A better foundation for national security? The ethics of national risk assessments in the Nordic region

Aiming at analysing all major security risks to a country, comprehensive National Risk Assessments (NRAs) can be used as a foundation for national security policies. Doing so manifests a modernist dream of securing societies through the anticipatory governance of risks. Yet, this dream resembles a nightmare of undemocratic state control in the name of security. Based on a critique of the politics of NRAs, this article offers a theoretical framework for evaluating their scientific and political credentials. Drawing on political theory of technocratic expert rule, ethical criteria of epistemic reliability and political representation are introduced to the debate. These criteria are then applied to an analysis of the NRAs of Sweden, Denmark, Finland, Norway and Iceland. I argue that although these NRAs are convincing correctives to the risk perceptions of politicians and civil society, they are insufficiently reliable and representative for defining the scope and priorities of national security policies at large.


Introduction
In continuation of a broadening of national security policies from military defence to civil protection in Western countries after the Cold War, a new genre of 'all-hazard' national risk assessments (NRAs) evolved since the early 2000s (Neal, 2019: 4;OECD, 2017: 24). Instead of compartmentalising security policies into policing, disaster management, industrial safety and military defence, these risk assessments facilitate their integration by covering all major security risks to the citizens of a country. At least this is what they promise. In line with both counterterrorism strategies and the United Nations (UN) agenda of disaster risk reduction, the underlying idea is to integrate precautionary security risk management at all levels of society -from the government and state administration to private corporations and the individual citizen (Adey and Anderson, 2012;Chandler, 2013;Corry, 2012;Larsson, 2021;Pospisil and Gruber, 2016).
A decade ago, Jonas Hagmann and Myriam Dunn Cavelty (2012) warned against undemocratic and paternalistic effects of introducing NRAs to security politics in this way. Since then, the politics of NRAs has received scarce attention in security research and International Relations. Indeed, no attempt has been made at defining the ethical justification of NRAs and subjecting it to philosophical scrutiny. Meanwhile, the political trend has accelerated, with ever more countries producing increasingly advanced NRAs and discovering their political potential.
The relevance of NRAs is currently reinforced by debates on national preparedness for the COVID-19 pandemic and how to reduce vulnerabilities to similar events in the future (e.g. Mosello et al., 2020: 18;UNDRR, 2020). In January 2020, the severity of the outbreak caught most people by surprise. While the health risk to individuals received immediate attention, the severity for the social systems upon which the lives and welfare of individuals rely took time for media and authorities to grasp. This broader societal focus is exactly the point of departure for NRAs. Bolstered by the fact that many NRAs -like those of the United Kingdom, Netherlands, Norway, Sweden and Denmark -have identified a pandemic as the most serious type of security risk ahead of the outbreak, one might therefore expect calls for increasing the political role of NRAs as an instrument for defining the focus and priorities of national security policies in the years ahead.
Yet, the assessment of risk is a risky business. As demonstrated in this article, it has the appearance of objectivity but relies on underlying social and cultural perspectives and the limited mandates and resources of institutions (Luhmann, 1993;Slovic, 1999). Although natural disasters lend themselves to more advanced monitoring and predictions than man-made disasters, their character as security risks also has socio-cultural dimensions (Douglas and Fardon, 2013). Indeed, it is widely acknowledged in scholarly literature that the very conception of risk is political, also when based on science and expertise (cf. Arnoldi, 2009: Ch. 5 & 9;Balzacq, 2015;Boin et al., 2020;Olsen et al., 2020).
Before handing NRAs over from the bureaucratic backseat drivers to the governmental codrivers of national security, it is therefore necessary to consider exactly what one wishes for. As a contribution to such reflection, the ethical justification of NRAs as a foundation for national security policy is examined in this article. 1 Inspired by the work of Jonathan Wolff among others on the ethics of public policy, I do so by first developing an empirically informed philosophical argument and then applying this argument to the analysis of a concrete case: the NRAs of the Nordic region (cf. Swift and White, 2008;Wolff, 2020).
In the first section, I introduce the phenomenon of NRAs in Europe and relate it to a trend of risk governance in security politics. Then, I present the argument for using NRAs as a guide to national security policy and recount why this may involve dressing up paternalistic politics in a false scientific guise. In view of this critique, and drawing on political theory of technocracy and expertise, I argue that NRAs would need to meet criteria of epistemic reliability and political representation in order to be ethically justifiable as instruments for national policy-making.
