The UK Government Resilience Framework was released in December 2022 and has since undergone scrutiny by the National Security Strategy Joint Select Committee. Robert Hall considers the Committee’s views and subsequent Government response, exploring the implications for future resilience across the UK.
The UK Government Resilience Framework was published late last year . The 79-page document was welcomed in certain quarters as a step in the right direction. However, it has also been described by some critics as underwhelming, a missed opportunity, incomplete, and not the fundamental step change called for.
For an authoritative assessment, the Joint Committee on the National Security Strategy took oral evidence from a small group of non-government witnesses in March 2023 . It summarised the views in an open letter dated 14 June to the lead government minister in the Cabinet Office who is also the Deputy Prime Minister . A response was received on 10 July .
This article looks at some of the main points made in the former and analyses the responses in the latter. It aims to shed light on some of the important issues raised. The UK Government Resilience Framework did state that it was: ‘the first articulation of how the UK Government will deliver on a new strategic approach to resilience’ so further revisions can be expected.
Framework v strategy
The Committee said that: ‘The publication of a Framework, in contrast to the Integrated Review’s commitment to a “comprehensive national resilience strategy”, prompted witness concerns that resilience had been downgraded as a Government priority. The Framework itself acknowledges that the Government had not yet agreed on a working definition of resilience activities and capabilities, nor mapped current UK Government resilience capabilities.’ (These points were also made in a separate analysis in Reference 5.)
As expected, the reply stated that: ‘Strengthening our national resilience is a priority for this Government.’ It went on: ‘Whilst the Cabinet Office had previously consulted under a holding title of the ‘National Resilience Strategy’, the title of the final publication was changed so that it more clearly reflected the focus on the structures and capabilities that underpin our resilience to all risks. The Resilience Framework addresses the core areas raised by stakeholders and experts during this consultation, and has been well received by the partners with whom we are now implementing its commitments.’
One cannot help but question whether, with structures, capabilities, and core areas being the focus, a stronger input – at no greater length – could have delivered a fully-fledged strategy rather than a framework: the drafting had been gestating for two years. This would have put the document – a declared ‘priority’ – alongside other important government strategies such as the Biological Security Strategy, the Cyber Security Strategy, the Net Zero Strategy, the Energy Security Strategy, the International Development Strategy, etc. Resilience runs across all these domains.
A strategy or strategic plan should provide the principles, long-term quantifiable objectives and priorities, competencies, governance, resources (including funding), and milestones to deliver a declared purpose . A framework, on the other hand, is commonly understood to be but a scaffold or loose concept or vision which outlines the anticipated direction of travel. One of the witnesses to the Committee said that: ‘In my view, a strategy implies that there are deliverables against which you can be measured. I am not sure that you can have deliverables against which you can be measured for a framework.’ Another witness to the Committee stated that: ‘… perhaps, the ambition is not as great as it could have been’.
To be fair, the Resilience Framework does address some crucial strategic themes against two milestones, 2025 and 2030. There are declared action plans with desired objectives. Yet, these are more ambitions than solid deliverables with stated outcomes. Actions such as ‘strengthen’, ‘expand’, ‘grow’, ‘build’, etc, are commendable but hard to measure and therefore determine success. Hopefully, one of the future ‘articulations’ around resilience will address these points and emulate the detail in, for example, the Cyber Security Strategy. In addition, the promised annual statement to Parliament could well be strengthened by the passing of a National Resilience Act (like the Climate Change Act) as advocated by a previous lead minister .
The Resilience Framework described resilience as a ‘whole of society’ endeavour, ‘so we must be more transparent and empower everyone to make a contribution. We need to prepare and respond to emergencies on a whole of system, whole of society scale.’ As a result, the Committee asked: ‘What further plans does the Government have to communicate directly with the public on resilience and preparedness, before the next crisis occurs?’
The reply indicated that while the Government currently provides tailored, actionable information to the public on specific risks e.g. Run, Hide, Tell, it is: ‘exploring additional ways to make communications on risk personalised and more relevant, actionable and accessible’. This will involve an annual survey of public perceptions of risk, resilience and preparedness. It also includes the use of the Emergency Alerts service that was introduced in the UK this summer.
One should ask if well-intentioned central messaging and targeted communications are sufficient to reflect a whole-of-society engagement, one that has both top-down and bottom-up channels. This two-way process should allow input from the private sector, voluntary organizations, communities, NGOs, unions, etc. Only in this way will it be possible to engage with many more stakeholders across the nations. Yet, and despite assertions in the Framework to improve the dialogue, the record of the Government to engage effectively with business, communities and the voluntary sector is not great. ‘It is not geared up to do that’, said one witness.
The Government’s introduction of a UK Resilience Forum is a partial and welcome move to improve the situation but the forum has met only three times since its inception in July 2021 and its membership is hardly reflective of a wider societal input, with the CBI alone representing wider business interests.
Three lines of defence
A witness to the Committee said that the absence in the Resilience Framework of what is called the three lines of defence in the private sector meant that it: ‘will not achieve clear accountabilities for exactly who owns and mitigates different risks . As a result, the Committee asked: ‘Why has the Government not yet introduced a three lines of defence model of risk management, in line with this Committee’s recommendation and private sector best practice?’
The reply stated: ‘… whilst we recognise many businesses manage complex risks to a complex set of interests, we think there are material differences to the task of Government, which is to prepare for and treat risks to the nation at large.’ Instead, the Government applies the Lead Government Department model, with the Cabinet Office ‘providing support and challenge… in particular on cross-cutting or complex risks’. The new NSC (Resilience) subcommittee will hopefully clarify roles and responsibilities within the Lead Government Department model of risk ownership.
The response seems to run counter to the view expressed by a number of witnesses who felt that this structure would not avoid the traditional siloed approach from different departments which has inhibited response in the past. It is additionally not conducive to a whole-of-society approach. ‘There is also a danger that those lead departments just think in terms of that area of activity. They may even be too close to some of the key providers in that area and not look at the wider context.’
In fact, there are valid arguments to say that business and government are on the same page regarding the nature of modern threats and the scale of the response. Large private-sector organizations have nationwide footprints – around 80 percent provide the critical national infrastructure – and have larger risk management and security departments than many Government departments. They are also in the front line of knitting together public- and private-sector responses. A common three lines of defence approach would therefore be beneficial and could help to find mutually beneficial solutions.
National Risk Register
Besides future ‘articulations around the Resilience Framework, we are told that: ‘The 2023 National Risk Register (NRR) will be published shortly. This iteration of the NRR is aimed at expert practitioners, such as those in businesses and voluntary sector organizations who do not have access to the internal National Security Risk Assessment, ensuring they have a sufficient level of information to support their risk assessment work and contingency / business continuity planning.’ This will be welcomed, especially as it will scan over five years rather than the current two, as well as include multiple scenarios and interdependencies.
Despite the deficits and criticisms, it seems that national resilience is moving in the right direction but one can ask why it takes so long to produce a document worthy of the critical importance of the subject that justifies strategy in the title.
Robert Hall is former Executive Director of Resilience First Ltd (2018-2022). His book ‘Building Resilience Futures’ was released by Austin Macauley Publishers Ltd in June 2023.
- Three lines of defence in resilience could be organized around the following circles: (1) locally (owners of risk), (2) nationally (oversight and compliance) and (3) parliamentary (audit and assurance).