Why we really do risk management

It’s encouraging to see the Cabinet Office publish a National Risk Register, which sets out the Government’s assessment of the likelihood and potential impact of a range of risks that may directly affect the UK. It’s primarily designed to raise awareness.

The problem with risk registers is that when you combine risks at such a high level, they become so generalised and vague that they fail to serve much of a useful purpose. Take the section on electronic attacks, for example. It states that:

“The risk and impact of electronic attacks on IT and communication systems varies greatly according to the particular sectors affected and the source of the threat… There is a known risk to commercially valuable and confidential information in some government and private sector systems from a range of well resourced and sophisticated attacks.”

That’s not much use to anyone. But the fault is not with the Cabinet Office. It lies with the flawed process of risk management itself, which takes detailed views of threats and exposures and shoe-horns them into an oversimplified set of categories, losing all the richness of the original assessment. It’s clearly a process designed to tick a compliance box, not to deliver a business benefit.