Re/insurance approaches to inform the National Security Risk Assessment methodology review

Introduction

The National Security Risk Assessment (NSRA) is a key planning tool used by decision makers and planners at all levels of government to understand the most significant risks to the UK.

The Civil Contingencies Secretariat (CCS) within the Cabinet Office is responsible for producing the NSRA, and reviews the assessment methodology between iterations. In 2021, CCS commissioned the Royal Academy of Engineering (RAEng) to conduct an external review of some of the core components of the NSRA methodology. The Royal Academy of Engineering have adopted a systems approach and sought to draw on evidence from government, local resilience forums, industry and academia.

In response, the Society’s Disaster Risk Management Professional Practice Group (DRM-PPG) convened a roundtable discussion with the CCS and the Royal Academy of Engineering. This event focused on what the NSRA methodology review could learn from the approaches and practices used by the reinsurance and insurance industries to assess and manage risk.This page summarises the key themes discussed by our roundtable with experts in exposure management and peril specialists from the re/insurance industry, who joined Dr Tina Thomson (DRM-PPG co-Chair and Head of Catastrophe Analytics EMEA West-South at Willis Re) in a one-hour conversation.

 

Speakers

• Alan Godfrey, Head of Group Casualty and Cyber Exposure Management, Axis Capital

• Emma Watkins, Head of Exposure Management, Portfolio Risk Management at Lloyd’s of London

• Dr Emma Bergin, Flood Risk Specialist, Flood Re

• Dr Raveem Ismail, Head of Parametric Underwriting at ASR Re

• Dr Nicola Ranger, Deputy Director of the Centre for Greening Finance and Investment, Oxford Sustainable Finance Programme

• Oli Brown, National Risks Team, Civil Contingencies Secretariat, Cabinet Office

• Dr Alexandra Smyth, Senior Policy Adviser, Royal Academy of Engineering

• Dr Marie-Laure Hicks, Policy Adviser, Royal Academy of Engineering

   

The National Security Risk Assessment (NSRA)

The NSRA is fundamentally a planning tool - assessing the likelihood and impact of the most serious malicious and non-malicious risks facing the UK or its interests overseas. Equally importantly it provides strategic awareness of the main risks the UK faces and the capabilities required to manage them effectively.

It is part of a suite of HMG risk assessment and horizon scanning activity - including the external facing National Risk Register - but is currently the only product to compile all of the most significant risks facing the UK. 

It is not a prediction of the most likely future, and doesn’t make recommendations on how to prepare for civil emergencies. Rather, its primary function is to inform both local and national contingency plans for a whole range of potential emergencies by providing the latest data on the risk landscape. As such it is used by government departments, Local Resilience Forums (LRFs) and the Devolved Administrations (DAs) to inform planning, preparation and funding activity and as the basis for supplementary local risk assessments.
 

Improving collaboration, diversity of perspective and communication are key to understanding the risk and uncertainty.
 

The NSRA is produced by the Civil Contingencies Secretariat (CCS) within the Cabinet Office. The last NSRA was produced in 2019 and the assessment is refreshed approximately every two years. The process itself is a significant one, involving months of work by CCS, departments and other organisations across HMG, and academic experts. Over 100 risk owners produce Reasonable Worst Case Scenarios (RWCS) which are assessed by CCS and are subjected to scrutiny by a wide range of external expert groups, Departmental Chief Scientific Advisers, the Government Chief Scientific Adviser and the Deputy National Security Adviser.

CCS reviews the NSRA methodology ahead of each iteration; in 2021, CCS tasked the RAEng with an external review of core components of the methodology, including how it visualises and presents risk information, highlights interdependencies between risks, and how it uses external experts and inputs during the risk assessment process.

The external review aims to deliver practical, evidence-based and implementable recommendations to government to improve the NSRA methodology. The RAEng's emerging recommendations point to the need to encourage and facilitate a joined-up approach to risk and resilience across government and to consider ways to increase the focus on preparedness and action. Improving collaboration, diversity of perspective and communication are also viewed as key to understanding the scale of the risk and uncertainty.

 

Risk assessment approaches in the re/insurance industry

In the insurance industry, everything is rooted in data. Insurance has a long history of looking back at historical data and claims for risk assessment and pricing of policies, as in life insurance. We need to know the impacts and likelihood of costs from future claims, including on an insurer’s capital funds.

