Human-Ai.Institute - Written evidence (RSK0089)

 

Q1 – Risk identification:

Most significant & extreme risks and whether those are discrete (D), linked (L) or systemic (S)?

 

Your inquiry asks for submissions to highlight the “most significant & extreme risks” without being more specific. Further, it attributes those risks to a variety of events which cause significant human, economic, environmental and infrastructure damage. This would suggest external, somewhat suddenly occurring events.

Whilst our response will address those, we have also highlighted internal events (i.e. made / caused by UK government action or inaction) that, in some cases, may occur over a longer time-horizon. These are often more difficult to assess from a risk perspective as the real hazard may not be a sole impact or event but behaviors (or misbehaviors) that have become embedded over a longer period, often leading to detrimental policy decisions and unintended consequences. You may also consider those as primary and secondary risks.

The COVID-19 pandemic is a good example where continuously wrong or haphazard policy decisions have led, over time, to a policy-induced exacerbation of the original risk. Due to their longevity, they may not be “extreme” in the traditional sense, however, the impact on the nation can indeed be extreme and felt over a long period of time. Several examples where such policy-decisions, with both prospective and retrospective impact, have and continue to impact the UK are given further below.

Coming from a traditional operational risk and enterprise-wide risk management background, we would interpret your question as risks with a high impact (in terms of causing losses to the UK).

In addition, we would add that such risks can occur often (high likelihood) or relatively seldom (low likelihood).

Regardless of how often or over what time horizon these risks arise, we would consider both high- and low-likelihood risks with a high impact within the context of your question.

 

The following provides a non-exhaustive list of such risks:

              New & disruptive technological risks on humanity (and by extension, the UK population), including Artificial intelligence, Neurotechnology & Robotics (S)

              CyberRisk, in particular where critical infrastructure is concerned (i.e. NHS, Power stations, Utility supplies). This may also be extended to the Internet-of-Things (IoT) incl. medical apparatus in hospitals (i.e. ventilators), Smart meters as well as similar IoT devices in private households and, increasingly, autonomous vehicles (and, eventually also, drones). (S)

              Genetically modified crops (D)

              Institutionalized misconduct by public services (i.e. HM Treasury & HMRC) and the detrimental impact of failed policy-decisions causing substantive ignorance of both Human Rights and The Rule of Law. The level of both prospective uncertainty (i.e. lack of government support for >5 million self-employed during the Covid pandemic) and retroactive/retrospective uncertainty (i.e. HM Treasury’s / HMRC’s 2019 Loan Charge) caused by such misbehaviors will likely continue impacting large numbers of the UK’s population for many years to come. (S)

              A widening Digital skills gap that will impact the UK’s competitiveness. (L)

              Extreme weather risks and climate change (both global warming & cooling) and the impact on food supplies. (L)

 

Q2 – Risk vulnerabilities & sensitivities:

        Types of risks to which the UK is particularly vulnerable / poorly prepared and why?

 

              Risks caused by new & disruptive technological risks including Artificial intelligence, Neurotechnology & Robotics

              Crisis management within a global pandemic context

              Transparency (or lack thereof) of UK government policy decisions and the drivers behind those

              Supply chain challenges (due to its particulars as an island and the recent change of its relationship with the European Union)

              Systemic risk, uncertainties and unintended consequences introduced by short-sighted and retrospective policy-making

 

Q3 – Risk assessment process & governance:

         How could the UK government’s approach to risk assessment be strengthened?

It is not necessary to reinvent the wheel in terms of risk assessment & governance approaches:

Good examples of both exist globally and the UK government would be well advised to use standardized approaches and methods that are readily available incl. for example:

              ISO 31000:2018 - Risk management guidelines, https://www.iso.org/standard/65694.html

              IEC 31010:2019 - Risk assessment techniques, https://www.iso.org/standard/72140.html

              ISO Guide 73:2009 – Risk management vocabulary & Taxonomy, https://www.iso.org/standard/44651.html

              UNECE GRM’s excellent thematic reports, such as:

o              “Managing Risk in Regulatory Frameworks”, https://unece.org/DAM/trade/wp6/Recommendations/Rec_R_Eng.pdf

o              “Crisis Management within a Regulatory Framework”, https://unece.org/DAM/trade/wp6/Recommendations/Rec_P_Eng.pdf

o              The Guidebook "Risk Management in Regulatory Frameworks", http://www.unece.org/index.php?id=31684&L=0

o              “Standards for Disaster Risk Reduction” (Background paper), https://unece.org/DAM/trade/wp6/AreasOfWork/RiskManagement/paper_UNECE_final.pdf

o              “Standards & Regulations for Sustainable Development”, http://www.unece.org/DAM/trade/wp6/Recommendations/Rec_T_en.pdf

o              The Universal Conduct Risk Paradigm (UCRP), https://www.unece.org/fileadmin/DAM/trade/wp6/documents/2017/GRMF2F/2017_02_22_1400_Krebsz_UCRP_-_Draft_version_22_Feb_2017.pdf

 

Q4 – Risk assurance:

         What level of assurance should the UK government be seeking on the nation’s resilience?

