Source · Select Committees · Public Accounts Committee

Recommendation 2

The pandemic has demonstrated variability in departments’ risk management.

Recommendation
The pandemic has demonstrated variability in departments’ risk management. A recent cross-government review of risk management by the Government Internal Audit Agency highlighted significant variability across departments, including the extent to which senior leaders promote and support risk management, departments’ capabilities, and their degree of alignment to the Orange Book, the government’s guidance on risk management. We are surprised that there is no uniformity in government’s high-level alignment with the Orange Book and a seeming lack of appreciation for the principles of the three lines of defence model. Before the pandemic, departments lacked an agreed understanding of risk tolerance, such as which consequences of a pandemic they deemed acceptable and which consequences they needed to mitigate. It is only after departments started responding to the crisis that they reached a shared understanding of the objectives and priorities they should focus on.

Recommendation: The Cabinet Office and HM Treasury should set out what they intend to do to ensure that there is sufficient uniformity in departments’ high-level interpretation of and alignment to the principles of the Orange Book. As part of this, the Cabinet Office should set out how it will ensure that departments have a shared understanding of the government’s tolerance for the impacts of major risks, including what levels of impact are acceptable and what levels of impact require mitigation.
Government Response Not Addressed
HM Government Not Addressed
2: PAC conclusion: The pandemic has demonstrated variability in departments’ risk management.

2: PAC recommendation: The Cabinet Office and HM Treasury should set out what they intend to do to ensure that there is sufficient uniformity in departments’ high-level interpretation of and alignment to the principles of the Orange Book. As part of this, the Cabinet Office should set out how it will ensure that departments have a shared understanding of the government’s tolerance for the impacts of major risks, including what levels of impact are acceptable and what levels of impact require mitigation.

2.1 The government agrees with the Committee’s recommendation.

Target implementation date: Spring 2022

2.2 The government is committed to the development of a training programme for risk professionals (expected by September 2022) and non-experts (expected by Spring 2023), which will help ensure that the application of the principles in The Orange Book is well understood across departments. In addition, the Risk Centre of Excellence has published a number of pieces of guidance to help officials apply the Orange Book in practice (for example, guidance on risk appetite, published in August 2021). From April 2022 the government has revised reporting of principal risks to the Civil Service Board (CSB) to better reflect an assessment of risks outside appetite and management strategies to address them and will continue to refine this approach with the CSB and departments in each quarter. The steps set out in the Risk Management Strategy and Delivery Plan that we shared with the Committee on 31 January 2022, to better integrate risk management into wider government processes over the next 2-3 years, will also include embedding the active use of clear risk appetites.

2.3 The National Security Risk Assessment (NSRA) sets out the government’s understanding of the most serious malicious and non-malicious risks facing the UK. The NSRA process involves government departments and assessment bodies, Chief Scientific Advisers, Local Resilience Forums, Devolved Administrations and a range of external experts. It identifies the common consequences of risk scenarios, and the Civil Contingencies Secretariat develops the National Resilience Planning Assumptions (NRPAs) to outline the capabilities needed to manage impacts. The NSRA and the NRPAs are shared with departments, Local Resilience Forums and Devolved Administrations to ensure a shared understanding of risks and response requirements. The 2022 NSRA is currently underway and is set to be completed in late Spring.

2.4 Responsibility for the management of resilience risks, including ministerial ownership of and input into risk tolerances, will continue to be the responsibility of departments under the Lead Government Department principle.