As an example of what this argument means in practice, I then apply the ethical criteria to an analysis of the NRAs of Sweden (Swedish Civil Contingencies Agency (MSB), 2016, 2019), Denmark (Danish Emergency Management Agency (DEMA), 2017), Finland (MoI, 2019), Norway (Norwegian Directorate for Civil Protection (DSB), 2019b) and Iceland (NCP, 2011(NCP, , 2015. Through a qualitative document analysis (Bowen, 2009: 34), the NRA reports and related policy documents are interpreted in the context of scholarly literature on Nordic and European security politics. From the analysis, I conclude that while the Nordic NRAs are potentially fit for the purpose of preventing disasters within the territory of a state, they are not sufficiently reliable or representative for defining the focus and priorities of national security policies at large.

Governing security risks
Drawing on the work of Michel Foucault, Deborah Lupton describes how the idea that dangers can be governed at a national level involves systematic prediction based on a new mode of surveillance where statistical correlations and probabilities are derived from data on whole populations rather than from close observation of particular 'dangerous' individuals or organisations (Lupton, 2013: 124; see also Bell, 2006;Castel, 1991: 288;Dillon, 2008;Krahmann, 2003;Prozorov, 2021;Williams, 2008). With the failure of threat and risk assessments to predict catastrophes like 9/11, the 2007 financial crisis and the 2009 swine flu pandemic, the latest reiteration of this approach, Lupton argues, is what Claudia Rens Van Munster (2007, 2011) call 'precautionary risk' (see also Amoore, 2013;Amoore and de Goede, 2008;Lupton, 2013: 135-140). In distinction from mere statistical inference from historical events, this involves a combination of calculation, imagination and performance through techniques like visioning, future-planning and scenario building for the management of unknown events (Amoore, 2014;Anderson, 2010;de Goede et al., 2014;Lupton, 2013: 138;Petersen, 2011). This is what NRAs are all about.
European NRAs come in many shapes and forms, and also go by names like national risk registers and national threat assessments. Generally, they treat risk as 'a combination of the consequences of an event (hazard) and the associated likelihood/probability of its occurrence' (European Commission (EC), 2010b: 10). However, the theory and method for operationalising and applying this conception vary significantly within and between countries (for an overview, see OECD, 2017; and Annex 1-3 in EC, 2017). Some NRAs are based on selected types of risks and scenarios, while others seek to cover all major threats to society. Following a tradition of classified risk and threat assessments in specific areas of government, the difference with the new NRAs is their wide scope, systemic focus and that they are intended for a broader audience. As with all the Nordic NRAs, they are usually published in public versions (with sensitive aspects left out) as part of political strategies of risk communication (Bergersen, 2017;Frandsen and Johansen, 2020).
Stemming from the field of civil protection, most NRAs currently exclude military threats, at least from the public versions of the reports. Arguably, the recent 'return' of war as a security problem in Western politics nonetheless makes the introduction of military risks to European NRAs expectable, as exemplified by those of the Netherlands andFinland (ANV, 2016, 2019;MoI, 2019).
The pioneer NRAs of the United Kingdom and Netherlands have already influenced political priorities for more than a decade since their introduction in 2007/2008 (Hagmann and Dunn Cavelty, 2012;Neal, 2019: 242). The UK National Security Strategy has rested on a 'National Security Risk Assessment' since 2010, entailing an all-hazard and 'all-ofgovernment' approach to national security (HM Government, 2010. The 2019 Dutch NRA was specifically requested by the government for the purpose of informing a new long-term national security strategy (ANV, 2019: 7). In the resultant strategy, national security is conceptualised as a matter of risk management: 'This NSS lays the foundations for a risk management system that will develop into a strategy that spans the entire breadth of Dutch society' (Netherlands CG, 2019: 40).
In the wake of the 2010 EU Internal Security Strategy, all European Union (EU) member states were requested to carry out all-hazard NRAs, and in 2013, this was turned into a requirement of submitting a summary of risk assessments at the national level every 3 years from 2015 (Bossong and Hegemann, 2016;EC, 2010aEC, : 14, 2010bEC, : 4, 2020European Union (EU), 2013;Morsut, 2020). NRAs are also a central part of the UN Sendai Framework for Disaster Risk Reduction that is integrated with the UN Sustainable Development Goals and the Paris Agreement (Mosello et al., 2020;UNDRR, 2020;UNISDR, 2015UNISDR, : §17, 2017. A key selling point in this context is that risk governance is a sound economic investment, both for states themselves and for international donors, as compared to the cost of disaster response and reconstruction. Apparently, it was this connection to financial risk management in a G20 setting that sparked the commitment of European governments and the EU to invest in NRA capacity (OECD, 2017: 24-25). Indeed, the most comprehensive all-hazard risk assessment to date is not a NRA but the Global Risk Report by the World Economic Forum (WEF, 2020). This report draws on practices of risk assessment in the fields of private insurance, business management and trading that surpass the scale of public risk assessments by far. This link to the economy reflects how the very concept of risk is integral to a range of domains beyond security politics. By hooking up with these, NRAs comprise an assemblage of different political rationales and resources -from civil protection, military defence, finance and social security to international peace and security, development, and humanitarian action. The resultant constellations of risk governance do not only allow traditional security actors to influence other policy domains but presents actors in these other domains with an opportunity to challenge existing policies and practices of security.

