Written Evidence Submitted by

Researchers at the Centre for the Study of Existential Risk, University of Cambridge and the Future of Humanity Institute, University of Oxford

(C190076)
 

 

Executive Summary

 

This submission is written by researchers at the Centre for the Study of Existential Risk at the University of Cambridge and the Future of Humanity Institute at the University of Oxford. We focus on the Committee’s request for evidence on “The UK’s readiness for future outbreaks, including a consideration of: the National Risk Register” (NNR).

 

Preparing well for future risks is challenging

 

Good risk management is vital for safety and security of the UK. Before assessing the UK readiness for future risks we identify three key challenges to good risk management:

        There is a tendency to prepare to fight the last battle.

        Risk preparation happens after disasters occur, but can peter out over time.

        Many of the risks that affect us are global and need a global approach.

 

The National Risk Register (NRR) identified the wrong pandemic risks

 

The NRR is based on the UK’s National Security Risk Assessment (NSRA). At first glance the NSRA poorly assessed pandemic risks. Although highlighting influenza as a risk the 2017 NRR estimated that “emerging infectious diseases” could lead to “up to 100 fatalities”. This grossly underestimated the current situation, was out of line with the available evidence in 2017 and led to pandemic plans overly focusing on influenza. The bulk of this submission seeks to understand how such an error happened.

 

The National Security Risk Assessment process is not fit for purpose

 

Our research was based on interviews with numerous civil servants, and comparisons with best practice in industry and internationally, and our own expertise in risk management. We saw that the UK does reasonably well at risk management compared to other state actors, although is behind industry best practice. The NSRA provides detailed analysis of risks and there is good use of horizon scanning and foresight capability.

 

However we conclude that the lack of concern given to emerging infectious diseases was not a one-off error, and that the UK’s NSRA process has numerous flaws. We note that:

        Research that highlights novel risks, future risks and low probability risks is systematically ignored. These problems are indicative of short-term decision making and a governance structure that does not support civil servants to speak truth to power.

        The way evidence on risks is presented can be misleading to decision makers, not capture the full range of risks or the uncertainty inherent in risk assessments. There are problems in how risks are delineated, compared and presented as specific scenarios

        Better use could be made of external experts and sources of information from outside of government.

 

There is no clear process from risk identification to risk planning

 

We also address risk planning: after a risk has been identified how does this lead to appropriate government action? There appears to be no cross-government accountability mechanism to ensure that risks receive adequate attention, that adequate plans are drawn up or that the latest science and research leads to changes in risk policy.

 

Conclusion

 

Failure at the initial step of assessing the risks to the UK played a crucial role in weakening and delaying our response to COVID-19. These were not one-off errors, but the systematic exclusion of and failure to accurately present relevant scientific data, research and expertise. This means that the UK may well be underprepared for future risks, pandemics or otherwise.

 

Recommendations

 

We recommend:

  1. The government must not just focus on pandemic risks. The government must take a holistic approach to improving risk management, and avoid “fighting the last war”.
  2. The UK should take the lead in ensuring that risk management improves globally by encouraging commitments to spend a target percentage of GDP on risk prevention, convening a global network of government Risk Officers and by sharing best practice.
  3. The NSRA must capture novel risks, future risks and low probability risks. This could involve ensuring these risks are not actively excluded, using more futures techniques like red teaming and tabletop exercises, and greater engagement with external experts.
  4. Reviewing and improving the UK risk assessment process in line with best practice from business and elsewhere. This could involve using a vulnerability assessment approach, producing public quantifiable forecasts and using pre- and post-mitigation worst case scenarios.
  5. The creation of an independent Chief Risk Officer (CRO) and an associated unit that carries out depoliticised risk assessments, supports departments in developing flexible risk response plans, assigns responsibility for acting on risks to ministers and holds them to account for their department’s risk response plans.

Introduction

 

  1. This evidence has been collected and submitted by:

        Sam Hilton, Research Affiliate at the Centre for the Study of Existential Risk at the University of Cambridge. Former civil servant working on risk related policy including: nuclear safety policy and financial stability policy.

        Toby Ord, Senior Research Fellow at the University of Oxford's Future of Humanity Institute. Author of “The Precipice: Existential Risk and the Future of Humanity”.

