Why we really do risk management

It’s encouraging to see the Cabinet Office publish a National Risk Register, which sets out the Government’s assessment of the likelihood and potential impact of a range of different risks that may directly affect the UK. It’s primarily designed to increase awareness.

The problem with risk registers is that when you combine risks at such a high level, they become so generalised and vague that they fail to serve much of a useful purpose. Take the section on electronic attacks, for example. It states that:

“The risk and impact of electronic attacks on IT and communication systems varies greatly according to the particular sectors affected and the source of the threat… There is a known risk to commercially valuable and confidential information in some government and private sector systems from a range of well resourced and sophisticated attacks.”

That’s not much use to anyone. But the fault is not with the Cabinet Office. It’s the flawed process of risk management, which takes elaborate views of threats and exposures and shoe-horns them into an oversimplified set of categories, losing all the richness of the original assessment. It’s clearly a process that’s designed to tick a compliance box, not deliver a business benefit.


David, I agree with your conclusion that our current risk assessment methods are immature. I'd also take it further by saying that I don't believe we fully understand the risks of using a risk based approach too. I'm looking forward to many positive future developments in this area.

I agree with your view that the main purpose of the National Risk Register is to increase awareness. Though, I believe it could go considerably further in this respect if it had an element of self assessment and required a degree of ‘proactivity’ on the part of companies in assessing their vulnerabilities. The Register successfully sets out a number of possible threats, making a company’s job of establishing threats easier, but due to its generalizations they still have to go further to assess their susceptibility to the threat. I agree that the generalizations, such as the one you point out with the risk of electronic attack, do little to help a company when you are evaluating the level of risk to them. Though, a company checking the register for this type of threat is likely to know that, due to the nature of its business, it is already at risk of electronic attack, and consequently is likely to have sufficient measures in place to mitigate the threat. It is for smaller companies, or companies who have failed to foresee the numerous ways electronic attacks can be a threat, where a self assessment would be useful.