Technocratic expert rule to the rescue
The political argument for NRAs as an instrument for security risk governance at the state level has its clearest expression in the Foreword to the above cited Organisation for Economic Co-operation and Development (OECD) report, National Risk Assessments: A Cross-Country Perspective (2017). Here, the directors of the Crisis Management Directorate of the European Commission and the OECD Public Governance Directorate pose the rhetorical question of how governments can invest their finite resources most efficiently to mitigate the effects of extreme events, provided that 'citizens expect governments to manage the impacts of such events whether they come from natural disasters, terrorist attacks, industrial accidents or disease outbreaks' (OECD, 2017: 3). They continue, 'Since not all hazards and threats can be prevented, important trade-offs need to be made in preparing for different types of disaster risks' (OECD, 2017: 3). In response, they call on countries 'to develop risk anticipation capacity linked directly to decision-making, including through the adoption of all-hazards approaches to national risk assessment' (OECD, 2017: 3, italics added).
In a study of the NRAs of the United Kingdom, Netherlands and Switzerland, Hagmann and Dunn Cavelty (2012: 86-88) cast doubts on the premises of this argument. They claim that the political role of NRAs is highly problematic because (1) the NRAs are presented as objective, glossing over the political decisions, limited information and scientific uncertainties that they are based on, and (2) the political nature of the assessments is concealed when stemming from science and expertise rather than from sovereign dictates by governments or consultations with the public. Resonating with debates on general technocratic and depoliticising tendencies in European politics (see, for example, Deville and Guggenheim, 2018;Eriksen, 2011;Habermas, 2015;Hegemann and Kahl, 2018;Rayner, 2007), they conclude that the combination of these aspects results in an unwarranted form of paternalism where 'claims to protection are articulated on behalf of the civil population, but not by the civil population' (Hagmann and Dunn Cavelty, 2012: 90; see also Bossong and Hegemann, 2016).
This critique of NRAs as politics in disguise finds support in more general research on the sociology and politics of risk. Defining risks as 'potential dangers', Jacob Arnoldi sums up three ways in which risks are not objective and neutral but social and political: Risks are social and political problems -for example, the problem of creating an ecologically sustainable society; risks are understood against a social and cultural background, that is, people worry about different risks due to different social and cultural backgrounds; and risk is a key concept in various practices and knowledges with which people are governed and society is structured. (Arnoldi, 2009: 3, emphasis in original) The first dimension -risks as 'problems' -makes NRAs political in the straightforward sense that they involve the identification of security problems with consequences for political priorities (cf. Buzan, 1991). When politicians fight over issues like climate change, NRAs can be taken in support of one side or the other. If risks could be assessed on a socially and politically neutral basis, this would not itself be a problem. However, the second dimension -socio-cultural premises -makes NRAs political in the more constitutive sense of relying on (inter-)subjective perceptions of the world (cf. Burgess, 2011;Douglas and Fardon, 2013). For instance, the assessment of mass migration as a risk looks very different from an ethnonationalist and a multicultural perspective. According to the former, immigration is itself a danger to the nation, while it is generally seen as a valuable contribution by the latter (cf. Huysmans, 2006). When NRAs do not define immigration as a risk in itself, they therefore not only take a stance in the political debate on immigration (the problem dimension) but delegitimise ethnonationalism as a socio-cultural orientation. When determining 'practices and knowledges for governing and structuring society' -the third dimension -this means that NRAs not only become a political instrument for governing risks but for indirectly bolstering the political order that they rely upon.
By isolating NRAs from broader political debates on matters like war and climate change and turning risk governance into a matter of professional expertise, expert agencies thus end up in a role as political oracles premising decision-making across society. On this basis, it can be argued with Hagmann and Dunn Cavelty that the assessment of risks should be left to the citizens and representative politicians in order to be ethically justifiable in a democratic context. In response, one might ask what the problem really is if the work of the agencies is based on transparent mandates from democratic authorities and their conclusions are more reliable than what can be expected from the general public.

Ethical criteria for national risk assessments
The reliance of governments and parliaments on expert agencies and committees for solving complex political problems is an increasingly common feature of contemporary democracies (Góra et al., 2018). Contrary to the reputation of such 'expert bodies' as detached, unaccountable and depoliticised, Eva Krick and Cathrine Holst highlight the social and political ties of experts and argue that this presents us with the question of 'how to strike a balance between the independence requirement of reliable expertise and the responsiveness requirement of democratic governance' (Krick and Holst, 2019: 118; see also Holst and Molander, 2017). Noting the affinity of this problem with the millennia-old tension between the rule of knowers and democratic rule, they convincingly argue that the ethical justification of expert bodies thus does not require that they either fulfil an 'epistemic' requirement of authoritative knowledge production based on adequate autonomy and integrity or a 'democratic' requirement of sufficient degrees of accountability, inclusion and participation but that both of these demands are met in a balanced manner. The combination of these criteria seems to summarise the normative concerns underpinning the critique by Hagmann and Dunn Cavelty; in their view, NRAs were neither reliable nor representative.
