
The Chair: Thank you very much indeed, Mr Hargreaves.