Sam Hilton – Written evidence (RSK0092)

Research Affiliate at the Centre for the Study of Existential Risk, University of Cambridge

Summary

1. The authors of this evidence have identified a number of ways that the UK’s National Security Risk Assessment (NSRA) and the UK’s risk planning processes could be improved. This work is based on twelve interviews with civil servants and an analysis of how well prepared the UK was for COVID-19.

2. Much of the evidence provided here is from: Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster? [1].

On the NSRA

3. The NSRA does not sufficiently explore high-uncertainty risks (risks where estimating the likelihood is difficult), high-impact low-probability risks and emerging risks. The lack of attention to these kinds of risks led the UK to prepare for influenza but not for other new emerging diseases (such as Coronaviruses) which were seen as lower risk [2] [3] [4].

4. The use of Reasonable Worst Case Scenarios and capped 5-point scales in the NSRA is very unclear, makes the NSRA hard to use, limits transparency, and downplays high-impact risks. For example the worst case scenario for influenza was based on what was challenging yet reasonable to plan for, rather than being based solely on the scale of the possible impacts [5].

5. The NSRA process could benefit from even greater use of external expertise and greater transparency.

On the UK’s risk planning process

6. There is limited oversight of or support for risk planning. There is no central accountability mechanism to ensure that departments draw up adequate plans and there is no pool of expertise available to assist departments in developing high-quality plans. As a result there is significant variation in the quality of risk preparedness plans across government

Overall

7. Overall the UK has a very good risk assessment process compared to other countries. That said there are lessons to be learnt following COVID-19 and gaps in the process that need to be closed, otherwise the UK may be unprepared for future risks. Departments need to be better supported in and held accountable for developing high-quality risk plans.

8. There are also lessons that can be learned from elsewhere, in particular from the private sector, such as the three-lines-of-defence approach to risk management, the role of Chief Risk Officers, the use of vulnerability assessments and the importance of not overly relying on highly speculative estimates.

Introduction

9. This evidence is written by Sam Hilton, research affiliate at the University of Cambridge’s Centre for the Study of Existential Risk.

10. In 2020 Caroline Baylon and Sam Hilton wrote: Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster? [1]. This paper was looking to answer many of the same questions as this committee and was written alongside working for Lord Rees on advocating for this committee to be set up. The paper was based on extensive interviews and evidence from a dozen current and former civil servants (that mostly took place prior to COVID-19), and with academic and industry experts on risk management.

11. The paper, with the benefit of post-COVID hindsight, identifies and then looks to explain the most visible ways in which planning prior to COVID-19 appears to have been insufficient. In particular it picks out that:

●        The UK prepared for pandemic influenza but did not prepare significantly for other pandemic scenarios. For example the NRR underestimated the risks of non-influenza pandemics stating that “emerging infectious diseases” could lead to “”up to 100 fatalities” [2]. The Department of Health focused pandemic preparedness plans on the specific influenza scenario identified [6].

●        The Departments of Health’s pandemic influenza strategy was a fixed strategy with very limited options. The pandemic influenza strategy had minimal discussion of methods to reduce the R-number, except for “possible school closures” and isolating the ill and had no discussion of lockdowns [6]. Yet in contrast (irrespective of their effectiveness) lockdowns have been the dominant strategy adopted by developed countries to counter the COVID-19 pandemic. A well designed flexible strategy should have discussed options for limiting disease spread through a variety of non-pharmaceutical interventions, such as lockdowns.

12. This submission of evidence draws from that earlier paper to answer the committee's questions. It does not look in as much depth at the COVID-19 specific cases identified above and as such we would encourage the committee to read the original paper at: https://www.cser.ac.uk/resources/risk-management-uk/

13. This submission of evidence does provide a few new perspectives that were not in the earlier paper, both to answer the committees questions and in light of the recently published 2020 National Risk Register. These new points are in green text.

Acronyms

14. Please note we use the following acronyms:

●        NSRA – National Security Risk Assessment, the UK government’s risk assessment process

●        NRR – National Risk Register, the published writeup of the NSRA

●        CCS – Civil Contingencies Secretariat, the team in the Cabinet Office that carries out the NSRA and publishes the NRR.

