In recent times we have experienced major and cumulative risk events. From an unprecedented heatwave in the UK (temperatures in excess of 40°C in July 2022); to increased pressures on an already-stretched health service due to COVID-19 and seasonal flu-related hospitalisations; and including the cost of living crisis; power supply vulnerability; and widespread industrial action.
There are more examples that could be added, like ongoing cyber insecurities, including the media reported distributed denial-of-service (DDoS) attacks on NATO members, for example on major US hospital networks and German infrastructure and government websites in retaliation for pledges of increased military aid to Ukraine.
Concurrent events and cascading effects
Against this background, we can see that risks may be concurrent, with far-reaching cascading effects through society or our infrastructure. As risk practitioners it is more important than ever to recognise that risks do not materialise in a vacuum, and to be mindful of this complexity and volatility, and the threat of concurrent events and cascading effects.
Although there is academic debate around terminology, a single event may result in a ‘domino effect’ of cascading effects. An example of this is wide-area power loss, with various impacts. Related impacts can range from health (heating and ventilation, spoiled food, drinking water and wastewater, and healthcare); through school and workplace closures; and transportation (public transport, traffic signals, fuel pump operation); to online banking and ATM operations. This is illustrated in the open-source study by UCL.
There is also the risk of concurrent events with potentially unrelated causes, amplifying the effects of an incident or emergency, and putting additional pressures on already-stretched communities and resources.
As a related point, we often see secondary disasters with emergencies. For example, the immediate aftermath of the recent Turkey-Syria earthquake. The primary event revolved around those trapped, but a secondary tragedy unfolded, involving millions of survivors without food, water, clothing or shelter, in freezing weather and unsanitary conditions.
Resilience
In late 2022 a collection of government documents were published emphasising the importance of understanding the complexity and interconnectivity of risk in today’s volatile threat landscape.
While resilience practitioners awaited the publication of the delayed National Resilience Strategy (UK Government Resilience Framework), the Joint Committee on the National Security Strategy published its report into Critical national infrastructure in an age of climate change in October 2022.
This report highlights interdependencies between infrastructure sectors, and cascading risks, citing Storm Arwen and the near-flooding of the National Blood Bank among examples. The report warns that we should recognise the ‘hugely volatile’ nature of climate change, adding that ‘what might seem impossible and even implausible can happen, and it can happen tomorrow’.
In December 2022 the UK Government Resilience Framework was published. It is the the result of a consultation into a proposed National Resilience Strategy launched in July 2021, following an undertaking in the Integrated Review of March 2021.
The Framework emphasises the importance of resilience in a volatile, complex risk landscape. The Ukraine conflict; the growing impact of climate change; ongoing impacts of COVID-19 and the threat of new pandemic and emerging infectious disease; and rapidly evolving cyber threats are some elements of today’s risk landscape.
The Framework was preceded in October 2022 by the publication of the long-awaited updated classified National Security Risk Assessment (NSRA). This is available on a restricted basis via the secure Civil Contingencies information sharing platform, Resilience Direct.
The NSRA acknowledges the impacts of climate change on the risk landscape. It has expanded the impacts categories used to reflect cross-societal effects, and emphasises the importance of understanding interdependencies between risks, and the amplifying effect of concurrent events.
The National Risk Register (NRR) is the public-facing version of the classified NSRA. The NRR summarises key risks to the UK over a two-year horizon. The current NRR was published in December 2020, with an updated version still awaited at the time of writing. With the NSRA having moved away from a siloed approach to viewing risks, it is hoped that the NRR will represent a useful contribution to achieving the Framework’s ambitions to promote a shared understanding of risk within a whole-of-society approach.
Although today’s risk landscape can feel somewhat bleak and tumultuous, and maybe even overwhelming, it emphasises the value of the approach to risk embedded in the Civil Contingencies Act 2004 and supporting guidance. This is that once risks have been identified and treated, we should focus on cause-agnostic mitigations for their effects. In the organisational setting, these would include clear, current, accessible, action-based, validated and tested incident and business continuity plans.
These plans should be based on agreed arrangements rather than aspirations. They should be understood by those with roles in them, supported by mapped and tested interdependencies. These should include the provision made by key support services such as digital services and facilities management; and provide for resilient incident communications and staff welfare arrangements.
If we can widen information-sharing, partnership working and collaboration to promote a whole-of-society shared appreciation of the complexities of risks facing the UK today, this can only be a positive step towards genuine societal resilience.