Skip to main content

Should the UK have a Chief Risk Officer?

Posted by: , Posted on: - Categories: Actuary, Analysis, Risk management

There have been several calls recently for the UK government to appoint a Chief Risk Officer (CRO).

For example, this was recommended by both the:

The pandemic has also led to suggestions the UK needs to re-examine the trade-off between shorter-term efficiency (‘just in time’) and longer-term resilience (‘just in case’). And whether the UK is sufficiently well-prepared to address ‘extreme risks’.

Extreme risks are defined by the Lords Select Committee as: “High-impact events that, if they materialise, would cause widespread damage to many aspects of our society and compromise the achievement of the strategic objectives set by the Government. They can impact at global, national or regional levels and could cause significant loss of life, loss of value, or a substantial and detrimental societal impact.”

Between them the committees drew attention to the challenges represented by risks that are whole-system or cross-cutting, interconnecting or cascading, or have not been encountered before.

Man's hand stops dominoes which could knock down the rest of the dominoes in the row.
Risk management brings its own set of challenges

Government risk management

Mechanisms already exist within government for managing risk.

Risks to the government’s own operations or the achievement of its policy objectives are departmental responsibilities. These are generally managed by members of the finance profession on behalf of departmental Accounting Officers. We might call these ‘internal risks’.

Conversely ‘external risks’ - risks to the country - are identified by the government’s Civil Contingencies Secretariat in producing the National Risk Register (NRR) and classified National Security Risk Assessment. Lead responsibility for each risk in the NRR is allocated to an individual government department, where it will normally be addressed by policy officials.

Actions are underway to review and enhance these mechanisms, partly in response to the challenges identified in the November 2021 National Audit Office report which informed the PAC. Examples include:

  • A Head of Risk Profession is being appointed to lead the Risk Centre of Excellence within HM Treasury. The Centre’s remit includes enhancing risk capability in government, strengthening leadership and collaborating across boundaries.
  • The latest Post Implementation Review of the Civil Contingencies Act 2004 reported in April 2022. Work is ongoing on a new National Resilience Strategy (with the consultation outcome on the call for evidence published in December 2021.)
  • The Cabinet Office published the government’s response to the Lords Select Committee in March 2022, accepting many of the recommendations and agreeing in principle with most of the others.
Two people pointing to graphs and pie-charts.
Planning for change

The role of a CRO

Views on what a CRO would do differ.

The PAC recommended someone to “consider cross-cutting risks in government and proactively manage the identification and resolution of system-wide concerns”.

The Lords Select Committee recommended someone to head a new Office for Preparedness and Resilience. This office would “be responsible for producing independent analysis of UK preparedness and monitoring Government preparedness. It would produce assessments of UK resilience, set resilience standards, and conduct audits of UK preparedness.”

Although different, these perspectives have some important features in common. A CRO would not be responsible for actually managing any risks. Ultimate responsibility for managing risks would remain with Accounting Officers as at present. This is consistent with the so-called ‘3 lines of defence’ model typically used to separate out risk management, independent oversight, and assurance.

A CRO would also be more concerned with ‘external risks’ facing the UK rather than ‘internal’ government risks. In this capacity they could initiate or oversee implementation of another recommendation from the Lords Select Committee, specifically that: “The Government should work with the UK insurance industry to explore mechanisms which allow for the transfer, management and mitigations of risks which are too large for the private sector to address alone and for which the Government is the insurer of last resort, but may in fact find itself the insurer of first resort.”

Two cogs with the words 'risk management' on them.
Getting the risk management process into gear


It is encouraging to see a growing conversation about national risk and resilience.

A key component of this concerns the enhancement of institutional capability to recognise and manage crises. There is an important role for all sections of society in preparing for, adapting to and recovering from the effects of risk.

A CRO could help to maintain attention on this vital topic.
But there is also a need to facilitate resolution of important political questions. Ultimately as a society we need to answer questions such as:

  • What risks do we wish to guard against or prepare for?
  • How much resilience do we want and are we willing to pay for?
  • Where should the necessary resources come from; that is, who should pay?

And these must be answered in the context of many competing spending priorities and short-term budget pressures.


The opinions in this blog post are not intended to provide specific advice. For our full disclaimer, please see the About this blog page.


Sharing and comments

Share this page