Airmic – Written evidence (RSK0053)
A consideration of risk assessment and risk planning in the context of disruptive national hazards
Airmic (The Association of Insurance and Risk Managers) exists to promote and further the professions of risk and insurance. Airmic is for everyone who has a responsibility for risk and/or insurance for their organisation.
Members include risk professionals, insurance professionals, internal auditors, company secretaries, and general counsel, as well as those working in business continuity, facilities management, security, information security, finance, and human resources, who have an interest in or responsibilities for risk and/or insurance.
Airmic supports members in a range of ways:
Why Airmic is submitting a response
We all have a role to play in building a safer, more resilient, and more prosperous UK. Governments, individuals, communities, and businesses across all four nations, along with international partners, can and must work together. By doing so, we can help to ensure we are as informed about the risk landscape as possible, take the right actions to strengthen our resilience and proactively tackle both current and future challenges.
- HM Government, “National Risk Register – 2020 edition”
Risk management is an integral component of good management and governance. It is an iterative process consisting of steps which, when undertaken, enable a continual improvement in decision making. Risk management is the term applied to the system establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organisations to avoid or mitigate losses and identify opportunities.
Airmic’s thought leadership initiatives include developing world class practice in managing resilience and in managing systemic events such as the current pandemic.
Airmic provides a platform for commercial risk and insurance professionals to stay in touch, to communicate with each other, and share knowledge, ideas, and information.
Airmic has joined forces with three leading professional membership organisations to form the Resilience Alliance, with the aim of developing and promoting resilience globally. Airmic, ASIS International, The BCI, and the Institute of Workplace and Facilities Management, will address the implications of changes and sudden disruptions, such as those experienced during the current pandemic. The goal is to convert the benefit of the collective specialisms of member organisations through collaboration, and to develop and promote a common mutual understanding of what is meant by the term ‘resilience’.
Airmic’s position equips the association to provide insight into how risk and resilience are managed in the UK as regards extreme risks and emergencies. Airmic has gathered opinions from Airmic members and these are incorporated within this submission.
The level of risk is its magnitude. Magnitude is estimated by considering and combining the consequences and likelihoods of risk. A level of risk can be assigned to a single risk or to a combination of connected risks.
Levels of risk categories include extreme risk, but there is no commonly accepted definition of extreme risk and it does not form part of the International Organization for Standardization (ISO) risk taxonomy Guide 73. Consequently, it is important for every organisation to consider a definition of extreme risk to ensure the approach and communication of managing risk across an organisation is consistent with the strategic, tactical, and operational objectives of an organisation and its risk appetite.
Typically, an extreme risk is considered to be an event that would impact the achievement of the strategic objectives of an organisation, or an event that would impact at a global, regional or national infrastructure level.
Examples of extreme risk include:
So far, threats from the commercial sector do not appear to be well considered. For example, the recent pandemic demonstrated the reliance on supermarket chains to provide food to society. Had supermarkets closed (i.e. staff refusal to come to work) or their logistics failed, the resulting societal breakdown could have been catastrophic for the UK.
The “Orange Book” and associated family of guides produced by HM Treasury and the Government Finance Function are widely respected but infrequently updated. Like other guides, they have typically not kept pace with developments in practices used by corporate risk professionals. Knowledge of these guides is not effectively communicated to the commercial world, yet despite some shortcomings, they would add value as guidance and as a benchmark for government suppliers on how the Government manages risk.
Key to effective and efficient risk assessment is the gathering, analysis, and application of data using consistent taxonomy, data sets, metrics, and methodologies. The Government appears to use a range of approaches which can inhibit the ability to aggregate and analyse data from different risk assessments.
Engaging professionals with commercial risk management experience to join those who educate government risk management professionals, and taking part in exercises such as horizon scanning, scenario analysis and risk assessments, would help the embedding of current commercial good practice.
Introducing commercially experienced professionals into non-executive roles as part of Government committees could increase the diversity of these groups and improve the bandwidth of Government risk governance.
