Risk management in the UK: What can we learn from COVID-19 and are we prepared for the next disaster?

Published on 12 November 2020


It is important that governments use COVID-19 as an opportunity to learn in order to be able to protect citizens from future pandemics or other disasters.

This paper assesses how prepared the UK was for a pandemic and suggests ways to ensure it is prepared for future disasters. The shortcomings identified should be seen as opportunities for improvement, rather than criticisms – as no risk assessment or risk plans will look perfect in hindsight. Evidence is drawn from both desk research and interviews with current and former UK civil servants from across government, and comparisons of UK government processes with best practice internationally and in the private sector.

There are areas for improvement with the National Security Risk Assessment (NSRA):

  • The NSRA does not sufficiently explore high-uncertainty risks (risks where estimating the likelihood is difficult). This is due to the exclusion of low-probability risks and emerging risks, and too great a focus on recent events.
  • The NSRA categorises and compares risks in a potentially misleading manner, with descriptions of risks being based on what is considered reasonable to plan for.
  • The NSRA process could benefit from greater use of external expertise.
  • In the light of COVID-19, it is notable that the NSRA focused too much on influenza rather than other diseases. For example, the most recent National Risk Register claimed that “emerging infectious diseases” (which would include COVID-19) could lead to “up to 100 fatalities”.

There is also scope for improving the UK’s risk planning:

  • There is no set process, body of expertise or oversight mechanism in place to ensure that departmental risk plans are adequate.
  • In the light of COVID-19, it is notable that the UK’s pandemic influenza strategy did not make any plans for a lockdown, despite this being one of the dominant response strategies to COVID-19.

The UK has good risk management processes by international standards, yet the issues with the NSRA are sufficiently serious that major risks to the UK may be going unidentified. We hope the government will recognise the importance and urgency of addressing this.

Some of these issues are symptomatic of broader political and civil service short-termism. We therefore welcome the focus on long-term, expert-led thinking in the government’s civil service reform agenda. Other issues can be addressed with simple fixes. We hope that the recommendations in this paper will help the government to address them, and we offer our ongoing support.

Recommendations for government

  1. In learning the lessons from COVID-19, the government must not focus solely on pandemic risks, as the next catastrophe may be entirely different. All parts of the government responsible for aspects of national risk management should be reviewed or undertake internal exercises to learn from COVID-19.
  2. The UK should take the lead in ensuring that risk management improves globally by encouraging commitments to spend a target percentage of GDP on risk prevention, convening a global network of government Risk Officers, and sharing best practices.
  3. Ensure the NSRA captures high-uncertainty risks, so as to close gaps in the risk assessment process. This can be achieved by including low-probability and emerging risks in the NSRA, by looking beyond the recent past, by using techniques such as red teaming and tabletop exercises, and by greater use of a vulnerability-based approach to risk assessment.
  4. Improve how the NSRA categorises, compares and communicates risks, so that policy makers have a clear understanding of the risks. In particular, consider moving from reasonable worst-case scenarios to pre- and post-mitigation worst-case scenarios and finding additional ways to highlight uncertainties.
  5. The NSRA process should make greater use of external experts so as to minimise the risk of blind spots and groupthink. For example, consider giving a mandate to review and provide feedback on the full NSRA to an independent body.
  6. Establish a government Chief Risk Officer (CRO) and associated unit. This unit would carry out depoliticised risk assessments, support departments in developing flexible risk plans, assign responsibility for acting on risks to ministers, and hold ministers to account for the quality of their department’s risk plans. This unit should have a degree of independence from Ministers.


This paper was produced by the authors, who are Research Affiliates at the Centre for the Study of Existential Risk. The opinions expressed in this publication are those of the authors and do not necessarily reflect the views of the Centre for the Study of Existential Risk.
An earlier version of this paper was submitted to the House of Commons Science and Technology Defence Committee in response to a call for written evidence.
