The UK government released the National Risk Register today. You can find the full document here.
The National Risk Register is an essential tool for enhancing the UK’s resilience, offering increased transparency and fostering mutual comprehension of the threats we confront. By delivering priceless insights, this report equips us with the tools needed to invest, prepare, and react more effectively.
Below we summarise and look into the 12 highest-scoring risks.
The National Risk Register (NRR) aims to prepare the UK for various potential risks by assessing their likelihood and impact via a tested methodology. It outlines a ‘reasonable worst-case scenario’ for each risk; these are not predictions but the worst plausible manifestations. This allows for proportionate planning. The NRR also includes the required capabilities to respond and recover should the risk materialise.
The NRR focuses on ‘acute’ risks, i.e., discrete events requiring an emergency response. ‘Chronic’ risks, or long-term challenges, aren’t covered by NSRA’s NRR, requiring a separate process for identification and management, which the government is also working on.
This edition of the NRR is based on the National Security Risk Assessment (NSRA), an internal classified risk assessment used within the government, developed from expert inputs and substantial data. The NSRA’s underpinning methodology has been updated to ensure comprehensiveness, accuracy, and usability, focusing on acute risks and extending non-malicious risk assessment timescales to five years.
The NRR aligns with the NSRA for the first time since its inception in 2008, declassifying more risk information than ever before for a transparent approach, barring a few exceptions for national security or commercial reasons.
Here we will go a little deeper into each of the highest-scoring risks.
Navigating a global pandemic involves understanding its spread, symptoms, immunity, treatments, and impact on healthcare. As per experts, respiratory pathogens could most likely cause future pandemics. However, the UK government is prepared for various scenarios covering different transmission routes, both known and unknown. Learnings from exercises and incidents, including COVID-19, help shape the response strategies.
Worst-case scenarios consider an unmitigated respiratory pandemic that could last 9+ months, potentially impacting half of the UK’s population, with significant hospitalisations and fatalities.
While it’s challenging to predict each pandemic’s exact impact, preparedness measures include disease surveillance, early detection, rapid testing, procurement of pharmaceutical countermeasures, effective non-pharmaceutical interventions, and managing excess deaths. Every sector, including health and social care, would be affected and need capabilities to respond. Post-pandemic recovery may take years, mainly if multiple waves occur.
Conventional attack: civil nuclear
Civil nuclear power is vital for the UK’s energy resilience and transition to clean energy. The Office for Nuclear Regulation ensures nuclear power sites are equipped to counter advanced attacks potentially causing loss of nuclear material or radiation release.
While extremely unlikely, the UK is legislatively required to plan for scenarios including physical attacks leading to off-site radiological contamination at civil nuclear installations, which may also necessitate active counter-terrorist operations. Scientific modelling informs these plans and potential countermeasures. Varying scenarios could see smaller-scale attacks with lessened impact.
The response would require a multi-agency effort, including counter-terrorism policing, comprehensive communication with the public, and swift implementation of protective measures. Significant long-term security, health, environmental, and economic impacts would necessitate sustained recovery in affected areas.
Conventional attack: electricity infrastructure
The UK prides itself on a highly resilient electricity network, with industry continuously working to minimise the risk of unplanned disruption. Though a successful attack on our electricity infrastructure has yet to occur, plans are in place to handle any significant disruption based on past attempts and international incidents.
The reasonable worst-case scenario would involve a conventional attack on major electricity infrastructure, leading to instant regional power cuts. The network operator would quickly act to stabilise the grid and reconnect most customers. Preparations to support broader recovery and maintain operations across multiple sectors, such as telecoms and emergency services, would be necessary.
While most customers could expect to be reconnected within 24 hours, recovery could take several weeks in cases of widespread damage or remote network impacts due to accessibility issues and the time required for physical repair. Full restoration of the affected infrastructure might take 6-12 months.
The UK’s fuel supply infrastructure, critical for fuel production, import, and distribution, could be disrupted by those with malicious intent, impacting regional fuel supply and posing severe risks to the onsite workforce.
Our reasonable worst-case scenario involves a physical attack on a vital segment of our fuel supply infrastructure, causing production, importation, and regional distribution disruptions due to physical damage or operational loss. The fuel sector would need time to fully adapt to such a critical asset’s temporary or permanent loss.
Response to this scenario involves proactive engagement with public bodies like the police and execution of contingency plans listed in the National Emergency Plan for Fuel. This plan includes potential fuel prioritisation for emergency services and retail customer rationing under the Energy Act.
