Have you taken advantage of the National Risk Register yet?

Julie Nel, Founder and CEO of B4 Secure, recently sat down with IFSEC Insider for a detailed conversation on the application and relevance of the latest National Risk Register (NRR) published by the government.

The discussion, intended to advise organisations within every industry on how to benefit from the government’s risk assessments, is covered in two parts – Corporate Security and Risk Management and Organisational Resilience and Business Continuity.

Julie Nel, CEO of B4 Secure

Corporate Security and Risk Management

Could you tell us a bit about the National Risk Register (NRR) and what it means for businesses within the UK?

Julie Nel (JN): Essentially, the government is using their internal and more classified national risk assessments to understand the risks that the UK is likely to face. It is then advising the UK PLC of these risks through the NRR.

Governments have access to more geopolitical information and to the overall global situation than businesses generally do, so sharing this insight with non-government affiliated entities helps them prepare for big challenges too.

The idea here is to try and support businesses and organisations across the UK and give them a heads-up about what the government considers ‘big risks’. The NRR enables enterprises to integrate them into their risk registers and take advantage of government-backed support in navigating challenges.

This insight should feed into their business planning, their preparation, their policies, and how they ultimately respond.

How does the NRR impact corporate security heads and what should they look to understand from the register?

JN: First of all, it shouldn’t be just the security heads looking at the NRR. In fact, the roles of security professionals have now evolved significantly, especially at the director or top-management level. Many of their titles now include the terms “resilience” or “risk”. They may have even dropped the conventional “security” label and adopted titles like “Head of Business Resilience” or “Head of Continuity.”

As such, looking at the NRR should be a collaborative effort that extends across the entire business. Directors from all different areas of the business should look at how these risks will impact their specific role.

This means examining how it is going to impact operations. How is it going to impact, resourcing and staff? How is it going to affect finances? It shouldn’t just be the security lead’s responsibility to look after it all.

Therefore, my advice to corporate security heads would be, don’t think you are on your own, you need to encourage other members of the organisation to become accountable and support.

The NRR highlights 89 risks within nine risk themes. How should an organisation choose where to place its focus?

JN: Any organisation must start by honing in on different areas of the register itself. The NRR has categorised risks under comprehensive headings. There are certain areas that are very specific, for example, “animal disease” which may not have a direct impact on your business if you’ve got nothing to do with agriculture, farming, animal food, or something within that area.

In that sense, some risks may not apply to your business at all. However, as with all risks, it is important to keep in mind that there could be follow-on impacts. For instance, anything to do with a food shortage will have a direct impact on your staff.

As a business you will have to look at the impact of the risk happening on your business against the likelihood of it occurring to assist in prioritising which risk you need to be most concerned about. This can be done using the red-amber-green scale to help highlight these.

The next step is then to look at what affects your partners. What’s going to affect your supply chain? What is going to directly affect your staffing and resourcing? So, it is about pulling the relevant risks out and looking at them in different layers and the knock-on effect they can have.

Some of the threats included in the register are on a macro level and there is very little a security professional can do to influence them. Does that mean they can be taken off the threat monitoring radar?

JN: Many people tend to misconstrue ‘risks’ for ‘threats’. Risk is the likelihood and the level of impact an issue could have on your business. Whereas threats are the enabling factors for risks coming to fruition. Therefore, the majority of your risk register will likely be at a macro level.

The risks in the NRR, even if on a macro level, could have an impact on your business. For instance, terrorism is going to have an impact, but it is up to you to monitor the likelihood of it occurring.

Only you know your organisation, stakeholders, partners, supply chain, and staffing. As such, you will be able to then pick how “Terrorism” as that main heading, will affect your organisation. The same with diseases, utility shortages, and any of the other macros. It is then about drilling down underneath and understanding what part of that would affect you.

Organisational Resilience and Business Continuity

How can global and national threats impact or inform organisational resilience planning?

JN: So in a nutshell, you’re always going to get what we call the ‘Black Swans’, which are incidents that just haven’t been predicted by governments or security services. For instance, Israel did not see the Hamas terrorist attack coming and we did not see the global pandemic coming. This is because we live in an unpredictable world of humans, however, there is also a lot you can prepare for.

Businesses must remember that the biggest negative impact on their organisation may not aways be from an obvious, closer-to-home incident; it is often the unpredicted, ripple effects of an incident that could cause more damage. As the saying goes, “the flapping of the wings of a butterfly can be felt on the other side of the world”.

For instance, China looking at perhaps invading Taiwan may seem a long way away to impact your business. However, they are the largest manufacturer of semiconductors. Therefore, if such a situation arises, you must ask yourselves if you use any of these high performing chips? What happens if that supply chain dries up and you’re no longer able to get your IT products? It is that type of knock-on effect that organisations must prepare for.

It doesn’t mean you’ve suddenly got to go and spend thousands; it is all about understanding the possibilities and being prepared with a contingency plan.

It is about making sure that the business intelligence you’re getting through your strategic threat assessments/horizon scanning and perhaps some of your tactical threat assessments is feeding into your policies, training, business continuity plans, and processes.

What advice would you give to security professionals developing business continuity strategies?

JN: Oh, that’s simple. You’ve got to be informed. Ask yourself how do you get informed? How can you try and prevent or mitigate a risk? How can you even understand a risk if you haven’t been told about it?

There are a lot of companies offering business intelligence and threat assessments. You’ve got to decide as a business what suits your set up more.  If you’ve got a Business Intelligence Unit that is constantly scanning the environment for you, then make sure it’s giving you the answers you need as a policy and a decision maker.

These reports should be going up to C-Suite level, so that the directors from every area of the business can use them to help them run their respective domains.

How do you think businesses can keep on top of the risks highlighted in the NRR as they evolve with changing social, economic, and political landscapes? Are there any tools that you would recommend?

Credit: PantherMedia/AlamyStock

JN: I would strongly advise using professionally qualified analysts who are able to give you the assessments correctly and in a qualified manner because they are the experts. They also need access to or to be trained in open-source intelligence and know how to get the best out of the multitude of data out there.

You need to have your own systems that are picking up any incidents occurring internally because all of these things can lead to indicators and warnings about a risk suddenly becoming a real problem for you.

The way we, at B4 Secure, operate is by using various analytical tools, including PESTEL, which examine the political, economic, social, environmental, and legal aspects impacting an organisation externally and internally.

It is all about looking at the tri-factor of intent, capability, and capacity. While the intent or the viability of the threat is relevant, the presence of the capacity and the capability is required for any threat to carry through. The weather can always be unpredictable and you could always have a flood, but if you’re in the middle of a drought right now, there is a lack of the capability or the capacity for a flood.

As highlighted in the NRR, all your threat assessing should be conducted examining the likelihood and probability of the risk materialising. The probability yardstick used in the NRR should be utilised by any professional intelligence provider you employ.

Further reading:

• Why Enterprise Security Risk Management should incorporate mental health and wellbeing processes
• Securing executive buy-in: Using quantitative risk information for evidence-based corporate security management
• Bringing balance to security risk management – “Let’s fix the wobbly chair!” 

Free Download: The Video Surveillance Report 2023

Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2023 Video Surveillance Report. Over 500 responses to our survey, which come from integrators to consultants and heads of security, inform our analysis of the latest trends including AI, the state of the video surveillance market, uptake of the cloud, and the wider economic and geopolitical events impacting the sector!

Download for FREE to discover top industry insight around the latest innovations in video surveillance systems.

Download The Video Surveillance Report