Q1. … What do you understand the term ‘extreme risk’ to mean?

15. We understand risks as being the potential loss of life, injury, or destroyed or damaged assets which could occur to a system, society or a community in a specific period of time [7]. Extreme risks would be those that have a potential of causing 1000s of fatalities or harming 10,000s of people or causing significant long lasting damage.

Q2. Are there types of risks to which the UK is particularly vulnerable or for which it is poorly prepared? What are the reasons for this?

16. The UK is likely to be poorly prepared for high-uncertainty risks (risks where estimating the likelihood is difficult) and high impact low probability risks as the NSRA does not capture these risks well. (For full details see paragraphs 24, 27, 28 and 31 below.)

17. The UK may also be somewhat poorly prepared for emerging risks, for linked and compounding risks and for the common consequences of risks. It is a positive feature of the government’s approach that all of these issues are all flagged in the NSRA. But it is not clear that government risk planning sufficiently considers these issues. (For full details see paragraphs 26 and 37 below.)

Q3. How could the Government’s approach to risk assessment be strengthened to ensure that it is rigorous, wide-ranging and consistent?

18. The CCS engages relevant experts both within and outside government as part of the NSRA process. However academic risk experts we talked to expressed concern that their voices are not sufficiently heard [1] and some voices from within government echoed similar concerns [8]. The CCS could reach and invite input from a broader range of individuals and academic experts, make more of the NSRA public or refer the entire NSRA to an academic institute for an independent second opinion, as is done in Switzerland (see paragraph 47 below). This would help to ensure unbiased assessments and to avoid groupthink.

19. Government departments may be over- or under-playing specific risks to affect their prioritisation. This concern was raised in the 2019 Parliamentary Office of Science and Technology report on risk assessment [9] and similar comments were made by those we interviewed. The CCS needs to have the power to push back on departmental risk estimates and ensure the process is fully depoliticised.

20. Political and civil service short-termism undermine the risk assessment process. Those we interviewed highlighted how political short-termism has reduced the incentive for thorough investigations of longer-term risks, and how insufficient long-term thinking, systems thinking, futures thinking and technical expertise across the civil service reduces the ability of staff to manage risks and to work with situations of high-uncertainty [10] [11]. There should be an independent government Chief Risk Officer (CRO) and associated unit to oversee the risk assessment process and civil servants should be trained in the skills needed to understand and work with risk and uncertainty.

Q4. Given the range of possible national risks, and the need to achieve a balance between efficiency and resilience, what level of assurance should the Government be seeking on the UK’s resilience to hazards? What would effective national risk management achieve, and how could its success be measured?

What level of assurance should the Government be seeking on the UK’s resilience to hazards

21. Decisions about how much to spend on risk prevention should be made on a case by case basis, yet there are some key principles that should be adhered to:

●        Decisions should be made with the aim of maximising value for money and welfare over the long run. There is evidence that previous UK governments have been under-invested in preventative spending [11] [12]. Disaster prevention has been shown to save money over the long term [13].

●        Decision makers should not ignore high-impact low-probability risks solely by virtue of being low-probability and should not ignore high-uncertainty risk solely due to the challenges of planning for high-uncertainty situations.

●        There should be a consistent approach taken between risks and over time. There is a tendency to prepare heavily immediately after a risk has occurred for a risk of that type. But preparation for other risks does not happen and investments drop off over time. For example, financial regulations are often brought in after a financial crisis but then reduced prior to the next financial crisis [14].

22. Measuring the success of risk assessments requires transparency. Published quantified estimates of the number of and scale of disasters and of close calls would allow risk assessors to be held to account and improve their risk assessments. Much of our own work in this space has only been possible because the NRR publicly quantified the scale of disease risks. That estimates, which have a reasonable chance of being questioned, are made public should be recognised as a positive feature of the NRR. There is scope for more transparency still (see paragraphs 47 and 49 below).