 

Please refer to our answer to Q3. In addition, we suggest the Canadian government’s “Guide to Integrated Risk management” as a tried and tested tool:

https://www.canada.ca/en/treasury-board-secretariat/corporate/risk-management/guide-integrated-risk-management.html

 

Q5 – Risk taxonomy & Inclusion criteria:

 

UK government needs to adopt a holistic and Enterprise-wide Risk management (EWRM) approach, the “enterprise” being the whole of the UK incl. both public and private sectors.

In addition, the UK government also needs to see themselves as part of a global system and not just an isolated island.

That means that the UK’s economy is intrinsically linked to the global economy both from a supply chain / goods trade as well as a digital trade perspective. From a pure risk taxonomy and inclusion criteria perspective, any National Security Risk Assessment strategy must look beyond its visible / physical borders and adopt a global system thinking.

The rapid global spreading of the COVID-19 pandemic is a good example as is the adoption of a national vaccination rollout within the context of world vaccine supplies.

It seems that to date, the UK government has adopted a nationally focused approach and, naturally, has often missed the bigger picture.

A more holistic and systemic risk methodology may help overcome those philosophical and policy constraints.

 

Q6 – Risk indicators and KxIs:

 

In order to effectively understand, measure and mitigate risks, the UK government needs to adopt a proactive approach focused on the so-called KxIs:

              Key Performance Indicators (KPIs)

              Key Risk Indicators (KRIs) and

              Key Control Indicators (KCIs).

 

We are currently co-authoring a research paper on this topic, with a focus on ecosystem risk management, but the underlying core principles can easily be deployed for a national risk strategy.

If this is of interest, please get in touch with us.

 

Q7 – Risk mitigation by departments / Oversight & Accountability

 

We cannot comment on departments in general. However, following on from the example of institutionalized misconduct given in Q1, we have - over a period of more than 5 years - observed that departments such as HMT / HMRC as well as the Financial Conduct Authority (FCA), which are incredibly important for the UK nation’s finance, have in reality very little if any oversight by UK government in general and the Chancellor of the Exchequer and/or the Financial Secretary of the Treasury specifically.

Further, it would seem that these departments are not accountable to anyone within UK government, resulting in a seemingly free rein when implementing policies – very often with a hugely detrimental effect on large cross-sections of the population (e.g. Self-employed / Gig-economy workers / SMEs / “Excluded” / “ForgottenLtd.” and “Loan charge victims” to name a few).

We would recommend consulting with relevant national cross-party parliamentary bodies such as existing APPGs as to how both oversight and accountability within the public service can be improved.

In conclusion, a lot of work is required in this particular area.

 

Q8 – National contingency plans and communications

We are not able to answer this question sufficiently, but believe there is a current lack of visibility of those plans, certainly at local level.

Some of the references provided for Q3 with respect to Disaster Risk Recovery plans may provide additional information and guidance.

 

Q9 – Individual in relationship to national crisis / Transparency

The UK government’s response to the COVID-19 pandemic has to date, in our view, been disastrous.

This was not helped by the likes of Mr. Cummings, several high-profile MPs, members of the Police force and other public services as well as some of the medical advisors who have been caught breaching the rules, in some cases even breaking the rules of their own departments.

We would argue that in times of national crisis, every single individual becomes part of the risk management strategy, but this only works if you manage to secure buy-in of the population.

This of course relies much on the ability of the UK government to establish a level of rapport and trust with the public, which over the last 12 months or so has seemingly been much diluted by both the UK government and public services undermining their own policies.

 

Further, there does not appear to be much regard by the UK government, cabinet, and ministers for the “seven principles of public life”, which has further helped undermine how the general population will respond to policies aimed largely at protecting both them and the NHS’s capability to weather this ongoing global pandemic. More explanation as well as transparency of policy-decisions is needed urgently.

One lesson learnt is that UK government does not seem to inwardly reflect upon its past mistakes and manages to continue the haphazard trajectory laid out in the previous section.

Again, as mentioned in Q7, there is a current lack of oversight & accountability of officials which may require a strategic rethink of UK government’s internal management (and, by extension, risk management) systems.

 

Q10 – Developing risk resilience capability

 

Given the rapid technological changes, such as the increasing use of Artificial intelligence (Ai), it is important that those new innovative technologies are continuously tested, particularly with a focus on resilience to Cyber risks. Some of the publications referred to earlier on provide pointers as to how this can be achieved.

 

Q11 – Risk management best practices

 

Please refer to our response to Q3 for best practice references.

 

Q12 – Economic behaviors

 

Adopting a more corporate EWRM approach throughout government would help modernize UK government’s crisis response processes. “VIP lane” procurement, for instance of PPE, must be outlawed, and both accountability for and oversight of departments’ involvement in purchase decisions need to adopt a corporate stance and be measured with robust KxIs.

Personal conflicts of interest (by government ministers) should be transparently addressed/eliminated/mitigated and full decision-making transparency with the public (i.e. the taxpayers) is paramount to improving overall governance.

 

28 January 2021