If risk assessment was a matter of objective knowledge, the criterion of epistemic reliability would be sufficient. However, the (inter-)subjective foundations of risk mean that for the assessments to be reliable their normative and descriptive premises must also be politically representative. Likewise, the way that these premises are turned into assessments must be epistemically reliable in order for the conclusions to be representative. Hence, rather than thinking of the balancing of the two requirements as a question of compromise they should be seen as complementary.
In democracies, this ethical requirement implies that in order to be ethically justifiable NRAs not only have to be produced by experts and institutions that are more knowledgeable about the issue and sufficiently independent and impartial for producing reliable results; their work also needs to be aligned with the socio-cultural and political orientations of the citizens -not in terms of mirroring their own risk perceptions but of resting on representative political premises when carrying out the assessments. According to Krick and Holst (2019: 125-127), this democratic requirement can be achieved through familiar measures such as accountability and parliamentary oversight, a balanced composition of the experts and genuine participation by stakeholders in the process -including non-expert representatives from different parts of society.
Is such reliability and representativeness at all realistic in security politics? Different theories of security and risk would answer this question differently. Some see the epistemic shortcomings as a necessary result of the subjectivity of risk assessments, making the demand of reliable truth claims entirely unrealistic. However, if agreeing on the theoretical premises of a risk assessment -including the definition of risks like earthquakes, terrorist attacks or armed conflict and how these are to be measured -it is indeed reasonable to expect experts to be better at assessing the risks than a lay person (Aven, 2010(Aven, , 2012. In this respect, Thierry Balzacq distinguishes between two meanings of 'objective threats' in security politics: objective as in the positivist separation between subjective and objective, and objective as in 'the intersubjective solidification of a social fact' (Balzacq, 2015: 4). While risks are not objective in the former sense, they can be more or less intersubjective in the second sense. Provided that risk assessments are carried out in settings of social and political struggle, this 'conditioned objectivity' does not free them from their political character, however.
Some theories also see security politics as inherently undemocratic. An extensive literature in critical security studies confirms how any conception of security is embedded in political struggles, social hierarchies and economic competition (C.A.S.E. Collective, 2006;Jabri, 2016;Peoples and Vaughan-Williams, 2014). In the original formulation of 'securitization theory', the definition of an issue as a security problem allows for its exemption from ordinary politics by leaving it in the hands of governments and elites (Waever, 1995). On this account, the broadening of security policies through NRAs might be seen as inherently antidemocratic, subjecting ever new political domains to the dictates of national security rather than struggles for liberty or justice (cf. Bigo, 2011;Molotch, 2014). Others, however, see a potential in security politics for both authoritarianism and democratisation, repression and empowerment Nunes, 2012;Nyman and Burke, 2016). Andrew Neal, for instance, describes recent developments in the United Kingdom where security politics have become increasingly 'normalised' as a political topic, diffusing national security from governmental control to open parliamentary debates and oversight (Neal, 2019). Indeed, the widening of security politics from existential military threats to mundane issues like water and sanitation means that we might at least expect a range of different degrees of accountability, inclusion and participation. In this vein, Balzacq (2015: 4-5) maintains that security should not be seen as either negative or positive a priori, as this would hinder a non-biased critical examination: 'Understanding security in exclusively negative terms amounts to a cheap ethics, of sorts, as it puts critical security scholars on the rather defensive position of having to resist anything that looks like a security practice'.
Against this backdrop, the results from an analysis of the epistemic reliability and political representativeness of NRAs in the Nordic region will now be presented and discussed. Provided that the Nordic countries have a tradition for civil-military cooperation, figure on top of global rankings of democracy, security, peace and development, and that the politicians and state institutions are trusted by the citizens (cf. Helliwell et al., 2020: 129), their NRAs -if any -might be expected to meet the epistemic and democratic requirements for expert advise. If not, it indicates that the ethical justification of NRAs as an instrument for determining the focus and priorities of national security policies is rather unconvincing -although this would only remain a strengthened hypothesis to be further examined in other settings. It is, however, important to note that the following analysis does not address the key question of how the NRAs are used in practice. Indeed, reliable and representative NRAs would only be a first step in this regard -and some might say the easiest one.