Q5. How can the Government ensure that it identifies and considers as wide a range of risks as possible? What risks does the inclusion criteria for the National Security Risk Assessment exclude and what effect does this have on long-term resilience?

How to ensure a wide range of risks are considered?

23. The NSRA often evaluates risk likelihoods largely on the basis of recent past events of a similar nature. In many cases looking at past events is often a useful approach for evaluating risk, however there are two potential concerns:

24. High-uncertainty risks, emerging risks or particularly large-scale risks [15] should not be evaluated based on past events as their unfamiliarity means that the past will not be applicable. The NSRA process does include horizon scanning, yet we expect that greater use of techniques such as red teaming, tabletop exercises and discussions with a broad range of experts could be useful for fully capturing risks of these types.

25. When using historical data the NSRA should not focus only on the recent past. There is a tendency for the NSRA to focus on recent events and this may lead to risks being overlooked. For example, the risk from volcanic ash was only added to the NRA in 2012 after the 2010 and 2011 Icelandic eruptions [16], despite the availability of significant historical evidence from the 1700s that suggested such an event was highly probable [17] [18]. Pandemic estimates were based on events in the relatively recent past, notably Spanish flu in 1918, SARS in 2002, and Ebola in 2013 [19]. The NSRA did not consider historical events, such as Cholera pandemics in the 1800s or various plague epidemics.

What is excluded from the NSRA process

26. The NSRA excludes emerging risks beyond a two year time horizon. This excludes risks that have a low chance of occurring in the next few years but a higher chance of materialising beyond that timeframe, such as risks from new technologies and other ongoing trends. We recognise that the NSRA discusses the influence of future trends, that it can be useful to assess risks that may be rapidly evolving over shorter timescales, and that other government documents provide a longer perspective [20]. However we think the two year threshold is inadequate for capturing the full range of risks. For example the risk of disinformation, which has been an ongoing trend for a while has been ignored until after it led to attacks on UK 5G infrastructure. Disinformation is a new addition in the 2020 NRR [21].

This short term approach may also be inadequate for making decisions regarding risks that need significant planning or infrastructure to address, such as floods or wildfires [9]. It is notable that this short-term approach has recently become even shorter: in 2019 the NSRA process shifted from a five year forward look with longer-term considerations to a two year forward look with much of the long-term thinking removed [9].

27. The NSRA excludes low-probability risks. It excludes low probability risks by only listing risks that are more likely than their threshold of 1 in 100,000 year scenarios. Low probability risks are considered by the CCS as part of the NSRA process but risks below the threshold do not make it into the NSRA document. Yet some low-probability high-impact risks could result in the death of millions of UK citizens but could be prepared for relatively cheaply [22]. The threshold used is inconsistently low relative to how carefully risks are managed elsewhere [23].

28. The NSRA excludes high-uncertainty risks. A particular problem of the threshold approach (in the previous paragraph) is that it rests on the assumption that a reasonably accurate estimate of likelihood can be generated. But for high-uncertainty risks this is not the case. This threshold approach forces risk assessors to exclude risks based on extremely speculative estimates of likelihood. This is in stark contrast to best practice in the private sector that cautions against putting too much weight on uncertain likelihood assessments. This, combined with the evaluation of risks based on recent past events, and the exclusion of emerging risks, means that the NSRA may not be capturing many high-uncertainty risks.

What affect this has

29. These gaps in the NSRA led to the NSRA underestimating the risk of emerging infectious diseases and focusing attention solely on influenza. This focus on influenza was:

●        Considered to be reasonable by civil servants. Those we talked to in government saw the 2017 estimates as justifiable given the evidence available at the time.

●        Out of line with the evidence available. Academic papers available in 2017 [24] [25], other assessments of global risks [26] [27]  and surveys of academia [28]  highlighted that non-influenza pandemics could kill millions.

●        Detrimental to preparedness. For example, affecting the government’s strategic planning [6] stockpiles [3] and vaccine development plans [2][4].

30. If these gaps are not closed the UK may well be unprepared for future risks. Closing these gaps can be achieved by including low-probability and emerging risks in the NSRA, by looking beyond the recent past, by using techniques such as red teaming and tabletop exercises, and by greater use of a vulnerability based approach to risk assessment (see paragraph 52 below).