        Haydn Belfield, Academic Project Manager at the Centre for the Study of Existential Risk at the University of Cambridge

 

  1. This evidence is based on interviews and meetings with current and former civil servants, including government scientists. We also talked to academics who worked with government on this area and examined the relevant policy papers and literature.

 

  1. From the in the terms of reference for this call to evidence, this submission focuses on:

7. The UK’s readiness for future outbreaks, including a consideration of:

• the National Risk Register;

 

  1. For the purpose of this submission we define:

        Risk assessment: the process whereby the risks are understood

        Risk response: the steps taken once risks are understood. This includes mitigation to reduce risks, planning to reduce vulnerability and acceptance of damages that cannot be mitigated or prevented.

        Risk management: the combination of risk assessment and risk response.

 

  1. The UK National Security Risk Assessment (NSRA) assesses serious acute national risks that have a reasonable likelihood of occurring within 2 years. Risks are assessed, amalgamated into broad categories (for example “emerging infectious disease” is a single risk) and represented by “reasonable worst case scenarios” (RWCS). The process is led by the Civil Contingencies Secretariat (CCS) and each risk is owned by a Government department. The NSRA is used to inform national resilience planning. A public version of the NSRA is known as the National Risk Register (NRR). [1][2] A full explanation of this process is in Appendix A.

 

 


The challenges of preparing well for future risks

 

  1. It is useful to highlight some general challenges of risk management:

        Firstly, there is the tendency to always prepare to fight the last war. This is a known issue within security and was raised by those we interviewed.

        Secondly, risk preparation happens after disasters occur, but can peter out over time. For example financial regulations are brought in after a financial crisis but then reduced prior to the next financial crisis.[7] Protecting budgets or making long-term commitments could help addressing this.

        Thirdly, in our modern interconnected world, many of the risks we face are global, such as the 2008 financial crisis and now COVID-19.

 

  1. The tendency to prepare to fight the last war is useful for understanding the COVID-19 response. An influenza pandemic topped lists of UK concerns since Swine Flu in 2009, and the UK prepared for influenza.[3] Meanwhile, countries that had outbreaks of SARS (a coronavirus) in the early 2000s had better plans to handle COVID-19. [4][5][6]

 

  1. If the UK Government’s response to COVID-19 is just to better prepare for pandemics, or even worse just to better prepare for zoonotic pandemics or coronavirus pandemics, then the UK would be making this same mistake again. The next global catastrophe could be something else. As such, we recommend:

 

Recommendation 1:

The government must not  just focus on pandemic risks. The government must take a holistic approach to improving management, and avoid “fighting the last war”.

 

  1. In line with risk being global we also recommend:

 

Recommendation 2:

The UK should take the lead in ensuring that risk management improves globally. This could be done by encouraging commitments to spend a target percentage of GDP on risk prevention, convening a global network of government Risk Officers and by sharing best practice.

 

 

 


The National Risk Register and COVID-19

 

  1. There are some potential failings of risk management that COVID-19 has highlighted.

 

  1. Most notably, the UK drastically underestimated the risks of emerging diseases. The most recent version of the National Risk Register[8] (NRR) states that “emerging infectious diseases” could lead to “several thousand people experiencing symptoms, potentially leading to up to 100 fatalities”. This is both a gross underestimation of the current COVID-19 situation and out of line with the scientific evidence available at the time. (Multiple academic sources and other risk assessments available in 2017 highlight the risk of emerging pandemics).[9][10][11]

 

  1. The NRR did highlight the risk of pandemic influenza – listing it as the biggest non- malicious risk to the UK. However COVID-19 is not influenza and although the work done as a result of prioritising influenza risks has proved useful in some ways the focus on influenza has led the government astray.[3] For example the government expected an influenza vaccine to be available four to six months after a pandemic began.[8]

 

  1. Secondly, despite prioritising pandemic influenza the detailed plans to address pandemic influenza have clear flaws. Most starkly the lengthy pandemic influenza plans had no discussion of lockdown or other methods to reduce the R number (except for “possible school closures” and isolating the ill). The strategy aimed for a herd immunity type approach and recommended against closing travel.[12] Yet the strategy followed by the UK and other countries has been the opposite of this. There have been other problems with the influenza plans, for example instead of stockpiling PPE the government put in place “just in time” contracts that predictably did not work due to the global need for PPE.[13]

 

  1. These failures in the response to COVID-19 could be indicators that:
  1. The UK government’s risk assessment process is not accurately assessing the greatest risks to the UK and as such is not fit for purpose;
  2. Even where risks are seen as high priority by the UK government the resultant plans produced are not adequate to respond to the risks.

