Updated: 6th February 2009
Last August the Cabinet Office published the first UK-wide National Risk Register, setting out the government’s “assessment of the likelihood and potential impact of a range of different risks that may directly affect the UK”. Inevitably, the register has been drafted largely as a consequence of the very real security threats that face the country, but also with regard to other potential national threats such as a bird flu pandemic.
The register provides a national risk assessment of the most significant crisis and emergencies that the UK, it’s citizens and key organisations, such as utilities, could face over the next five years.
The implementation of a risk register in itself is not new. What is new is the range of corporate activities that an effective, modern risk register should cover and the extent to which all organisations should now consider adopting one, or refreshing their existing register, and underpinning risk assessment, if one already exists.
In a world wise to the potential of terrorist attack after 9/11 and 7/7, as well as a growing number of integrated threats (such as the proceeds from financial crime being used to fund terrorism), an integrated response is required in the form of a sophisticated and comprehensive risk register. Statistically, the frequency with which a major incident hits an organisation is now down to once every 1.7 years, a fall from once every 3.8 years not so long ago.
Every successful business of any real size operates a significant number of critical business processes: for example, how vulnerable are they to attack and has that vulnerability been assessed and is it being managed?
The key to producing a meaningful and effective corporate risk register is the initial risk assessment process. The starting point is to confirm the overall purpose and critical corporate objectives of the business. From this first step, every potential threat and risk to the achievement of those objectives and the effective functioning of the organisation should be brainstormed and recorded, no matter how improbable or remote. This process really does require open thinking, devoid of any prejudices, restrictions or self-imposed barriers. No-one in the US government supposedly ever thought that terrorists would fly planes into the World Trade Centre buildings because it was considered too unbelievable.
However, post 9/11, the US Pentagon and intelligence community engaged the Hollywood film industry to consider potential threat scenarios, as well as potential solutions to those threats. It was deemed that they possessed the necessary imagination that had previously been lacking in defence and security planning. Indeed, the US government’s own national risk register and disaster recovery plan was overhauled partly on the basis of this new approach. The cross-fertilisation of ideas and specialisms for the collective good is one of the cornerstones in current thinking about risk assessment and risk management.
In February 2007, the UK government established the Centre for the Protection of the National Infrastructure (CPNI), formed from the merger of the National Infrastructure Security Co-ordination Centre and a part of MI5, the National Security Advice Centre, to disrupt threats to national security. It provides security advice to the businesses and organisations that make up the national infrastructure, working with a variety of partners in the public and private sector to reduce the vulnerability of the national infrastructure, focusing in particular on critical national infrastructure.
For utility companies, reviewing the Cabinet Office’s National Risk Register and visiting the CPNI’s website is a start to updating their own corporate risk registers. Certain corporate risks have less to do with national security than with consumer and shareholder confidence, as well as brand reputation.
In the current economic climate, consumers and other stakeholders want to be certain that their essential supplies and services are free from attack (for example, that water reservoirs are free from contamination, or that gas, petrol and oil supplies are not vulnerable to disruption) or other destabilising factors. Additionally, unlike other corporate sectors, its role in the national infrastructure network also makes the utilities industry more susceptible to government scrutiny.
The message, then, is that preparing for the worst the future can throw at you can provide a real corporate advantage today.
Julie is a law graduate who qualified with Price Waterhouse in 1994. Julie joined Smith & Williamson in 1997 and became a partner in 2001. With Mike Stevenson, Julie set up Middleton Partners offices in Salisbury and Southampton, both of which are now part of Begbies Traynor.
Julie is a member of the Insolvency Practitioners Association and is a Fellow of The Association of Business Recovery Professionals. Julie deals with all aspects of Corporate Recovery and turnaround work and takes all form of personal insolvency appointments.