Post-incident, fuel stocks would quickly recover once the affected site resumes operation. However, the restoration timeframe depends on the extent of infrastructure damage, regional stock levels, the number of sites depleted, and demand levels.
Positioning, Navigation, and Timing (PNT) services, key to the UK’s infrastructure, enable vital functions across various sectors like telecommunications, transport navigation, and timing. A loss of PNT services due to technological failures or malicious activities can have catastrophic effects locally and worldwide.
Our reasonable worst-case scenario involves a severe technical failure in a Global Navigation Satellite System constellation due to hardware failure or human error, resulting in corrupted data delivery. This failure would lead to significant disruptions in transport, communication networks, financial services, energy, and emergency services within a few hours.
Variations include severe and organised crime, jamming and spoofing activities, state threats to PNT services, and severe space weather disrupting satellite provision. While the impacts would likely be similar, the required responses and recovery times would differ.
Response capabilities need resilient backup systems for critical infrastructure and enhanced national and global space situational awareness. Full recovery could take several weeks, with partial ongoing service issues. Mitigation strategies include accessing other satellite services and alternative PNT sources.
Severe winters with low temperatures and heavy snowfall can significantly impact human welfare, essential services, and the economy, as demonstrated by the ‘Beast from the East’ event in 2018.
The worst-case scenario involves snowfall across multiple UK regions for at least a week, with snow depths exceeding 30cm and temperatures below -3°C. Vulnerable communities, particularly older people and those with pre-existing conditions, would be significantly affected, leading to increased falls, injuries, road accidents, hypothermia, and potentially excess deaths. Significant disruption to transport networks, power, heating fuel supplies, telecommunications, water supplies, schools, and businesses would likely occur.
This scenario assumes that all impacts experienced during previous cold and snow events would occur. High-level and rural communities would likely be affected for longer. Variations could include longer events, more widespread coverage, and significant drifting. Events affecting the rest of Europe could disrupt supply chains.
The Met Office National Severe Weather Warning Service provides advance warnings for severe weather, enabling individuals and organisations to plan and mitigate potential impacts. UK Health Security Agency’s Adverse Weather and Health Plan improves existing guidance on weather and health, building on measures taken by the government, its agencies, NHS England and local authorities to protect individuals and build community resilience.
Longer-term impacts from low temperatures and heavy snow are not anticipated. However, secondary impacts such as increased utility system failures or flooding due to snowmelt might extend recovery time.
Emerging infectious diseases, including new or newly recognised diseases, could cause significant illness. High Consequence Infectious Diseases like Ebola and Middle East Respiratory Syndrome require an enhanced response system due to their high fatality rate, difficulty in rapid diagnosis, and limited effective treatment options.
In a worst-case scenario, a novel respiratory-transmitted virus originating zoonotically (from animals to humans) in another country could cause a regional epidemic. The virus could be from diverse families like influenza, coronaviruses, or Nipah. Notably, the disease could also spread via any of the five main transmission routes: respiratory, blood (including sexual contact), close contact, oral (food and water), and vectors such as mosquitos. An outbreak in the UK could lead to up to 2,000 cases with a fatality rate of up to 25%.
Preventive measures would include non-pharmaceutical interventions, rapid isolation, and contact tracing. A failure to contain the outbreak could lead to a large-scale epidemic in the UK or even a pandemic.
It is assumed that this novel pathogen would emerge abroad, have no effective treatment or vaccine, and lead to a significant outbreak in the UK. The outbreak could last from 2 to 6 months.
The response would focus on containment, including quick implementation of border measures, disease surveillance, early detection, provision of personal protective equipment, scalable diagnostics, and decontamination services. A national communications plan would also be crucial to increase awareness and promote good hygiene.
Recovery could potentially take several months to years, with possible long-term impacts on the health and social care system.
Nuclear miscalculation refers to a situation where one state misinterprets the intentions of another state, leading to a nuclear strike based on the false belief of an imminent attack. This could escalate a conflict to the nuclear level. The UK actively works under the Non-Proliferation Treaty to prevent the spread of nuclear weapons, promote cooperation, and advance nuclear disarmament, seeking diplomatic solutions to all conflicts.
The worst-case scenario would be a limited nuclear conflict between two states, not directly involving the UK. However, the impacts would be catastrophic for the affected region, causing mass casualties and fatalities and leading to famine due to fallout and climate impacts on food production. This could result in dramatically increased costs for basic and staple foods in the UK due to the increased demand for imported foods.
