Speeches recovered from the Conservative party’s online archive

Pauline Neville-Jones: Thinking Intelligently about Risk

'Risk' is a concept that has been adopted by all parts of the national security establishment - the intelligence and security services, the police, even the armed forces. 

The US Quadrennial Defence Review of 2001 described the management of risk as 'the single most important strategic tenet' of national security thinking. 
 
But what in practice does 'risk' mean?  How does it relate to 'security' and our intelligence machinery?  These are the questions I want to explore today.  I am not sure that the implications of a risk-based approach to national security have yet been properly thought through in relation to our intelligence structures and the work of our intelligence and security services or into our thinking about security policy.

<h2>Nature and limitations of intelligence</h2>

This audience will be well aware of the nature of intelligence information and therefore of its limitations.  But it is always worth reminding ourselves of them especially as the closed world of intelligence is itself prone to certain risks- above all the risk of insufficient challenge to preconceived notions widely shared within the intelligence community but not outside it.  I shall return to this issue.
 
'Intelligence', which is the task of acquiring information that the owners or originators of that information do not wish another individual or body to know or to obtain, is needed by governments to aid decision-making and policy-making on important or sensitive subjects where open source information is either not available or is insufficient - or indeed may be intentionally misleading.  In determining the quality and value of such information, a three-step process is required. 
 
The first is to validate and audit the way in which a given piece of intelligence was acquired.  This task is often thought to be easier in respect of signal and imagery intelligence since the motive for obtaining it is less open to question than in the case of human intelligence - humint. Validating human intelligence involves assessing the piece of information objectively against the following sorts of questions: how reliable is the source?  Is the access to information adequate for the report to be accurate? What is the reporter's motivation? How far do I trust the reporter and the report?  What is the nature of the relationship between the case worker and the informant?  The aim of validation is to remove unreliable information. By definition it is virtually impossible at any given moment to know for certain how successful this process is.  It is however crucial to confidence in the quality of the final product. 

The Butler Inquiry, which looked into the intelligence which formed part of the basis on which the British government went to war in Iraq in 2003, concluded that the Secret Service's process of validation had been faulty.  There had been insufficiently critical examination of the relationship with informants and their likely reliability.
 
The second step is analysis, which looks at the coherence and consistency of the information obtained with other pieces of information, including other forms of intelligence like signals intelligence, imagery intelligence and open source, and converts this into something comprehensible for decision-makers - into a coherent interpretation of a situation or topic. Here one needs to beware of filtering out inconvenient information which apparently fails to fit the picture.  It might be that the information is correct whereas the picture it fails to fit is wrong.  This bit of the process is like doing a jigsaw without the picture on the lid of the box.  The individual putting the pieces together does not know how many pieces there are; whether he/she has the right ones; how they relate to each other if at all; whether pieces being discounted as irrelevant are in fact vital and, as a result, the extent to which the covertly obtained picture being built up corresponds to reality.

The third and final step is assessment.  Assessment is qualitatively different from the other two processes since it examines the picture obtained through intelligence within the overall context of government policy to help inform policy objectives and priorities. The intelligence leaves the confines of the intelligence community to be handled by a group of assessment specialists who will be drawn from a wider variety of disciplines. Assessment can be strategic or tactical.  It is not itself a policy making exercise from which it should be kept strictly separate. It is permissible for intelligence to influence policy but not for policy to influence intelligence - a trap into which the notorious UK "dodgy dossier" on Iraq fell.

The Butler Inquiry found serious weaknesses in the Joint Intelligence Committee's work in relation to the "dodgy dossier".  It said that warnings about the limitations of judgements based on intelligence information were not made clear enough by the professionals so that laymen could too easily develop a false sense of certainty.  The report also said that the judgements in the dossier went to - although not beyond - the outer limits of the intelligence available.  The effect of this was also to give the impression that there was 'firmer and fuller' intelligence backing for the dossier than was actually the case.  Some might conclude that the conclusions of the dossier in fact went beyond what a legitimate interpretation of the intelligence would bear.
 
What these findings underscore is the need for sensitivity analysis to be clearly included within assessments, particularly as the more diffuse range of security challenges we are faced with today means that it is not possible to accumulate the breadth and depth of understanding in a single place of all the threats of the type we had during the Cold War.  So caveats should be reflected in the judgements of assessments, and assessments should describe the depth of the intelligence base and thus the confidence level in those judgements.

