NGOs and Risk How internaonal humanitarian actors manage uncertainty FEBRUARY 2016 Abby Stoddard Katherine Haver Monica Czwarno An independent organisation providing research evidence and policy advice to inform better humanitarian action
NGOs and RiskHow international humanitarian actors
manage uncertainty
FEBRUARY 2016
Abby Stoddard
Katherine Haver
Monica Czwarno
An independent organisation providing research evidence
and policy advice to inform better humanitarian action
2
Table of Contents
EXECUTIVE SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1Backgroundandobjectivesofthestudy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Policy synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Key-informant interviews.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Table 1: INGO interviewees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71.3Caveats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2. RECKONING WITH RISK IN HUMANITARIAN ASSISTANCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Figure 1: Risk categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2Haveriskstohumanitarianactorsactuallyincreased? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3. INGO PERCEPTIONS OF THE RISK ENVIRONMENT: NEW THREATS AND HIGHER STAKES . . . . . . . . 10
3.1 Evolvingthreatsandrisks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Figure2:Intermsofyourownorganization,doyouthinkithasgrownmoreorlessrisktolerant
(takingongreaterrisks)overtime? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Figure 3: Opinions on whether “INGOs have become increasingly risk averse” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.2Highest-impactrisks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4. RESPONSES IN POLICY AND PRACTICE: THE RISE OF RISK MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.1Riskmanagementmodelsandtools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.2Policydevelopment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Figure 4: Policy development in risk management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Figure5:Relativeemphasisinwrittenpolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.3Organizationalcoherence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.4 INGOaffiliationsandpolicyareas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.5Policyversuspractice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.6 Theroleofdonors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5. PRINCIPLES AND PROGRAM CRITICALITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
6. CONCLUSIONS AND RECOMMENDATION FOR NEW POLICY GUIDANCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.1Recommendedpracticalproduct:Riskmanagementpolicybrief . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.2Prospectsforfurtherresearchandadvocacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
ANNEX 1. POLICY SYNTHESIS SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
ANNEX 2. PEOPLE INTERVIEWED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
ANNEX 3. SURVEY RESULTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3
Executivesummary
Forhumanitarianorganizations,thepresenceofriskintheoperatingenvironmentcanforcedifficulttrade-offsbetweentheneedsofpeopletheyaretryingtoserveandtheneedtomitigatepotentialharmtotheirpersonnel,resources,andreputation.Whetherornottheriskstohumanitarianshaveobjectively increasedinrecentyears(andthereisevidencethattheyhave),moretothepointishowtheorganizations perceivetheirriskandhowtheseperceptionshaveaffectedtheirworkbydintofnewpoliciesand practices.Thesearethecentralquestionsofthisstudy,undertakenbyHumanitarianOutcomesonbehalfofInterAction,andfundedbytheOfficeofUSForeignDisasterAssistance(OFDA)andtheBureauofPopulation,Refugees,andMigration(PRM).
Focusingonaparticipant-samplegroupof14majorinternationalNGOs,thestudyanalyzesthecurrentapproachestoriskinhumanitarianactionthroughasystematicreviewof240relevantpolicydocuments,interviewswith96keyinformants,andaweb-basedsurveyof398humanitarianpractitioners.
INGOriskperceptions:Newthreatsandhigherstakes
ThefindingsrevealaninternationalNGOsectorwhosemajoroperatorsperceiveaheightenedlevelofrisk,particularlymanifestinthesame,roughlyhalf-dozenextremeenvironments:Afghanistan,CentralAfricanRepublic,Iraq/Syriaregion,Somalia,SouthSudan,andYemen.Theseconflict-drivenemergencieswithhighlypoliticizedinternationaldimensionstendtoinvolvemultipletypesofrisks—violence, corruption,diversion,andothers—whichcanalsobeinterlinkedincomplexways.
INGOrepresentativesoverallalsoperceiveaslightlyincreasedriskaversionamongtheirorganizationsandcounterparts(thoughtheyweremorecriticalofothersthantheirownNGOinthisregard). AmajorityofINGOstaffsurveyedagreed,atleastsomewhat,withthechargethathumanitariansare becomingmoreriskaverseingeneral,tothedetrimentofprogramming.
Responsesinpolicyandpractice:Theriseofriskmanagement
Inresponsetothenewandintensifiedriskstheyperceive,thisgroupoflargeinternationalNGOshasbeguntoadoptincreasinglysophisticatedandprofessionalized“riskmanagement”approaches,whichcovernotonlythetraditionalareasofsecurityandsafety,butalsofiduciary,legal,reputational, operational,andinformationrisks.Theybroadlyshareacommonunderpinningmethodology,borrowedfromtheprivatesector,whichsystematizestheassessmentofriskinallareasatallorganizationallevelsandbuildsinmitigationmeasures.NearlyallINGOsinthesamplegroup,13outofthe14organizations,havealreadyinstitutedorareintheprocessofadoptinganoverarchingriskmanagementframeworkofthistype.Theframeworksareatvaryinglevelsofdevelopmentanddetail,butthemostadvancedamongthemgenerallyincludeaglobal“riskregister”typeoftoolforanalyzingandprioritizingrisks andplanningmitigationmeasures.Thisisinturnconnectedtodecision-makingandimplementationproceduresaswellasfunctionsforfollow-upandauditprocesses.
Intermsofstafftimeandattention,themanagementofsafety/securityriskreceivesthemostemphasis,withfiduciaryriskmanagement(preventionoffraudanddiversion)rankingaclosesecond.Thereverseistrueinwrittenpolicy,wheremorespaceisdevotedtofiduciaryrisk.ThisislikelybecauseINGOsseedonorsincreasinglyemphasizingfiduciaryriskandaretighteninginternalcontrolsandoversight mechanismsinturn.AmajorityofINGOsinthesamplegroupfeltsupportedbydonorsforsecurity- related costs. The study found less overall emphasis and understanding of risk management in the areas ofinformationsecurityandlegal(e.g.,counter-terrorlegislation)compliance.
4
Missingpieces:Principles,partnerships,andprogramcriticality
ByandlargetheINGOrepresentativessawtherisk-managementtrendaspositive,enablinggood humanitarianresponse,despitetheinevitableincreasedadministrativeburden.Despitestatedconcernsaboutgrowingriskaversion,INGOstaffdonotassociateriskmanagementwithreticence.Onthe contrary,mostwerekeenlyawarethatriskmanagementintendstoenableratherthanconstrainaction,and that improved risk awareness need not and should not lead to risk aversion.
Theyalsoindicatedsomegapsandproblemswiththeapproach,however.Forone,therisk management frameworks tend not to explicitly address the risk of programming unethically or of violatinghumanitarianprinciples.Thiswouldseemanimportantareatoconsider,notleastbecauseavoidingsecurityandfiduciaryriskinevitablyposesdilemmasforoperatingimpartiallyandprioritizingthepopulationsingreatestneed.Additionally,theconceptof“programcriticality”—beingwillingtoacceptgreaterlevelsofresidualriskforlife-savingprogramming—iswidelyunderstoodandgenerallybroughttobearindecision-making,yetmostINGOs’formalpoliciesandanalyticalmechanismsdonotinvolve steps to ensure and facilitate this.
Otherproblemsraisedbytheparticipatingorganizationsincludegapsinriskmitigationfornationalstaff(e.g.,off-hourstransportation,communications,andsitesecurityathome)andweaksupportfor nationalpartnersintheirriskmanagement,particularlygiventhatrisksareoftentransferredtotheseentitiesindifficultenvironments.Inaddition,INGOsnotedtheunhelpfulorganizationaltendencytokeepriskmanagementareassiloed,evenunderframeworkmodels.Inotherwords,decision-makingisnotalwayssufficientlyjoined-upbetweendifferentdepartments(finance,humanresources,security,etc.).Finally,complicationsstemfromtheroleofdonorsandpoliticalactorsgenerally.Roughlytwo-thirdsofrespondentsfeltthatcounter-terrorrequirementsinfluencedwhereandhowtheycouldwork, compromisingtheprinciplesofindependence,impartiality,andneutrality.ThisisconsistentwithrecentresearchundertakenbytheNorwegianRefugeeCouncilandOCHAthatfoundthattheseregulationshavea“chillingeffect”onhumanitarianactors(Mackintosh&Duplat,2013).Onthefiduciaryside, donors’formalstanceof“zerotolerance”oncorruptioncanposeakindofmoralhazardtohumanitarianactors,wherebytheymustessentiallychoosebetweenwillfulblindness/secrecy(becauseacknowledgingthatdiversiontakesplaceisunacceptable)orsimplynotactingtohelpthosemostinneed.
ThisreportconcludeswiththeproposalforanadditionalpracticalhandbookforINGOsonprinciplesand promisingpracticesinriskmanagement,basedonthegapsidentifiedbythisanalysisandtheconsensusofparticipatingINGOsgleanedintwoworkshopsheldinWashington,DC,andDublin,January2016.
5
1.Introduction
1.1.Backgroundandobjectivesofthestudy
Atthesametimethathumanitarianorganizationsarebeingfacedwithamultitudeofhazardous operatingenvironments,advancesininformationtechnologyaremakingassessmenteasier,ofboth theneedsofaffectedpopulationsandtheinabilityofhumanitarianorganizations,collectively,tomeet themall.Thisconfluencehasresultedincontradictoryobservations.Ontheonehand,INGOsseemto betakingongreaterriskthaneverbefore.Ontheotherhand,theyarereportedtobemoreconservativeandlesswillingtoextendoperationalpresencetomeetneedsinriskiersettings.The2014report ofMedécinsSansFrontières,Where is Everyone? (Healy&Tiller,2014),createdcontroversywhenit concludedthataidagencies’“verystrongriskaversion,”coupledwithcapacitydeficits,wasmoretoblame for the lack of aid presence than actual external constraints.
The purpose of this INGOs-and-risk study is to get an internal read-out of how INGOs in fact perceive risks,thetoolstheyhavedevelopedformanagingthem,andhowpracticeandprioritiesdifferwithinandamongorganizations.Italsoexaminestheconsequencesanddilemmasthatriskmanagementdecisionscancreateastheypertaintohumanitarianprinciplesandobjectives.
Incommissioningthestudy,InterActiondefinedthetwoprincipalquestionstobeexamined:
1) WhatdohumanitarianNGOsviewastheprimaryexternalrisksaffectingtheirabilitytocarryout principledhumanitarianaction?
2) HowdohumanitarianNGOsinterpret,differentiate,prioritize,andmanagetheserisksinternally?
Toanswerthesequestions,theHumanitarianOutcomesresearchteamconductedadesk-basedreviewtodeterminewhether,how,andtowhatextent
a) differenttypesofrisksareconsideredbythe(major,globallyoperating)NGOs;
b) managementpoliciesandframeworksexisttoassess,prioritizeandmitigatethem;
c) thesepoliciesandframeworksareconsistentlycommunicated,understoodandimplemented bystaff;and
d) theresultsandimplicationsofriskmanagementareasintended,orwhethertheypose additionalproblems.
Theresearchcenteredonagroupof14participatinginternationalNGOs(INGOs),whichrepresentthelargestandmostoperationalhumanitarianorganizations/federationsbasedinEuropeandNorthAmerica. TheseINGOsprovidedtheteamwithextensiveinternalpolicydocumentationandaccesstointerviewees. Theparticipatingorganizationswere
• ActionContreLaFaim(ACF) • CARE • Catholic Relief Services (CRS) • Concern • DanishRefugeeCouncil(DRC) • InternationalMedicalCorps(IMC) • InternationalRescueCommittee(IRC)
• Islamic Relief • MédecinsSansFrontières(MSF)Holland • Mercy Corps • Norwegian Refugee Council • Oxfam • Save the Children • WorldVision
6
TheresearchwasaugmentedbyinputfromNazModirzadeh,DirectoroftheHarvardLawSchool ProgramonInternationalLawandArmedConflict(PILAC),specificallyontheissueofcounter-terrorismlegislationanditsimplications.