Nordic National Risk Assessments
In line with a general Europeanisation of Nordic security (Rieker, 2004), the Nordic NRAs are all the result of the above mentioned EU requirement and guidelines. Being produced by departments or directorates for civil protection under the ministry of defence (Sweden and Denmark) or justice/interior (Norway, Iceland and Finland), the degree to which the Nordic NRAs are currently integrated with national security policies nonetheless varies significantly.
A strong emphasis in Sweden, Finland and Norway on civil-military cooperation ('total defence') and comprehensive ('societal') security bodes particularly well for such integration (see Larsson and Rhinard, 2020). Like in the United Kingdom and Netherlands, the Finnish NRA (MoI, 2019) is now directly connected with national security policy by making it a basis for the national Security Strategy for Society (Ministry of Defence (MoD), 2017: 25). Here, 'preparedness' is defined as the baseline of national security, and 'the aim is that the national risk assessment should form the basis for preparedness planning at all levels of action' (MoD, 2017: 25). At the opposite end of the scale, the stated political purpose of the Danish NRA -National Risk Profile for Denmark (DEMA, 2017) -is more one of raising the general awareness of risk in society and informing risk assessments and exercises by private or public organisations than premising specific governmental policies and strategies (see also OECD, 2017: Ch. 9). In Sweden, like with Finland, there is direct overlap between the national security strategy and the NRA, but here the main reference is not the comprehensive Summary of Risk Areas and Scenario Analyses (MSB, 2016) but the related annual National Risk and Capabilities Assessment (MSB, 2019) that highlights selected risks of particular concern, combined with annual public reports and classified communication by specialised security agencies (Stiglund, 2020).
In Denmark, Norway and Iceland, there is a clearer distinction between the policy domains of civil protection and foreign and security policy, with the all-hazard NRAs informing the former and annual risk and threat assessments by police and military agencies informing the latter. In Norway, this results in four overlapping national risk and threat assessments, where the all-hazard Analysis of Crisis Scenarios (DSB, 2019b) focuses on hypothetical risk scenarios while the others concentrate on manifest threats of various kinds (anonymised reference). Until recently, the distinction between civil protection and foreign and security policy has been even stronger in Iceland (Bailes and Ólafsson, 2014). In 2016, a new and more comprehensive national security strategy for Iceland was nonetheless introduced, with a paragraph declaring the integration of civil protection into the national security policy (IcelandPo, 2016: §7). Yet, the two domains are still covered by separate security councils and ministries, and no all-hazard NRA has been published since the 2011 National Risk Assessment for Iceland (in English summary from 2015; NCIP, 2015; NCP, 2011).
As acknowledged in the Swedish and Norwegian versions, none of the five NRAs actually evaluate the risks for whether and how they ought to be managed (DSB, 2019c: 8;MSB, 2016: 10). They analyse the severity of the risks in terms of likelihood and consequences, with a view to vulnerabilities and capabilities. However, they avoid evaluating the political imperatives of the risks and options for addressing them because such evaluation depends on the question of risk acceptance as well as on political priorities in work on preparedness (Lidén, 2018). Some risks might be seen as a natural part of life, while others, like terrorism, might be seen as inherently unacceptable even though their likelihood and impact are lower. Likewise, mitigation efforts might have more positive sideeffects for some risks than others; compare for instance the side-effects of strengthening the health system in preparation for pandemics with the side-effects of preventing terrorism through intrusive mass surveillance. As stated in the Swedish NRA, 'MSB deems it very difficult, if not impossible, to determine thresholds for acceptable levels of risk' (cf. MSB, 2016: 10). This is left to the users to consider -be it organisations or individuals. It is therefore more coherent with risk management terminology (International Organization for Standardization (ISO), 2019) to call the Nordic NRAs national risk 'analyses' rather than full-blown 'assessments'. This is significant for their political role -as it leaves more political agency in the hands of their users. This point is nonetheless missed if the severity of the risks is equated with political priorities.

Reliable?
While providing reliable information about the immediate risk of disasters within the Nordic countries, the following analysis implies that the theoretical and methodological premises of the NRAs are not adjusted to the task of defining the scope and priorities of national security policies at large. Essentially, their normative, thematic, geographical, temporal and ecological scopes reflect their institutional origins in the field of civil protection. This affiliation also means that their levels of independence and impartiality are inadequate for producing reliable results.
Normatively, the NRAs focus on risks to a set of values and functions within a country (cf. the classic discussion on the normative foundations of 'national security' in Wolfers, 1952). In the Swedish version, these values are called 'Swedish national values of protection' and defined as 'human life and health, society's functionality, economy and the environment, democracy, rule of law, and human rights and freedoms, and national sovereignty' (MSB, 2016: 7, 10). Denmark, Norway and Iceland operate with similar but not identical lists (in Norway they are called 'societal values';DEMA, 2017: 7, 11;DSB, 2019c: 29;NCIP, 2015: 10;NCP, 2011: 39). The values are connected to a set of 'vital functions' to be protected, and the NRA of Finland skips the focus on values and concentrates on an extensive list of such functions (MoD, 2017;MoI, 2019: 10).
