Is the National Risk Register useful?

The UK Government released the latest update of its national risk register in August 2023. It’s a hefty tome at 192 pages – so is there something inside its covers for risk professionals in the United States? We think so. Let’s explore how.

Overview of the report

The report outlines 89 risks – perhaps better framed as scenarios. They are assessed on a severe but plausible basis across nine themes:

  • Terrorism
  • Cyber
  • State threats
  • Geographic and diplomatic
  • Accidents and systems failures
  • Natural and environmental hazards
  • Human, animal and plant health
  • Societal
  • Conflict and instability

As this is a national risk register, the risks naturally focus on threats, including ‘threats to lives, health, society, critical infrastructure, economy and sovereignty’.

Here are some notable observations about how the report or risks are presented:

  • A distinction is made between acute and chronic risks. By design, the report only includes acute risks that require swift response rather than strategic decisions
  • While risks are plotted on a risk matrix, some risks are grouped, highlighting the complexity and interconnectivity of risk
  • The report outlines its approach to assessing impact and likelihood, both of which are on logarithmic scales. Uncertainty about the assessment is also plotted on the risk matrix
  • Several scenarios could easily fit into more than one theme, again highlighting interconnectivity and overlap

Linking back to objectives

There is a lot of potential here for any risk, business continuity or operational resilience professional, including in the United States. The report even suggests that small to medium enterprises can use it to assess their business continuity capability.

In our piece earlier this year about economic threats and the WEF global risk report, we highlighted the point that risk is in the eye of the beholder. By its nature, the UK National Risk Report focuses on impacts at the national level. For organizations, those uncertain events must affect organizational objectives to matter. While we wouldn’t wish any of these events to occur, specific scenarios may even benefit some organizations. Take ‘disruption to global oil trade routes’. For those dealing in alternate fuels, this may be beneficial.

So how can you make use of it?

Here are a few things to consider to get value from the report:

Skim the list of risks

The baseline is to just read the name of each of the risks, and tag any you might have overlooked that could affect your own organization. The caveat is not to use it to create an ever-growing doom list – make sure they link back to your objectives. If a risk is not something you are going to act on, or that would change the way you make decisions, don’t include it.

Update existing information you have about the risk

You may have already captured the risk, or a similar one. While each risk entry in the report isn’t too verbose, you can leverage the extensive work already completed. It might cause you to see a risk from a new perspective, or a scenario at the national level might be a causal driver for a different risk in your risk profile.

Create scenarios

Perhaps the biggest value add is to use the key information to develop scenarios as part of your operational risk, business continuity or operational resilience programs. Depending on your circumstances, you might be able to lift them straight out of the report or use them as inspiration to create more salient and relatable story elements for scenarios adapted to your context.

You can then compare these scenarios against your own capability. Will your business continuity plans, incident management or crisis response stack up?

Account for second and third order effects across the extended enterprise

Consider not just how these risks might affect your own organization, but also how they might affect your key strategic partners. While they should be managing their own risks, the interconnectivity of our supply chains and dependence on vendors is becoming increasingly complex. For severe but plausible risks that might impact them directly, you may wish to seek assurance over their own resilience. If they provide you with resources to support your important business services, you might even include them in your operational resilience scenarios.

Adapt to your context

You need to consider your organizational objectives, but also adapt to the broader context. If you operate in another region or globally, you might localize some of the animal disease outbreaks. Instead of oil trade routes, perhaps there are other commodity trade routes that aren’t critical at the national level, but are critical to you.

Conclusions and next steps for your organization

Like any risk register or list of risks, what is relevant in one context might not be relevant in another. But with just a little bit of creativity and imagination, we can adapt scenarios to bring them to life and make them applicable in our own context.

About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.