1.2Methods
Theanalysispresentedinthisreportisbasedonanaggregationoffindingsfromacomprehensivereviewofrelevantpolicydocuments,keyinformantinterviewsoffieldandheadquartersINGOpersonnel,andan online survey (in English). The document review and key-informant interviews focused solely on the participatingINGOs,whiletheonlinesurveytargetedboththesamplegroupandawidersweepof humanitarianorganizations.Thethreeresearchcomponentsaredescribedbelow.
“Promisingpractices”identifiedbytheresearcharecitedthroughoutthereportinboxes.Thesearealsocollected as a separate annex.
Policysynthesis
ThesamplegroupofINGOsprovided189individualdocumentsforreviewandassessment.Asrequestedbytheresearchteam,participatingINGOsprovidedinternalpolicyandproceduraldocumentsdeemedrelevanttothedefinedriskareas.1Tofacilitateacomparativereview,alldocumentswereinventoriedandcodedinaspreadsheetaccordingtotype,length,content(thematicareasandpolicyfunctions),levelofdetail,andspecifickeywords(seeAnnex1:PolicySynthesis).Thisallowedforquantitativeaswellasqualitativeanalysis.TheanalysissoughttoidentifythekeypolicycomponentsofriskmanagementwithintheINGOs,similaritiesanddifferencesbetweenthem,anddegreesofemphasisondifferent policy areas.
Key-informantinterviews
Theteaminterviewed96individualsforthestudy.Ofthese,90wererepresentativesofthe14participating INGOs,threewerewithdonors(PRM,OFDA,StartFund)andthreewerewithNGOsecurityplatforms(EuropeanInteragencySecurityForum,thePakistanHumanitarianForum,andtheNGOSafetyPrograminSomalia).Ofthe96interviews,43(44percent)werewithstaffbasedinfieldorregionalofficesandtherestbasedinheadquarters.ThebreakdownofINGOrepresentationisshowninTable1(pg7).
Survey
Theonlinesurveyallowedforadditionalorganizationsandperspectivestobecapturedbeyondthe necessarilylimitednumberofinterviewees.DesignedasaKAP-stylesurvey(knowledge,attitudesandpractices)the13mostlyclosed-endedquestionssoughttoelicitperceptionsofriskandrisktolerance,policyawareness,understanding,andlevelofimplementation.Responsesweredisaggregatedby categories:sampleversusnon-sampleNGOs,HQ(headquarters)versusfieldstaffand,whererelevant,theorganizations’countriesofoperationandorigin.
The survey collected 398 usable responses out of 401 completed surveys (three were excluded as non-NGOaffiliated,i.e.,UNagencies).Themajorityofresponses(339,or85percent)werefromINGOs
1 Fromthese,theresearchersextracted22separatesections(includedinthe189werefive“parent”documents,fromwhichthe22relevantsectionswereextractedsothattheycouldbeassessedatamoregranularlevel)and51additionalpolicytitlesthatwerelistedwithinthematerials(thesewereassessedattherisk/policy-arealevel).
7
Totalpersons Numberwhowere INGO interviewed field-orregional-basedACF 4 0CARE 6 2Catholic Relief Services 13 8Concern 6 3DRC 8 5IMC 7 1IRC 6 3Islamic Relief 5 3Mercy Corps 5 1MSF 6 2NRC 4 2Oxfam 10 4Save the Children 5 0WorldVision 5 3
Table1:INGOinterviewees
inthesamplegroup.Oftheremaining59non-sampleNGOs,sevenresponseswerefromnationalNGOs.Theyrepresentedatleast57uniqueNGOs(tworespondentsdeclinedtonametheirorganization) working in 79 countries.
Asintended,respondentswereweightedmoretofieldstaff(265)thanHQstaff(128),andfiveidentifiedasbeingfromregionaloffices.Ofthetotalrespondents,159identifiedasexpatriates/internationalsand103asnationalstaff.
1.3Caveats
AscanbeseeninTable1,theinterviewsamplewasslightlyunbalancedinthatOxfamandCRSweremore heavily represented than others were. This was mainly because they provided more names of peopletobeinterviewedandmoreofthemagreedtobeinterviewed.Twoorganizations(Savethe ChildrenandACF)didnothaveanyintervieweesbasedinfieldorregionallocations,whiletwootherorganizations(IMCandMercyCorps)hadonlyonefield-basedinterviewee.
TheparticipatinggroupofINGOsfacilitatedtheresearchgreatlybyprovidingtheteamwithaccesstointernaldocumentsandpersonnelforinterviews.Theothersideofthatcoin,however,isthatthis inevitablyraisesthepossibilityofcherrypickingandselectionbias.Onbalance,theresearchersweresatisfiedthattherewerenomajorholesinthebodyofmaterialsandinterviewsubjectsprovidedto the study.
Finally,allfindingsshouldbetakeninlightofthefactthatthesamplegrouprepresentsthelargestandbest-resourcedINGOsinthesector.Onetheonehand,thesearetheINGOsmostlikelytobeoperatinginhigher-riskcountries,buttheyarealsobetterequippedthanmanyotherorganizationstoestablishtheinstitutionalmechanismsandinvestmentforriskmanagement.
8
Preciselybecauseitisneededinsituationsofconflict,crisis,andextremepoverty,humanitarianactionisaninherentlyriskyundertaking.Notuntilthe1990s,however,didhumanitarianpractitionersfirstbegantosystemicallyassessandaddressrisksintheareasofsafetyandsecurity,andonlyinrecentyearshavetheyexpandedtherisk-managementapproachtoincludeothertypesoforganizationalrisk,suchasfinancial,legal,operationalandreputational.Beforeexploringhowtheconceptsofriskandrisk managementhaveevolvedinthesphereofhumanitarianaction,definingsomebasictermsisworthwhile.
2.1Definitions
Thelatestdefinitionof“risk”codifiedbytheInternationalOrganizationforStandardization(ISO) broadenedtheconceptfromthepossibilityofharmorlossto“theeffectofuncertaintyonobjectives,” allowingforthepossibilityforpositiveimpactsaswellasnegative(ISO,3100:2009).Thisdefinition,whicheffectivelyincorporatestheconceptof“opportunity”undertheumbrellaofrisk,islesshelpful forthepurposesofthisstudythanthetraditional,narrowerunderstanding,throughwhichmost humanitarianorganizationsapproachthesubject.
Theinceptionnoteforthisreviewthereforedefinedtermsasfollows:
Threat:adangerorpotentialsourceofharmorloss
Risk:thelikelihoodandpotentialimpactofencounteringathreat
RiskManagement:aformalizedsystemforforecasting,weighingandpreparingforpossiblerisks in order to minimize their impact2
Thestudyfoundthatdifferentorganizationshaveindividualizedwaysofdifferentiatingandcategorizingrisktypes,correspondingtotheirmanagementapproaches.Intheinterestofdefininggeneraltermsforthisreview,theresearcherssettledonacategorizationofsevenriskareas(seeFigure1).Thefirsttwo,security and safety,refertophysicalrisksforstaff,securitymeaningtheriskofdeliberateviolence,andsafety meaning the risk of accident or illness. Fiduciary risk refers to the possibility that resources will notbeusedasintended,andencompassescorruption,fraud,embezzlement,theft,anddiversionofassets.Itdiffersfromfinancialriskinthesenseofinsufficiencyorunexpecteddeficits(thisiscoveredbyoperationalrisk).Thelegal/compliancecategoryrelatestothepossibilityofbeingfoundinviolationoflaws,regulationsorrequirements.Thesecouldbeintheformofhost-governmentlaws,internationalsanctionsorothercodes,orinternalrestrictionsandstandardspertainingtohumanresourcesandstaffbehavior. The informationriskarea,sometimescalledinformationsecurity,referstothechanceofdatabreach/theft,loss,orinappropriatesharingsuchasleaksofconfidentialinformationorinappropriateordangeroussharingofinformationonsocialmedia.Reputational risk is anything in the public sphere that coulddamagethename,image,andcredibilityofanorganization.Finally,theoperational category encompassesrisksthatcouldresultintheorganization’sinabilitytofulfillitsmissionormeetitsobjectives. Thisincludesfinancialrisk(e.g.,thedefundingordisallowingofcostsbyadonor,orlackofdiversityinfunding),governmentobstruction,humanerror,capacity/skillsdeficits,andthepotentialtodoharm.
Figure1(pg9)givessomeindicationofhowthedifferentareasofriskcanoverlapandaffecteachother.Forinstance,anorganizationthatoperatesthroughapartnerorcontractorinadangeroussettinginordertomitigatesecurityriskcanfaceincreasedfiduciaryriskasitcedesdirectcontroloftheprogram. Ifcorruptionresults,thiswillcreatenewlegal/compliancerisksaswellasriskstotheorganization’s reputation.Fearsoflegalimplications(e.g.,runningafoulofcounter-terrorismlegislation)orfiduciaryriskcaninturncreatetheoperationalriskthatvitalhumanitarianprogrammingwillbehaltedorcutbackin certain places.
2. Reckoning with risk in humanitarian assistance
2 InassessingtheexistenceandrobustnessofriskmanagementsystemswithintheINGOsstudied,theteamalsonotedtheISO31000 definition:“asetofcomponentsthatsupportandsustainriskmanagementthroughoutanorganization.”
9
Figure1:Riskcategories
Security violence/crime
Fiduciarycorruption/fraud/ theft/diversion
Legal/compliance•International/donor
government laws andregulations
• Host government lawsandregulations
•Personnel/HRissues
Operationalinability to
achieveobjectives• Financial (e.g. funding constraints,disallowedcosts)
•Capacity/competencegaps• Access constraints• Inadvertently doing harm
Informationdatabreach/loss
Reputationaldamage to image andreputation
Safetyaccident/illness
2.2Haveriskstohumanitarianactorsactuallyincreased?
Althoughhumanitarianactionhasneverbeenarisk-freeendeavor,statisticalevidencesuggeststhatithasbecomemorephysicallydangerousinspecificenvironments.Therateofmajorattacksagainstaidworkers,measuredbythenumberofkillings,kidnappingsandseriouswoundingsoverthebest estimatesofthepopulationofaidworkersinthefield,hasincreasedoverthepastdecadeinahandfulof highly violent environments (whereas in other host countries it has stayed stable or declined) (HumanitarianOutcomes,2014).
Itisalsosafetoconcludethatwiththepromulgationofinternationalanddomesticcounter-terrorlawsandpolicies,aswellasnewinternationalsanctionsregimesonactorsrelevanttothehumanitarianresponse,thepossibilityoforganizationsinadvertentlyviolatinglegalregulationshasincreasedinrecentyears.(CounterterrorismandHumanitarianEngagementProject,2014;MackintoshandDuplat,2013).Additionally,astechnologicaladvancementshaveincreasedhumanitarians’abilitytogather,store,andshareinformation,theyhaveatthesametimeposednewrisksoftheftandlossofimportantorsensitivedataandledtolesscontrolovercommunications.