This focus on national values and functions is broader than the traditional national security focus on 'state security' (McDonald, 2016). However, it also departs from the globally oriented notion of 'human security' by being limited to the security of 'society' within the borders of a state. As such, it might be taken to reflect a compromise between state security oriented 'political realism' and international or collective security oriented 'liberal internationalism' . However, while this may be a reasonable interpretation, the immediate reason is more instrumental than ideological. By being tasked with the identification of risks to a country, the conception of national or societal values and functions follows as a reasonable response to the question of 'what is to be protected'. It is not in itself contrary to a global concern for human security, but may nonetheless have that effect if premising national security policies at large.
Thematically, the NRAs do not present a truly comprehensive picture of the security risks to the values and functions they focus on. In addition to excluding the risk of war (except Finland), their focus on exceptional events that require an extraordinary 'emergency response ' (cf. DEMA, 2017: 5;MoI, 2019: 22) excludes 'ordinary' risks like cancer, traffic accidents, poverty or drug abuse with impacts that exceed most catastrophic scenarios in the NRAs by far (cf. Kreissl, 2015: 58;WHO, 2020). While this limited focus on a particular type of security risks makes sense in the context of civil protection, the NRAs do not tell us how their findings should be integrated with general national risk governance across political domains although this is exactly how they are presented. An unintended effect may well be that national risk governance is confused with governing the risk of exceptional disasters and that the positive as well as negative yields of assuming risks -including security risks -are overlooked.
Geographically, and in line with a hallmark of the genre, all the Nordic NRAs limit their focus to events that take place within the territory of the state (or the immediate neighbourhood in the case of Finland -while Denmark excludes the Danish territories of Greenland and the Faeroe Islands). In effect, the NRAs fail to reflect that the Nordic countries are among the most secure in the world (INFORM, 2021). The relatively limited likelihood and impact of the risks and the absence of some of the most common and severe security problems of other countries simply disappears because none of the NRAs compare their findings with other countries (cf. Hagmann and Dunn Cavelty, 2012: 90). If informing priorities between security and other political concerns this provides a poor basis for national policy-making.
Certainly, placing 'national risks' in a global context is also necessary for informing decisions on the distribution of resources between security at home and abroad. For instance, analysing the risk of global pandemics within a national territorial scope might help justifying that rich, small and relatively mildly affected Nordic countries with a functioning health system outbid far more populous and hardly hit countries in a global struggle for vaccines and medical equipment to manage the COVID-19 pandemic (cf. Hassoun, 2021).
The NRAs include some risks that originate elsewhere but cause emergencies within the state's territory, like a nuclear accident abroad (Norway, Denmark) or a disruption to the foreign production of vital drugs (Norway). However, these are only included because of immediate effects on the life, health, economy and environment of the citizens within the national territory. Disasters that severely affect foreign countries, with harmful international political and economic effects, are exempted when they do not pose an immediate threat to the country's own security.
The clearest example of an international risk that currently falls outside the scope of the Nordic NRAs is warfare beyond their own territory. Even if the likelihood of something like a major international war with weapons of mass destruction is deemed low, the consequences could make all the risks assessed in the current NRAs marginal in comparison, also when limited to their cascading effects on the Nordic countries. Arguably, the best way to reduce this risk is for all countries to sustain a focus on the problem and actively working to prevent it. Excluding it from NRAs may have the opposite effect if informing the priorities of national security policies.
Temporally, the NRAs strike an interesting balance between infrequent and improbable risks in order to be relevant to efforts of prevention and preparedness (see also DSB, 2019a: 20;MSB, 2016: 12). As a result, the NRAs generally follow the EU guideline of focusing on events that may occur within a 5-year period -leaving longer term risks to a different category of 'trends' or 'tendencies ' (cf. DEMA, 2017: 6;EC, 2010b: 24). This may seem reasonable from the perspective of emergency management but not as a foundation for comprehensive security policies. Some of the most fundamental and probable longer term risks emanate from decisions that are made at present in fields like energy production, biotechnology and artificial intelligence. The severity of these risks makes their mitigation through prevention and preparedness as urgent a concern as for impending but less severe risks like floods or school shootings. Not recognising this gives the NRAs the appearance of 'political presentism' -the attitude that the interests of future generations will be maintained by pursuing the interests of the present (Thompson, 2010).
Finally, the ecological scope of the NRAs reduces animals, plants and ecosystems to 'environmental factors'. This for instance excludes the imminent risk of continued mass extinction of animal and plant species -so-called 'ecocides' -as long as it does not have immediate disastrous effects on humans (McDonald, 2016). Treating homo sapiens as 'the centre of the universe' and disregarding the inherent value of other species, this is typical for 'anthropocentrism' (Mitchell, 2016).
