In January 2020, the severity of the coronavirus outbreak caught most people by surprise. Public attention was glued to terrorism. While the health risk to individuals received immediate attention, it took time for the media and authorities to recognise the wider societal consequences of the pandemic, including its impact on the health system. As Luka Biong Deng Kuol writes in a recent PRIO blog post on African responses:

COVID-19 has exposed serious cracks in systems of government, capacities of states and public policies. Importantly, it has underscored the need to revisit how security is perceived, planned, managed and delivered to the citizens. The coronavirus has shown that human security is less at risk of the threat from the build-up of a nuclear arsenal than by a pandemic that can hardly be fought by conventional weaponry.

This broader social and political focus is exactly the point of departure of National Risk Assessments (NRAs). Like vaccines, their purpose is to confront decision-makers with vulnerabilities to a country’s ‘immune system,’ thereby preventing or reducing future disasters. Reinforced by the fact that many all-hazard NRAs – like those of the UK, Netherlands, Norway, Sweden and Denmark – identified a pandemic as the most serious type of risk to society, one might therefore expect calls for increasing the political role of NRAs in the years ahead.

NRAs are already a key component of the EU crisis management system that will be further strengthened in response to the pandemic (see here). NRAs also have a central role to play in the UN Sendai Framework for Disaster Risk Reduction (§24b) that the UN General Assembly has put at the centre of its COVID-19 response and recovery policy. Combined with the UN Sustainable Development Goals, the Paris Agreement and the New Urban Agenda, the Sendai Framework forms part of a vision of ‘risk informed sustainable development’ (for background, see Chapter 1 of this report from UNDRR).

Building back better with NRAs?

Spearheading this agenda, the Special Representative of the Secretary-General for Disaster Risk Reduction, Mami Mizutori, has stated that the dual COVID-19 and climate change crises make it evident ‘that the epoch of hazard-by-hazard risk reduction is over and time has come for all-of-society- and all-of-government approach to manage disaster risk reduction with a multi-hazard approach, and with a clear understanding of the systemic nature of risk.’ In this vein, a report from the Climate Security Expert Network on the interconnections between COVID-19, climate change and security risks maintains that ‘building back better’ from the pandemic requires the introduction of ‘integrated analyses of risks and vulnerabilities’ as a first priority.

Before upgrading NRAs to ‘policy-making machines’ in preparation for the next disaster, it is necessary to consider what the wider political consequences of such a move might be. In a study of the NRAs of the UK, Netherlands and Switzerland from 2012, Jonas Hagmann and Myriam Dunn Cavelty warned that the political role of NRAs was highly problematic because they were presented as objective, glossing over the political decisions, limited information and scientific uncertainties that they are based on. Resonating with debates on general technocratic and depoliticising tendencies in European politics, they conclude that the NRAs facilitate unwarranted forms of paternalism where ‘claims to protection are articulated on behalf of the civil population, but not by the civil population’.

Since then, the politics of NRAs has received scarce attention in security research and public debate. Meanwhile, the political trend has accelerated, with ever more countries producing increasingly advanced NRAs and discovering their political potential. As a background for critical reflection on this development, the next section provides a closer look at the emergence of NRAs as a political instrument in Europe.

A new genre of security politics emerges

In continuation of a broadening of European security policies from military defence to civil protection, the genre of all-hazard national risk assessments (NRAs) evolved since the early 2000s. Instead of compartmentalising security policies into policing, disaster management, industrial safety and private security, these risk assessments facilitate the coordination of these domains by covering all ‘civil’ security risks to the citizens of a country. Some even include military risks, although this is still the exception.

As documented in the OECD report National Risk Assessments: A Cross-Country Perspective (2018), NRAs come in many shapes and forms, and also go by names like national risk registers and national threat assessments. Some are based on selected scenarios, while others seek to cover all actual risks to a state and its citizens.

Compared to a traditional threat assessment, the focus on risk implies that if there is a significant danger of earthquakes or a foreign military attack, for example, the risk can still be low if the vulnerability to this threat is low and the capability for handling it is high. NRAs may thereby help in identifying the domains where resources are most needed. In effect, the assessments require an advanced overview of the actors, institutions, material structures and social systems of a country.

In addition to informing governments, municipalities, city councils and designated agencies, the public NRAs are supposed to assist private corporations, voluntary organisations and individual citizens in the management of disaster risks – mobilising all of society in the spirit of ‘resilience’.

The pioneering public NRAs of the UK and Netherlands have already influenced political priorities since their introduction in 2007/8. The UK National Security Strategy has rested on a ‘National Security Risk Assessment’ since 2010, entailing an all-hazard and ‘all-of-government’ approach to national security. The 2019 Dutch NRA was requested by the government with the specific purpose of informing its new long-term National Security Strategy from 2019. In the resultant strategy, national security is conceptualised as a matter of risk management: ‘This NSS lays the foundations for a risk management system that will develop into a strategy that spans the entire breadth of Dutch society’.