Q6. How effectively do current ways of characterising risks (for example, the use of a five-point scoring system of a ‘reasonable worst case scenario’) support evidence-based policy decisions? What other information would be useful?

The five-point scale

31. The NSRA’s five-point impact scale downplays high impact risks. The NSRA’s risk matrix has a logarithmic scale that goes up to 5. Summarised below:

If this scale was extended beyond 5, following the same pattern, then the current Coronavirus crisis would be at 7 or 8 (100,000+ fatalities) and the 2008-09 financial crisis (estimated economic cost of £1tn+ [29]) could reasonably be at 7. These high impact risks are happening, two have happened in the past two decades. Other risks may be higher impact still. The NSRA does not actively ignore such risks but capping the scale at 5 downplays the magnitude of such risks and makes it difficult for policy makers to prepare for high-impact scenarios.

32. It is also unclear to us that sufficient care is taken to ensure risk assessment scales are comparable across categories. The NSRA assesses the various impacts of each risk on scales from 1 to 5. However, it is unclear, for example, what steps have been taken to ensure that a 5 on “human welfare” impacts is the same as a 5 on “security” impacts. Furthermore where these scales are logarithmic, care needs to be taken in how they are combined.

The use of Reasonable worst case scenarios (RWCS)

33. The 2020 NRR defines RWCS as representing “the worst plausible manifestation of that

particular risk (once highly unlikely variations have been discounted)”. It is unclear what this means, especially given that each risk has a different likelihood. It is unclear how RWCS are chosen and how the CCS ensures they are comparable to one another. Some of these worst case scenarios appear to be lower than risk estimates made elsewhere. For example the RWCS for a “financial crisis” in the 2020 NRR [21] appears to be 10 times less likely and 10,000 times less impactful than other government estimates of a financial crisis [29]. (This criticism should not in any way minimise the strongly positive decision by the CCS to make a public estimate of financial risk and to include it on the NRR for the first time in 2020 [21].)

34. Looking at other sources suggests that RWCS are designed as scenarios that would be a challenge for government to respond to yet reasonable to expect government to prepare for [30][31]. For example the UK’s worst case influenza pandemic scenario was chosen on the basis of what was “reasonable for the NHS to plan for” [5]. If this is correct then the RWCS are not based solely on the nature of the risks but incorporate policy assumptions regarding what is expected of government. This is highly problematic because the NSRA uses these RWCS as if they were objective measures of risk. The RWCS are used for mapping the scale of risks, comparing risks, and generating planning assumptions. Using RWCS in these ways leads to incorrect conclusions and is misleading to policy makers. Furthermore it is not made clear to readers of the NRR (and maybe also to readers of the NSRA) that these scenarios are developed in this way.

35. More work is needed to ensure that the RWCS are comparable to one another, and are objective and not based on what is reasonable yet challenging. The CCS could also consider discouraging decisions being made based on comparing RWCS or moving from RWCS to pre- and post-mitigation worst case scenarios (see paragraph 51 below.)

What other information would be useful?

36. The NSRA and the NRR could better highlight uncertainty. Some of the recommendations from the 2012 Blackett Review [32] could be adopted, such as quantitative probability estimates of risks combined with a score to communicate the quality of evidence for each risk.

37. The NSRA does identify cascading, compound and linked risks and the common consequences of risks. However it is possible that more could be done to highlight these factors. We note that practitioners we spoke to flagged a lack of attention given to cascading, compound and linked risks [1] and, as discussed, the government’s pandemic influenza plans appear to be focused on the specific influenza scenario in the NSRA rather than planning for the common consequences of any disease risk. It is also notable that the common consequences of risks are not included in the public NRR [21]. For example the UK may be vulnerable to food supply issues [33], which are raised in the NSRA [34] as a common consequence of various risks. Yet although it could be helpful for the public and businesses to prepare for or know how to respond to a food shortage, it is not included in the NRR.