The range of intelligence which needs to be taken into account in any given situation is a particular problem these days. Sources may be scattered, different kinds of risks may come together in a given situation and the range of expertise which is needed for analysis and assessment may be considerable.  Here again, the Butler report has lessons. It said, in relation to the intelligence work done in the run up to the Iraq intervention, that the Defence Intelligence Staff, which in the UK is a key central analytical and assessment body, was not sufficiently integrated within the UK intelligence community to have access to or to ask questions about the intelligence that underpinned the dossier - even though it possessed the technical expertise in the WMD field. In today's conditions, as we have to focus an ever increasing range of risks, this finding underscores the vital need for agencies to share information and to collaborate in analysing and assessing it.  The old "need to know" has to be replaced within the trusted circle by the need to share information. 

The dodgy dossier is worth a further word.  Evidently it violated a number of the precepts of good use of intelligence. First, the contemporary Western intelligence base in Iraq was thin.  Relatively little was coming in and much of it from questionable expatriate sources with their own strong political agenda. The historical record of Saddam Hussein's previous use of chemical weapons and the assessment that WMD stocks remained unaccounted for were preferred to the contemporary - and politically inconvenient - inability of the UN inspectors to find evidence of continuing WMD activity on Saddam Hussein's part.  This was discounted against the deep dyed conviction, which was allowed to assume the character of certainty, that somewhere there was hidden such a capability which the intervention would uncover even if the inspectors were unable - or as some thought, unwilling - to uncover it.  And now we know that this assessment was deeply flawed.

Why? I do not belong to the school that thinks that the whole justification for the intervention was political and that the intelligence was simply bent to provide the case.  That there was political spinning is undoubtedly true and damaging to trust in government and politicians. But the Western intelligence community overall genuinely believed that Saddam Hussein possessed a WMD capability and was still seeking to build it.  The French intelligence community shared this view even though the French government opposed the intervention. 

The point we need to bear in mind today is that the experts can get it wrong.  That in the case of Iraq WMD the jigsaw people thought they were constructing did not correspond to reality.  Were they always wrong or did the picture change? My own belief is that the picture did change over time, that information obtained to the effect that there had been destruction of WMD was discounted; that Saddam Hussein wished to have such a capability and wanted the world to believe that he had it but that the indicators of him possessing it were false. Because a man says beware of the dog, it does not necessarily follow that he has one.

<h2>Shift from threat to risk based approach</h2>

Policy makers need to be aware of the nature and limitations of intelligence and therefore the reliance to be placed upon it, especially so given the nature of the international environment in which we now find ourselves.  To illustrate this point I want to make a brief comparison with the Cold War.

There is a tendency to suggest that it was all much simpler in the past because the threat was more predictable. Capacity to predict accurately of course depends on the quality of information about it and it would be misleading to suggest that even then this was readily available to the analyst.  Neither side in the Cold War made a habit of informing the world about the nature and extent of their nuclear capability. But there were respects in which yesterday's challenge to the intelligence community and to the policy maker was less complex than today's.

The Cold War was characterised by a monolithic challenge in the form of the Soviet Union to open, democratic societies and the values of an open international system.  This challenge remained constant over many decades and, by implication, presented a relatively slow-moving situation more readily susceptible to long-term penetration and all-source analysis, corroboration and assessment.  There was the ideological challenge of subversion and the threat of interstate warfare and defeat in battle. The responses in both the intelligence and the defence and security communities were deep and intensive but also relatively static and reactive in character. 

Today however, we are faced with a diffuse range of security challenges, including those deriving from state actors like Iran, from non state actors such as Al Qaeda and indeed from a range of hazards from pandemics to climate change with potentially profound effects on our security but in which human agency is indirect if present at all and certainly difficult to identify with any precision.

As we move from a world of identifiable threats to a less well defined and mixed world of threats and hazards, many of them global in nature but having local impact, there is a need to think through the analytical and management techniques that can be applied to assist in the policy making process. Much of the technique acquired and refined in the intelligence world remains extremely relevant but some practice has to be modified to deal with a broad range of what can more helpfully be regarded as "risks" to security. Tom Ridge, the former Secretary for Homeland Security in the US, said that 'there is a universe of potentials we have to deal with'.  This has four implications. 
 
First, the more diffuse the range of risks to security the less easy it is to accumulate the breadth and depth of understanding we need. Even when information is obtained from overt rather than covert sources, in a globalised world where great distances can separate cause and effect, our knowledge of a given risk will in all likelihood be imperfect and sometimes pretty inadequate, but not for that reason unimportant.
 
