Written evidence submitted by Sam Hilton (Research Affiliate at the Centre for the Study of Existential Risk, University of Cambridge)




  1. The author of this evidence has identified a number of ways that the UK’s risk planning processes could be improved, including the National Security Risk Assessment. This work is based on twelve interviews with civil servants and an analysis of how well prepared the UK was for COVID-19. Its examination of how well equipped the UK government was to respond to COVID-19 may be useful for this inquiry into the effectiveness of our national security machinery.


  1. Much of the evidence provided here is from: Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster? [1].


On the NSRA


  1. The NSRA does not sufficiently explore high-uncertainty risks (risks where estimating the likelihood is difficult), high-impact low-probability risks and emerging risks. The lack of attention to these kinds of risks led the UK to prepare for influenza but not for other new emerging diseases (such as Coronaviruses) which were seen as lower risk [2] [3] [4].


  1. The use of Reasonable Worst Case Scenarios and capped 5-point scales in the NSRA is very unclear, makes the NSRA hard to use, limits transparency, and downplays high-impact risks. For example the worst case scenario for influenza was based on what was challenging yet reasonable to plan for, rather than being based solely on the scale of the possible impacts [5].


  1. The NSRA process could benefit from even greater use of external expertise and greater transparency.


On the UK’s risk planning process


  1. There is limited oversight of or support for risk planning. There is no central accountability mechanism to ensure that departments draw up adequate plans and there is no pool of expertise available to assist departments in developing high-quality plans. As a result there is significant variation in the quality of risk preparedness plans across government.




  1. Overall the UK has a very good risk assessment process compared to other countries. That said there are lessons to be learnt following COVID-19 and gaps in the process that need to be closed, otherwise the UK may be unprepared for future risks. Departments need to be better supported in and held accountable for developing high-quality risk plans.


  1. There are also lessons that can be learned from elsewhere, in particular from the private sector, such as the three-lines-of-defence approach to risk management, the role of Chief Risk Officers, the use of vulnerability assessments and the importance of not overly relying on highly speculative estimates.




  1. This evidence is written by Sam Hilton, research affiliate at the University of Cambridge’s Centre for the Study of Existential Risk.


  1. In 2020 Caroline Baylon and Sam Hilton wrote: Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster? [1]. This paper was looking to answer many of the same questions as this committee and was written alongside working for Lord Rees on advocating for this committee to be set up. The paper was based on extensive interviews and evidence from a dozen current and former civil servants (that mostly took place prior to COVID-19), and with academic and industry experts on risk management.


  1. The paper, with the benefit of post-COVID hindsight, identifies and then looks to explain the most visible ways in which planning prior to COVID-19 appears to have been insufficient. In particular it picks out that:


       The UK prepared for pandemic influenza but did not prepare significantly for other pandemic scenarios. For example the NRR underestimated the risks of non-influenza pandemics stating that “emerging infectious diseases” could lead to “up to 100 fatalities” [2]. The Department of Health focused pandemic preparedness plans on the specific influenza scenario identified [6].


       The Department of Health’s pandemic influenza strategy was a fixed strategy with very limited options. The pandemic influenza strategy had minimal discussion of methods to reduce the R-number, except for “possible school closures” and isolating the ill, and had no discussion of lockdowns [6]. Yet in contrast (irrespective of their effectiveness) lockdowns have been the dominant strategy adopted by developed countries to counter the COVID-19 pandemic. A well designed flexible strategy should have discussed options for limiting disease spread through a variety of non-pharmaceutical interventions, such as lockdowns.


  1. We would encourage the committee to read the original paper at: https://www.cser.ac.uk/resources/risk-management-uk/


  1. This submission of evidence does provide a few new perspectives that were not in the earlier paper, both to answer the committee’s questions and in light of the recently published 2020 National Risk Register. These new points are in green text.




  1. Please note we use the following acronyms:

       NSRA – National Security Risk Assessment, the UK government’s risk assessment process

       NRR – National Risk Register, the published writeup of the NSRA

       CCS – Civil Contingencies Secretariat, the team in the Cabinet Office that carries out the NSRA and publishes the NRR.



How well does the National Security Council and/or Cabinet Office ensure that preparedness plans are resourced and exercised, and how their lessons are learned/implemented?


  1. The UK is likely to be poorly prepared for high-uncertainty risks (risks where estimating the likelihood is difficult) and high impact low probability risks as the NSRA does not capture these risks well.


  1. The UK may also be somewhat poorly prepared for emerging risks, for linked and compounding risks and for the common consequences of risks. It is a positive feature of the government’s approach that all of these issues are flagged in the NSRA. But it is not clear that government risk planning sufficiently considers these issues.


How effectively do Departments mitigate risks?


