From risk to resilience
Dr Simon Harwood on why our approach to national security threats requires a radical re-think
The UK needs to wake up – and fast. The Coronavirus pandemic has exposed our vulnerabilities – as individuals, in society, within businesses and as a nation state. It has made us realise that threats are interconnected, how a pandemic can affect the price of your house, how it can lead to food shortages or adversely, improve our air quality. We need to act now to make changes that will ensure we are better prepared to react to future threats, whatever they may be.
The world has changed, however, the threats to our national security remain the same, but it has become apparent that our process of evaluating and dealing with these risks is not sufficient. The Coronavirus pandemic has served to highlight what many among us in the academic community have been saying for some time now: we need a radical re-think of how we manage our national security risks.
The way in which we currently deal with the risks we face is simply not fit for purpose, and I share the fear of many in the security sector about how poorly prepared we may be to handle some of these risks as a result.
Currently, the threats facing the UK at home and abroad are assessed on a national security risk register, which looks at the calculated likelihood of them happening at the present time against their potential impact if they did.
Risks are demarcated into different categories, including whether they are viewed as domestic, foreign, natural or manmade risks. This is far too simplistic and is woefully inadequate for the complexity of the modern world, where risks cannot be viewed in isolation and are at best linked, if not actually systemic in the way in which they connect.
For example, a cyberattack will be listed separately from a perceived physical threat, such as the UK power grid going down. But, if the power grid does go down, it is quite likely to have been caused by a cyberattack. Likewise, there are connections to be made between terrorism and the natural world. Imagine a terrorist group blows up a dam, causing a flood. Was the risk the terrorist attack or the environmental catastrophe of the flood? The answer is that it was both.
The changing nature of the world around us means that the threats we face are increasingly interconnected, complicated by the online society in which we live. So we need to be looking not just at the risk alone, but the complex interconnectedness of those risks and our ability to recover, or resilience, to them.
The current open-source national security risk register contains little detail, and certainly not enough to enable the people who are required to deal with the risks to question, debate or experiment with the position of different threats, or our preparedness to face them. This leaves us vulnerable, as it hampers the ability of those able to mitigate these risks to do so.
It is absolutely right and proper that the Government should ‘own’ these risks overall, but our leaders are not wholly responsible for mitigating them: the public and industry have their roles to play in that. So, we need a framework that allows people to interact with those risks to enable them to be truly informed, to challenge where necessary, to plan and to prepare.
Finally, there is an alarming focus on what I call the ‘comfort’ of known threats. These so-called ‘grey swans’; those things that we know about and thus are somewhat comfortable with. But what about the ‘black swans’: those big risks that lurk ahead that we know nothing about? Do we have robust processes in place to identify those? If not, how can we seek to mitigate and properly manage them?
To ensure that we’re prepared for both the foreseen and the unforeseen, we need to move towards a model of anticipatory risk assessment – a permanent orientation towards understanding and embracing the risks we face, not just in the short-term, but in the medium to long-term as well, long term being 30 years+. We need to stop viewing risk management as an isolated issue or task, and instead embed risk assumptions into all areas of state reach.
But what use is simply having an ever-expanding list of risks that we do nothing about? It’s all very well to identify the likelihood of such risks occurring, but what would we do about each of them if they were to happen tomorrow?
As well as changing how we identify and document national security risks, it’s time for us to re-think how we assess those risks and move towards a comprehensive resilience framework that looks beyond the risk itself to include our ability to mitigate it. In other words, we need to be thinking about connected-resilience. The UK’s lack of resilience in some key sectors has now become a risk in itself, as exposed most recently by the Coronavirus pandemic. Of course, threats from a pandemic are always prominent on the national risk register, but they had been considered generally to be low-probability occurrences. So, if you think about the ‘business case’ for preparing for one – whether that’s in private industry or national security – why would you invest to mitigate a low probability event?
Well, the answer is that you invest to avoid some of the disruption, chaos, financial hardship, mental anguish and more we have experienced as a nation over the past 12 months and more.
We see now, more clearly than ever, that we’ve built organisations that are razor sharp in terms of resources that are mapped tightly against a clear business case, but that also means the operations are razor thin. We’ve done the same with our national security. Well, Covid has exposed everything that’s brittle about making efficiency the priority for both the public and the private sector.
As has so often been the case in recent years when extraordinary events – be they widespread flooding, foot and mouth disease, disruption of the petrol supply chain, Ebola – have occurred, our Armed Forces have again been drafted in to help manage the situation. What if they had been deployed extensively overseas on a mission? What would we have done then? We simply cannot continue to rely on our Armed Forces to ‘save the day’. There has to be a better way.
What if we had assessed our national security risks based on connected resilience – our ability to mitigate those risks – 18 months ago? Would that have made any difference? What about two years ago? Three?
We’ll never know, hindsight is 100 percent, but what we can be certain of is that we have an opportunity now to ensure different outcomes in the future. Coronavirus has exposed the vulnerabilities of risk assessment and business planning for efficiency rather than resilience. It is incumbent on us now to act to re-think how we assess national security risks and how we manage major crises.
We’ve got to better allow people who respond to such crises to prepare, better empower policy-makers and regulators to make informed decisions, and better enable industry to undertake robust resilience planning.
I believe this calls for leadership and decision-making from a dedicated national body that’s capable of working nationally, internationally and globally. This new ‘national emergency agency’ would not only determine the likelihood of different threats occurring, but also take responsibility for understanding to what extent they could be mitigated, setting out how that could be achieved and ensuring a plan for recovery in the worst circumstances.
This body would act as a source for public information and – crucially – highlight areas for new and emerging research and development to look at some of the risks and resilience.
It would also make use of one of – in my opinion – the best resources we have at our disposal to help manage such crises: the public, by mobilising an army of volunteer reservists trained to work across communities in the event of another crisis. This would, in effect, become a fourth emergency service, a group drilled to take its place alongside local councils and the emergency services, able to bring together, administer training and medical skills, perform crowd control and handle logistics and communication.
Under our current approach, we’re managing risks based on the narrow expertise of whoever is perceived to be responsible for addressing that threat, but matters of national security don’t follow the lines of Government departments or agencies. If you think about unmanned aerial systems as a threat that needs to be mitigated – who is responsible for that? Is it the Police or Home Office? Border Force? The Ministry of Defence? The Department for Transport? Or DEFRA, if they’re poisoning the food supplies we grow? The threats we face simply don’t fit into these simplistic models.
We need to look at how we undertake the operationalisation or management of mitigating these kind of threats, moving from individual expertise around a particular risk to looking at the interconnected nature of that threat. A new national emergency agency would enable us to do that.
Of course, there is no business case for any of this – we’re talking about low probability events and a high cost of implementation, and there are lots of other things to spend money on. But now, more than ever, we have got to start making the assessment of where we should be mitigating some of the risks we face, rather than just simply looking at a lists of risks alone. As a nation, can we really afford to keep making decisions about risk and resilience based on crude equations? There has got to be a better way we can work together in the interests and protection of this country.
Dr Simon Harwood has worked for Her Majesty’s Government as well as in the private defence sector prior to entering academia. He is currently Director of Defence and Security at Cranfield University.