Evenwithoutsuchevidence,simplybyloggingyearsofexperience,overtimeorganizationscanbeexpected to think and behave asthoughthe risk level has increased. Behavioral research has shown that theperceptionofriskincreaseswitheachexperiencedincident(Slovic,2000)(Tversky&Kahneman,1974).Sowhetheritisanattackonacompound,lawsuit,forensicaudit,ormediascandal,vigilancetowardthatparticularriskcannaturallybeexpectedtorise.Andwhileinthelongertermcomfortorcomplacencymayreturnonapersonallevel,organizationalsystemstendnottochangeoncemitigationmeasureshavebeenbuiltup.“Oncebitten,”itisdifficultforanorganizationtotakedeliberatestepstorelaxitsstancevis-à-visrisk.Intervieweesforthisstudysuggestedthatmemorablenegativeeventsaffectingcolleaguesandcounterpartscanstickinthecollectivemindandraisetheriskperceptionacrossthesectorasawhole,promptingprotectiveaction.ThefollowingsectionsdiscussINGOattitudestowardriskagainstthisbackdropofheightenedrisk,bothrealandperceived.
10
3.1.Evolvingthreatsandrisks
TheINGOsparticipatinginthisstudywidelyagreedonthehighest-riskcontextsamongthecurrent humanitarianresponsecountries,withintervieweesmostfrequentlymentioningSyria,Afghanistan, Somalia,SouthSudan,Yemen,andCentralAfricanRepublic.TheymademanymentionsaswellofPakistan, DRC,Iraq,andNigeria.Themostprominenttypeofrisk—andthemainreasonthesecountriesareseen as“highestrisk”—issecurity.Butthethreatenvironmentsintheseconflict-drivenemergenciestendto bemulti-faceted,anddifferenttypesofriskareoftenhighlyinterlinked.Forexample,becauselarge-scale and/orhigh-profilecrisestendtooccurinviolentenvironments,INGOsareoftenworkingremotely,lacking “eyesandearsontheground,”whichcancontributetoelevatedfiduciaryrisk.Beingseentomisusefunds,especiallybydiversiontoterroristgroups,cancausereputationaldamage,andleadtolegalliability. Incontextswherecorruptioniswidespread,refusingtopaybribesordiscontinuingarelationshipwithalocalpartnerorganization(becauseoffiduciaryconcerns)cancarryariskofviolencetostaff.Alackofcapacityontheground(duetolong-termunderdevelopmentand/ortheflightofskilledpersonnelfromtheconflict)combinedwithpressuretodelivercanraisetheoperationalriskofunderperformance.
Intermsoftrendsinthetypesofriskfacedbyhumanitarians,manyINGOrespondentsfeltthatdonorsweregenerallybecomingmoreconcernedwithpreventingfraudanddiversion.Thisheightenedemphasis hasessentiallyincreasedthepotentialnegativeimpactofsuchincidents,shouldtheyoccur.Concernswithcompliancewithanti-terrorlegislationalsocontinuedtogrow(seefurtherdiscussionbelow).Increasingglobalconnectivityanduseofsocialmediawereseentobecreatingawiderangeofnewreputationalrisks.Examplesrangedfromtheirresponsibleuseofsocialmediabystaff(e.g.,“taggingISISintweets”)totheneedtodealwithstate-sponsoredonlinepropaganda(Russia/Ukraine)tothe managementofsocialmediamessagingfromaffiliatestoageneralpressuretomaintainacrediblenarrativeaboutanINGO’simpact“inplaceslikeSyriaandSomalia,wherewecan’tsendinjournaliststoviewourwork.”Informationsecurityrisks,suchasthepossibletheftofdonors’orbeneficiaries’personalinformation,werealsoseentobeincreasing.Lastly,theamountoftimeandenergyrequiredtocomplywithhostgovernmentlawsandregulations(andtherisksassociatedwithnon-compliance)werealsoseentobeacontinuingandgrowingproblem,forinstanceinDRC,Pakistan,SouthSudanandSyria.
Most respondents in the survey and interviews rated their own INGO as being more toward the “risk tolerant”endofthespectrum.However,inthesurvey,aslightlylargerpercentageofrespondents
3.INGOperceptionsoftheriskenvironment:Newthreats and higher stakes
Figure2:Intermsofyourownorganization,doyouthinkithasgrownmoreorlessrisktolerant(takingongreaterrisks)overtime?
Changes in risk tolerance
0 35 70 105 140
More risk tolerant
Less risk tolerant
About the same
79 33
90 48
91 46
Field HQ
Number of survey respondents
11
Figure3:Opinionsonwhether“INGOshavebecomeincreasinglyriskaverse”
Agree with statement
Disagree0
35
70
105
140
Somewhat agree Agree
32
58
45
9220
78
N. America
Europe
Num
ber o
f sur
vey
resp
onde
nts
reportedthattheriskappetiteoftheirorganizationhaddeclinedinrecentyears,comparedwiththosewhoreportedthatithadstayedthesame(Figure2).Althoughthiswasthecaseforbothfieldand HQstaff,aslightlylargerpercentageofthosewhoclaimedtheirINGOhadbecomelesstolerantwerespeakingfromheadquarters.
Most survey respondents “agreed” or “somewhat agreed” with the statement “INGOs have become increasinglyriskaverseandarecurtailinghumanitarianresponseasaresult.”StaffofUS-basedINGOsweremorelikelytodisagree,andlesslikelytoagreecompletely,thantheirEuropeancounterparts,butapluralityofthemstill“somewhatagreed”withthestatement(Figure3).
Organizationsthatperceivedthemselvesashavingahigherriskappetitecitedvariousreasons,includingorganizationalculture(e.g.,being“mandatedriven,”“havingemergencyresponseatourcore,”or—foroneINGO—havingacultureoffrankdiscussion“whereeverythingisthoroughlydebated”)aswellaspolicy(e.g.,aquickstep-downpolicyfornewemergencies).AfewINGOscitedthefactthattheyhadaverysmalldevelopmentportfolio(i.e.,thattheyaremainlyfocusedonemergencyresponse)asenablingthemtogo“allin”duringanemergency,knowingthatitwouldnotcompromiseotheraspectsoftheirprogram. One INGO felt that the fact that they worked in only one sector made it easier to manage and takerisks.AnotherINGOcitedtheircloserelationshipwithaparticulardonorasenablingthemto“getontheground”andassumetheinitialfinancialrisksecureintheknowledgethat“theywillfundus,eveniftheycan’tformallyguaranteeit.”OneINGOnotedthattheirlargepercentageoffundingfromthegeneralpublicgenerallyfreedthemfromconstraintsand,specifically,guaranteedsufficientresourcesforsecuritymanagement.Lastly,someorganizationsbelievedthattheirinvestmentinriskmanagementapproaches enabled them to feel more comfortable about taking risks.
Organizationsthatperceivedthemselvesasmorerisk-aversesometimescitedpastincidentswheresomethinghadgonewrong,suchasaparticularlyscarringsecurityincidentorafinancialormanagement performance issue involving an important donor. Others emphasized their ability to appropriately take risksinoneareabutnotanother.Forexample,severalINGOsdescribedthemselvesasmorerisk-taking
12
onthefinancial/fiduciaryside(e.g.,advancingtheirownfundstostartnewprograms,ornotworryingasmuchasotherINGOsdoaboutcounter-terroristregulations),butmorerisk-aversewhenitcomestosecurity.Othersreportedthattheirorganizationwasverywillingtotakesecurityrisksbutlesswillingtotakefinancialrisksorrisksthatmightharmtheirreputation.OnerepresentativefeltthattheirINGOhada veryhightoleranceforprogram/operationalriskbuthadnotadapteditsbusinesssystems(administration, finance,humanresources)toreflectthis.Thisdissonancewasseentocausefrustrationamongstaff,as“theyreceivetwodifferentsetsofsignals:takeriskforoutsizeoutcomes,butdanceontheheadofapintodoit.”SeveralintervieweesexpressedconcernabouttheirINGO’soverlyburdensomeregulatorystructure,financialmanagementsystemand/orcomplianceprocedures.Thepressuretodevelopsuchsystemsappearedtobebothexternal(i.e.,comingfromdonors,particularlythosewiththemost stringentrequirements)aswellasinternal.
3.2.Highest-impactrisks
Respondentsgenerallyfeltthatsecurityrisksandaccessrisks(suchasgovernmentobstruction)ratherthanfinancialorfiduciaryriskswerethemainreasonsforfailingtodeliver.Indeed,manyshared examplesofneedingtowithdrawstafforceaseprogramming,temporarilyorpermanently,dueto generalhostilitiesortargetedviolence(Stoddardetal.,forthcoming).Amongthedifferenttypesofsecurityrisk,kidnappingisseenasaparticularconcern.Kidnappingsorthethreatofkidnappingswereseentohaveamajorimpactandhenceweremorelikelythanmanyothersecuritythreatstoleadtothecessationorwithdrawalof(oranunwillingnesstobegin)programming.Afeworganizationsalsocitedparticularlygruesomekillingsofstaffmembersashavinghadasignificantorganizationalimpact,evenmany years later.
Fiduciaryandreputationalriskscanalsohavealargeimpactonprogramming.Exampleswereprovidedoforganizationsdecidingtodiscontinuetheirworkinareascontrolledbyarmedgroupsdesignatedasterroristorganizations(eitherbytheUnitedNationsSecurityCouncilorbyindividualgovernments)for acombinationofreasons:securityconcerns;notwantingtorunafoulofcounter-terrorlegislation (andthebroaderreputationaldamagethatcouldentail);andweakfiduciaryoversightduetoremotemanagement.Insuchsituationsteasingoutwhichriskfactorsplayedthegreatestrolecanbehard. ThisandotherresearchsuggestthatINGOsaremostlikelytosuspendoperations(ornotstarttheminthefirstplace)whenthereisnotonlyahighpotentialforinterferencebyaconflictactorthatisa designatedterroristgroup,butwhentheconflictactorisoneofparticularconcerntoWestern governments(e.g.,ISIS,ascomparedwiththeAlNusraFront).3
The“nightmarescenario”mostoftencitedbytheINGOsinterviewedwasamajordiversiontoaterrorist organization.Suchincidentscombineseveraltypesofrisk,aswellasthepotentialforasituationtospiraloutofcontrolduetomediaexposure.Evenmodestincidentsoffraudornon-compliance,regardlessofwhethertheyinvolveddiversiontoarmedactors,canloomlarge,however.TheseincludeincidentsaffectingthatINGOorotherINGOs(orrumorsofsuchincidents).INGOswithonesinglemajordonorappeartobeparticularlylikelytotrytoavoidsuchincidents,includingthroughtheintroductionof additionalcomplianceoroversightmeasures.
3 SeeHumanitarianOutcomes(2015),“Component2PreliminaryInterimReport,”SecureAccessinVolatileEnvironments(SAVE), https://www.humanitarianoutcomes.org/sites/default/files/save_component_2_interim_report.pdf.
13
4.Responsesinpolicyandpractice:Theriseofriskmanagement
4.1Riskmanagementmodelsandtools
The INGOs in the sample group have widely embraced the concept of risk management. Thirteen out offourteenreportedhavingsomemeanstobringtogetherdifferenttypesofriskinacommonanalysis.WhiletheparticipatingINGOsuseavarietyofmodels,whichdifferbyformorfunction,theyallsharecommonidentifiableelementsoftheintegrativeriskmanagementconcept.4 These elements include risk managementframeworkstatements,riskregisters,definedriskprocessaccountabilities,mitigationtools,andriskauditprocesses.SomeINGOsarestilldevelopingtheirriskmanagementframeworks,withsometoolscompletedbutothersstillunderway.Someorganizationsregularlyprepareriskreportsand/orauditstotheirboardofdirectors,whileothersreporttointernalboards(e.g.,sittingwithinauditorcom-plianceunits)specificallydesignedtomanagerisk.TwoINGOsinthestudyhaveamanagerdedicatedtoimplementingriskmanagementacrosstheorganization.SeveralINGOshavecreatedaninternalauditfunction(individual(s)and/oraunit),whichtheysawassupplementingexistingsystemsbyconducting regular audits and having an independent but also well-informed advisor on risk and control issues.