Risk is typically viewed in Government as something negative to be minimised or avoided. There is a focus on strengthening risk frameworks and processes, tightening risk assessments, reinforcing oversight arrangements, and improving monitoring and reporting processes, with an emphasis on compliance and prudence. This can be to the exclusion of the upside or value creation aspects of risk and associated opportunities. This approach makes the assessment of long-term risks more difficult.
An understanding of enterprise risk management (ERM) does not appear to be at the heart of Government, and there is a disconnect between governance and intent.
There appears to be limited capability in Government in managing emerging risks. Emerging risks demand a different approach. In practice, although a robust discussion of key or principal risks would also likely capture emerging risks, a formal process for identifying emerging risks is required. While the approach for emerging risks should be analytical, it should also be creative and pragmatic, reflecting the complexity of uncertainties to secure buy-in and actionable results.
The approach to developing the National Risk Register requires enhancement to address risk connectivity and the application of the register to an integrated controls environment – for example, developing a linkage between national risks and the role of Government as “insurer of last resort” in supporting solutions for systemic risk which the insurance industry is not equipped to provide (see comments at question 12).
A sense of the timescales associated with the risks in the National Risk Register may also help enhance the approach. Threats which can arrive immediately (e.g. terrorist act) may need to be considered differently than threats which evolve over time (e.g. poor air quality).
The National Risk Register should form part of the ‘bible’ for corporate risk professionals. However, given the scale and velocity of change in the external environment, the Register should be updated more frequently than it typically has been, otherwise organisations will be using a Register as a benchmark which will not be synchronised with their reality, nor reflect the velocity of change, and which could act as a lag on developing and using a shared understanding.
The Government should determine its risk appetite (the Orange Book supplement on risk appetite, October 2020, assists in that regard). An understanding of risk appetite will help to drive the level and prioritisation of assurance the Government should be seeking. The Government must understand key priorities at all levels to implement a strategic response to disruptions – key indicators will inform resilience performance and decisions.
Risk management should be part of all Government activities and processes, including strategic planning, operational, financial, legal, IT, project, and change management. It should be integrated into processes where decisions are made and discussions are held, to enable the Government to grasp new opportunities whilst reducing the risk of threats in a controlled manner.
Risk management should be integrated into a consistent framework to ensure that robust assurance can be provided on the effectiveness of the controls in place. The ‘Three Lines Model’ is an example of a framework used globally, primarily in financial institutions, but which can be modified to suit all organisations, including the Government. Used as a tool rather than as a standard, it can help organisations to identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management – through adopting a principles-based approach which should be adapted to the organisation; focusing on the contribution risk management makes to achieving objectives and protecting and creating value; understanding the roles and responsibilities represented in the model and the relationships between them; and implementing measures to ensure activities and objectives are aligned, with the interests and prioritisation of stakeholders front of mind.
The Government should consider adopting a more corporate approach to managing risk, and learn from the knowledge and experience of corporates. The National Risk Register could provide the agenda for a national conversation about risk.
Current ways of characterising risk have not worked effectively with the pandemic where a worst-case scenario should be adopted and constantly updated – current practice has erred towards optimism. Preparing for the less serious is not preparing for the worst.
The challenge to any model, and especially those with pre-determined ‘scores’, is the loss of flexibility at the expense of consistency. An extreme event such as the pandemic does not conform to the pattern of many other extreme events – it has not been a ‘textbook’ crisis, it is an ‘event’ with multiple crises and recoveries, operating concurrently.
Any scoring should be supplemented by intelligent risk management involving informed people from across all stakeholders constantly considering scenarios in concert with other risk management systems informing the process.
The interconnectedness of risks, and the effect one event may have on other risks, should be taken into account when assessing the overall threat.
No further evidence.
The communication of contingency plans is patchy. Without a consistent process, it is difficult to comment on whether plans are understood. We question whether accepted good contingency practice is adopted as this would include communication and feedback and the cascading of lessons learned across all stakeholders.
Contingency planning should form part of an integrated approach to risk management and, as such, should form part of scenario planning exercises involving a range of scenarios conducted by professionals from all disciplines. There is a tendency in some organisations and in some professions to ring-fence this process. Without agreed consistent metrics and communication of performance against these, how can those who govern in Government or business have confidence that this process is effective?