We investigate these two areas. If these statements are correct this could mean that the UK is grossly underprepared for future risks and urgent work should be undertaken to address this.

 

 


Evidence collected

 

Conversations with key actors

 

  1. This evidence is based on interviews and meetings with current and former civil servants and government scientists, across multiple government departments.

 

  1. Those we talked to highlighted a number of best practices that are crucial for good risk management. These included:

        Flexibility and agility – to be able to handle uncertainty and adapt flexible plans.

        Good individuals – senior champions and long-term staff with relevant expertise. Training in systems thinking

        Effective communication and coordination – to ensure decision makers are aware of the options and uncertainties, and to ensure cross-government working.

        Depoliticisation – including consideration beyond parliamentary timescales and consistency from government to government.

        Cross-border collaboration – sharing information and best practice

 

  1. Those we spoke to however identified a number of challenges that they or the government faces with risk management. They highlighted:

        Short term thinking is easier and less risky. It is difficult to raise issues about new and novel risks, it is hard to find the funding for long term preventative policy, and Ministers care most about risks that might happen in their tenure.

        Difficulty in communicating risks and uncertainty. Unless risk analysts can be very clear that something concrete is coming towards us then decision makers will not engage.

        Risk management is a difficult and evolving field. For example the UK prepares for identified risks but preparing for consequences, closing vulnerabilities or preparing for extreme scenarios may be better.

 

  1. Additional information and, where we have permission, quotes and notes from conversations are included in Appendix B.

 

 

Comparison to industry best practice

 

  1. Risk management is a rapidly evolving field in industry. Innovation has been driven especially by development of enterprise risk management in the finance sector since the last financial crisis. Areas where there are useful lessons to be learned are:

        Worst case scenarios. Current best practice is to use two sets of scenarios. The first set illustrates the scale of the risk and expected damage pre-mitigation – this allows risks to be compared. The second set illustrates the level of residual risk and damage expected after mitigation – this highlights to executives the level of damage they are still willing to accept. The current UK government use of RWCS provides neither of these functions.

        Vulnerability assessment. Industry is moving to an approach of primarily assessing risks in terms of the scale of the risks and the level of vulnerability of the business to those risks. This highlights gaps and supports flexible risk planning. It is unclear how appropriate this would be at a national level but this nociably differs from the current government approach which focuses largely on assessing and comparing risks based on their scale and likelihood.

        Chief Risk Officer (CRO). The CRO is a board level executive with responsibility for risk assessment and risk planning across a firm. This helps ensure that the risk assessment is independent and that there is a strong voice at a senior level to raise risk issues. The UK does not have a CRO equivalent role.

 

 

Comparison with international counterparts

 

  1. Internationally, government risk management is poor. For example the 2019 Global Health Security Index concluded that the UK was one of the most prepared countries for a pandemic but that “National health security is fundamentally weak around the world.”

 

  1. The UK does reasonably well at risk management compared to other state actors. In the past the UK has been a world leader in this space and the UK still has a more comprehensive risk assessment process than most countries.

 

  1. It is hard to tell from the outside if funding is a key challenge in the UK. We note that the Civil Contingencies Secretariat (CCS) has 94 staff and that this is smaller than other similar agencies. For example Korea’s NEMA has 435 staff,[14] Switzerland’s FOCP has 330 staff[15] and Norway’s DSB has 670 staff (though it also covers cybersecurity).[16]

 

  1. Due to the variety of national approaches and differing standards for national risk assessments (NRA) it is hard to draw out a comprehensive picture of lessons that the UK can learn from other countries. Some areas of best practice to note that may be relevant for the UK to consider are: [17]

        Publishing risk assessments and involving external experts. For example Switzerland refers their risk assessment to academics for a second opinion.