Many of the sample INGOs use the term “enterprise risk management” (ERM) to describe their approach.ERMisa“strategicbusinessdisciplinethathelpsorganizationsachievetheirmissionsbyaddressingorganizationalriskanditscombinedimpactofthoserisksasaninterrelatedriskportfolio”(RIMS,2016).VariouscommitteesandprofessionalbodieshavedevelopedanumberofERM frameworks. Two of the more well-known and widely used approaches are authored by the Swiss-based InternationalOrganizationforStandardization(ISO)andtheUS-basedCommitteeofSponsoring OrganizationsoftheTreadwayCommission(COSO).5
ThesampleINGOs’frameworkstendtodrawfromtheCOSOEnterpriseRiskManagement–IntegratedFrameworkapproachortheISO31000:2009approach,andinmostcasesseemedtoblendboth.AmajordifferencebetweenthetwoisthatinternationalstandardsandriskmanagementexpertsdevelopedISO,whilefinancialandauditexpertswroteCOSO.ThisgivesCOSOamoreaudit-heavyapproach,withafocusoncomplianceandcontrolmechanisms.ISOtendstobeflexibleinadaptingtotheorganizationitisserving,basedonthemanagementprocess,andtailoredtomoreeasilyfittheorganization.Bothhaveariskmanagementprocessthatseekstoassesstheriskstotheorganization,monitortheserisksandrespond to events.
Someofthemostprevalentandadvancedtoolsaretheriskregister,riskmatrix,andriskannex.Thesetoolshelptoidentify,assess,andevaluatepotentialthreatstotheorganizationatdifferentlevels,e.g.,fieldlevel,countrylevel,orinstitutionalenterprisecontext.Theriskratingattributesacertainlevelofrisk to each of the threats. Many of the tools discuss the realized and residual risk (the remaining risk afterallappropriatemitigationmeasuresaretaken)andsomeallowtheusertoassesspotentialmitiga-tionstrategies.Themost-advancedriskregistertoolsalsoassignaccountabilitytospecificriskorprocessowners,orotherwisespecifywhowillfollowup.Generally,however,themonitoringfunctionwithinriskmanagementtendedtobelessemphasizedthantheotherfunctions.
4 Formoreinformationonsomeriskmanagementcomponents,see“ManagingRisks:Anewframework,”byKaplanandMikes
5 AfewotherapproachesweredevelopedbytheCasualtyActuarialSociety(CAS)andtheRiskManagementSociety(RIMS).Previously, theJointAustralia/NewZealandhadtheirownstandards(4360-2004),buttheyhavesinceadoptedISO31000:2009insupportofan internationalstandard.
14
The team analyzed 111 policy tools and found them to be of the following types:
• Analytical:assessingthreats/risks,improvingsituationalawareness(e.g.,riskassessments,risk registers,riskratings)(43 percent)
• Procedural:dealingwiththemanagement,programmingandadministrativefunctionsgeared towardmitigatingrisk(checklistsandtemplatesforpreparedness,criticalincidentmanagement,logistics,communications)(35 percent)
• Declarative:focusedonreportingofandaccountabilityforrealizedrisks(e.g.,auditchecklists, reportingforms)(22 percent)
Themajorityoftheprocedural and declarativetoolsweredesignedspecificallytoaddresssecurityandsafety risks. The analyticaltoolsoftenaddressedrisksholistically,however,oratleastlookedatmultipletypes of risk.
TheINGOsvaryinthedegreetowhichtheirfieldteamshaveadoptedanintegrative(orholistic)approach toriskmanagementasapracticalwayofoperating.Inahandfuloffield-levelinterviews,forexample,the distinctionbetweensecurityriskmanagementandtheorganization’slargerriskmanagementframeworkwasunclear.Furthermore,manyrespondentsnotedthat,evenwiththeuseofholisticriskmanagementframeworks,thetendencyisstillto“silo”differentrisksareas(e.g.,security,finance,communications).
Mostrespondentswhoseorganizationsuseriskmanagementsystemsfeltthattheyprovideausefulframeworkformakingbothheadquartersandfieldstaffawareofrisksthroughasystematizedapproach.Afewexpressedconcernsthatsuchasystemcouldcreatemoreriskaversion,forexamplebecause“theminuteit’swrittendown,you’renowliable.”Othersworriedthatriskmanagementframeworksmayleadto abox-tickingmentality“insteadofcommittingthetimetodevelopaculturethatisinherentlyriskfocused.” Butthemajorityofviewsabouttheoverallriskmanagementapproach(oratleastitspotential)werepositive.
4.2Policydevelopment
INGOscontinuetoprofessionalizetheirapproachtorisk.Since2011,theyhavebeendevelopingandrefiningtheiranalyticalandpolicyinstrumentsatasteppedupratefromprioryears(Figure2).6
6 Thepolicydocumentreviewshowedalargeandsteadyincreaseinthenumberofpolicydocumentsandtoolseitherproducedorrevisedsince2011bythesampleorganizations.Sincethereviewincludedonlythedocumentsweweregiven,itispossiblethatother,pre-existingrisk-relatedpoliciesexistthatweren’tsharedsoweren’tcounted,butthefindingisalsosupportedbyinterviews.
Figure4:Policydevelopmentinriskmanagement
Documentproduced(dates) Documentsrevised
0.0
1.5
3.0
4.5
6.0
1996
1
2003 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
1 1 1 1
2 2
6
4 4
6
5
0.0
3.5
7.0
10.5
14.0
12006 2010 2011 2012 2013 2014 2015
1
4
2
11
13
9
15
Fiduciaryriskmanagementwasfoundtoreceivethemostemphasisinpolicyonpaper,withmore writtenwordsdevotedtofinancialproceduresandprecautionsthananyotherriskarea.Securityriskwasaclosesecond,however,andthisgapclosesfurtherifoneconsiders“safetyandsecurity”asasinglecategoryofrisk,assomeINGOsdo.Inaddition,thesecuritypolicyareahasthemosttools,outsideofthepolicyandguidancematerials,tosupportthefunction.
Thethirdriskcategory,operations,wassignificantlylessrepresentedinwrittenpolicy,followedbythecategoryofdocuments(“all”)thataddressedrisksfromanumberofdifferentpolicyangles,coveringallcategories—fiduciary,security,reputational,operationalandlegal/compliance.Mostorganization-wideriskmanagementpoliciesandframeworks,aswellastoolsthatsupportthem,fellintothiscategory.
Figure5:Relativeemphasisinwrittenpolicy
Policy areas by word count
Legal/compliance 1%Safety & Security 2%
Safety 2%
Communicaons 5%
Informaon 6%
ALL 7%
Operaonal 7%
33% Security
37% Financial
Security risk management has some of the most robust policy documents with the overall highest level ofdetail.Thispolicyareahadacomprehensiveframeworkandstronglyembeddedorganizationalclarityandlanguageonwhatsecuritymanagementisandhowitpertainstotheentireorganizationanditsculture.Asdescribedinonemanual,“securitymanagementisasystem,notadocument.Itstartswitheachandeveryindividualwithintheorganization,maintaininghighlevelsofawarenesstoouroperatingenvironmentandtohowourownbehaviors,actions,andcommunicationscontributetoanimprovedsecurity posture or to the contrary places oneself and the larger agency at risk.”
Formanytypesofpolicies,anorganization’sheadquartersprovidesthegeneralframeworkorguidancematerialandexpectsthecountryprogramteamtodevelopaspecificpolicyappropriateforthatcontext.
16
4.3Organizationalcoherence
InseveraloftheINGOfederationsorconfederations,differentmembersoraffiliatesmaintaindifferentrisk-relatedpoliciesand/orreportinglinesandrequirements.Differentaffiliatesofthesamefederationmay have more comprehensive and well-developed risk management frameworks than their counterparts do,ormayberequiredtoreporttotheirrespectiveboardsmorefrequentlyandwithdifferentinformation. Forinstance,oneorganizationmustreporttoitsboardonceperyearonhigh-levelrisksonly,whileitsinternationalaffiliatereportsriskstoitsboardonaquarterlybasis.
Thesedifferentstandardsoccasionallycreatetensionamongcounterpartsandcomplicaterisk management.AfeworganizationsreportedthatdifferentaffiliateshaddifferentlevelsofsecurityrisktolerancearoundprogramminginSyriaandSomalia,forexample,causingdelaysindecision-making.Severalorganizationshavedevelopedstrongercoherenceintheareaofcommunicationsinordertomanage risk. This was done because public statements and messaging (or lack of consistency therein) caneasilyentailfederation-widerisk.Manyhaveimposedastringentapprovalsprocesswherethelargerumbrellaorganizationapprovessensitivematerialbeforeaffiliatesreleaseit.
4.4INGOaffiliationsandpolicyareas
TypesofpolicydocumentscreatedbyUS,UK,Europeanand“international”umbrellaentitiesvary. First,US-basedINGOshaveoverfourtimestheamountofwrittenpolicyonfinancial/fiduciaryissuesthantheirEuropeancounterparts.ThissuggeststhattheUS-basedINGOsmaybeparticularlyconcernedwithfinancialandfiduciarycomplianceandsystems.Second,theinternationalumbrellaentitiesofa federationorconfederationaremostlikelytohavedevelopedpolicyintheareaofsecurity.Theyalsotendtobeinvolvedincraftingbroaderrisk-managementtoolsandframeworksfortheentityasawhole.
Specificriskfactorsandissuesregisteredmorehighlythanotherswithinthedifferentpolicyareas. Withinthesecuritypolicyarea,apreponderanceoforganizations(11)mostfrequentlydiscussedriskinthecontextofacceptancestrategies,followedbyabduction/kidnapping.Evacuationwasthenextmost-common element found in security risk documents. Risks pertaining to social media were least discussedinthesecuritypolicydocuments,butfiguredprominentlywithincommunicationsriskpolicy.MostoftheINGOsdidnothavespecificdocumentsrelatedtocounter-terrorlegislation,butrather coveredtheseissuesinrelatedpolicydocuments,includingfiduciaryandlegal/compliancepolicies.
Promisingpractice:RiskregistersasanalyticaltoolsandblueprintsforactionTheorganizationswiththemostadvancedandrobustrisk-managementsystemsalldothefollowing:
1. createandmaintain“riskregisters”(atfieldandHQlevels)byconsultingwidelywithintheorganizationtoidentifyandquantifydifferenttypesofrisk;
2. takeoperationaldecisionsbasedonprioritiesidentifiedintheriskregister,atfieldandHQlevels;
3. identifynecessarymitigationmeasuresorcorrectiveactions;and
4. followupwithregularvisitsorauditstoensurethesetakeplace.
EachoftheseINGOsreportedthatcountry-levelmanagerswereinvolvedinholisticassessmentsofrisk,whichfed organization-wideassessments.
17
Promisingpractice:Allowingforin-countrynationalstaffevacuationsOneINGOmadethedecision,unprecedentedfortheorganization,toevacuatenationalstaffmembersandtheir familieswhenaprovincewasoverrunbyanti-governmentforcesandtheyweredeemedtobeatdirectrisk.Althoughnotwithoutpotentialrisks(suchassettingaharmfulprecedentorevenrunningafoulofnationallaws),theadhoc decisionrevealedtheneedfor,andhelpedtospark,policydevelopmentonthisissue.
