Breaking the Risk Illusion: From Causes to Consequences in UK Policy
Rethinking the National Risk Register
In The Emperor’s New Clothes, an emperor, blinded by fear of appearing foolish, parades in imaginary garments. It takes a child’s honesty to reveal the truth: "But he isn’t wearing anything!" This fable warns of the dangers of unchallenged consensus - a theme echoed in how we assess and prioritise risks today.
A real-world parallel can be found in the story of Nick Brown, a middle-aged MSc student who challenged Professor Barbara Fredrickson’s celebrated “positivity ratio.” This widely accepted and peer-reviewed concept, immortalised in her bestselling book, claimed that human flourishing required a precise ratio of 2.9 positive emotions to every negative one. Brown’s scrutiny exposed critical flaws in the theory’s mathematical underpinnings, reminding us that even well-intentioned frameworks must be rigorously examined to ensure they do not perpetuate false assumptions.
For years, I have argued that risk management frameworks often fall into similar traps. In my previous articles, The Illusion of Mathematical Certainty and Stop Trusting Likelihood, I critiqued the over-reliance on probability-based assessments. While these models appear precise, they often obscure the complexity of interconnected systems. By reducing risk to a simple calculation of likelihood multiplied by impact, such frameworks risk creating a dangerous illusion of control.
Building on this foundation, this critique of the recently published 2025 National Risk Register (NRR) seeks to strengthen its methodology and utility. The NRR is not merely a document; it is the model on which much of the nation’s risk management strategy is built. If the credibility or usability of the NRR falters, so too does the resilience planning that relies on it. As the UK’s foundational framework for resilience planning, the NRR must be robust enough to stand up to scrutiny, so with that in mind there are three areas which merit study:
1. Risks or Causes? A Question of Focus
The NRR claims to be “cause agnostic,” asserting that it focuses on the shared consequences of risks rather than their origins. However, a closer examination reveals that it identifies 89 causes of risk. These causes - such as pandemics, cyberattacks, and terrorism - are presented as distinct risks, but this approach prioritises the origins of potential crises rather than their consequences. For instance, critical infrastructure failures can stem from various causes, including cyberattacks, natural disasters, or industrial accidents. However, the NRR fragments these into separate categories, making it harder to address shared vulnerabilities.
It is important to acknowledge the operational value of understanding specific causes. Sector-specific expertise is essential for developing tailored mitigation strategies. Yet focusing exclusively on causes risks obscuring the broader, cascading consequences that transcend individual sectors.
A genuinely cause-agnostic approach would group risks by shared impacts, such as mass casualties, economic disruption, or infrastructure collapse. For instance, pandemics and cyberattacks could be linked by their potential to cause widespread public health crises or large-scale infrastructure failures. This shift would enable a more unified and adaptive approach to resilience planning.
2. The Illusion of Precision in Likelihood Calculations
The NRR assigns likelihood scores to risks on a 1–5 scale, often relying on assumptions and expert judgement. While this approach offers a useful comparative framework, it introduces significant challenges when applied to risks characterised by fat tails - those rare but catastrophic events that defy traditional modelling.
Speculating About Rare Events
Assigning precise likelihoods to low-probability events, such as pandemics or catastrophic infrastructure failures, creates a misleading sense of certainty. These events involve complex, evolving variables that historical data cannot reliably predict.
For example, the NRR assigns a likelihood score of 3 (1–5%) to a pandemic caused by a novel respiratory pathogen with an assumed attack rate of 50% and a case fatality ratio of 2.5%. While such probabilities provide a starting point, they obscure the uncertainty inherent in forecasting unprecedented scenarios.
Questioning Confidence Levels in Fat-Tailed Risks
The concept of confidence levels presupposes that the likelihood of a risk can be reasonably bounded, but this assumption becomes problematic for fat-tailed risks. By their nature, fat-tailed distributions capture extreme, rare events that often fall outside existing data and models. Attempting to assign confidence levels to such events risks creating a veneer of precision where none exists.