Q7. How effectively do Departments mitigate risks? Does the Risk Assessment process and the Civil Contingencies Secretariat adequately support Government departments to address risks within their remits? Is further oversight or accountability required, and if so, what form should that take?

How effectively do Departments mitigate risks?

38. This varies hugely from department to department. There is no consistent approach.

39. We looked in depth at pandemic preparedness, where we have the advantage of hindsight given COVID-19. As mentioned in paragraph 11, the Departments of Health’s pandemic influenza strategy was a fixed strategy with very limited options (e.g. no discussion of lockdowns). We looked to understand why this was the case. We noted that there was a lack of understanding as to the need for highly flexible adaptive plans to account for high uncertainty, and that there was a lack of systems thinking and speculative political thinking [1]. We also noted that the plans were not regularly updated, for example they were not updated in line with the 2014 Department of Health reviewed on the evidence on restricting gatherings [35] or following Exercise Cygnus in 2019 [3].

40. Yet other parts of government do plan extremely well. A strong positive example is the Thames Estuary 2100 risk plan [36]. It is an adaptive plan designed to be flexible to different rates of sea level rise and changes affecting the estuary.

Are Government departments adequately supported to address risks within their remits?

41. It is positive that risks are assigned to individual departments, rather than being centrally planned for. The CCS helps departments to better understand risks. The Emergency Planning College supports departments to train for disaster response.

42. However, beyond this, Government departments are not supported to address risks. CCS’s focus is risk assessment, so its support is limited to helping departments understand the risk assessment. There is limited centralised oversight of or support for departmental risk planners. There is no central accountability mechanism across all risks to ensure that departments draw up adequate plans to address risks. There is no pool of expertise available to assist departments in developing high-quality risk plans.

43. Furthermore it is unclear that sufficient civil servants have skills and incentives to understand and work with risk and uncertainty. Some civil servants expressed concern to us that unless they can be very clear about a concrete imminent risk, decision-makers will not engage.

Q11. What can be learnt from local or corporate risk management processes, or those of other countries? Are there any specific examples of practices, processes or considerations which could improve the UK’s national risk resilience? …

44. The UK does reasonably well at risk management compared with other countries. The UK has been a world leader in this space. Internationally, government risk management is poor. COVID-19 has highlighted a fact that was already known: that governments do not sufficiently prepare for disasters. For example, the 2019 Global Health Security Index [37], found that the UK was one of the most well prepared countries for a pandemic but that every country had significant weaknesses. In particular the UK still has a more comprehensive risk assessment process than most countries [38][30].

45. Much of this paper has set out ways that the UK risk assessment and risk management process can be improved, and must be improved. But this critical look should not take away from recognising the great work that has gone on to date, the strengths of the risk management process, and the continuous improvement that this process goes through on an ongoing basis.

46. That said there are lessons to be learned from best practice elsewhere.

Lessons to be learned from other countries risk management processes include:

47. Seeking expert and public feedback on risk assessments. The Swiss government refers its risk assessment to the multi-disciplinary Paul Scherrer Institute for an independent second opinion. The Norwegian government has a wide consultation process that has driven feedback from all sectors at all levels [30].

Lessons to be learned from other parts of the UK government include:

48. A degree of independence. Those bodies in the UK that most successfully produce depoliticised research or facilitate long-term government planning tend to be, or be overseen by, bodies that are independent from ministerial departments. For example the Committee on Climate Change, the Office for Budget Responsibility or the Educational Endowment Foundation.

49. The publication of quantifiable predictions. This allows an organisation to learn from its errors and to improve and be accountable for its mistakes. The UK Office for Budget Responsibility already does this publicly for economic forecasts [39].

Lessons to be learned from corporate risk management processes include:

50. A “three lines of defence” approach to risk governance. This is common in the private sector. The first line of defence is risk ownership which is spread across the business. This is because it is important that risk planning and risk mitigation are firm-wide and not seen as someone else’s job. The second line of defence is a Chief Risk Officer (CRO), a board-level executive with responsibility for risk management policies and for the risk assessment process that provides an oversight function and ensures that all parts of a firm are acting to address risks. The third line of defence is an audit function that has a degree of independence from the day-to-day work, reports to the board and acts to ensure that risk management is working.