4.5 Policyversuspractice
Intervieweessuggestedthatsafety/securityriskmanagementreceivesthemostemphasisintermsofstafftimeandattentioninpractice,withfiduciaryrisksaclosesecond—thereverseofwrittenpolicy(asnotedabove).Thisdifferencecouldreflectthegreatereasewithwhichfinancial/fiduciarymanagementcanbestandardized,comparedwithsecuritymanagement,whichmustbemorecontext-driven.Itcouldalsoreflectadividebetweenheadquartersandfieldstaff.Ahandfulofintervieweesexpressedconcernaboutanover-emphasisonfiduciaryriskmanagementattheexpenseofsecurityriskmanagement.Oneseniormanagerintervieweebasedinahigh-risksetting,forexample,feltthatthebulkofhisfocusandmentalenergywasonthesecurityofhisstaff,whereasstaffinheadquartersweremorepreoccupiedwithpreventingfraudanddiversion.Intervieweesalsonotedgapsinsecurityriskmitigationfornationalstaff,includingspecificallyoff-hourstransportation,communication,andsitesecurity.
Lastly,intervieweesnotedthatfiduciaryriskmanagementwithlocalNGOs(inparticularthosemanagedremotely)wassignificantlymoredevelopedthansecuritymanagement.Insub-granting,INGOsareconsciousthattheywillbeultimatelyheldaccountableforfiduciaryrisk,whichhasledtomorecapacitybuildingforandoversightoftheirpartners.Thesameisnottrueforsecurityrisk,andmanyunderstoodtheirnationalNGOpartnerstobeexposedtohighlevelsofsecurityrisk,oftenwithoutsufficient support,training,anddiscussion.
Mostintervieweesfeltthebalanceoffocusondifferenttypesofrisk(intermsofadministrative workload,timeexpenditure,workload,mentalenergy/discussion)tobegenerallyright,however. Thiswasespeciallytrueforthoseorganizationsthatexplicitlyidentifythe“top”risksthroughariskmanagementframework.Asonesaid,“thebalanceiswhereitneedstobe…we’veidentifiedthetop13risks,andthosearetheonesthatgetthemostattention.”Bycontrast,arepresentativeofanINGOworkinginahigh-riskcontextdescribedanegative(andhigh-impact)incidentthattheybelievedcouldhavebeenavoided,hadtheorganizationbeenfocusingonthecorrectsetofrisks.ThatINGOdidnotyethave a well-developed system for assessing and comparing risks. Some interviewees reported that even INGOswithwell-developedriskmanagementframeworkscancontinuetoapproachriskinwaysthataresiloedratherthanholisticorintegrated.Financialrisksaredealtwithbythefinancedepartmentandsecurityrisksbythesecurityunit,forexample.Thistypeofapproachmaynotbewellsuitedtohigh-riskenvironments,wheredifferenttypesofriskareinter-linked,asdescribedabove.
Thefield-andregionally-basedstaffwhowereinterviewedgenerallydemonstratedanunderstandingof theirorganization’sriskmanagementpoliciesandproceduresthatwassimilartothatofheadquarters- basedstaff.Althoughintervieweesfrombothheadquartersandfield/regionallocationsdidacknowledgethatagapexistedbetweenpolicyandpractice,itdidnotappeartobeamajorconcern.Survey respondentswerepositiveoverallontheextenttowhichpolicieswereunderstoodandimplemented,withmajoritiesreportingthatimplementationwas“good”inallareasofriskmanagement.(Those representingtheINGOsfromthesamplegroupweregenerallymorepositive—moreoftenanswering“good”or“excellent”—thanthenon-samplerespondents,whohadagreaterpercentageof“fair”or“poor”responses.)Surveyrespondentsfeltthatsafety,securityandfiduciarypolicieswerethebest
18
understoodandimplemented,while“informationsecurity”and“counter-terrorlegislationcompliance”policies were the least so. This appears to stem from the fact that both of these areas involve emerging threatareasand(forcounter-terrorlegislationcompliance)broaderchallengesinunderstandingthemeaningandimplicationsofthelegalagreementsandpolicydeclarations.
Awarenessoforganizationalriskmanagementpolicieswere,onthewhole,strongeramongthe samplegroupofINGOsthanthenon-samplerespondents,butvariedbycategorybetweenfieldandheadquartersrespondents.Forexample,awarenessofinformationsecuritypoliciesinthefieldwasstrongerthaninheadquarters(61percentand49percentofsurveyrespondents,respectively).
4.6 Theroleofdonors
Abouttwo-thirdsofINGOintervieweesaffirmedthatdonorsinfluencethetypeand/orlevelofrisk thattheirorganizationiswillingtoassume,whiletheremainingthirdbelievedtheydidnot.The generalsensewasthatdonorsinfluencewhereandhowINGOsprogram(pushingthemtoreachthemostvulnerablepeople,generallyfocusingontheir“highpriority”countries)andsobyextension influencingwhattypeofrisktheytakeon.Mostrespondents(withafewexceptions)feltthatdonorswerenotinfluencingthelevelofrisktheirorganizationtakeson.(Oneexceptionconcernedadonor requirementthatinternationalstaffbepresentduringprogramdelivery,whichanINGOrepresentativefeltputthematunduerisk.)SeveralINGOsfeltthattheirlargesizeand/orgeneralfinancialstabilityallowedthemto“walkaway,”i.e.,torefusetogowheretheyfeltthelevelofriskwastoohigh,despiteencouragement from donors to be present.
The INGOs in the sample group generally felt supported by donors for security related costs. Some INGOsfundsecurityinputsbyputtingapercentageintoeachbudgetforsecurity(e.g.,acertain percentageforprivatefoundations,anotherforlargerinstitutionaldonors).Othersbasetheirrequestsondetailedsecurityassessmentspresentedtothedonor.AsoneINGOrepresentativesaid,“Weexplainto donors what it will cost to manage those risks and we have never been refused by donors for security investments.”Aminorityofintervieweesfeltthatdonors“cansometimesstartbalking”withmore intensivecapitalinvestments,suchasthoseincommunicationstechnology.AfewfeltthatbothdonorsandINGOswerestillnotdedicatingenoughmoneytosecurityandriskmanagementgenerally.
Asnotedabove,theINGOsinterviewedperceivemajorgovernmentaldonorstobeincreasingtheiremphasisonfiduciaryrisk(preventionoffraudanddiversion)andtobetighteninginternalcontrolsandoversightmechanismsinturn.Anumberofdonors—thelistwasnotparticularlyconsistent—were referred to as having “zero tolerance” approaches to fraud and diversion. Several interviewees mentionedthattheriskofindividualINGOstaffbeingcriminallycharged,whilelow,nonethelessplays aroleindecision-making.OperationsinSomaliawereseenasunderparticularlyheavyscrutiny,becauseofrecentcorruptionscandals.OneINGOinSomaliasaiditsfinanceandprogramstaff“usedtospend 20percentofthetimetheyarespendingnow”onreportingandoversight.InSyria,donorsareseentohaveacceptedagreatdealoffiduciaryriskuntilrecently,but“thisisnowreceding.”
Promisingpractice:Institutesafe-failpartnershipmeasuresRatherthanblacklistingnationalNGOsbasedonrisk,forhigh-riskpartners,dosmaller,more-frequentdisbursements offundingandsecondstafftooversee/monitor.
19
INGOsexpressedconcernthatdonorsweretransferringfiduciaryrisktoNGOswithoutguidanceonwhatlevelofriskisacceptable.Donorswereseentoacknowledgetheelevatedriskinsomecontextsduringinformalconversation,butnotinwriting,andneverintermsofanexplicitpercentageordollarfigureofwhatmightbedeemed“acceptableloss.”WhileanINGOmayachieveanunderstandingwithaspecificprojectofficer,thisisnotthesameasinstitutionalcommitmentoralegalorcontractualagreement.Several INGOs shared stories of auditors coming in a few years later and applying a higher standard than wasunderstoodtobeinplaceatthetime,requiringINGOstogivebackfundsbecauseprocedureswerenotproperlyfollowed,forexample.
Inadditiontoovertpressurefromdonors,manyINGOsobserveaphenomenonof“self-censorship”orself-regulationthatcanoccurwhenstaffassume that donors will disallow costs or not agree to certain programmingactionsorlocationsandthereforewillnotevenraisetheissue.Evenifdonorshaveproven receptivetosupportingsecuritycostsinthepast,forexample,aprogrammanagermayrefrainfrombudgetingfortheideallevelofsecurityinputs,onfearsthatitwouldmaketheINGO’sproposal“lesscompetitive.”Similarly,giventhegenerallackoffamiliaritywithcounter-terrorlegislationandconcernsaboutlegalimplicationsofviolatingit,manyINGOswilldefaulttothemostconservativeinterpretationoftheregulations—orsimplysteerclearofcertainprogrammingaltogether.
Interviews conducted for this study as well as for other research7suggestthatmanyINGOfieldstaff remainuncertainofhowtoengagewithnon-statearmedactorstoenableaccess,orwhethertheyshoulddosoatall.Humanitarianorganizationsalsostruggleinternallytoacknowledgeanddiscussthesometimes-necessarycompromisesthatenableaccess.Suchcompromisesorconcessionscanincludepayingmoneyatcheckpoints,payingunofficialtaxestolocalauthorities’alteringtargetingcriteriasothatpowerfulactorsortheirfamiliesreceiveaid,employingarmedguardsfromalocalmilitia,or working in one region and not another to avoid antagonizing a local authority or armed actor.8 Areluctancetodiscussthesepracticescanresultinaninternalcultureofsilenceoncorruption, fraud,anddiversion.Itcanalsofosteracultureofwillfulblindnessonthepartofinternationalstaff,whilenationalstaffareleftwiththeburdenandriskofmakingthetransactions.
SeveralINGOsinterviewedforthisstudyrelayedthefearofanegativestorylandinginthemedia, forexample,“whereanNGOistreatingsoldiersfromISIS,9 or had to pay Al Shabab for access.” This “nightmarescenario”wouldbefurtherexacerbatedbythefactthat,atthispoint,“politicsdrivesthe riskappetite,anditbecomesabsolutelyzero.”INGOsreliantondonor-governmentfundingstruggleto
7 SeeHumanitarianOutcomes(2015),“Component2PreliminaryBriefingNote,”SecureAccessinVolatileEnvironments(SAVE), https://www.humanitarianoutcomes.org/sites/default/files/component_2_summary_of_preliminary_findings.pdf.
8 Ibid.
9 Thiswouldnotbeillegalunderinternationalhumanitarianlaw(IHL),giventhatthislawrequiresthatallmembersofthearmedforcesandfightersfromarmedgroupswhoarewounded,sick,andhorsdecombatmustbetreatedaccordingtomedicalneed.ThisintervieweewasnotfromamedicalINGO.
Promisingpractice:CataloguingmisstepsandrealizedrisksTheseniormanagementofoneINGOhasbegunaregularpracticeofcompilingalistofallsignificantmistakesorbadoutcomesthataffectedtheorganizationovertheyearandsharingitwiththeentireorganizationasalearningtool.Itincludesbothdetailsonincidentsandwaystheymighthavebeenavoidedormitigated.Thiswasseenasparticularlyhelpfulinfosteringopennessandlesson-learning.Priortothispractice,manystaff/officeswereonlyvaguelyawareormisinformedoftheseincidents,whichtheylearnedthroughrumorsandspeculation.
20
appropriatelymanageriskaroundthesetypesofincident,asthiswouldrequirethatdonors—and ultimatelytheirtaxpayingpublic—acceptsomelevelofcompromisewhendeliveringaidduringwar.