        The publication of quantifiable predictions. Producing quantifiable predictions allows an organisation to learn from its errors and improve. This is done by the US Intelligence Community Prediction Market as well as by the Office for Budget Responsibility (OBR) in the UK for economic forecasts.[XXX]

        The adoption of CROs. There has been widespread adoption of Enterprise Risk management practices and CROs within government agencies.[18]

 

 


Analysis of the Government’s risk assessment process

 

  1. There is a lot to commend about the UK government’s risk analysis process: the centrally coordinated collation of acute risks into a single document, the level of detail provided on these risks, and the consideration of linked and compound risks. However we have identified a number of serious flaws with the NSRA process:

 

There is a lack of consideration of and interest in novel, future and low probability risks

 

  1. The NSRA has a number of practices that lead to novel risks, like COVD-19 being under-considered.

        The NSRA actively excludes future risks. The NSRA looks forward 2 years at a time. Emerging risks, with a very low chance of happening in the next two years but a high chance after two years, are excluded.

        The NSRA excludes low probability risks. The NSRA only includes risks that are more likely than 1 in 100,000 year scenarios, even if these risks could kill millions, or if the probability estimate is highly uncertain. This is inconsistent with how carefully we manage risks elsewhere (such as health and safety)[19]. [20]

        The NSRA evaluates risk likelihoods largely based on looking at past events of a similar nature. This is a sensible approach in most cases but is not appropriate for novel risks, risks affected by long-term trends or risks from new technology or very large scale risks (that cast an “anthropic shadow”[21]). It is not clear to us how novel risks are evaluated or considered. We also note a tendency to focus on only the most recent past events.

 

  1. These methodological flaws are problematic but our research has highlighted that these are symptoms of broader systemic and cultural problems that lead to government ignoring scientists and experts who try to highlight low probability risks, long term and unusual issues. The key underlying issues are:

 

  1. Political disinterest. We understand that the short term nature of the NSRA is in part because politicians did not (and do not) use the long-term information that researchers had pulled together. As the civil service exists to serve Ministers there is minimal incentive for government experts to keep producing forward looking information (for evidence see Appendix B, Section 2).

 

  1. There is a lack of long-term thinking, systems thinking, futures thinking and technical expertise across the civil service. A number of those interviewed highlighted a tendency of civil servants to ignore risk concerns or long-term planning. There is movement in the right direction to improve this: the work of GoSci to improve foresight capability access government and work on horizon scanning at the outset of the NSRA. But more could be done in this space.

 

Expert information is presented in a misleading way that prevents comparability

 

  1. Risks do not fall into neat clearly delineated categories. Complex scientific topics and expert conclusions need to be communicated to policy makers to guide actions. To do this risk assessors need to differentiate and compare risks. There is much to commend about the NSRA: the categorisation of risks, risk severity ratings, the acknowledgment of uncertainty and of compound risks.

 

  1. However, the NSRA’s use of RWCS is highly misleading. These RWCS are designed to prompt policy action – they are not actual worst case scenarios but scenarios that would be challenging for government to respond to. For example on the worst case pandemic scenario Professor Neil Ferguson recalls [22]:

 

the reasonable worst case is, of course, that bird flu becomes transmissible and we get a 60% case fatality rate. That was felt certainly to be a worst case but almost unpreparable for. So from the point of view of something reasonable for the NHS to plan for and reasonable in terms of cost, that is why the Spanish flu example was used.

 

The NSRA uses these RWCS as a basis for mapping the scale of risks, to compare between risks and to generate planning assumptions. But this mix of risk assessment tempered by considerations of government capability leads to incorrect conclusions.

 

  1. There are also some areas for potential minor communication improvements:

        Uncertainty could be better communicated. The Blackett Review recommends expressing uncertainty with quantitative probabilistic estimates and using a score/ranking to communicate the quality of evidence for each risk.

        The way risks are compared could be improved. Risks are assessed on 1-5 scales. It is not clear to us that the scales themselves are comparable nor that the way they are combined makes sense.

        Greater attention given to compound and linked risks. Although these are mentioned in the NSRA some who we spoke to flagged that not enough attention is given to these risks.

 

 

Better use could be made of external experts

 

  1. Academic risk experts have expressed concern that their voices are not heard and they do not have access to input into risk assessments. External experts are consulted in the NSRA process, however we expect more could be done to invite input on both risks and the risk assessment methodology. Information security challenges pose a barrier but could be overcome by sharing redacted information or by providing more security clearance checks. There appears to be greater use of external experts in other countries (such as Norway and Switzerland).

 

  1. The 2019 POST report on risk assessment raises the concern that departments may be over- or under-playing specific risks to affect their prioritisation,[2] and we have heard similar comments. We also believe the NSRA appears to rely too heavily on internal government information sources (see: Appendix B, Section 1). CCS needs to be drawing on multiple sources of information, ensuring that risk assessments are not political, and have the power to push back on departmental risks estimates. We think this may have improved in recent years but would like to see steps taken to ensure that this is happening.