51. Worst case scenarios to compare risks and highlight residual acceptable risk. Current best practice in the private sector is to use two sets of scenarios [40]. The first set illustrates the scale of the risk and expected damage pre-mitigation (using the assumption that there is no risk management) – this allows risks to be compared. The second set illustrates the level of residual risk and damage expected post-mitigation – this highlights for executives the level of risk and damage they are still willing to accept and the cut-off point at which further mitigation is deemed too costly.

52. Vulnerability assessments. The private sector is moving to an approach that primarily assesses risks in terms of both their scale and the level of vulnerability of the business with regard to them. This highlights the gaps that need to be closed in the current system and supports flexible risk planning. (This approach is also time-independent, so avoids the issue of different risks needing to be assessed according to different timelines.)

This differs from the more traditional approach of risk assessment based on the scale and likelihood of the risk. In the areas of the private sector where likelihood assessments are still used, risk assessors caution against putting too much weight on highly uncertain likelihood estimates and caution against overusing cost benefit analysis for prioritising risks, as these techniques can give a false impression of precision [23].

Conclusion

53. Preparing for risks can be challenging. The UK has a good risk assessment process, but there are some gaps and areas for improvement that need to be closed to ensure we are not under-prepared for future risks. There is also a need to improve accountability and support for risk planning across government. For more on the general challenges of risk preparedness and for the specific lessons highlighted by COVID-19 see our paper: Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster?

References and quotes

[1]  Centre for the Study of Existential Risk (2020). Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster?

[2]  Cabinet Office (2017). National Risk Register Of Civil Emergencies 2017

[3]   Institute for Government (2020). How fit were public services for coronavirus?

[4]   Professor Van-Tam (2020) DQ1008 Oral evidence: UK Science, Research and Technology Capability and Influence in Global Disease Outbreaks

[5]   “so the reasonable worst case is, of course, that bird flu becomes transmissible and we get a 60% case fatality rate. That was felt certainly to be a worst case but almost unpreparable for. So from the point of view of something reasonable for the NHS to plan for and reasonable in terms of cost, that is why the Spanish flu example was used.” Professor Neil Ferguson (2011). Question 82. House of Commons - Scientific advice and evidence in emergencies - Science and Technology Committee

[6]   Department of Health (2011). UK Influenza Pandemic Preparedness Strategy 2011

[7]   United Nations Office for Disaster Risk Reduction (2015). Terminology: Disaster risk

[8]   “[The National Risk Assessment is] far too attached to the Intelligence machinery, paying too little attention to open source material and other governments’ policy development.” Baroness Neville-Jones, former Minister for Security and Counter Terrorism (2020). Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster?

[9]   Parliamentary Office of Science and Technology (2019). Evaluating UK natural hazards: the national risk assessment

[10]  “At one stage there were some discussions around how useful people found the longer-term view of risk. When people look at risk they’re often looking at much more certain, or higher-probability, higher-impact risks. When they develop a risk register, that’s where people tend to.” UK civil servant (2019). Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster?

[11]  “It’s a natural tendency in some ways, when budgets are going down, to prioritise the immediate needs. I've been in that position myself and it is hard to make long-term decisions ... I think we do need structures which allow decision makers to break out of short-term political cycles.” Former civil servant who worked on public health policy (2020). Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster?

[12]  National Audit Office (2018). Improving government's planning and spending framework (Summary).

[13]  Shreve and Kelman (2014). Does mitigation save? Reviewing cost-benefit analyses of disaster risk reduction

[14]  IMF (2018). Regulatory Cycles: Revisiting the Political Economy of Financial Crises, WP/18/8, January 2018

[15]  Cirkovic, Sandberg and Bostrom (2010). Anthropic Shadow: Observation Selection Effects and Human Extinction Risks

[16]  Centre for the Observation and Modelling of Earthquakes, Volcanoes and Tectonics (2016). Quantifying health and aviation hazards from Icelandic volcanic eruptions to inform government policy

[17]  Thordarson and Self (2003). Atmospheric and environmental effects of the 1783–1784 Laki eruption: A review and reassessment

[18]  Cabinet Office (2015). National Risk Register of Civil Emergencies chapter 2: risk summaries

[19]  This is based on reading through previous copies of the NRR at National Risk Register (NRR) of Civil Emergencies, and drawn from our conversations with civil servants.