Withregardtodonors’counter-terrorpoliciesspecifically,abouttwo-thirdsofINGOrespondentsfeltthattheseinfluencedwhereandhowtheycouldworkinasignificantway.TwoINGOrepresentativescitedexampleswheretheyfeltdonorshaddirectedthemonwhichcommunitiestheycouldworkwith(e.g.,inSyria,LebanonandSomalia,atthecountrylevel),andfoundtheywereprohibitedfromworkingwithimportantactorsintheareabecauseoftheirpoliticalassociations.Manyothersviewedthe pressureaslessdirect,expressedinsteadthroughadditionalriskmanagementclausesorreporting requirementsincontracts.AsoneINGOdescribed,“IfyourprocurementprocessinIraqona USAID-fundedprojectseemsabitwonky,the[USgovernment]couldgetquiteinquisitive.”Several INGOsexpressedconcernsabouttheUSgovernment’sPartnerVettingSystem,whichrequiresINGOgranteestocollectandprovideinformationontheirlocalNGOpartnersandstaff.Theybelievethis potentiallycreatesadditionalsecurity,reputational,andinformationrisks(e.g.,throughcollecting informationthatwasnotproperlystored/protectedorbeingperceivedascollectingpersonal informationtobepassedontoagovernmentagency).
Promisingpractice:Briefanduser-friendlytoolsforfieldsettingsMorebasic,“digestible,”toolsgetused.Forexample,one-pagersthatcanbepostedorcarriedwillhavefargreater utilitythanlargesecuritymanagementplans,whichareoftenunwieldyandsitonashelf.Focusandinsistonmore practicaltoolsandmorepracticaltrainings.
21
5.Principlesandprogramcriticality
Programcriticality(i.e.,theurgencyorpotentialimpactoftheprogram,intermsofsavinglivesandrelievingsuffering)iswidelyunderstoodbyhumanitarianINGOsandfactoredintotheirdecision-making.Almostallintervieweesaffirmedthattheytakethecriticalityoftheinterventionintoaccount,insomeway,whendeterminingthelevelofrisktheyarewillingtoaccept.Respondentsmadecommentssuch as“Iftheneedishuge,ouracceptablelevelofriskshiftssomewhat”;“Ifit’saboutsavinglives,yes, [ourorganization]iswillingtotakemorerisks”;and“Thisalwayscomesupin[seniormanagementteam]discussions[atfieldlevel].”Thiscriticalityassessmentismainlydoneinformally,however.Programcriticalitywastypicallynotpartofriskmanagementmechanisms,andtherewasnowayofsystematicallymeasuringit.NoneofthesampleINGOshadaformalwayofmeasuringthecriticalityoftheintervention, orawaytobalancethatagainstoveralllevelsofrisk.(Bycontrast,theUNhasdevelopedawayto systematicallymeasureprogramcriticalityandtobalancethiswiththelevelofsecurityriskassumedbyitsstaff(Haver,etal.,2014).
Contrarytointerviewandpolicydocumentfindings,themajorityofsurveyrespondentsanswered“yes”tothequestionofwhethertheirorganizationhadaspecificmechanismforconsideringprogramcriticalityindecisionsonrisk.However,respondentswerelikelyexpressingthefactthattheconceptisfamiliarandconsideredindecision-making,ratherthanthattheyhadawritten/formaltool.Thiswasfurtherjustifiedbyseveralofthecommentsinthesurvey,whichnotedthatexistingtoolsdonotincludeameasurementoftheimportanceoftheprogram.Whenasked,intervieweessuggestedthatthereasonsfornotincludingprogramcriticalityelementsinriskmanagementwasnotbecausetheyareinherentlydifficulttomeasure(i.e.,criticalityisnotnecessarilymoredifficulttomeasurethanrisk).Theirabsencecouldstemfromthefactthatriskmanagementframeworksweredevelopedintheprivatesector,wherethebottomlineismoreeasilymeasured,i.e.,intermsofprofit.
Deliveringhumanitarianassistanceinthemidstofviolentconflictinevitablyinvolvesrisk.Delivering principledhumanitarianassistanceinvolvesgrapplingwithcontradictionsandethicaldilemmas,eveninthebestofsituations.Notably,upholdingtheprincipleofhumanity(savinglivesandalleviatingsuffering) mayattimesrequirecompromisingneutrality,independenceorimpartiality.Forexample,anarmedactor mayseektospecifywhichpeoplecanbehelpedwhen,forcinganethicaldilemma.Similarly,tobring securityandfiduciaryrisksdowntoacceptablelevelscanmeanadefactofailuretoprioritizepopulations ingreatestneed,andthereforeafailuretoactimpartially—atleastforthecollectivehumanitarian response,ifnotforasingleINGO.Inotherwords,thereisabuilt-intensionbetweenfulfillingthe mandateandmissionofone’sorganizationandmanagingitsrisk.
Whilemanyintervieweeswerequicktopointoutthattheirorganizationhadnotshiedawayfrom workinginthehighest-riskenvironments,theyalsoprovidedmultipleexamplesofwheretheirworkwas restrictedinvariousways.Severalintervieweesnotedthatwhiletheywererarelyentirelypreventedfromworkinginacertaincountryaltogether,theyrestrictedthemselvestospecificregionswithinit.Restrictionswerealsonotedinthetypesofprogrammingtheycouldcarryout.In-kindassistancewassometimesusedbecausecashwasseenastoorisky,forexample,duetoahostgovernment’snegativeperceptions(e.g.,inAfghanistan,Iraq,Syria,andUkraine).Insomeareas,sexualandgender-based violence(SGBV)programswereseenaslocallyunacceptableandthereforetooriskyfromasecuritypointofview.Inaddition,INGOsreportedoftennotspeakingoutonbehalfofaffectedpeople(i.e.,reducingtheiradvocacy)becauseofperceivedoractualriskstothesecurityofstaff,theorganization’sreputation,oritsfutureaccess.Feworganizationsseemedtohaveawayofmeasuringorassessingthislasttypeofrisk.Decision-makingonadvocacywascomplicatedbythefactthatoftenstaffbasedoutsidethecountryleadadvocacyefforts,buttheyarenotasawareoftherisksandsotendtodefertocountry- basedstaff,whoarenaturallymorefocusedonensuringthecontinuityoftheiroperations.
22
Promisingpractice:“Pre-mortems”-chartingpossiblerisksandpotentialresponsesThoughitmayseemelementary,NGOsreportedthatthepracticeofexplicitlylistingrisksandtheirpossiblemitigationmeasureswasextremelyhelpfulindecision-making.Aselectionofexamplestheycitedarebelow,andcanbeviewedaspromisingpracticesinthemselves.
CATEGORY
Information
Compliancewithhost governmentlawsand regulations
Communicationsand outreach(reputation)
Operational
RISK
Systemsriskbeinghacked,withdonors’creditcardsorothersensitiveinformation stolen.Nationalstaffadministration softwareiseasytodefraud.
Tax,registration,andotherlegal complianceissuestakealotoftimeandenergy,andaresospecificthattheyaredifficultforagloballyoperatingNGOtoresolve(andforesee).
Workingwithexternalfundraising companiesthatengageinaggressive ordishonesttacticscanleadto reputationaldamage.
Alocalpartnerdoesnothavethe capacitytomeetdonorconditions,ordoesn’thavefinancialreserves.
MITIGATION MEASURES
GetanITsecurityaudit(technological andprocedural)byexternalprofessionalstoidentifyandfixvulnerabilities.
Havelawyersonretainerinthecountriesofoperation(notexpats)withspecificexpertiseinthatareaoflaw(e.g., employmentlaw,taxlaw)todealwithissuesastheycomeupandfeedinto decisionsandpolicies,e.g.,country- specificHRpolicies.
Ratherthanoutsourcing,investin in-housefundraisingstaff.
Secondstafftositwiththepartner organization.
Obtainfundingformentoringandcapacitybuildingforpartners.
The “risk management” approaches of INGOs have tended not to explicitly address the risk of programmingunethicallyorviolatinghumanitarianprinciples.Asoneintervieweenoted,“Thereislessofafocusondilemmasaroundwhoyouworkwith,accessissues,theinternationalpoliticalagendaetc.Thesearenotseenas‘risks’butratherjustconditionsthatyouhavetodealwitheveryday.”Risk managementhastendedtofocusmoreonsecurity,fiduciaryandcompliancerisks,ratherthanthemoregeneralriskofnotlivinguptoone’smandate/missiontodeliverprincipledandeffectivehumanitarianresponse.The“failuretodeliverresponsibly,inaprincipledway”isdeeplyintertwinedwiththeconceptofacceptance-basedsecurity,butnotconsideredariskinitself.Thismirrorsthefinding(above)that INGOslackastructuredwaytothinkaboutprogramcriticality—instead,takingitmoreorlessfor grantedthatitwillbeintuitivelyconsideredbydecision-makers.
23
6.Conclusionsandrecommendationfornewpolicyguidance
Thebalanceofevidencefromthekeyinformantinterviews,surveyresponsesandpolicysynthesis suggeststhatthemajoroperationalINGOscontinuetoprofessionalizeandinstitutionalizerisk management,buthaveagooddealfurthertogoiftheirobjectiveistoachieveatrulyintegrative approachtorisk.Securityremainsthemostadvancedareaofpolicyandpractice,likelybecauseithasbeenstudiedlongerandwithmoreurgency(beingamatteroflifeandlimb),butsecurityfocalpoints donotyetconsistentlyengageinpracticalplanningordiscussionwithotherpolicyareaswithin organizations.Thestudyrevealedgeneralenthusiasmforthesystematicandholisticapproachoffered byriskmanagement.Atthesametime,however,somestaffworrythatifappliedthewrongwayitcanleadtoriskaversionandconstrainedactionasonepotentialnegativeoutcome,ortobox-tickingandcomplacency as another.
Finally,therearethingsthatriskmanagementdoesn’tcoverandarguablyshould.Oneisprogram criticality,avitalconsiderationwhendecidinghowmuchresidualriskisacceptable.Withoutit,there isthepossibilityofmakingdecisionsusingalowestcommondenominatorriskthreshold,andfailing totakelife-savingactionasaresult.Anotheristheissueofhumanitarianprinciplesandtheethicaldilemmasthatcanresultwhentheyconflictwitheachotherorwithotherriskmanagementobjectives.Giventheprimarymissionofhumanitarianorganizations,therisksoffailingtoliveuptocore humanitarianprinciples,ortherisksofactingunethicallytowardaffectedpopulations,arealso important to manage and be honest about.
6.1Recommendedpracticalproduct:Riskmanagementpolicybrief
Thetermsofreferenceforthestudycallfortheresearcherstoproposeanddevelopanadditionalpractical toolorguidancedocumentforNGOsinaddressingrisk.Approachingthistask,wewereguidedbytheunderstandingthatintroducinganewtoolortemplateintoanalreadycrowdedfieldwillnotaddvalueunless it addresses a key gap or problem and is simple enough to be readily understood and implemented. Interviewees and survey respondents were prompted for their opinions and ideas on what sorts of tools mightbemostuseful.Althoughanumberofthemexpressedthesentimentthat“toomanytools”already exist,thiswasaminorityopinion.Nostrongconsensusorspecificideasemerged,however,onwhatnew instrumentsareneededorwouldbemosthelpful.Themostfrequentlymadesuggestionwasforconsolidated guidance on the basic principles and procedures for risk management that was “short” and “simple.”
Basedonthereviewfindingsandtheidentificationofgaps,theresearchteamproposedthreepossibleoptionsforconsiderationtotheparticipatingINGOsatworkshopsinWashington,DC,andDublin.Theoptionsincludedahandbookonbasicprinciplesofriskmanagement,aprogramcriticalityassessmenttool,andpolicyguidanceonethics-relatedrisk.Despitethestudy’sfindingthatissuesofprogram criticalityandethicsarenotsystematicallyincludedinriskmanagementprocesses,neithergroup expressedinterestintheselattertwooptions.Afterdiscussionoftheprosandconsofeach,consensusemergedaroundahandbook/briefingpaperthatwouldincludenotonlybasicprinciples,butalso specificexamplesofpromisingandpoorpractice,andanannotatedriskregistertemplate.Thehandbook canbefoundhere[link].Bothgroupsalsoexpressedinterestinthepossibilityoffurtherresearchonmeasuringandacceptingresidualrisk(seesection6.2).