 

  1. We note that the UK has world leading research in this domain. Our own institutions, the Centre for the Study of Existential Risk at the University of Cambridge and the Future of Humanity Institute at the University of Oxford produce a significant quantity of high quality research on risks.

 

 

COVID-19 analysis: The NRR estimate of “up to 100 fatalities”

 

  1. As discussed the NRR estimated that an emerging infectious disease could kill “up to 100 people”. The UK planned for these scenarios, focusing most of our efforts on the influenza risk. This was damaging to the UK’s ability to respond well to COVID-19. [3]

 

  1. There are a number of steps that appear to have gone wrong here, that correlate closely with the flaws in the NSRA mentioned above:

        Risk estimates were based primarily on recent past events. Reading through old versions of the NRR it appears that the estimates for an emerging infectious disease were based primarily on SARS in 2002 and Ebola in 2013, rather than historical events (eg black death).

        A lack of attention was given to emerging trends. The risk of pandemics is higher than historically due to increased interconnectedness, and the possibility of accidental lab releases or deliberate malicious releases of pathogens.

        The way risks were categorised was flawed. The risk of a mass infectious disease was explicitly linked to influenza. (See Appendix D for an example of how risks could have been categorised better.)

        The RWCS for pandemics were developed to be scenarios that were “reasonable for the NHS to plan for rather than to be truly comparable scenarios illustrating the scale of different risks.

        Academic research with contrary information was ignored and relevant academics not consulted.

 

 

Conclusion on the UK risk assessment process

 

  1. In some ways the UK risk assessment is the top of its game internationally, yet the NSRA process has a number of specific flaws. In particular:

        Evidence and research that highlights novel risks, future risks and low probability high impact risks is systematically ignored. These problems are indicative of short-term decision making and a governance structure that does not support civil servants to speak truth to power.

        The way evidence on risks is presented can be misleading to decision makers, and does not capture the full range of risks or the uncertainty inherent in risk assessments. There are problems in how risks are delineated, compared and presented as specific scenarios.

        Better use could be made of external experts and sources of information outside the UK government.

 

  1. We conclude that the prediction of an “emerging infectious disease” causing “up to 100 fatalities” was not a one off bug or mistake but an inevitable feature of a flawed system. We are not convinced that the UK risk assessment process has not missed other risks and as such we do not think it is fit for purpose. We recommend:

 

Recommendation 3:

Ensure the NSRA captures novel risks, future risks and low probability high impact risks. This could involve ensuring these risks are not actively excluded, using more futures techniques like red teaming and tabletop exercises, and greater engagement with external experts.

 

Recommendation 4:

Review and improve the UK risk assessment process in line with best practice from business and elsewhere. This could involve using a vulnerability assessment approach, producing public quantifiable forecasts and using pre- and post-mitigation worst case scenarios.

 

 

 


Analysis: The UK government’s risk response strategies

 

  1. The focus of this submission is on the use of and communication of science and evidence in the NSRA. It is also relevant to look at what happens after the NSRA is produced and how it feeds into risk response and government action.

 

  1. There are good practices to commend in this space. It is good that each national risk is the responsibility of a specific department. There is also some support for departmental risk planners: the CCS support departments to understand the risks including mapping out compound and linked risks and the Emergency Planning College does a decent job in supporting departments to train for risk scenarios.

 

  1. However there are a number of limitations:

        Oversight is non-existent. There is no accountability mechanism to ensure that risks are addressed, that adequate plans are drawn up or that the latest science and research leads to changes in policy.

        There is limited support on developing high quality risk plans, or ensuring that they are broad and flexible enough to account for uncertainties. There is no central government pool of expertise in this area.

        More could also be done to ensure that civil servants have the skills and the incentives to understand risks issues. There could be greater use of foresight methodologies, tabletop exercises, red teaming systems thinking and scientific expertise.

        Austerity has damaged preparedness. With a need to find efficiency savings under austerity Departments have cut back on prevention. (See Appendix B, section 4).

 

  1. We see the same flaws that affect risk assessments also affecting risk response. For example, the tendencies to prepare for the last battle and to ignore the unfamiliar. As these issues affect both areas they can compound and lead to greater unpreparedness.

