New PM will need to act fast to get a handle on risk-management, report finds
Think tank cites growing cyberthreats and a lack of incentives for policymakers to develop technical skills
Credit: SurveyHacks/CC BY 2.0
A think tank has warned that Boris Johnson’s administration has failed to learn appropriate lessons from the coronavirus pandemic on preparing for extreme risks and that the new prime minister and government will need to do so urgently – with cyberthreats cited as a major growing danger.
The Institute for Government said reorganisation was needed to deliver a “fundamental change in culture giving much greater priority and clout to risk management”.
A new report from the organisation finds that “the kinds of risks” facing government are changing rapidly, not least in the realm of technology and cybersecurity.
“Rapid technological progress has also produced new risks, around biotechnology, for example,” ot said. “Distinguishing between malicious attacks and accidents has become more complex, with increasing cyberattacks and biosecurity threats.”
The government needs to adopt a modified “three lines of defence” model, which separates out responsibilities for risk management, oversight and audit, according to the IfG report.
Managing extreme risks: How government can learn from Covid to be better prepared for the next crisis argues that the first line of defence – day-to-day risk management – should remain with departments, with permanent secretaries explicitly responsible for contingency planning.
- Ransomware: Cabinet minister sounds alarm over ‘greatest cyberthreat to the UK’
- Departments to undergo independent audits of cyber resilience
- NCSC warns UK organisations to bolster defences against Russian cyberthreat
The proposal seemingly endorses civil service chief operating officer Alex Chisholm’s reluctance to create a cross-government chief-risk-officer role, against the recommendations of the House of Lords Risk Assessment and Risk Planning Committee.
However, the IfG said the Cabinet Office should take action to rectify a current lack of incentives to for officials to develop risk-management expertise.
Areas in which the think tank identified a shortfall include “risk analysis, modelling, systems and foresight thinking, biosecurity expertise, AI, and digital, and data and technology skills more generally”.
“Some of this is due to wider issues, including a workforce culture that does not encourage officials to stay in one area and develop specialist skills and expertise,” the report said. “The government has also acknowledged that recruiting individuals with digital, data and technology skills can be hard given pay competition from the private sector. Locating policy makers with the right skills and an interest in working in this area can also be a problem – we heard that this was often reliant on personal networks remembered from previous crises.
Under the IfG’s proposed its three-lines-of-defence model, the second level would involve overhauling the Cabinet Office’s Civil Contingencies Secretariat, giving it heightened powers to hold departments to account for their preparedness.
The report said CCS director Roger Hargreaves had described the secretariat as having a “refereeing role” to ensure that departments were engaging with risk management. However, the secretariat does not have the power to formally audit departments or interrogate their risk plans.
The IfG report said the new CCS risk-management unit should be separate from the crisis response function to ensure it can focus on long-term risk. It added that the second line of defence should also have a “strong minister”, such as the Cabinet Office minister, to convene a new cabinet committee to coordinate the management of cross-government risks and reach agreement on trade-offs.
The third line of defence would be audit. The IfG said parliament and the National Audit Office should strengthen their scrutiny of risk management, with MPs creating a new cross-cutting joint committee to scrutinise preparedness.
It said the government should also consider the case for a new external body, along the lines of the Climate Change Committee or the Office for Budget Responsibility, that would provide expert advice and scrutiny, and which would effectively be a fourth line of defence.
The report also said the Treasury should require departments to explicitly consider risk management in their spending review bids, potentially through inclusion in the “strategic enablers” section of each department’s outcome delivery plan.
Report authors Rosa Hodgkin and Tom Sasse said that although the UK had identified pandemics as a key risk, Covid-19 revealed how departments failed to plan for measures such as economic support and closing schools, and significantly underestimated the potential impact of a new infectious disease.
They said departments had also struggled to prioritise risks alongside other day-to-day pressures, while central coordination was weak, and that a focus on efficiency meant preparedness was generally only assessed when crises occurred.
Hodgkin and Sasse said that “important lessons” from past exercises – some of them recent – had not been applied, while key services had limited spare or adaptable capacity when they entered the pandemic.
They added that although the prime minister had committed to improve risk management, a new National Resilience Strategy was now overdue and was understood to have been given insufficient priority by the relevant senior officials.
“The Covid pandemic has shown the potential costs of failing to prepare effectively,” Hodgkin said. “The new government needs to overhaul the UK’s risk management system to make sure the UK is better prepared for the next crisis.”
Share this page
CONTRIBUTIONS FROM READERS
Please login to post a comment or register for a free account.
Security minister confirms intelligence agency is investigating the video app
Peers to examine possible uses of autonomous weapons, as well as their legal and ethical ramifications
MSPs are issued with advice following consultation with National Cyber Security Centre
Campaigners warn that ‘virtual actions are not adequately addressed’ by existing law or pending legislation