6.2Prospectsforfurtherresearchandadvocacy
Inadditiontothehandbook,anotherareaofconsensusthatemergedattheworkshopswasinterestinfutureappliedresearchintoresidualrisk.Afterallappropriatemeasureshavebeentakentomitigatethe risk,canhumanitarianorganizationsanddonorscollectivelysetparametersforacceptablelevelsofresidual risk?TheparticipatingINGOsexpressedtheirwillingnesstoconsiderthepotentialforadditionalin-depthresearchonthisissue,withaneyetoproducinganoutputthatcouldbeusedforcoordinationandadvocacy.
24
References
ALNAP(2006).EvaluatinghumanitarianactionusingtheOECDDACcriteria:AnALNAPguidefor humanitarianagencies.London:OverseasDevelopmentInstitute.
ALNAP(2010).Thestateofthehumanitariansystem:Assessingperformanceandprogress.London:OverseasDevelopmentInstitute.
Collinson,S.,&M.Duffield(2013).Paradoxesofpresence.HumanitarianPolicyGroup. www.odi.org/publications/7514-risk-humanitarian-remote-management.
CounterterrorismandHumanitarianEngagementProject(2014).Ananalysisofcontemporary anti-diversionpoliciesandpracticesofhumanitarianorganizations.CounterterrorismandHumanitarianEngagementProject.http://blogs.harvard.edu/cheproject/files/2013/10/CHE_Project_-_Anti-Diversion_Policies_of_Humanitarian_Organizations_May_2014.pdf.
Haver,K.,A.Stoddard,andA.Harmer(2014).Independentreviewofprogrammecriticality,Humanitarian Outcomes,July.
Healy,S.,&S.Tiller(2014).Whereiseveryone?:Respondingtoemergenciesinthemostdifficultplaces. London:MedecinssansFrontieres.
Hoppe,K.(2015).Climbingbackdown:Thechallengeofreducingsecuritylevels.HumanitarianPracticeNetwork,23November.http://odihpn.org/blog/climbing-back-down-the-challenge-of-reducing- security-levels/.
Humanitarian Outcomes (2014). Ratesofviolence(1997–2014).London:HumanitarianOutcomes.
HumanitarianPracticeNetwork(2010).Goodpracticereview:Operationalsecuritymanagementin violentenvironments(2nded.)London:OverseasDevelopmentInstitute.
Kaplan,R.,&A.Mikes(2012).Managingrisks:Anewframework.HarvardBusinessReview,48–60.
Mackintosh,K.,&P.Duplat(2013).Studyoftheimpactofdonorcounterterrorismmeasuresonprincipled humanitarianaction.UN OCHA and Norwegian Refugee Council.
OfficeofForeignAssets(2014).Controlguidancerelatedtotheprovisionofhumanitarianassistancebynot-for-profitnon-governmentalorganizations.Washington,DC:DepartmentoftheTreasury.
RIMS(2015).WhatisERM?RIMS:TheRiskManagementSociety.https://www.rims.org/resources/ERM/Pages/WhatisERM.aspx.
Schafer,J.,&P.Murphy(2011).Securitycollaboration:bestpracticesguide.Washington,DC:InterAction.
Slovic,P.(2000).Theperceptionofrisk.London:Earthscan.
Tversky,A.,&D.Kahneman(1974).Judgmentunderuncertainty:Heuristicsandbiases.Science,185 (4157),1124–31.
25
Figure6:TopicareasbeingdiscussedbyINGOsinregardstorisk
Num
bero
fmen
tions
0
6
12
18
24
30
Acce
ptan
ce
27
Loca
l par
tner
ship
s
Abd
uc�o
ns &
Kid
napp
ing
21 20 19 18 17 16 1614 13 12 12 11 11 11 10 10 9 8 8 7 6 5 5 4 3 3
Prot
ec�o
n
With
draw
/sus
pend
Info
Sec
CT
& C
T Le
gisla
�on
Eva
cua�
on
Dut
y of
Car
e
Hum
anita
rian
Prin
cipl
es
Con
flict
of I
nter
est
Dono
rs
Cas
h pr
ogra
mm
ing
Civ
-Mil
Rig
ht to
with
draw
Do n
o ha
rm
Sex
ual a
ssau
lt/ex
ploi
ta�o
n
Loc
al S
taff
Pro
gram
cri�
calit
y
Rem
ote
Man
agem
ent
Soci
al M
edia
Info
rmed
Con
sent
Pol
i�cs
(for
eign
influ
ence
)
Risk
tran
sfer
Neg
o�a�
ons
Arm
ed a
ctor
s
OFA
C
Topic area
Annex 1. Policy synthesis summary
Figure7:Toptenthematicareasofdiscussion inrelationtorisk
Num
bero
fmen
tions
Loc
al P
artn
ersh
ips
0
7
14
21
28
21
Abd
uc�o
ns &
Kid
napp
ing
20
Prot
ec�o
n
With
draw
/sus
pend
Info
Sec
CT
& C
T Le
gisla
�on
Eva
cua�
on
Duty
of C
are
19 18 17 16 1614
27
Acce
ptan
ce
Hum
anita
rian
Prin
cipl
es
13
Figure8:Lowesttenthematicareasofdiscussioninrelationtorisk
Num
bero
fmen
tions
Pro
gram
cri�
calit
y
0
3
6
9
8
Rem
ote
Man
agem
ent
8
Soc
ial M
edia
Info
rmed
Con
sent
Pol
i�cs
(for
eign
influ
ence
)
Risk
tran
sfer
Neg
o�a�
ons
Arm
ed a
ctor
s
76
5 54
3
9
Loc
al S
taff
OFA
C
3
26
Figure9:INGOaffiliationsandpolicyarea(policywordcount)
0 80000 160000 240000 320000
Security
Safety & Security
Safety
Opera�onal
Legal & Compliance
Informa�on
Financial
Communica�ons
ALL
US
INT
UK
EU
127,050165,424
87,29330,043
20,176
225
10,2801,754
16,368
14,32253,036
18,137
1,6165,004
7,0771,382
14,55445,610
2,00511,292
318,67947,204
12,50069,701
3,58344,733
10,474
17,30757,414
3,779
7
4,542
27
Figure10:Thematicdiscussionsofriskwithinsecuritypolicy
Acceptance Abduc�ons & Kidnapping
Evacua�onProtec�on
Duty of Care Withdraw/suspend
Right to withdraw Humanitarian Principles
Civ-Mil Sexual assault/exploita�on
Program cri�cality Local Partnerships Informed Consent
Nego�a�ons Poli�cs (foreign influence)
Local Staff Do no harm
Armed actorsInfoSec
CT & CT Legisla�onRemote Management
Risk transferDonors
Social Media
0 5 10 15 20
Figure11:Thematicdiscussionsofriskwithinfinancialpolicy
Conflict of Interest
Local Partnerships
Cash programming
CT & CT Legisla�on
Donors
OFAC
Evacua�on
Duty of Care
Remote Management
Local Staff
Withdraw/suspend
0 2 4 6 8
28
Figure12:Thematicdiscussionsofriskwithincommunicationpolicy
Social Media Local Staff
DonorsAcceptance
Withdraw/suspend programInfoSec
Abduc�ons & KidnappingProtec�on
Humanitarian PrinciplesCiv-Mil
Do no harm
0 1 2 3 4
Figure13:Thematicdiscussionsofriskwithin“all”policycategory
CT & CT Legisla�onProtec�on
Local Partnerships Do no harm
Duty of CareProgram cri�cality
Cash programmingRemote Management
InfoSec Risk transfer
Humanitarian PrinciplesConflict of Interest
Local Staff0 1 2 3 4 5
Figure14:Thematicdiscussionofriskwithinoperationalpolicy
Remote Management
Do no harm
CT & CT Legisla�on
Local Partnerships
Local Staff
Humanitarian Principles
Duty of Care
Conflict of Interest
InfoSec
Risk Transfer
0 1 2 3
29
ValuesAcceptance 1 2 20 23Abductions&Kidnapping 1 1 18 20LocalPartnerships 8 1 2 6 17Evacuation 2 1 13 16InfoSec 1 9 1 1 3 15Protection 1 1 1 11 14Withdraw/suspendprogram 1 1 2 10 14DutyofCare 1 1 10 12Humanitarian Principles 1 1 9 11CT&CTLegislation 5 1 2 1 2 11Right to withdraw 1 10 11ConflictofInterest 8 1 1 10Civil military 1 1 8 10Donors 1 4 2 2 9Sexualassault/exploitation 1 1 7 9LocalStaff 1 1 2 4 8Cash programming 7 1 8Social Media 4 1 1 1 7Donoharm 1 2 1 3 7Remote Management 1 3 2 6Programcriticality 6 6Informed Consent 1 5 6Politics(foreigninfluence) 4 4Negotiations 4 4Risk transfer 1 2 3OFAC 3 3Armed actors 3 3
Table2:Overviewofpolicyareasinrelationtothematicdiscussionsaboutrisk
Commun
icati
ons
Fina
ncial
Inform
ation
Legal/c
ompliance
Ope
ratio
nal
Safety
Safety&Security
Security
Gran
dtotal
30
Figure15:TypesoftoolsusedbyINGOsinriskmanagement
Figure16:Riskmanagementtoolsinrelationtotheirpolicyareas
Procedural 35%
22% Declara�ve
43% Analy�cal
ALL 23%
Security 50%4% Safety & Security
2% Communica ons4% Compliance
4% Finance
9% Opera onal
4% Safety
31
Annex 2. People interviewed
NAME TITLE INGO/DONOR
ChrisLockyear DirectorofOperations(US) ACF
LuisGarcia DirectorofFinance ACF
AlexCottin DirectorofExternalRelations ACF
ColinMcIlreavy SecurityDirector ACF
BarbaraJackson HumanitarianDirector CAREInternational
RobertYallop PrincipalExecutiveInternationalOperations CAREAustralia
Greg Brown Head of Corporate Services CARE Australia
ChrisWilliams HeadofSafetyandSecurity CAREUSA
DawMohammed CountryDirector,Yemen CAREUSA
ChristinaNorthey CountryDirector,Afghanistan CARE
ÁineFay PresidentandChiefOperatingOfficer Concern
RichardDixon DirectorofPublicAffairs Concern
Abdi-RashidHajiNur CountryDirector,Somalia Concern
FeargalO’Connell CountryDirector,SouthSudan Concern
MubashirAhmed CountryDirector,Pakistan Concern
DominicCrowley EmergencyDirector Concern
SeanCallahan ChiefOperatingOfficer CRS
KevinHartigan RegionalDirector,Europe,MiddleEast,andCentralAsia CRS
JenniferPoidatz VicePresident,HumanitarianResponse CRS
JimO’Connor Director,RiskManagementandStaffSecurity CRS
MauriceMcQuillan SeniorAdvisor,StaffSafetyandSecurity CRS
TimothyBishop CountryRepresentative,DRCongo CRS
JonasMukidi SecurityManager CRS
NiekDeGoeij CountryRepresentative,Mali CRS
AnneMaltais HeadofOffice,Sevare,Mali CRS
GorelSidibe SecurityManager,Mali CRS
LorraineBramwell CountryRepresentative,SouthSudan CRS
FarukhKhan SecurityManger,SouthSudan CRS
ChristineTucker LiaisonwiththeEnterpriseRiskManagementCouncil CRS
MiaNeumann ChiefTechnicalAdvisor,RiskandCompliance DRC
FredrikPaalson ChiefTechnicalAdvisor,SafetyandSecurity DRC
PeterKlansoe RegionalDirector,MiddleEast DRC
HeatherAmstutz RegionalDirector,HornofAfrica/Yemen DRC
ImmoMeyer-Christian RegionalSafetyAdvisor,MiddleEast DRC
MichaelMatt RegionalSafetyAdvisor,HornofAfricaandYemen DRC
RikkeJohannessen RegionalHeadofProgram,HornofAfrica/Yemen DRC
32
NAME TITLE INGO/DONOR
BryanWalden ProjectManager,LogisticsSystemsandTraining DRC
ShaunBickley ExecutiveCoordinator(interim) EISF
MarinTomas GlobalLogisticsManager IMC
ChrisSkopec SeniorDirector,EmergencyPreparednessandResponse IMC
StephenTomlin SeniorAdvisor,Program,Policy,andPlanning IMC