 

 

COVID-19 analysis: risk planning

 

  1. The UK’s influenza pandemic preparedness plan was long and detailed, clearly drew on the available scientific evidence and considered the impact of an influenza pandemic on all sections of society and a good level of detail. Risk plans will never be perfect and it is important not to just blame the planners. We think it is useful to note the following systemic failings that appear to have hampered the development of pandemic risk planning, that might lead to problems in other domains.

 

  1. Firstly, the plans made did not sufficiently account for uncertainty – they were not sufficiently flexible. The UK planned too much for influenza and not for other risks. In part this was a failing of the NSRA process but flexible planning could have mitigated this.

 

  1. Secondly, there was a lack of imaginative thinking and systems thinking. For example, a basic systems thinking approach would note that PPE contracts could not be delivered in a global pandemic.

 

  1. Thirdly, there was no check and balance or accountability mechanisms to identify failures of risk planning. An accountability mechanism or national audit of preparedness plans could well have picked up on problems with plans.

 

  1. These points all correspond to government-wide issues that are systemic to the risk planning process, not just specific to health plans, and as such should be addressed before the next disaster hits.

 

 

Conclusion on the UK’s process for developing risk response strategies

 

  1. The UK does plan for identified future risks. However in the case of pandemic influenza the plans were not sufficiently flexible nor imaginative. Ultimately we do not have a full answer as to why the plans were not up to scratch but we see a need to improve general expertise for risk preparedness and we identify a cross-government trend away from investing in forward looking risk prevention policy with long run returns.

 

  1. As such, drawing on our consideration of industry best practice and the points raised in the previous section about the need for better governance of risk assessments we recommend:

 

Recommendation 5:

The creation of an independent Chief Risk Officer (CRO) and an associated unit.

 

  1. This unit should carry out depoliticised risk assessments, support departments in developing flexible risk response plans and assign responsibility for acting on risks to Ministers and hold them to account for their department’s risk response plans. This unit should ideally report directly to Parliament and to an independent audit body. Departments would still maintain ownership of specific risks and Cabinet Office would still coordinate national level crisis response.

 


 

Conclusion

 

  1. Failure at the initial step of assessing the risks to the UK played a crucial role in weakening and delaying our response to COVID-19. These were not one-off errors, but the systematic exclusion of and failure to accurately present relevant scientific data, research and expertise. This means that the UK may well be underprepared for future risks, pandemics or otherwise.

 

 

 


Appendix A: Background

 

Overview of the UK risk management system

 

  1. Until recently the UK has had two cross-cutting risk assessments, the National Risk Assessment (NRA) and the National Security Risk Assessment (NSRA). As of 2019 these have been combined into a single risk assessment, called the National Security Risk Assessment (NSRA) that brings together domestic, international, malicious and non-malicious risks. [1][2]

 

  1. The NSRA includes risks that can cause serious damage, that are acute (single events or emergency situations[20]) and that have a reasonable likelihood of occurring within 2 years of the risk assessment date. Risks are combined together, for example “emerging infectious disease” is a single risk and effort is made to ensure that the risks can be compared in terms of likelihood and impact.[1][2] Risks are represented by “reasonable worst case scenarios” (RWCS) that provide a “challenging yet plausible manifestation of the risk”.[17]

 

  1. The NSRA process is carried out by the Civil Contingencies Secretariat (CCS) that sits inside the Cabinet Office. Each risk is owned by a Government department and initial assessments of impact and likelihood are carried out by departments (who themselves draw on available expertise). The CCS supports departments in this work and compiles the risk estimates. The estimates undergo a stakeholder scrutiny process that includes a range of government officials and academics. The CCS works to ensure this process is continually improving. [1][2]

 

  1. The NSRA is used to inform national resilience planning and underlies a set of national resilience Planning Assumptions. Each department is responsible for the risks they own. The NSRA is also used by risk planners in the Devolved Administrations and local level responders. [2][21]

 

  1. A public version of the NSRA is known as the National Risk Register (NRR).[22] This is for use by the public and businesses.[2] The NRR has been made available at least every other year from 2008 until 2017.[22] There was however no publication of the NRR in 2019, (potentially due to Brexit related factors).

