What NGOs Need to Know for Safety, Security & Risk Management
What NGOs Need to Know for Safety, Security & Risk Management
Recent events in South Sudan, Turkey, and elsewhere serve as yet another reminder of the unrelenting threats to individual safety and security. Increasingly, international development and relief organizations have moved duty of care to a critical item on their risk register.
Addressing organizational risk can seem to be a daunting task requiring time, effort, and financial resources. It is therefore important that this investment produce systems and processes that are not ignored but rather are supportive and help reduce the multi-faceted risks the NGO community faces.
If you had to evacuate your staff tomorrow from a project office due to a military coup, would you be prepared? If you are not sure of your readiness in the event of a critical incident, consider this guidance.
The Evolving Nature of Risk
While the ‘Acceptance Model’ or ‘Safe Access’ model as an approach to NGO security management still has value—the principle that security risk is reduced by building local relationships and instilling trust by being viewed as impartial within the community—today we are finding that the threats do not necessarily lay within the communities NGOs are supporting. Rather, they come from individuals and groups with a reach into the NGO’s activity or geographic space, who have the drive and means to impact the safety and security of NGO staff, as well as those the NGO is supporting or working with, and more broadly, the NGO’s ability to function as an organization.
NGO groups also face both direct and indirect threats, whether being singled out and targeted, or facing risks through proximity and circumstance. As a result, the NGO community is increasingly aware that safety and security can no longer be viewed as stand-alone components of wider organizational resiliency, but that the threats they face (and the risks which result) must be approached from a holistic standpoint, understanding the ripple effects that an incident can have across the organization, and the cascading risks that might result from a singular event.
This coupled with more stringent requirements by donors on ethics and compliance, more oversight by host nation governments, the rapidly evolving risk of cybercrime, increasing expectations from staff and donors to demonstrate good duty of care, and the wide geographic spread of staff and extensive use of consultants or volunteers, creates a real challenge when seeking to effectively and sensibly manage risk, and still function as an NGO operating in one or more countries.
Building Your Risk Management Capacity
As such, a more mature and systematic approach is now needed, and one which is based on recognized international standards and the ability to ensure a consistency of approach, and which is aligned to the nature, scope, and unique needs of individual NGOs.
Simply put, here’s what you should think about:
- Do you have the right person or group designing your approach?
- Is the approach one which moves you to your desired end point quickly and effectively?
- Do you have the right management structures in place?
- Does the system include the prepare and prevent, respond and manage, and transition and recover phases?
- Is there top level commitment to developing, supporting, and enforcing a system?
- Have you identified, and trained, champions to lead and manage the system once designed?
- Have you articulated your approach effectively in policies, plans, and procedures?
- Have you operationalized these concepts and systems through effective training?
- Do you test your systems, knowledge, and application? And if so, how and how often?
- Are other business and operational processes integrated into your risk management approach?
- Do you have the right support and resources to manage risks or respond to incidents?
- Do you know how to manage both internal and external stakeholders?
- Do you understand how to maintain and monitor your approach to keep it alive and current?
Increasingly, ISO 22301 for business continuity management systems (BCMS) has taken the role of shaping how such a system is designed and managed, merging enterprise risk management, risk management (ISO 31000), and other supportive resiliency standards and guidelines (such as ISO 27000 for ICT Disaster Recovery) into a 360-degree approach to organizational resiliency. This standard is the only one which focuses on cross-cutting organizational requirements to ensure resiliency and continuity; it captures all needs, whether in protecting people, assets, facilities, business interests, operations, or the reputation of the NGO.
Having internal policies and protocols, particularlu if they’re aligned to ISO 22301, demonstrates NGO maturity and professionalism to all stakeholders, evidences strong duty of care to donors and staff, provides a ‘safe harbor’ against litigation, helps win new funding by being a ‘safer bet’ to donors, can reduce insurance premiums, and concurrently ensures a more appropriate approach is adopted in protecting people and the organization as a whole. This starts with conducting a holistic audit of all risks (understanding the interconnectedness of all things), before then shaping the management structures, documents, training, support and resources, and monitoring approach.
How Do You Operationalize and Sustain the Approach?
Whether you have strengthened your safety and security plans and protocols, created a new plan, or established a business continuity management system, you will need to identify champions to implement and maintain it, while also creating an awareness and competency program to raise knowledge and skills within your team, whether senior leaders, managers, your entire team, or selected staff.
Champions should be identified within the headquarters team, including a BCMS ‘shepherd’—often someone at a director or vice president level—to oversee the system, as well as supportive champions, often found within each department or key functional area. For international NGOs with operations in the field, Local Incident Management Teams will take the lead on risk and incident management, and a Security Focal Point may manage the day-to-day requirements of enacting and sustaining the system. For short term or small team deployments, ‘Team Leaders’ may be selected on a case-by-case basis to ensure basic risk and incident management needs are met.
A training and testing program must support any systems and documents used by these champions and their teams, otherwise the knowledge and skills needed to activate and use them in times of crises will not be there when necessary.
NGOs should consider what training and testing are mandatory for some team members, what is mandatory for all, which components are elective, and what are just-in-time training needs, as well as how these will be rolled out and sustained. Online training provides an excellent mechanism for quick and far reaching awareness building and baseline testing, whereas accredited leadership training for champions reinforces (and importantly rewards) leaders in assuming what is often a secondary function. For high-risk groups, instructor-led training might be a consideration, and train-the-trainer programs are also a useful way of building up internal capacity.
Designing, developing, implementing, and sustaining a fully integrated approach to risk management, safety, security, disaster recovery, financial resiliency and ethics, reputational management, as well as broader business continuity and recovery needs, is complicated. Strong and clear management goals and controls are required. The right approach will help NGOs—both their employees and those they serve through their programs—survive times of crisis and ensure sustainability. Resources are available to the NGO community.
If you’d like to learn more about safety and security risk management and its role within a broader ISO 22301 Business Continuity Management System, I will be leading Humentum’s Safety & Security Risk Management workshop in Nairobi September 13-14. I hope to see you there. Not in Kenya? Join me for a FREE one-day course on ISO 22301 organizational risk auditing in Washington DC in October.
Mike Blyth is Chief Operating Officer of Risk and Strategic Management, Corp. For free access to RSM’s educational guidance on designing an ISO 22301 Business Continuity Management System for an NGO group, please contact: email@example.com