From this analysis of the theoretical scope of the NRAs, we see how they manifest the mandates and competences of the agencies producing them. These were established to help government ministries managing the whole array of internal civil protection concerns that were redefined as matters of security after the Cold War (except in Finland where the NRA is produced by the Ministry of Interior itself). Although the NRAs are supposed to generate independent and impartial answers to the question of what the main risks to the nation or country are, it appears that the analysts producing them interpret their task in line with the general focus and objectives of their organisations (cf. Barnett and Finnemore, 2004;Kennedy, 2016). This is reflected in the variations between the Nordic NRAs, manifesting differences in the mandates of the agencies producing them. In Norway, this is further exemplified by how the four security agencies producing national risk and threat assessments have not been able to agree on a shared national risk assessment due to their different roles and competencies (anonymised reference).
In all the NRA reports, it is nonetheless emphasised that they are based on extensive consultations with relevant experts. The scenarios of the Swedish and Norwegian NRAs are drafted by analysts against the backdrop of existing risk assessments at national and sub-national levels and eventually discussed with experts in ministries and other specialised agencies. Focusing more broadly on potential incidents than on construed scenarios, Denmark, Finland and Iceland compile more limited risk assessments from a range of institutions -primarily ministries, municipalities and/or specialised agencies -and convert these into the format of their respective NRAs. When speaking of experts, the Finnish NRA refers to 'the expert opinions in the ministries' respective branch of administration' (MoI, 2019: 12). The other NRAs also mostly rely on expertise within the ministries and 'stakeholder organisations' that are also the primary addressees of the NRAs. In contrast to a model of independent and impartial advice, the users are therefore also key producers. Thus, the work of the 'technocratic risk assessors' turns out to be as much about bureaucratic arbitration as independent scientific investigation.

Representative?
This reliance of the NRAs on existing knowledges and practices of the state administration nonetheless means that the NRAs can be expected to be more politically representative than if produced by detached, unaccountable and depoliticised agencies. Yet, they are primarily accountable to the ministries requesting them and not to the parliament or civil society. They are also only inclusive in the sense of covering implicated policy domains and fields of expertise -not with respect to representing the political, social and cultural composition of society at large. To be sure, the emphasis on 'stakeholder consultation' does not fulfil the requirement for democratic participation outlined by Krick and Holst (2019: 127) because the category of stakeholders is understood as actors involved in security risk management and not as the wider public.
In effect, the NRAs basically reproduce existing knowledges and practices in the governing apparatus. This is hard to imagine when looking at the sensible list of risks that are highlighted in the Nordic NRAs. However, it is the risks that are not included that indicate the conservative bias of the assessments. Risk perceptions that challenge the political orthodoxies in a country will simply never make it into these NRAs given their current procedural premises.
Not exactly boding for revolutionising national policies, the democratic legitimacy of the Nordic NRAs therefore depends on the reliability and representativeness of the state administration. Involving advanced projections of risks, it is nearly impossible for lay persons, including elected politicians, to comprehend and challenge their findings. If turned into 'policy-making machines', the NRAs will thus insulate the political status quo. In contrast to the spectacular bracketing of civil and political rights by counterterrorism practices for the precautionary protection of national security (e.g. Bigo, 2011;Heath-Kelly, 2012;Kundnani and Hayes, 2018), the NRAs thereby involve more mundane and bureaucratic limitations on political freedoms -not through explicit interventions but as long-term restrictions on political ideas that challenge prevalent rationales of security risk governance.
This seems to confirm the warning by Hagmann and Dunn Cavelty against technocratic and paternalistic effects of NRAs. It also resonates with observations by Aradau and Van Munster (2011) of the depoliticising referral of the 'politics of catastrophe' from the democratic arena to security agencies and their advanced technologies of risk governance. Yet, as Neal (2019: 249-250) argues, turning national security policies into explicit strategies based on comprehensive and public assessments belongs to a different register than the secrecy of military affairs or sovereign dictates in a state of exception. By contrast, the use of NRAs as a technology of governance makes security policies resemble any other political domain that depends on advanced expertise and bureaucratic procedures.
In the UK setting, Neal observes a subjection to economic policies when national security is reduced to ordinary politics in this way. In the Nordic countries, however, it seems to be the social-democratic welfare state rather than the liberal economy that is bolstered by the comprehensive scope of the NRAs -although the procurement by the state of commercial products and consultancy services also involves a market dimension (Hoijtink, 2014;Larsson, 2020). By 'seeing like a (welfare) state' (Scott, 1998), the NRAs present the risks in a manner that makes the state the guarantor of 'societal security', filling a vacant spot between 'social security' and 'state security'. While risks like industry accidents, cyber attacks or diseases may be managed by private security schemes elsewhere, the Nordic states take active responsibility for them when including them in national security policies -although delegating some of this responsibility to the individual citizen in the name of resilience (Berling and Petersen, 2020;Chandler, 2013;Larsson, 2021).