Secondly, whereas a 'threat' is defined by a clear declaration of intent and is therefore specific - like the challenge posed to the international system by the ambitions of the Soviet Union - a 'risk' arises when vulnerabilities are identified in a society or system which are open to targeting and exploitation by external dangers and which need mitigation.  To quote Sir David Omand, the UK's former Intelligence and Security Co-ordinator, risk is the product of the likelihood of an event, the vulnerability to the impact of the event and the effects of the impact itself should it occur.
 
So when dealing with risks, as opposed to threats, we are in fact managing uncertainty and probabilities. Individuals might become radicalised - how likely depends on the social context; a cell of terrorists might be planning an attack - how will depend on their assessment of our vulnerability; or there might be a flu pandemic - how severe depending on the precautions taken against it.  And so on.

Some might suggest that terrorism does not fit into the category of risk and that it is a clear and direct threat.  Is terrorism a risk or a threat? In common parlance it is perfectly sensible to talk about a threat.  But for analytical purposes it may be more helpful to use the parlance of risk. The structure of international terrorism is so complicated, composed as it is of a central Al Qaeda core, affiliate groups, self-starting groups and even self-radicalised individuals, that there is no single identifiable overarching declaration of intent.  And no definitive set of targets.

So we are often dealing with a causal hypothesis which indicates that harm or damage may occur against which we must protect and mitigate.

Thirdly, it is not just the risks which are varied.  It is also the vulnerabilities.  In the Cold War, it was essentially the integrity of the state and of the state organs of power which we sought to protect. Today we seek to look after the whole of society: it is not just institutions we need to safeguard. It is whole systems - the systems which underpin our daily lives like transport, power and telecommunications. The supply of food and energy. But also our intangibles: our values and our identity as individuals and as nations.
 
Fourthly, and as a consequence, we face the difficulty of transforming our relatively static and reactive intelligence and security structures into much more active and nimble agencies able to assess, manage and act on uncertainties at both the strategic and operational levels.  The very diffusion and diversity of risks confronting governments, from natural hazards to motivated attacks by state and non-state actors has at least two effects.

First, the range of Government departments and policies to which the intelligence and security community will have to lend support is inevitably increasing.  And secondly  the policy maker has to respond to the risk analysis systematically.  Systematically in the ordinary sense of the word- ie thoroughly.  But also in the sense of taking a systems approach - not just tackling selected vulnerabilities but ensuring the safety and security of all links in the chain. This places significant demands on the policy makers.

<h2>Precautionary, pre-emptive and preventative action</h2>

What does transforming our intelligence and security structures into active organisations able to assess, manage and act on uncertainties, as reflected in various definitions of risk management, mean in practice?

Our security structures include of course our armed forces.  They are already in full scale adaptation to meet the needs of terrorism and insurgency and peacekeeping in highly insecure conditions. But these days the term also includes the police and other emergency services as well as all those who are employed in the growing band of private sector security companies who play a significant role in both risk analysis and risk management. All these organisations have to show a high degree of adaptability and versatility which in turn depends on good training and leadership.

The posture they have to adopt in managing risk is reflected in the 1992 Rio Declaration on Environmental Development which says: 'where there are threats of serious or irreversible environmental damage, lack of full scientific certainty shall not be used as a reason for postponing cost-effective measures to prevent environmental degradation'.  And the UK's Health and Safety Executive (HSE) defines risk management as the 'impetus to take a decision notwithstanding scientific uncertainty about the nature and extent of the risk'.  Some think that the HSE take their own philosophy too far. But the principle embodied in it is valid: lack of complete knowledge or lack of total certainty about the nature or the effects of a possible event is not by itself a reason for failing to act in advance of it to mitigate damage.

Applying this approach to security means that we will take precautionary or pre-emptive action in advance of a potential danger - or even preventative action to stop a danger from emerging in the first place: a 'better safe than sorry' approach.  I would argue that given the limitations on certainty imposed by the very nature of intelligence, this is the only feasible way forward to providing security to populations.  The judgement call lies in how far one takes precaution and pre-emption.

Some have tried to develop criteria to assist making such judgements. The Inter-Governmental Liaison Group on Risk Assessment, for example, has suggested two possible approaches to deciding how far to take prior action in a given situation: first, there being 'good reason' to believe that harmful effects could be demonstrated by empirical evidence, or by analogy with another activity or situation, or by showing that there is a sound theoretical situation; or, secondly, by gauging those 'harmful effects' by reference to factors such as their severity, irreversibility, uniqueness, numbers affected, temporal, special, or knock-on consequences. Such criteria are helpful but they are not objective and action will inevitably remain a matter of judgement. They could therefore be controversial. How should we deal with such eventualities?

