In this week’s bulletin, Charlie discusses the usefulness of the UK’s National Risk Register and categorises the risks depending on the area they may affect.

A couple of weeks ago, we had a two-day ‘away day’ at PlanB Consulting, looking at our plans for the next year but also reviewing our service delivery to ensure that all consultants provide similar quality and consistent business continuity products. One of the discussions was about BIA (business impact analysis) and risk and how to identify risks. There was some debate about the usefulness and utility of several risk reports that were released in 2025, including the UK National Risk Register, the Allianz Risk Barometer (which identifies major business risks for 2025), and the Global Risks Report 2025 by the World Economic Forum. I was challenged to look at the registers and assess whether we could use these reports to help our clients better understand and prepare for their risks.

I haven’t assessed all three risk reports, but as a good starting point, I looked at the UK National Risk Register to see what is useful within it for us. The report is fairly comprehensive, covering 96 risks split into the following categories: Terrorism, Cyber, State Threats, Geographic and Diplomatic Risks, Accidents and Systems Failure, Natural and Environmental Hazards, Human, Animal and Plant Health, Societal, and Conflict and Instability.

Chapter 4 covers the risk summaries, and breaks down each of the 96 risks into a possible scenario of how the risk could materialise, assumptions within the scenario, the response capacity required, and then the recovery actions. For each risk, there is a likelihood and impact matrix. Within the document there is also an overall 5×5 risk matrix, with impact levels ranging from Minor to Catastrophic, and likelihood ranging from <0.2% up to >25%. Rather frustratingly, the risks it covers are not the same set as those in Chapter 4.

The risks the document covers are risks to the whole of the UK rather than risks that could affect individual organisations. As such, the document is taking a top-down approach rather than identifying risks that could have an impact on individual businesses, which is what we, as practitioners, would be looking at. I conducted an assessment of all the risks in the document, reviewing their relevance to business continuity practitioners. I categorised each risk into the following categories. It should be noted that some risks were categorised in more than one box. The risks were reviewed as follows:

| Number | Category | Explanation |
| --- | --- | --- |
| 1 | Business Continuity Risk | Is this a risk relevant to a business continuity manager? Should they consider it, and, depending on the possible impact on their organisation, prepare a contingency plan or exercise their response? These are the risks where I think the risk register can add value by providing a scenario and assumptions about the risk. |
| 2 | Beyond Maximum Scale of Incident | There is a concept where an incident’s impact is so large that the business continuity team does not plan for it. An example could be an organisation where most staff work in one office, and a plane crashes into the building and kills all staff. In this case, there is nobody left to continue the business. Some catastrophic events are more about individual and family survival, rather than maintaining business continuity. |
| 3 | Local Incident or No Widespread Impact | This refers to an incident with a localised impact that does not extend to the wider county or region. If our organisation is situated near the incident, it will be affected, but the disruption remains contained rather than widespread. |
| 4 | Societal Issue | Business continuity incidents are most critical when they affect only your organisation. If the impact is widespread and affects many organisations simultaneously, the reputational risk to any single organisation is reduced. |
| 5 | No Impact (unless it directly affects your organisation or delivery of services to you) | This type of incident only has an impact if your organisation is directly affected by it. For example, a malicious aviation incident would only affect your organisation if your staff were on the plane. |
| 6 | Business-as-Usual Issue | This is more of a business risk than a business continuity risk. |

There are a number of risks in each category. Please click here to download the spreadsheet for individual impacts.

The majority of the risks fell into the category of ‘No impact (unless it directly affects your organisation or delivery of services to you)’. For the business continuity manager assessing risks, I think this serves as a useful checklist of risks to consider. There may be some risks on this list that you might not have previously considered.

The impact/likelihood matrix for each individual risk, as detailed in the risk register, may be of some use, but the risk to an individual organisation may be different from the risk to the country as a whole.

Similarly, incidents categorised as ‘Local incident or no widespread impact’ may not be too useful unless we have a definite exposure to one of the risks. A rail accident is a risk, but it would only affect an organisation situated next to a railway. When assessing these risks, they must be considered in context and may or may not be relevant.

When reviewing business continuity risks, again, the document provides a good checklist of risks to consider. For example, as an organisation, we should consider risks such as ‘Simultaneous Loss of All Fixed and Mobile Forms of Communication’, but we must decide whether this falls beyond our maximum scale of incident. If there is little we can do in response because our business model relies on IT delivered over a network, then it might not be a priority. However, it may be worth considering whether we could implement manual workarounds if this happens.

Where the document is useful is in outlining possible scenarios for each risk. When planning exercises or assessing risks, we often encounter debates about whether a scenario is realistic or whether an incident would play out in a particular way. By using the government’s scenario planning assumptions, we can align our planning with government expectations rather than relying on speculation.

In reviewing the UK National Risk Register, I found it to be a useful document for reminding us of the risks we face and ensuring that we align with the risks identified by the government. There is some value in using the scenarios provided and examining the impact and likelihood of particular incidents. However, its limitation is that it focuses on UK-wide events. The organisations we serve need to assess specific risks relevant to their operations. For example, a cyber attack on our organisation may be catastrophic, but in the risk register, cyber risks are addressed at the sector level rather than focusing on individual business impacts. Overall, the National Risk Register serves as a useful reference document, but for me, it is not much more than that.