  1. This varies hugely from department to department. There is no consistent approach.


  1. We looked in depth at pandemic preparedness, where we have the advantage of hindsight given COVID-19. The Department of Health’s pandemic influenza strategy was a fixed strategy with very limited options (e.g. no discussion of lockdowns). We looked to understand why this was the case. We noted that there was a lack of understanding as to the need for highly flexible adaptive plans to account for high uncertainty, and that there was a lack of systems thinking and speculative political thinking [1]. We also noted that the plans were not regularly updated; for example, they were not updated in line with the 2014 Department of Health review of the evidence on restricting gatherings [35] or following Exercise Cygnus in 2019 [3].


  1. Yet other parts of government do plan extremely well. A strong positive example is the Thames Estuary 2100 risk plan [36]. It is an adaptive plan designed to be flexible to different rates of sea level rise and changes affecting the estuary.


Are Government departments adequately supported to address risks within their remits?


  1. It is positive that risks are assigned to individual departments, rather than being centrally planned for. The CCS helps departments to better understand risks. The Emergency Planning College supports departments to train for disaster response.


  1. However, beyond this, Government departments are not supported to address risks. CCS’s focus is risk assessment, so its support is limited to helping departments understand the risk assessment. There is limited centralised oversight of or support for departmental risk planners. There is no central accountability mechanism across all risks to ensure that departments draw up adequate plans to address risks. There is no pool of expertise available to assist departments in developing high-quality risk plans.


  1. Furthermore it is unclear that sufficient civil servants have skills and incentives to understand and work with risk and uncertainty. Some civil servants expressed concern to us that unless they can be very clear about a concrete imminent risk, decision-makers will not engage.


  1. The UK does reasonably well at risk management compared with other countries. The UK has been a world leader in this space. Internationally, government risk management is poor. COVID-19 has highlighted a fact that was already known: that governments do not sufficiently prepare for disasters. For example, the 2019 Global Health Security Index [37], found that the UK was one of the most well prepared countries for a pandemic but that every country had significant weaknesses. In particular the UK still has a more comprehensive risk assessment process than most countries [38][30].


  1. Much of this paper has set out ways that the UK risk assessment and risk management process can be improved, and must be improved. But this critical look should not take away from recognising the great work that has gone on to date, the strengths of the risk management process, and the continuous improvement that this process goes through on an ongoing basis.


  1. That said there are lessons to be learned from best practice elsewhere.


Lessons to be learned from other countries’ risk management processes include:


  1. Seeking expert and public feedback on risk assessments. The Swiss government refers its risk assessment to the multi-disciplinary Paul Scherrer Institute for an independent second opinion. The Norwegian government has a wide consultation process that has driven feedback from all sectors at all levels [30].


Lessons to be learned from other parts of the UK government include:


  1. A degree of independence. Those bodies in the UK that most successfully produce depoliticised research or facilitate long-term government planning tend to be, or be overseen by, bodies that are independent from ministerial departments. For example the Committee on Climate Change, the Office for Budget Responsibility or the Educational Endowment Foundation.


  1. The publication of quantifiable predictions. This allows an organisation to learn from its errors and to improve and be accountable for its mistakes. The UK Office for Budget Responsibility already does this publicly for economic forecasts [39].


Lessons to be learned from corporate risk management processes include:


  1. A “three lines of defense” approach to risk governance. This is common in the private sector. The first line of defence is risk ownership which is spread across the business. This is because it is important that risk planning and risk mitigation are firm-wide and not seen as someone else’s job. The second line of defence is a Chief Risk Officer (CRO), a board-level executive with responsibility for risk management policies and for the risk assessment process that provides an oversight function and ensures that all parts of a firm are acting to address risks. The third line of defence is an audit function that has a degree of independence from the day-to-day work, reports to the board and acts to ensure that risk management is working.


  1. Worst case scenarios to compare risks and highlight residual acceptable risk. Current best practice in the private sector is to use two sets of scenarios [40]. The first set illustrates the scale of the risk and expected damage pre-mitigation (using the assumption that there is no risk management) – this allows risks to be compared. The second set illustrates the level of residual risk and damage expected post-mitigation – this highlights for executives the level of risk and damage they are still willing to accept and the cut-off point at which further mitigation is deemed too costly.


  1. Vulnerability assessments. The private sector is moving to an approach that primarily assesses risks in terms of both their scale and the level of vulnerability of the business with regard to them. This highlights the gaps that need to be closed in the current system and supports flexible risk planning. (This approach is also time-independent, so avoids the issue of different risks needing to be assessed according to different timelines.)


This differs from the more traditional approach of risk assessment based on the scale and likelihood of the risk. In the areas of the private sector where likelihood assessments are still used, risk assessors caution against putting too much weight on highly uncertain likelihood estimates and caution against overusing cost benefit analysis for prioritising risks, as these techniques can give a false impression of precision [23].