We supplement historical data with modelling what could happen in the future; the models themselves are informed by historical data to forecast or simulate possible outcomes that may not have happened in the past. Raveem Ismail outlined three general approaches the industry uses to establish losses and costs as:

• Counting up exposure: establishing what is the worst case scenario. This can involve a simple adding exercise - regardless of individual probabilities, you need to know the totals.

• Average loss over the next year: this can be done very scientifically to establish the expected loss per year averaged, often referred to as technical price.

• Scenarios: focusing on questions of how market exposure will respond to a given event. Where you can’t fully model the loss, you can model exposure.

Even in the absence of good historical data, techniques are available to control exposure. For instance, within each financial contract, a certain percentage of loss is accepted. There are ways of cutting and boxing risk so it can be passed on, and insurance is a testament that it can be done.
 

Everything is rooted in data​...but it’s hard to model human behaviour in risks. Expert judgements provide an additional layer.
 

Industry looks at a combination of likelihood and impact. Emma Watkins commented that 20 years ago, the focus was on probable maximum losses, using one worst case scenario. Now, the focus is on different levels of probability of loss occurring at a given a return period – for example looking at 1% probability of loss in any given year for a 1-in-100-year event – and looking across a curve of return periods to understand how bad things could be over a longer period of time.

But it’s hard to model human behaviour in risks, like cyber & terrorism risks. Expert judgements can provide an additional layer here. Industry and regulators require that there is a robust framework around using these judgements, which must be recorded, tested and challenged.

In contrast, the financial world is learning and relearning lessons the insurance industry knows from experience - and people from a research background can be surprised by what the definition of a model sometimes is in our industry.

 

The role of scenarios in risk assessment and communication

A scenario can make a risk seem real, clearing the fog of uncertainty without confusing people and providing transparency of communication. As Alan Godfrey explained, if you can’t effectively communicate a model to underwriters, risk managers and technical experts, then the model is not valuable in practice.

Scenarios show impacts in a tangible way – you can put the scenario on a map and show damage, insured coverages and secondary impacts. You can then take this to different risks such as cyber or terrorism, and walk-through possible effects on a credit risk account. This can be simply too complicated to do all in one model.
 

You are dealing with profound uncertainty and it is important to consider limitations when making decisions.
 

Scenarios also help validate and challenge modelling against reality. Models are very complex, with layers of data, assumptions and judgements. Dealing with uncertainty can involve multiple models doing the same things with different strengths and weaknesses. You can use these to create a band of statistical outputs and probability distribution functions.

But how do you make decisions with those outputs? Emma Bergin commented that you can weight the models according to which model you trust more, but you can only calibrate them against observed events and data. You are therefore dealing with profound uncertainty and it is important to keep this tractable and consider the limitations when making decisions.

Throwing multiple scenarios at the questions – to test extreme tail events, more realistic disasters, and near-term risks – avoids getting you locked into a a single answer, Emma Watkins explained. Counterfactual scenarios, for example, are useful to understand how an existing event might have played out differently by modifying key contributing factors thereby helping to avoid over-focusing on one outcome.
 

Scenarios show impacts in a tangible way. If you can’t effectively communicate a model, it is not valuable in practice.
 

Finally, it is important that individuals implementing scenarios are clear on the priorities and the questions being asked of them. We must assess what is needed to design a more granular model for the type of risk and acceptable outcomes.

 

Chronic vs. acute risks

You can’t disentangle rapid onset events, i.e. acute risks, from long-burning, chronic risks such as climate change – the insurance industry is now having to price in the current impacts of long-term climate change.

However, as Raveem explained, insurance works on the basis of a year-long policy, so you need to gain market share and compensate in a year-long timescale. A “greed-fear cycle” can develop where a risk does not manifest in that period, so prices decrease. Then, when a risk happens, prices increase again.
 

You can’t disentangle rapid onset events from chronic risks. The decision context and risk assessment of insurers is very different to that of government.
 

There is no such thing as stationary risk. The high frequency of car accidents provides lots of data, allowing policies to be priced very finely. However, the pandemic is a reminder to plan for and price in systemic and global risks that are expected not to manifest in a 10-year timeframe.

Nicola Ranger pointed out that different models are good at different things in this context: you wouldn’t use a climate model for an acute risk but could combine it with catastrophe risk models to help understand a more acute risk.

Ultimately, the decision context and risk assessment of insurers is very different to that of government, and tolerance for uncertainty becomes different in different contexts. In industry, an incorrect estimate does not result in systemic impacts. In contrast, the UK Government manages critical, prudential level risk, dealing with questions like “will climate change destabilise the entire economy?”.

