About the National Risk Register

Overview

The National Risk Register (NRR) is the external version of the National Security Risk Assessment (NSRA), which is the government’s assessment of the most serious risks facing the United Kingdom.

The UK faces a broad and diverse range of risks, including threats to lives, health, society, critical infrastructure, economy and sovereignty. Risks may be non-malicious, such as accidents or natural hazards, or they may be malicious threats from malign actors who seek to do us harm.

The risks that meet the threshold for inclusion in the NRR would have a substantial impact on the UK’s safety, security and/or critical systems at a national level. The NRR includes information about 89 risks, within nine risk themes - although several risks could be categorised under more than one theme. These are:

  • Terrorism
  • Cyber
  • State threats
  • Geographic and diplomatic
  • Accidents and systems failures
  • Natural and environmental hazards
  • Human, animal and plant health
  • Societal
  • Conflict and instability

The NRR assesses the likelihood and impact for each risk, following a rigorous and well-tested methodology. Risks can manifest in different ways, with different levels of severity. To ensure the UK is prepared for a broad range of scenarios, the NRR sets out a ‘reasonable worst-case scenario’ for each risk. These scenarios are not a prediction of what is most likely to happen, instead they represent the worst plausible manifestation of that particular risk (once highly unlikely variations have been discounted). This enables relevant bodies to undertake proportionate planning. The NRR includes information on the capabilities required to respond to and recover from the emergency, should the risk materialise.

These are not the only risks facing the UK. The NRR focuses on ‘acute’ risks, which are discrete events requiring an emergency response. In addition, the UK faces a range of serious ‘chronic’ risks, which are long-term challenges that gradually erode our economy, community, way of life, and/or national security. To make the NRR most usable by resilience practitioners, these ‘chronic’ risks are not included in the NRR. This is a reflection of the need for a separate process for identifying and managing these risks, and the government is also focused on this. As set out in the Integrated Review Refresh, the government is establishing a new process for identifying and assessing these risks.

This edition of the NRR is based directly on the NSRA - an internal, classified risk assessment which is used within government and by local resilience forums and their equivalents in Scotland and Northern Ireland. The NSRA is produced using a rigorous and well-tested methodology, based on international best practice. It draws on input and challenge from hundreds of experts from UK Government departments, devolved administrations, the government scientific community, intelligence and security agencies, and independent experts. The process is evidence-led with 25,000 pieces of data used in the latest full assessment, finalised in autumn 2022.

What is different in this edition?

The UK Government Resilience Framework, published in December 2022, set out the core principle that developing a shared understanding of the risks we face is fundamental: it must underpin everything that we do to prepare for and recover from crises. To meet this aim, the government is committed to sharing its assessments externally wherever possible. 

For the first time since the NRR was first published in 2008, this edition of the NRR aligns with the structure and content of the classified internal NSRA, and is based on the same methodology. The government has declassified more risk information than ever before, adopting a transparent by default approach to the NRR, so that risk practitioners can see more clearly how the government identifies and assesses risks. Only in a small number of cases has highly-sensitive information not been included, for national security or commercial reasons.

The 2023 NRR also reflects changes to the underpinning methodology of the NSRA. Over the past two years, the UK Government has led the most substantial review of the NSRA since its inception, including external challenge from the Royal Academy of Engineering. The review was also informed by the House of Lords special inquiry into risk assessment and risk planning. Although the fundamentals of the NSRA remain consistent, we identified a set of significant changes to ensure the NSRA is comprehensive, accurate and usable. Key changes include:

  • Focus on acute risks: as above, to make our risk products most usable by resilience practitioners, they are now focused on discrete events that may require an emergency response. Chronic risks are not included; the government continues to address these through ongoing policy and operational work.
  • Longer assessment timescales: non-malicious risks are now assessed over 5 years as they can be assessed with confidence over a longer timeframe. Assessment timescales for malicious risks remain at 2 years.
  • New and updated impact measures: learning lessons from COVID-19, a new impact indicator was included on the government’s ability to deliver services. Other indicators were updated, such as disruption to education and child services.

COVID-19 pandemic

The most significant risk to materialise in the UK in recent years has been the COVID-19 pandemic. This has impacted all aspects of society and will have consequences into the future.

The risk of a pandemic has long been identified as one of the most serious risks facing the UK. The reasonable worst-case scenario used for planning purposes has in previous versions been based on an influenza like illness pandemic. Any new pathogen transmitted by the respiratory route is likely to share characteristics with influenza in that it can spread rapidly via close proximity, can travel rapidly and there are few easy immediate countermeasures. It has therefore been a planning assumption that a plan for pandemic influenza would have considerable overlap with a plan for other diseases easily transmitted by the respiratory route. 

The lessons from COVID-19 have been incorporated into the government’s risk assessment methodology. The reasonable worst-case scenario has been reshaped into a more generic pandemic scenario reflecting a broader range of possible manifestations, and additional impacts, measures and data have been incorporated into the assessment.

How does the government plan for risk?

The government has comprehensive plans to build resilience to specific risks, including those set out in the NRR. For example, the government has published the Net Zero Strategy, the National Cyber Strategy, the Government Food Strategy, the British Energy Security Strategy, and the UK Biological Security Strategy

However, no risk assessment will ever be able to identify and assess every possible risk. The NSRA uses common consequences of risks - such as mass fatalities and casualties, contaminated environments and disruption to a range of critical services. The government develops generic capabilities that can be used to respond to these impacts, regardless of the risk that caused them. This means the government can respond flexibly to the widest range of risks.

Although the UK Government has an important role to play in assessing and planning for risks, the local level is critical to the UK’s resilience. The 38 Local Resilience Forums (LRFs) in England, the four LRFs in Wales, three Regional Resilience Partnerships (RRPs) in Scotland and Emergency Preparedness Groups in Northern Ireland play a critical role in bringing local responders, such as the emergency services, together to plan for risks. Local resilience partners produce Community Risk Registers (CRRs), which focus on the highest priority risks in each local area. The NRR should be read in conjunction with the CRR for the relevant local area.

Who should use the National Risk Register (NRR)?

The NRR is designed for a broad range of risk and resilience practitioners. This includes, but is not limited to:

  • Practitioners, including in voluntary and community sector organisations, who may play a central role in planning for and responding to emergencies and crises but who may not have formal contingency planning responsibilities.
  • Businesses, including small and medium sized enterprises, and those who operate critical national infrastructure (CNI), who have a need to understand the most serious risks that could impact their business continuity.
  • Academics and experts, from a wide range of disciplines and backgrounds, who play a critical role by providing external challenge.

This edition of the NRR is not targeted at the general public. Instead, government (at both the national and local level) will continue to provide tailored guidance and communications to help people understand the risks that are most likely to affect them, and the specific actions they can take to protect themselves. For example:

  • The ‘Run, Hide and Tell’ campaign helps people stay safe in the event of a marauding terrorist attack.
  • The ‘WeatherReady’ campaign helps individuals, families and communities prepare for and cope with severe weather.
  • The ‘Cyber Aware’ campaign provides advice on how to stay secure online.

In addition, the UK Government has launched the Emergency Alerts service, to get urgent messages quickly to mobile phones when there is a risk to life, and provide clear instructions about how best to respond. While the alert service will initially be used as part of our severe weather and flood warning response capabilities, it could also serve a wider purpose and be used as an emergency response for other scenarios, such as public health emergencies, fires and extreme weather.