How could the Government’s approach to risk assessment be strengthened?


  1. The CCS engages relevant experts both within and outside government as part of the NSRA process. However academic risk experts we talked to expressed concern that their voices are not sufficiently heard [1] and some voices from within government echoed similar concerns [8]. The CCS could reach and invite input from a broader range of individuals and academic experts, make more of the NSRA public or refer the entire NSRA to an academic institute for an independent second opinion, as is done in Switzerland. This would help to ensure unbiased assessments and to avoid groupthink.


  1. Government departments may be over- or under-playing specific risks to affect their prioritisation. This concern was raised in the 2019 Parliamentary Office of Science and Technology report on risk assessment [9] and similar comments were made by those we interviewed. The CCS needs to have the power to push back on departmental risk estimates and ensure the process is fully depoliticised.


  1. Political and civil service short-termism undermine the risk assessment process. Those we interviewed highlighted how political short-termism has reduced the incentive for thorough investigations of longer-term risks, and how insufficient long-term thinking, systems thinking, futures thinking and technical expertise across the civil service reduces the ability of staff to manage risks and to work with situations of high-uncertainty [10] [11]. There should be an independent government Chief Risk Officer (CRO) and associated unit to oversee the risk assessment process and civil servants should be trained in the skills needed to understand and work with risk and uncertainty.


  1. Decisions about how much to spend on risk prevention should be made on a case by case basis, yet there are some key principles that should be adhered to:


       Decisions should be made with the aim of maximising value for money and welfare over the long run. There is evidence that previous UK governments have under-invested in preventative spending [11] [12]. Disaster prevention has been shown to save money over the long term [13].


       Decision makers should not ignore high-impact low-probability risks solely by virtue of being low-probability and should not ignore high-uncertainty risk solely due to the challenges of planning for high-uncertainty situations.


       There should be a consistent approach taken between risks and over time. There is a tendency to prepare heavily immediately after a risk has occurred for a risk of that type. But preparation for other risks does not happen and investments drop off over time. For example, financial regulations are often brought in after a financial crisis but then reduced prior to the next financial crisis [14].


  1. Measuring the success of risk assessments requires transparency. Published quantified estimates of the number of and scale of disasters and of close calls would allow risk assessors to be held to account and improve their risk assessments. Much of our own work in this space has only been possible because the NRR publicly quantified the scale of disease risks. That estimates, which have a reasonable chance of being questioned, are made public should be recognised as a positive feature of the NRR. There is scope for more transparency still.




  1. Preparing for risks can be challenging. The UK has a good risk assessment process, but there are some gaps and areas for improvement that need to be closed to ensure we are not under-prepared for future risks. There is also a need to improve accountability and support for risk planning across government. For more on the general challenges of risk preparedness and for the specific lessons highlighted by COVID-19 see our paper: Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster?


15 February 2021


References and quotes


[1]  Centre for the Study of Existential Risk (2020). Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster?


[2]  Cabinet Office (2017). National Risk Register Of Civil Emergencies 2017


[3]   Institute for Government (2020). How fit were public services for coronavirus?


[4]   Professor Van-Tam (2020) DQ1008 Oral evidence: UK Science, Research and Technology Capability and Influence in Global Disease Outbreaks


[5]   “so the reasonable worst case is, of course, that bird flu becomes transmissible and we get a 60% case fatality rate. That was felt certainly to be a worst case but almost unpreparable for. So from the point of view of something reasonable for the NHS to plan for and reasonable in terms of cost, that is why the Spanish flu example was used.” Professor Neil Ferguson (2011). Question 82. House of Commons - Scientific advice and evidence in emergencies - Science and Technology Committee


[6]   Department of Health (2011). UK Influenza Pandemic Preparedness Strategy 2011


[7]   United Nations Office for Disaster Risk Reduction (2015). Terminology: Disaster risk


[8]   “[The National Risk Assessment is] far too attached to the Intelligence machinery, paying too little attention to open source material and other governments’ policy development.” Baroness Neville-Jones, former Minister for Security and Counter Terrorism (2020). Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster?


[9]   Parliamentary Office of Science and Technology (2019). Evaluating UK natural hazards: the national risk assessment


[10]  “At one stage there were some discussions around how useful people found the longer-term view of risk. When people look at risk they’re often looking at much more certain, or higher-probability, higher-impact risks. When they develop a risk register, that’s where people tend to.” UK civil servant (2019). Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster?


[11]  “It’s a natural tendency in some ways, when budgets are going down, to prioritise the immediate needs. I've been in that position myself and it is hard to make long-term decisions ... I think we do need structures which allow decision makers to break out of short-term political cycles.” Former civil servant who worked on public health policy (2020). Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster?