Insurance has a lot of knowledge to bring to these bigger questions and more robust approaches to scenario development. However, while government can learn from insurance, it also needs to think if those lessons are applicable.

 

Dealing with interdependent risks

It is difficult to move from risk assessment to risk management unless you can quantify risk, as Nicola Ranger explained. Some interdependencies, like the risk of a fire following an earthquake, can be modelled probabilistically. However, other interdependent risks are more complicated, like Covid-19 being interdependent with economic and financial sector risk.

By combining model and expert judgement estimates you can take a more quantified approach. For example, the World Bank examined how developing countries would cope with Covid-19 and natural catastrophe events by combining natural catastrophe risk assessment with macro-economic models to get a sense of magnitude, even if not of probability.
 

Insurance industry methods could capture spatial dependence and evaluate methods that are not yet present in a public planning perspective.
 

While the industry doesn’t necessarily put a number on certain risks, narrative scenarios or a sense of the order of magnitude can still help manage risks. For example, Emma Bergin described the challenges in public communication, such as the difficulty of directly communicating what a 1% risk from flooding really means. You can instead look at it from other angles, like the risk in the life of a mortgage; scenarios have a role here to manage uncertainty and build a narrative that people can visualise.

Further, insurance industry methods could capture spatial dependence and evaluate new paradigms and methods that are not yet present in a public planning perspective. The insurance industry looks at a portfolio across the UK; but from a public policy perspective, flood engineering, for example, is done at a micro level and the interdependence of catchments is less important.

 

Emerging risks

The industry takes emerging risks more seriously than ever. The focus is moving from primary risks to newer trends, and to embedding emerging risks in underwriting.

As Emma Watkins explained, people think emerging risks are new, but industry may have been aware of issues for five years or more, for example with litigation risks, while they go from the scientific literature to test cases, courts, then industry.
 

Every event throws up something new that has not been captured in a model or scenario. ​The industry takes emerging risks more seriously than ever.
 

There is lots of potential to prioritise and make sure the list of risks is as broad as possible. The industry pays attention to what clients are experiencing. Actuaries monitor trends, especially for their own portfolios. There are industry collaborations and knowledge exchanges, including via Lloyds’ white papers and exercises.

Every event throws up something new that has not been captured in a model or scenario. The industry has got better at post-event feedback and analysis. In the liability space, third party providers also try to feed in and add value to what we do. A multi-dimensional approach is necessary, and everyone has a role to play. Managing risk is fractal and operates, as we have seen, at macro- and micro-levels.

 

Cultural and behavioural aspects to mitigating risk

With systemic risk, individuals and companies have no incentive to act, so government has an important role to step in. Government creates the environment for individuals and firms to manage risk, and manages risk in society that individuals don’t manage themselves, as Nicola Ranger explained.

Government can also be an insurer of last resort; as in Flood Re and Pool Re, industry liability is kept within contractual arrangements, but the Government holds implicit contingent liability on its balance sheet.

Where government sets the floor is also important to nudge industry in the right direction - private public partnerships are very important in this regard. Is the Government managing risk to its own balance sheet and creating cultures in society to manage that risk?
 

Industry creates risk management behaviours indirectly and directly in society. Government creates the environment for individuals and firms to manage risk, and manages risk in society.
 

Raveem Ismail explained that industry itself creates risk management behaviours indirectly and directly in society, and can insist on standards, such as building codes to improve resilience. The risks become better risks.

Conversely, there are areas we don’t do so well in. Scenarios can become fossilised, or used as box-ticking, blunt instruments. Again, public-private partnerships are important - through risk sharing and enabling private markets, government can reduce liability and create the right incentives, and could potentially expand this role to manage emerging systemic risks.

 

Suggested Further Reading

• Royal Academy of Engineering - Critical capabilities: strengthening UK resilience

• UK Government - National Risk Register 2020

• DRM-PPG - Disaster Risk Pooling - enabling mutual cross border resilience

• DRM-PPG - Communicating and understanding risk in dynamic situations

 

About the Authors

¹ Founder and Co-Chair, Professional Practice Group for Disaster Risk Management at the Royal Geographical Society; Director and Honorary Treasurer at the Remote Sensing and Photogrammetry Society; Head of Catastrophe Analytics EMEA West-South, Willis Re.

² Royal Geographical Society (with IBG)