The Global Health Security Index released in November 2019 examined whether countries across the world were prepared to deal with an epidemic or a pandemic. The index analysed preparation levels by focusing on whether countries have the proper tools in place to deal with large-scale outbreaks of disease. Measured on a scale of 0 to 100, where 100 is the highest level of preparedness, the United States came first, followed by the UK and the Netherlands. By March 2020, the UK appeared to lose this leadership position. Some businesses that were relying on guidance from the Government to tailor their disease response strategies underestimated the potential impact of the eventual pandemic, and generally were too slow to respond.
Business leadership has been challenged by a lack of useful intelligence and data to support business decisions during the pandemic, leading to some knee-jerk, short-term reactions. Some supply chains were caught off guard, with limited contingency plans for strategic sourcing options in an interconnected global crisis. At an operational level, the processes of many businesses were found wanting around the long-term business impacts to office spaces – for example, the ability to supply home workers with laptops, monitors and basic office furniture to make working at home possible, safe, and healthy.
Crisis management has not been set up to deal with a long-term crisis. The pandemic should modify crisis management practice. Government and business will need to be comfortable dealing with increased uncertainty, allowing them to better identify opportunities and threats, and rise to the extreme long-term event.
The concept and application of ‘Red Teaming’ should be explored. This helps teams to ask better questions and challenge embedded assumptions.
The Edelman Trust Barometer is a useful source of trust indicators. From the 2021 report: “Government briefly seized the high ground, emerging as the most trusted institution in May 2020, when people entrusted it with leading the fight against Covid-19 and restoring economic health. But Government failed the test and squandered that trust bubble, having lost the most ground in the last six months (down 8 points globally).”
Ineffective information and communication will threaten public engagement and pandemic recovery. Education is the starting point. This topic could be included in the school syllabus as an investment in building and embedding awareness, responsibility and raising the level of trust in stakeholders.
Resilience is a term that is not consistently defined or understood, which inhibits the development of good practice. Member organisations of the Resilience Alliance (see the Introduction to this Submission) plan to publish a good practice guide for resilience and would be pleased to collaborate with the Government to develop this.
An untested plan is doomed to fail. Exercises should involve all stakeholders including suppliers and other third parties, who often embed their expectations on resilience standards, event notification and event response within supplier contracts. This will be a component in the above guide.
Airmic provides a platform for sharing and developing good risk management and resilience thought leadership, practice, learning and development at a UK and Global level.
Roads to Ruin, Roads to Resilience and Roads to Revolution are thought leadership reports produced by Airmic which are considered world class.
Airmic is an active member of the International Organization for Standardization (ISO) and the BSI (British Standards Institution). Both bodies develop standards and guidance including those in the areas of risk, resilience, business continuity, crisis management and security.
The insurance industry provides insurance and associated services which support resilience at a national and organisation level. Airmic partners with the majority of the world’s leading reinsurers, insurers, brokers, loss adjusters, and associated service providers, to support solutions designed to improve and support resilience, risk management, and risk financing.
“The UK government has a responsibility to protect the population and provide stability. As a result, the government bears risks, and incurs costs when unforeseen events occur. These risks and costs typically arise because they cannot be adequately insured by the private sector and the government should take them on. This is known as the government’s role as insurer of last resort. […]
“Taking on these risks creates liabilities that are uncertain but might lead to future expenditure if specific conditions are met or specific events happen. These liabilities are known as contingent liabilities. These types of contingent liabilities are an increasingly important policy tool to support economic growth and safeguard the economy in times of stress. The risks need to be managed carefully.
“Coronavirus is an example of an external shock that could affect the government’s portfolio of contingent liabilities.”
- HM Treasury, “Government as insurer of last resort: Managing contingent liabilities in the public sector,” March 2020
The proposal in the report should also be considered in the context of the private sector – there is much to be gained from considering the public and private sectors in concert, as many of the issues, risks, controls, and lessons addressed are shared.
28 January 2021