To illustrate these points I want to take two examples.

The first is the police raid on a house in the Forest Gate area in the east of London in 2006.  Two men were arrested by police, who said they were acting on what they described as 'specific intelligence' that there might be terrorists in possession of a chemical bomb.  During the raid one of the men was shot and injured.  No explosive devices were found during the raid or afterwards and the men were released without charge.
 
In response to the raid, various protests were held by Muslim Groups outside Scotland Yard and a march of 5,000 was organised from Newham to Forest Gate Police Station.  Andy Hayman, then an Assistant Commissioner at Scotland Yard, said the police had 'no choice but to act' and the Independent Police Complaints Commission concluded that the police had not used excessive force given the intelligence they had relied on, but that they should have altered their behaviour once it became clear that the situation was under control and that there was no imminent threat.
 
This episode illustrates a number of things. There is the dilemma of when to act: soon enough to prevent a disaster; not so soon as to preclude gathering vital evidence. There is the problem of the accuracy and completeness of information: was the intelligence wrong or wrongly acted on? There are hints of both, though neither factor appears to have been so overwhelming as completely to have invalidated the action taken by the police. But the disquiet at the raid and the protests it brought about tell us something else.  In a democracy the public, in whose name the act of pursuit and protection is being carried out, have to be convinced too. And they will make their judgement on the basis of their perception of the relevance and proportionality of the action taken in the light of the information available to them.

They will not necessarily agree with the police's judgement, or with each other.  There will be argument. But the security services need always to bear in mind the question: will their actions seem reasonable and proportionate to those outside?  One of the most difficult things to get right is the appropriate level of accountability for intelligence and security services.  The public do not want to know about operational detail, intriguing as this may be.  Rather the contrary. A senior Counter terrorist police officer in the UK has just lost his job over inadvertently releasing sensitive operational information. But they do want to know what the aims of this community are and how, in broad terms, they intend to achieve them.  Here the government has a vital role to play in both remaining master of the agencies charged with our safety and communicating with the public on the nature of risks society faces. I would say that in general, in the UK at least, more transparency could be forthcoming without damage to operational capability.

The second example I want to look at is the concept of "resilience", both in the sense of protecting the critical infrastructure essential to our daily lives, for example energy and transport, but also in the psychological sense of the attitude of mind that people bring to the notion that, through no fault of their own they may not be totally safe on a daily basis and that they can help themselves should the need arise.

First physical resilience. I will take a UK example. The current role of the regulators of our critical national infrastructure, is primarily one of pricing- keeping supply to the consumer as cheap as possible. In itself hardly unreasonable.  But it can be damaging if other important public interest considerations thereby get excluded- as is the case. Long term factors such as investment in the physical condition of plant or the capacity to meet disruptions of supply in an emergency have been comparatively neglected. So what could happen when a terrorist blows up a key part of the power grid, or floods overwhelm a key power substation which puts a whole region in darkness? 

There are two points here. First is the importance of horizon scanning: watching for the emergence of risk elements can be a major element in mitigation. But no human run organisation will always totally prevent unwanted events occurring even when well informed. This means, secondly, that one can and should do a good deal beforehand to mitigate the effects by reducing vulnerability as far as possible- vulnerability reduction, let us remember, being part of risk management. The issue here, of course is determining the right level of cost effectiveness.  It is easy to decide to protect against damaging events which occur frequently. But how much, for instance, is a society going to invest in protecting against a high adverse impact contingency when the likelihood of it happening is very low but not nil? These are difficult questions.

The other part of resilience - the role of individuals and communities in mitigating risk - is also important. People are in fact perfectly sensible and they know that the state cannot provide protection against every possible threat or hazard or that if public authorities tried to, the price to be paid in terms of individual and collective freedoms would be very high. A free society depends on trust between its members and if we have to come to depend on the state to protect us from each other we have in effect lost the values we seek to preserve.  That is a whole seminar in itself.  Suffice it to say here that in a democracy, preserving our values is as important as our material well being and that at the margin we may need to make choices. Risk is inherent in freedom.
 
So when crises do occur whatever the cause, the public need to know how to respond- what they can do for themselves, what they should be able to expect of their neighbours and of government locally. Good crisis recovery is itself crisis mitigation. And far from the government concealing vulnerabilities for fear of criticism or-the frequent excuse- creating unnecessary alarm- the right course is for there to be sufficient information and training available on a regular basis for the community itself to help speed recovery.