[12]  National Audit Office (2018). Improving government's planning and spending framework (Summary).


[13]  Shreve and Kelman (2014). Does mitigation save? Reviewing cost-benefit analyses of disaster risk reduction


[14]  IMF (2018). Regulatory Cycles: Revisiting the Political Economy of Financial Crises, WP/18/8, January 2018


[15]  Cirkovic, Sandberg and Bostrom (2010). Anthropic Shadow: Observation Selection Effects and Human Extinction Risks


[16]  Centre for the Observation and Modelling of Earthquakes, Volcanoes and Tectonics (2016). Quantifying health and aviation hazards from Icelandic volcanic eruptions to inform government policy


[17]  Thordarson and Self (2003). Atmospheric and environmental effects of the 1783–1784 Laki eruption: A review and reassessment


[18]  Cabinet Office (2015). National Risk Register of Civil Emergencies chapter 2: risk summaries


[19]  This is based on reading through previous copies of the NRR at National Risk Register (NRR) of Civil Emergencies, and drawn from our conversations with civil servants.


[20]  Such as the Climate Change Risk Assessment, and the Global Strategic Trends report.


[21]  Cabinet Office (2020). National Risk Register 2020


[22]  For example, a super volcano that could stop all global food production is a 1 in 100,000 year scenario. It could be inexpensively prepared for by stockpiling mushroom spores and bacteria that could feed off wood, and then be fed to humans. Denkenberger and Pearce. (2015). Feeding everyone: Solving the food crisis in event of global catastrophes that kill crops or obscure the sun


[23]  Health and Safety Executive (HSE) (1992). The tolerability of risk from nuclear power stations, p. 30. HSE asks UK nuclear power stations to reduce their total risk of a single death to any 1 member of the public to less than an estimated 1 in 100,000 years.


[24]  McCloskey, Dar, Zumla and Heymann (2014). Emerging infectious diseases and pandemic potential: status quo and reducing risk of global spread.


[25]  Machalaba and Karesh (2017). Emerging infectious disease risk: shared drivers with environmental change.


[26]  World Economic Forum (2016). The Global Risk Report 2016. This paper highlights that an emerging infectious SARS like disease could lead to tens of millions of fatalities. (p. 59)


[27] Global Challenges Foundation (2017).  Global Catastrophic Risks 2017. This paper highlights the risks of emerging infectious diseases that could kill tens or hundreds of millions including the scenario of a SARS type outbreak that is worse than the previous outbreak.


[28]  Future of Humanity Institute (2008). Global Catastrophic Risks Survey. This survey of academic risk experts shows some degree of academic consensus on emerging infectious diseases as one of the largest threats.


[29]  UK government estimated the likelihood of a financial crisis at 4.5% and estimated the cost (net present value) of a financial crisis at 63% of GDP (which would be £1.2 trillion given 2020 GDP of $2.638 trillion). These estimates were raised by: Independent Commission on Banking (2011) Final report of the Independent Commission on Banking. These exact figures were used by HM Treasury up to (at least) 2014: HM Treasury (2014) Impact Assessment: Banking Reform: draft pensions regulations. These figures are roughly in line with the Treasury’s analysis in late 2020: HM Treasury (2020) Impact Assessment: Financial Services Bill.


[30]  OECD (2017). National Risk Assessments: a Cross Country Perspective


[31]  Cabinet Office (2011). House of Commons - Science and Technology Committee - Written Evidence


[32]  Government Office for Science (2012). Blackett Review of High Impact Low Probability Risks


[33]  A number of different risks ranging from plant disease to volcanoes to environmental damage to nuclear explosions could lead to a >10% global food shortfall (especially if they occurred in conjunction with one another). At this level food trade (or food aid) may be restricted or otherwise unable to address domestic shortages. Denkenberger and Pearce. (2015). Feeding everyone: Solving the food crisis in event of global catastrophes that kill crops or obscure the sun


[34]  Cabinet Office (2019). National Security Risk Assessment (visible at: The Guardian (2020). What does the leaked report tell us about the UK's pandemic preparations?)


[35]  Department of Health (2014). Impact of Mass Gatherings on an Influenza Pandemic Scientific Evidence Base Review


[36]  Environment Agency (2020). Thames Estuary TE2100 Plan


[37]  ghsindex.org (2019). 2019 Global Health Security Index. The Global Health Security Index was an assessment of global health security capabilities produced by Johns Hopkins, the Nuclear Threat Initiative, and the Economist Intelligence Unit.


[38]  OECD (2017). The UK's National Risk Assessment (NRA)


[39]  Office for Budget Responsibility (2019). Forecast evaluation report – December 2019


[40]  Risk Management Capability Ltd (2013). Capability Guidance: Pre and Post Mitigation Estimates