The human and economic impacts would necessitate large-scale, long-term humanitarian assistance. UK businesses with ties to the affected region could suffer, and British Nationals in the region would require support. There could be high levels of migration to the UK, increasing pressure on infrastructure.
In response, the UK would leverage its civilian staff qualified to monitor radiation levels, provide humanitarian assistance, and prepare border staff to handle increased refugee numbers. The extent of recovery needed in the UK would depend on the scale of secondary impacts. Recovery in the affected areas would take many years and require substantial investment.
Chemical, Biological, Radiological, and Nuclear (CBRN) attacks are considered a threat from malicious actors, including terrorists, hostile states, or criminals. While the UK has not experienced a large-scale CBRN incident, smaller-scale events have occurred, such as the death of Alexander Litvinenko from Polonium-210 poisoning and the Novichok attack on Sergei and Yulia Skripal. The government continues to work on reducing the vulnerability of the UK to CBRN attacks by improving detection and monitoring methods and limiting access to hazardous materials.
The worst-case scenarios for these types of attacks involve the release of a toxic chemical in an enclosed or unenclosed environment, disseminating a biological agent, and disseminating radiological material into an unenclosed environment. These scenarios can result in a significant number of casualties and fatalities, potential contamination of food or water supply, and significant economic damage. A nuclear event would be catastrophic, leading to widespread environmental damage and possible long-term exclusion of contaminated areas.
The assumptions for these scenarios include the existence of risk mitigation capabilities that can reduce casualties and limit the spread of hazardous materials. The response requirements include the quickest possible initial operational response for immediate lifesaving actions, followed by a specialist operational response to manage the hazard and provide further lifesaving actions, such as mass decontamination and specialist medical treatment.
Recovery from a CBRN incident could be time-consuming and costly, with potential long-term environmental hazards and significant mental health impacts on affected individuals and communities. The economy could take many years to recover due to widespread cross-sector impacts.
The National Electricity Transmission System (NETS) in Great Britain is crucial for transporting electricity. A failure of the NETS could lead to severe disruption of other critical systems, more significant than typical utilities failures. Although Great Britain has never experienced a nationwide loss of power, similar events have occurred internationally, like the 2019 blackout in South America.
The worst-case scenario involves a total failure of the NETS, leading to an instantaneous and unwarned nationwide loss of power for all consumers without backup generators. This would have cascading impacts on other critical utilities networks, including mobile and internet telecommunications, water, sewage, fuel, and gas. The disruption would significantly affect public services, businesses, and households and potentially cause loss of life. Reasons for failure could include an extreme weather event, a cyberattack, or cascading technical failures. The scenario assumes that the event occurs in winter when the electricity demand is high.
The response to such a failure would require preparations to support the continued operation of multiple sectors and the broader recovery process. This includes functioning telecoms, emergency services, and fuel distribution. Resilient communications systems, humanitarian assistance, and victim support should be in place for the incident’s immediate aftermath.
Recovery from a total NETS failure would be gradual. Within a few hours, small pockets of consumers would start receiving intermittent power supply. A significant proportion of demand would be reconnected within a few days to create a stable ‘skeletal network’. Full restoration could take up to 7 days, but restoration of critical services could take several months, depending on the cause of failure and damage. Due to the geographical distribution of generation across Great Britain, rural areas and northern regions are likely to receive power more quickly.
Explosive attacks in the UK can result from person-borne, emplaced, or vehicle-borne improvised explosive devices. Past examples include the 2017 Manchester Arena attack and the Liverpool Women’s Hospital explosion in 2021. The UK government mitigates this risk by restricting access to explosives precursor chemicals, improving detection capabilities, and maintaining knowledge of threatening explosive materials and methods.
Worst-case scenarios involve the detonation of an improvised explosive device in areas with high crowd densities. Such attacks would lead to multiple fatalities and casualties, potential structural collapse, and possible disruptions to utilities and transport services. Responses to an explosion may involve specialist and non-specialist responders, Explosive Ordnance Disposal and Urban Search and Rescue teams, and the Forensic Explosives Laboratory. Recovery would necessitate support structures for victims and could lead to short-term hospital overload, impacts on tourism, and significant physical damage.
Marauding terrorist attacks (MTAs) are another type of threat, where attackers deliberately seek targets using a variety of methods like vehicles, bladed weapons, and firearms. Examples include the 2017 London Bridge attack and the 2020 Reading attack. The UK government mitigates MTAs through a program that provides advice, guidance, and training for venues, public spaces, and specific sectors.