<h2>The International dimension of risk management</h2>

I have hitherto been talking largely in the national context. That is only part of the story. Because threats and hazards are transnational, national intelligence and security communities increasingly rely for information and help on organisations in other countries to help mitigate risks which may have their source overseas but take place at home. Pandemics, terrorist plots and the consequences of climate change are all examples.  And building a network of high quality professional contacts to pass information and assessment is a key part of managing the risks they represent.  This again is a seminar all to itself.  Suffice it to say that there is still a long way to go as responses to natural and man made catastrophes show.

What the terrorism scene demonstrates is that even among close allies such as NATO nations, threat perceptions vary sufficiently for there to be wide variations of policy response and levels of effort in national capitals to any given situation.   This is all too evident in the case, for instance, of the perceived risk to security in European countries represented by the situation in Afghanistan. To the UK, the threat seems obvious.  But Britain's continental European neighbours by and large do not see themselves as so threatened and the response is different and lesser. A threat to one does not as things stand translate into it being regarded as a threat to all. Of course there must be room for local variation in priorities but in relation to issues fundamental to security failure of allies to develop and pursue common strategies in the end damages all and limits the likelihood of valuable reciprocity of action.

We need to beware of short-sightedly seeking to dissociate ourselves from risks others face, or worse, doing things which get in each other's way. This can happen even when allies agree on fundamentals. Let me give you an example of the problem.

Let me give you an operational example. 

You will recall the transatlantic bomb plot of 2006, which was an attempt to detonate liquid explosives on several airliners travelling at roughly the same time from the UK to Canada and the US. Had it succeeded it would have caused incalculable human, economic and political damage.

On 9 August of that year, Rashid Rauf, a man believed to be a key figure in the plot, was arrested in Pakistan.  Peter Clarke, the then Head of Counterterrorism in the UK, has made clear that the timing of this arrest came as a surprise to the police forces investigating in the UK.  He has said "We were at a critical point in building our case against them. If they got to hear that he had been arrested, they might destroy evidence and scatter to the four winds. More worrying still, if they were tipped off to the arrest, they might panic and mount a desperate attack. At Scotland Yard, we decided, in a matter of minutes, that Operation Overt [the code name of the investigation] had to be brought to an end and all twenty suspects were arrested immediately."

It seems that Rashid Rauf was arrested by the Pakistan authorities on that timing - premature from the UK point of view where the main investigation was under way - because the US authorities wanted him taken into custody as soon as they became aware of his alleged involvement. What this underlines is that in a world of transnational risk, having a shared perception of it, while vital, is not enough. There must also be agreement on the right way to go about mitigation since the action of one party can have consequences across a wide geography, not all of them necessarily wanted by others involved or affected. Since, left to themselves, different societies are inclined to act differently in relation to it, we have consciously to learn how best to cooperate.  Some institutionalisation of best practice in risk management would be helpful and is a key challenge for the future.

I might add that the fate of Rashid Rauf is to this day uncertain.  His Pakistan captors allowed him to escape.  It was subsequently claimed that he had been killed by a US Predator vehicle in the North West Frontier provinces, but a number of analysts believe him still to be alive and active in terrorism. We need to manage these things better.

<h2>Conclusion</h2>

Let me conclude.

We have moved from an international system characterised by a clear and dominant threat, to one characterised by multi dimensional and multi directional security challenges which are harder to foresee and assess.  Governments have to respond to these and will make broader demands in relation to more issues on their intelligence and security services than was previously the case. 

The intelligence that can be supplied to support decisions, whether from covert or overt sources, will by definition be imperfect and both government and public need to understand this and its implications.  And the intelligence community itself needs to bear the limitations of its profession in mind.

But we also have to understand - and this is the element which distinguishes the current situation from the Cold War - action will on occasion be necessary and imperfect knowledge is no good reason for failing to act on a precautionary, preemptive or preventative basis. The post crisis judgement of the reasonableness of the action taken will be made on the basis of its relevance and proportionality and, increasingly, on whether the need to act could have been avoided altogether by greater upstream mitigating action.  I have talked here in terms of the public sector but much if not all of what I have said applies equally to the private sector. 

We must also be clear that the state cannot provide total security and that we should not demand it.  Living in a prison is not enjoyable. But sharing the issues involved in risk management with the public is an important task for government.

And despite the current recession, we are not going to retreat any great distance from a globalised world, if at all, and it will be important to institutionalise on an international basis some common idea of risk perception and management.

We have come some distance, but for those involved in securing the safety and welfare of our societies, much remains yet to be done.