 

  1. In 2012 the Government’s Blackett Review of High Impact Low Probability Risks concluded “The most notable over-arching factor in these recommendations is the repeated need for the inclusion of external experts and readiness to consider unlikely risks”[23]

 

 


Appendix C: How to categorise disease risks

 

It may be useful to illustrate how the NSRA could have better categorised potential disease risks into 3 distinct risk groupings.

 

  1. Firstly, a risk of a highly infectious essentially uncontainable disease with a low but not insignificant fatality rate. A RWCS could be modelled on the 1918 flu but should recognise that it is highly plausible for there to be uncontainable diseases that are not influenza.

 

  1. Secondly, a risk of a somewhat infectious but still containable disease with a high fatality rate A RWCS could be based on SARS or Ebola.

 

  1. Thirdly, a scenario of highly infectious uncontained disease with a high fatality rate. A RWCS could be based on the back death or on a red-teaming exercise with experts to develop scenarios.

 

To the best of our knowledge (unless this work is happening behind closed doors) this final worst case scenario is plausible but has not been prepared for and is still being ignored.

 


FOOTNOTES

 

[1] Cabinet Office. (2019). National Security Risk Assessment (visible at: The Guardian. (2020). What does the leaked report tell us about the UK's pandemic preparations?)

 

[2] Parliamentary Office of Science and Technology. (2019). Evaluating UK natural hazards:

the national risk assessment

 

[3] Professor Van-Tam. (2020) DQ970 Oral evidence: UK Science, Research and Technology Capability and Influence in Global Disease Outbreaks

 

[4] The Guardian. (2020). Experience of Sars a key factor in countries’ response to coronavirus

 

[5] Aios. (2020). SARS made Hong Kong and Singapore ready for coronavirus

 

[6] Fortune. (2020). SARS taught Taiwan how to contain the coronavirus outbreak

 

[7] IMF. (2018). Regulatory Cycles: Revisiting the Political Economy of Financial Crises, WP/18/8, January 2018

 

[8] Cabinet Office. (2017). National Risk Register Of Civil Emergencies

 

[9] World Economic Forum. (2016). The Global Risk Report 2016. This paper highlights that an emerging infectious SARS like disease could lead to 10s of millions of fatalities. (p59)

 

[10] Future of Humanity Institute. (2008). Global Catastrophic Risks Survey. This survey of shows consensus academic consensus of emerging infectious diseases being one of the largest existential threats.

 

[11] Global Challenges Foundation. (2017).  Global Catastrophic Risks 2017. This paper highlights the risks of emerging infectious diseases that could kill 10s or 100s of millions including the scenario of a SARS type outbreak that is worse than the previous outbreak.

 

[12] Department of Health. (2011). UK Influenza Pandemic Preparedness Strategy 2011

 

[13] Financial Times. (2020). Britain’s £5.5bn bill for procuring emergency PPE brings scrutiny

 

[14] Wikipedia. National Emergency Management Agency

 

[15] Federal Office for Civil Protection BABS. Organisation of the FOCP

 

[16] Wikipedia. Norwegian Directorate for Civil Protection

 

[17] OECD. (2017). National Risk Assessments: a Cross Country Perspective

 

[18] Wall Street Journal. (2019). Enterprise Risk Management, Long Used by Companies, Takes Hold in Government

 

[19] Health and Safety Executive (HSE). (1992). The tolerability of risk from nuclear power stations, p30. HSE asks UK nuclear power stations to reduce their total risk of a single death to any 1 member of the public to less than an estimated 1 in 100,000 years.

 

[20] We also note the scale for impact of risks cuts off at 5, which correspond roughly a 1% mortality rate. However some threats to the UK are many times worse. For example the UK had 30%+ mortality in the Black Death, less than 1,000 years ago. considering high impact low probability risks would likely require an extended scale for impact.

 

[21]  Cirkovi, Sandberg, and Bostrom. (2010). Anthropic Shadow: Observation Selection Effects and Human Extinction Risks

 

[22] Professor Neil Ferguson. (2011). Question 82. House of Commons - Scientific advice and evidence in emergencies - Science and Technology Committee

 

[20] UK Government. (2004). Civil Contingencies Act 2004

 

[21] Gov.uk (2013). The role of Local Resilience Forums

 

[22] Gov.uk. (2017). National Risk Register (NRR) of Civil Emergencies

 

[23] Government Office for Science. (2012). Blackett Review of High Impact Low Probability Risks

 

 

(July 2020)