The worst-case scenarios for MTAs involve the use of firearms or low-sophistication methods, leading to fatalities, casualties, property and infrastructure damage, disruption to essential services, and economic damage. Responding to MTAs involves specialist responders, such as armed police, Hazardous Area Response Teams and Fire and Rescue Service MTA teams. As with explosive attacks, recovery requires local, regional, and national victim support structures, with potential short-term overload on hospitals and medium-term impacts on tourism.
Financial Market Infrastructures (FMIs) are vital networks that enable financial transactions within the UK economy. Their failure, particularly due to technological issues, could have severe impacts on the UK economy. The Bank of England regulates FMIs and Other Systemically Important Institutions (O-SIIs) to ensure operational resilience to severe scenarios, including technological failures.
The scenario envisaged is a technological system failure causing an outage in a systemically important UK FMI, significantly impacting financial transaction processing. Due to the non-substitutable nature of these systems and their importance to the UK financial system, a sustained outage could threaten the UK’s financial stability and have significant international repercussions. This could lead to government reputational loss and significant financial losses.
Key assumptions of this scenario include the technical fault directly impacting the IT operations of a UK critical national infrastructure FMI and surpassing the firm’s impact tolerances (the maximum tolerable level of disruption). Variations could involve different FMIs or include the technological failure of a systemically important retail bank.
In response to such a scenario, local and national plans would be needed to manage a surge in consumer-facing financial services demand, and collective incident response capability under the UK’s Authorities’ Response Framework (ARF) would be required.
Recovery from such an event could be protracted depending on the severity of the technological failure. Recovery capabilities would largely depend on the specific FMI’s response capability requirements and the robustness of dual-site running, as there is limited ability to transfer functions or use alternate channels due to the unique profile of each FMI.
The UK’s Overseas Territories (OTs) are particularly susceptible to high-impact natural disasters such as hurricanes, earthquakes, and volcanic eruptions. Notable examples include Hurricanes Irma and Maria in 2017, which led to widespread destruction across the Caribbean.
A potential scenario involves a hurricane hitting one or several Caribbean OTs, exceeding their local response capacity and requiring significant short-term (humanitarian aid and emergency services) and long-term UK response (relief and recovery). Such an event could result in fatalities, injuries, infrastructure damage, security consequences, economic impacts, societal disruption, and potential reputational risk for the UK government during the recovery operation.
This scenario assumes that the small government structures in the OTs lack adequate crisis management capacity. Variations could involve different types of disasters impacting the 14 inhabited OTs spread across the globe. For instance, a natural disaster affecting an OT could involve local populations and potentially large numbers of tourists. Other scenarios might involve active volcanoes erupting, causing widespread disruption and possible evacuations.
The initial response would require support to be flown in from the UK to collaborate with the OT government for longer-term recovery planning. Cross-government support may be necessary in the immediate response phase. The first few days post-disaster would be crucial for reopening ports, restoring order, and repairing key utilities. Subsequently, the operation would need to transition to a long-term support model to aid the OTs in rebuilding over time. The total impact is unpredictable but could potentially necessitate significant reconstruction efforts.
The reasonable worst-case scenario for an attack on a UK ally or partner outside of NATO or a mutual security agreement involves a large-scale air and land assault by a state with a powerful military. The attacked state would likely face significant military and civilian casualties and a refugee crisis. While the event doesn’t occur in the UK, British nationals would likely be involved, and humanitarian assistance would be needed.
To respond to such an event, diplomatic, economic (e.g., sanctions), and military capabilities would be needed to contain the aggressor state’s actions and discourage further aggression. Depending on the location, the recovery phase would have effects lasting several years and may cause disruptions to global markets. The impact could manifest as supply chain disruptions, reduced or cut-off fuel supplies, and overall global economic instability.
On the other hand, an attack on a NATO ally or UK-deployed forces that triggers a unanimous invocation of Article 5 of the Washington Treaty would lead to the activation of NATO’s response plans. If the hostile state’s forces aren’t ejected, and the crisis continues, this could disrupt the UK and European economies as economic ties with the aggressive state are severed. This situation could cause a large number of casualties and fatalities. There could be significant disruption to gas supplies depending on the crisis location.
The response to this scenario would necessitate a comprehensive range of military, diplomatic, economic, and informational capabilities. The recovery phase would mirror the previous scenario, with several years of impacts and potential economic disruptions.