In the wake of the 2010 EU Internal Security Strategy, all EU member states were requested to carry out all-hazard NRAs, and in 2013 this was turned into a requirement of submitting a summary of risk assessments at the national level every three years from 2015. The reported findings are summarised by the European Commission in an Overview of natural and man-made disaster risks the European Union may face.

The influential EU guidelines on NRAs from 2010 were informed by NRA initiatives in the UK, Netherlands, Germany, Sweden, France, the US, Australia and Canada among others. Like these, the guidelines rest on standard 31010 (updated in 2019) of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). This standard specifies three steps of risk assessment: risk identification, risk analysis and risk evaluation. When preceded by the step ‘establishing the context’ and followed by ‘treatment of the risks,’ these are the five main steps of ‘risk management,’ as defined in the underlying ISO standard 31000. ISO 31000 was first developed in the context of risk management in Australia and New Zealand, and is presented as being ‘applicable to all organizations, regardless of type, size, activities and location,’ and to cover ‘all types of risk’.

There are several reasons why most European NRAs exclude military risks. Firstly, military threat assessments are usually classified and therefore at least left out of the public versions of NRA reports. Second, military intelligence agencies tend to focus on actual threats in real-time rather than potential future risks and therefore do not fit the NRA methodology. Moreover, in an EU setting, military affairs fall outside the scope of the EU internal security policy and were thus excluded from the EU guidelines. This nonetheless goes against the idea of an all-hazard approach that can inform a truly comprehensive security policy, and the NRAs of the Netherlands and Finland do now include risks of a military kind. Arguably, the ‘return’ of war as a security concern in Western politics makes the introduction of military risks to other NRAs expectable.

According to the above mentioned OECD report (pp. 24-25), it was actually the coupling with financial risk management in a G20 setting that sparked the commitment of European governments and the EU to invest in NRA capacity (note the place of finance in the above picture from the Finnish security strategy). Indeed, the most comprehensive all-hazard risk assessment to date is not actually a NRA but the survey based Global Risk Report by the World Economic Forum. This report draws on expertise and practices of risk assessment in the fields of private insurance, business management and trading that surpass the scale of public risk assessments by far. This makes the failure of the report to highlight the risk of pandemics even more noteworthy.

A call for reflection

It remains to be seen how NRAs will affect the decision-making of states, international organisations, corporations and individual citizens in the years ahead. To be sure, more attention is warranted not only to the conclusions of NRAs but their production, uses and effects – especially when augmented in preparation for the next disaster.

For instance, the threat of terrorism is variously presented as a problem of warfare, crime, religion, mental health, social exclusion, poverty, global injustice, immigration, racism, globalization or the internet. The evaluation of these dimensions is not only politically contentious: it also divides experts within and across professions, specialised agencies and scientific disciplines.

Critical reflection on the scientific and political premises of NRAs is therefore not only necessary for how they are used but for ensuring the quality of their results. This is recognised in the latest version of the ISO 31000:2018 standard on risk management (§6.4.3), which states that:

The risk analysis may be influenced by any divergence of opinions, biases, perceptions of risk and judgements. Additional influences are the quality of the information used, the assumptions and exclusions made, any limitations of the techniques and how they are executed. These influences should be considered, documented and communicated to decision makers.

Provided that ISO 31000 was developed for organisations, its authors are presumably baffled by the fact that it is being applied to countries as a whole – making their warning on subjectivity and biases ever more pertinent.

This leaves us with the question of whether all-hazard NRAs as an instrument for policy-making at an aggregate national level is justified. Are NRAs actually more able to identify the most severe security problems of a country than politicians and the average citizen? Would their political role be problematic even if the answer is yes, or can they be used in a manner that takes their scientific and political limitations into account? As remarked by Marieke de Goede in a lecture on pre-emption and precaution in European security culture, ‘precautionary security programmes raise very significant questions regarding human rights, civil liberties and democratic accountability’ – implying that the idea that ‘prevention is better than cure’ may be misleading at best under the wrong circumstances’.

Like with the meticulous medical trials of the vaccines against COVID-19, the introduction of NRAs as policy-making instruments should thus be preceded by careful political consideration.

Further reading:

– In the field of Critical Security Studies, see the PRIO journal Security Dialogue.

– The Politics of Catastrophe by Claudia Aradau and Rens van Munster (2011) offers intriguing perspectives on efforts at containing future disasters.

– With a focus on the UK, Security as Politics by Andrew W. Neal (2019) analyses the broadening of security politics.

– The open access book Nordic Societal Security, edited by Sebastian Larsson and Mark Rhinard (2020), describes similar political dynamics in the Nordic context.

– For an exploration of the fascinating world of risk standards, see Standardization and Risk Governance, edited by Olsen et al (2019) – also open access.

– See also my previous policy brief National Risk Assessments and the Politics of Public Risk Communication and the report Norms and Ethics in Security Preparedness.