For example, a cascading failure in critical infrastructure, such as a widespread blackout or systemic financial collapse, might be assessed with a confidence level based on existing data. However, fat-tailed risks are inherently shaped by unforeseeable factors - such as interdependencies, feedback loops, or novel threats - that make such confidence levels inherently speculative. The act of assigning a confidence interval, in these cases, may simply reinforce an illusion of control.
Fat-tailed risks challenge traditional approaches by introducing profound uncertainty. Confidence intervals, while useful in stable systems, falter when applied to inherently unknowable phenomena. Rather than providing clarity, they can distort understanding by implying that uncertainty is containable.
3. Challenges in the Risk Matrix
False Equivalence
The NRR’s risk matrix combines likelihood and impact scores to create composite risk assessments. While this simplifies comparisons, it can create false equivalences between fundamentally different risks.
Risks with similar composite scores but vastly different implications are treated as equally significant. For example, a pandemic with a likelihood of 3 (1–5%) and catastrophic impact of 5 (up to 840,000 fatalities) scores 15, and a regional power outage with a likelihood of 5 (>25%) but a moderate impact of 3 (short-term disruptions to households and businesses) also scores 15.
This equivalence fails to reflect the qualitative differences between these risks: one poses an existential threat, while the other involves manageable disruptions.
The Elusive 89
The NRR tells us that it assesses 89 distinct risks spanning nine thematic areas, including terrorism, cyber, natural hazards, and societal risks. However, trying to identify all 89 risks and how they fit into the matrix or broader assessment is anything but straightforward. The matrix itself only explicitly visualises 63 risks, leaving a 26-risk gap that requires readers to dig into detailed summaries and infer where these additional risks might exist. Many of these gaps stem from:
As a result, even diligent readers may struggle to reconcile the total number of risks, let alone understand how they’re scored or prioritised, thereby reducing the NRR’s utility.
Strengthening the NRR for Resilience
The role of the NRR in informing resilience planning is vital. However, to fulfil its potential, it must address its methodological challenges. By placing greater emphasis on shared impacts, the NRR could better serve policymakers and practitioners.
It’s easy to criticise from the sidelines without offering an alternative, so in an upcoming article I will propose a structure for an alternative NRR framework, using newly available AI-powered analytical tools, that prioritises impacts over causes, integrates uncertainty more transparently, and equips policymakers with a practical, adaptable baseline for resilience planning.
Head of Operational Resilience, 3rd Party Assurance and Threats at the Phoenix Group | ex-Apple
1 month ago: Thoughtful read. Thank you.
Risk & Governance Expert - Enterprise Risk Management, Risk Governance, Performance Management, Risk Financing/Transfer. Innovator and thought leader.
1 month ago: Dennis, thanks for posting this interesting article. I agree with your general point that uncertainty and to a lesser extent many risks are far more complex and nuanced by cause and that frameworks and analysis techniques do not take this into account. I look forward to reading your follow up article. Just sent you an invitation to connect.
Empowering organizations through systems thinking, ethical leadership, ISO 31000 training, and team alignment for better decision-making and continuous improvement.
1 month ago: I just submitted an article to the Journal of Risk Research with the title: "Developing a conceptual model for understanding and managing risk by employing an etymological, ontological and epistemological exploration approach." In that article: Scholars who view risk solely through a mathematical lens often focus on quantifiable elements like probabilities and statistical models, overlooking the broader nature of risk. While these tools offer valuable insights, they fail to address uncertainties that cannot be easily measured. Risk inherently involves unknowns that vary based on context, information levels, and emergent factors. Thus, effective risk management requires more than calculations; it demands qualitative methods such as dialogue and consultation to address the full spectrum of risk. Ontologically, risk is the effect of uncertainty on objectives, and while some uncertainties can be quantified, others, such as those arising from human behaviour, organizational culture, or strategic decisions, are ambiguous and resist mathematical modelling. Dialogue generates trust, gathers contextual insights, and explores subjective uncertainties that cannot be reduced to numbers but are vital for understanding risks in complex systems.
What’s missing for me is also a reference to combined or compounded risks - does degraded infrastructure lead to higher risk of flooding, for example?