[20]  Such as the Climate Change Risk Assessment, and the Global Strategic Trends report.

[21]  Cabinet Office (2020). National Risk Register 2020

[22]  For example, a super volcano that could stop all global food production is a 1 in 100,000 year scenario. It could be inexpensively prepared for by stockpiling mushroom spores and bacteria that could feed off wood, and then be fed to humans. Denkenberger and Pearce. (2015). Feeding everyone: Solving the food crisis in event of global catastrophes that kill crops or obscure the sun

[23]  Health and Safety Executive (HSE) (1992). The tolerability of risk from nuclear power stations, p. 30. HSE asks UK nuclear power stations to reduce their total risk of a single death to any 1 member of the public to less than an estimated 1 in 100,000 years.

[24]  McCloskey, Dar, Zumla and Heymann (2014). Emerging infectious diseases and pandemic potential: status quo and reducing risk of global spread.

[25]  Machalaba and Karesh (2017). Emerging infectious disease risk: shared drivers with environmental change.

[26]  World Economic Forum (2016). The Global Risk Report 2016. This paper highlights that an emerging infectious SARS like disease could lead to tens of millions of fatalities. (p. 59)

[27]  Global Challenges Foundation (2017).  Global Catastrophic Risks 2017. This paper highlights the risks of emerging infectious diseases that could kill tens or hundreds of millions including the scenario of a SARS type outbreak that is worse than the previous outbreak.

[28]  Future of Humanity Institute (2008). Global Catastrophic Risks Survey. This survey of academic risk experts shows some degree of academic consensus on emerging infectious diseases as one of the largest threats.

[29]  UK government estimated the likelihood of a financial crisis at 4.5% and estimated the cost (net present value) of a financial crisis at 63% of GDP (which would be £1.2 trillion given 2020 GDP of $2.638 trillion). These estimates were raised by: Independent Commission on Banking (2011) Final report of the Independent Commission on Banking. These exact figures were used by HM Treasury upto (at least) 2014: HM Treasury (2014) Impact Assessment: Banking Reform: draft pensions regulations. These figures are roughly in line with the Treasury’s analysis in late 2020: HM Treasury (2020) Impact Assessment: Financial Services Bill.

[30]  OECD (2017). National Risk Assessments: a Cross Country Perspective

[31]  Cabinet Office (2011). House of Commons - Science and Technology Committee - Written Evidence

[32]  Government Office for Science (2012). Blackett Review of High Impact Low Probability Risks

[33]  A number of different risks ranging from plant disease to volcanoes to environmental damage to nuclear explosions could lead to a >10% global food shortfall (especially if they occurred in conjunction with one another). At this level food trade (or food aid) may be restricted or otherwise unable to address domestic shortages. Denkenberger and Pearce. (2015). Feeding everyone: Solving the food crisis in event of global catastrophes that kill crops or obscure the sun

[34]  Cabinet Office (2019). National Security Risk Assessment (visible at: The Guardian (2020). What does the leaked report tell us about the UK's pandemic preparations?)

[35]  Department of Health (2014). Impact of Mass Gatherings on an Influenza Pandemic Scientific Evidence Base Review

[36]  Environment Agency (2020). Thames Estuary TE2100 Plan

[37]  ghsindex.org (2019). 2019 Global Health Security Index. The Global Health Security Index was an assessment of global health security capabilities produced by Johns Hopkins, the Nuclear Threat Initiative, and the Economist Intelligence Unit.

[38]  OECD (2017). The UK's National Risk Assessment (NRA)

[39]  Office for Budget Responsibility (2019). Forecast evaluation report – December 2019

[40]  Risk Management Capability Ltd (2013). Capability Guidance: Pre and Post Mitigation Estimates

February 2021