To be sure, the mandates of the Nordic NRAs are all anchored in democratic institutions, which make them politically representative in a fundamental sense. However, as we have seen, the operationalisation of these political foundations leaves significant room for interpretation by the responsible ministries, agencies and individual experts (cf. DSB, 2019c: 16;MSB, 2011;Wikman-Svahn, 2019). When defining 'national risks' and reforming 'public risk perceptions' from the limited bureaucratic perspective of civil protection, this could, as we have seen, not only preserve the status quo but result in more reactionary, nationalist, political presentist and anthropocentric policies.
The dramatic difference between this Nordic setting and for example, the Middle East or Sub-Saharan Africa illustrates the perils of discussing the politics and ethics of NRAs in the abstract (cf. Brigg and George, 2020). Compared to regions with higher levels of immediate security problems like war and natural disasters that tie up political and economic resources, the Nordic countries seem particularly well placed for using NRAs as political instruments (Larsson and Rhinard, 2020). Also, a relatively low level of political conflict bodes well for a concerted conception of national security risks. When the political role of NRAs turns out to be ethically problematic in this context, one might therefore nonetheless expect similar problems elsewhere.
Indeed, these political dynamics in a Nordic context indicate that the current promotion of NRAs as part of national disaster risk governance on a global scale in the Sendai Framework (UNISDR, 2015) require ethical attention. When produced in countries with a low level of public trust in the state apparatus or where the state is fraught with deeprooted political struggles, it is naïve to expect the NRAs to be a source of reliable and representative policies. Instead, they are well suited for the justification of the status quo for the protection of 'society' from dangers that the people is per definition unable to comprehend.

Conclusion
As part of a turn in security politics towards precautionary risk governance, the influence of NRAs is set to rise in the years ahead. While offering a map for such governance, NRAs are neither scientifically objective nor politically neutral and replace democratic contestation with technocratic management. This presents us with the question of how to evaluate their political prospects from an ethical perspective. Disclosing their epistemic and political shortcomings is insufficient for rejecting their ethical justification if the alternatives also fall short of these ideals. Instead, a more nuanced contextual analysis of their reliability and representativeness is therefore needed.
In the case of Nordic NRAs, we have seen how they provide a systematic corrective to the shifting and often superficial focus of national security policies -as reflected in their persistent focus on the risk of pandemics at times when political attention was glued to terrorism. By drilling into vulnerabilities in social and material systems rather than concentrating on known threats and their immediate repercussions, the NRAs therefore present us with a better understanding of the risk of disaster within a country than what we get from traditional threat assessments.
Yet, this does not mean that the Nordic NRAs are suited for defining the focus and priorities of national security policies at large. Rendering some of the most secure, peaceful, developed and happy countries of the world in a gloomy light, they currently resemble the crime genre of Nordic Noir where horrendous crimes and grievances reveal persistent social and political problems. Moreover, they are set to preserve the existing knowledges and practices of the state apparatus instead of challenging these on rational and representative grounds.
Would it be possible to adjust the epistemic and political credentials of the Nordic NRAs to resolve this problem? From the above analysis, it appears that this would require a concerted position on a wide set of normative, thematic, geographical, temporal and ecological premises of the assessments -with a far broader scope than at present. These are all contested political issues, also in the Nordic countries, and even if possible in principle, the idea of reaching a consensus of this sort seems unrealistic in practice and would require a different institutional and procedural setup. If providing a truly comprehensive account of the main risks that should be considered in national policy-making, the assessments would also need to cover much more thematic ground. In comparison, the expert body par excellence, central banks determining monetary policies, do not premise the general economic policies of a country but a sub-set of economic instruments, and operate under intense democratic scrutiny with extensive resources at their disposal (Krick and Holst, 2019: 119). Likewise, one might envision a clearer division of labour between NRAs and the political process of defining the overall scope and priorities of national security policies.
While confirming some of the scepticism against security risk governance, this analysis thus does not imply that the NRAs should necessarily be discarded as a key source of information in security politics. Instead, their role in policy-making should be limited to informing the formulation and implementation of policies for reducing the risk of disasters within a country. Sometimes, this introvert and precautionary objective is conflated with the purpose of national security policies at large, but it should rather be understood as a limited component of national security broadly defined (cf. Sears, 2020;Selchow, 2016). Even if limited to this purpose, the theoretical and procedural premises of the current Nordic NRAs would nonetheless need to be revised and their findings placed in a broader thematic and geographical context when presented.