TimMcAtee DeputyDirectorofGlobalSecurity IMC
TaralynLyon EpidemiologyandSystemsCoordinator IMC
JonCunliffe EmergencyTeamLeader,Turkey IMC
AdenNoor CountrySecurityManager,Somalia IMC
BobKitchen Director,EmergencyPreparednessandResponseUnit IRC
DeniseFurnell SeniorDirector,GlobalSafetyandSecurity IRC
ColleenRyan VicePresidentofCommunications IRC
SannaJohnson RegionalDirector,Asia,Caucasus,andMiddleEast IRC
MarkSchnellbaecher RegionalDirector,SyriaRegionalResponse IRC
BrycePerry EmergencyFieldDirector IRC
YusufAhmed RegionalDirect,EastAfrica IslamicRelief
AteeqRehman CountryDirector,Pakistan(former) IslamicRelief
MohammedSalah CountryDirector,Yemen IslamicRelief
Dr.AhmedNasr HeadofGlobalOperations IslamicRelief
JavedBostan InternalAuditManager IslamicRelief
BethdeHamel ChiefFinancialOfficer MercyCorps
Barnes Ellis General Counsel Mercy Corps
ChristineBragale DirectorofMediaRelations MercyCorps
NajiaHyder DirectorofGlobalProgramming MercyCorps
DamienValletted’Osio RovingSecurityAdviser,Africa MercyCorps
ChristianKatzer OperationsManager,MSFOCABerlindesk-Chad, CAR,Zimbabwe,Swaziland,PNG,mobileHAT MSFHolland
ThijsvanBuuren Controller(finance) MSFHolland
PeteButh DeputyDirectorofOperations MSFHolland
WouterKok FieldSecurityAdvisor MSFHolland
JustinArmstrong HeadofProgramsforOCAinAfghanistan MSFHolland
GautamChatterjee HeadofMission,Somalia MSFHolland
Kelsey Hoppe Head of Service Safety and Security Pakistan Humanitarian Forum
MarcosFerreiro InformationandAnalysisManager NGOSafetyProgram, Somalia
GregNorton HeadofInternalAuditandQualitySupport NRC
33
NAME TITLE INGO/DONOR
MagnhildVasset DirectorofFieldOperations NRC
QuratSadozai CountryDirector,Afghanistan NRC
NasrMuflahi CountryDirector,Iraq NRC
Heather Hughes Global Security Advisor Oxfam GB
KathleenParsons DeputyProgramDirector,BusinessPractices OxfamGB
SagarDave HeadofInternalAudit OxfamGB
ChristianBadete SecurityAdviser,DRCongo OxfamGB
AndresGonzalez CountryDirector,Iraq OxfamGB
Rod Slip Response and Resiliency Team Security Advisor Oxfam GB
NahuelArenas HumanitarianDirector OxfamAmerica
MarkKripp ChiefFinancialOfficer OxfamAmerica
RachelHayes SeniorDirectorofCommunications and Community Engagement Oxfam America
ElFatehOsman OxfamCountryDirector(Sudan) OxfamAmerica
MikeNovell DeputyInternationalProgramDirector SavetheChildrenIntl.
Karl Sandstrom Risk Manager Save the Children Intl.
GregRamm VicePresident,HumanitarianResponse SavetheChildrenUS
RafaelKhusnutdinov SeniorDirectorGlobalSafetyandSecurity SavetheChildrenUS
HajiraShariff VicePresident,BusinessIntegration SavetheChildrenUS
SeanLowrie Director StartNetwork
EricHembree OfficeoftheComptroller(Director) US/BPRM
KatherinePerkins OfficeofPolicyandResourcePlanning(ActingDirector) US/BPRM
StacyGilbert OfficeofAsiaandNearEast(SeniorCivilMilitaryOfficer) US/BPRM
JenniferSmith OfficeofMultilateralCoordinationandExternalRelations US/BPRM
MariaRowan OfficeofPolicyandResourcePlanning(Monitoring andEvaluation) US/BPRM
FaithChamberlain OfficeofPolicyandResourcePlanning(MilitaryAdvisor) US/BPRM
AndrewKent SeniorHumanitarianPolicyAdvisor US/OFDA
CaraChristie TeamLeadforEastandCentralAfrica US/OFDA
PaulSitnam EmergencyResponseManager,CentralAfricanRepublic WorldVision
PerryMansfeild NationalDirector,SouthSudan WorldVision
KhalilSleiman ResponseManager WorldVision
SeanDenson OperationsDirector,OfficeofCorporateSecurity WorldVision
LaurenceBaird GlobalSecurityAdvisor WorldVision
34
Figure17:Staffpositionsrepresented
Field HQ
Subna�onal field staff 11
Senior management 129
78 Program
4 Security
Admin/support 12Communica�ons 2
Finance 9
Logis�cs 19
Senior management 76
35 Program
4 Security
Admin/support 1Communicaons 3
Legal 5
Logiscs 3
Existence/awarenessofriskmanagementpolicies
Thepresenceofexplicitriskmanagementpolicies,particularlyintheareasofsafetyandsecurity,wasconfirmedbyamajorityofrespondents.Majoritiescouldconfirmtheexistenceofformalproceduresandpoliciesinsafety(themostwell-knownarea)andsecurity(thesecondmostconfirmed).Financial/ fiduciaryriskwasthethirdmostconfirmedareaofexplicitpolicy,followedbyinternational(sanctionsandcounter-terror)andnationallegalcompliance.
Informationsecurityandpoliciesregardingcompliancewithinternationalsanctionsandcounterterrorregulationshavethelowestlevelofawareness,buttheirexistencewasstillconfirmedbyamajorityofoverallrespondents(56–57percent)exceptforthenon-sampleNGOsandHQstaff.
Annex 3. Survey results
Responsebreakdown
The survey collected 398usableresponsesout of 401 completed surveys (three were excluded as non-NGOaffiliated,i.e.UNagencies).Themajorityofresponses(339or85percent)werefromINGOsinthesamplegroup.Oftheremaining,43non-sampleINGOs,sevenresponseswerefromnationalNGOs.
Altogether,thesurveyrespondentsrepresentedatleast57uniqueNGOs(two respondents declined to nametheirorganizations)workingin79countries.
Asaimedfor,thereweremorefield-basedrespondents(265)thanHQstaff(128),andfiveidentified asbeingfromregionaloffices.Ofthese,159identifiedasexpatriates/internationalsand 103as nationalstaff.
ThemostprevalentfieldsettingswereLebanon(26),DRC(24),Jordan(24),SouthSudan(22),and Afghanistan(19).ByfarthemostHQrespondentswerefromtheUS(39),followedbyDenmark(7), Switzerland(6),andGermany,Ireland,andUK(4each).
Themajorityofrespondents(207)wereinseniormanagementpositions,followedbyprogramand technicalstaff(113),logistics(22),security(11)andotherroles.
35
Toyourknowledge,doesyourorganizationhavespecific Sample Other policiesandproceduresonanyorallofthefollowing? Total group NGOs
Safety 92% 94% 81%
Security 89% 91% 83%
Fiduciary/financial 82% 84% 71%
Legalcompliance(hostgovernmentlaws) 72% 74% 59%
Informationsecurity 57% 60% 44%
Legalcompliance(int’lsanctions/counterterror) 56% 57% 47%
Existenceand/orawarenessofrisk-managementpoliciesingeneralwerestrongeramongthesamplegroupofNGOsthanthenon-samplerespondentswere,butvariedbycategorybetweenfieldand headquartersrespondents.Forinstance,awarenessofinformation-securitypoliciesinthefieldwasstrongerthaninheadquarters(61percentand49percentrespectively).
Effectivenessofimplementationofriskmanagementpolicies
Overall,respondentswerepositiveontheextenttowhichpolicieswereunderstoodandimplementedinthefield,withmajoritiesreportingthatimplementationwas“good”inallareasofriskmanagement.ThoserepresentingtheINGOsfromthesamplegroup,however,weregenerallymorepositive(moreoftenanswering“good”or“excellent”)thanthenon-sampleones(whichhadagreaterpercentageof“fair” or “poor” responses).
Table3.Policyemphasis
Excellent Good Fair
Sample
Non-sample
0.0
0.1
0.2
0.3
0.4
0.5
0.6
Poor
Figure18:Securitypolicyimplementation
36
0
50
100
150
200
Secu
rity
Safe
ty
Info
rma�
on
Excellent
Fair
Int'l
com
plian
ce
Host
govt
com
plian
ce
Fiduc
iary
Com
mun
ica�o
ns
RM ov
erall
Good
Poor
Largemajoritiesalsoreportedthattrainingwasprovidedforeachcategoryofriskmanagement,withthehighestnumberof“yes”responsesintheareasofsafetyandsecurity.Again,thepositiveresponseswerestrongerinthesamplegroupofINGOs,whoseratioofyes-to-noanswerswasovertwiceashighasthatof the non-sample group.
Programcriticalityconsiderations
Contrarytointerviewandpolicydocumentfindings,themajorityofsurveyrespondentsanswered“yes”tothequestionofwhethertheirorganizationhadaspecificmechanismforconsideringprogramcriticality indecisionsonrisk(i.e.,allowingfortheacceptableriskthresholdtobehigherforactivitiesthatservemorecriticalneeds).Respondentspossiblywereexpressingtheirfamiliaritywiththeconceptandthatitisconsideredindecision-making,ratherthanthattheirorganizationhasawritten/formaltool.
Onecommentsaid,“intermsofdecision-makingonbalancebetweenriskandprogrammingare mechanismsandsystemsthatarewellestablished(riskmatrixandanalysis,etc.)toassessthesecurityrisksthemselves,butasfarasIknowthereisnoexplicitmechanismtoweighriskagainstimportanceofprogramimplementation.”
Forothersitmaybethattoolsareavailablebutnotorganization-wide:
• “Yes,butprobablynotallcountryoperationsusethesametool,oruselocallydevelopedtools.”
• “Yes,butthetoolismoretoensuremitigationmeasuresareinplacetoaddressrisks.”Itneedstohaveastrongcomponent(oradifferenttoolisneeded).
Figure19:Howwellarepoliciesimplementedandunderstood?
37
DoesyourNGOexplicitlyweigh“programcriticality”inrisk-managementdecisions?
0.0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
Yes No I don’t know
Sample NGOs
Others
Figure20:Weighing“programcriticality”inrisk-managementdecisions
Forsomeitwascontainedinotherpolicies:“Forciv-milissues,weuseatoolwedevelopedcalledtheHISS-CAMwhichguidesdecisionmakingaboutarmedactors/militaryinvolvement.Thetoolcontainsapart on risk vs. program urgency.”
Policyemphasis
Respondents were asked to rate areas of risk management in terms of what received the most emphasisinorganizationalpolicyandprocedures.Securityandsafetywerethetoptwoareasof emphasis,followedbyfiduciaryrisk,hostgovernmentlegalcompliance,reputationalrisk,and internationalcounter-terrorcompliance.Thelowestrankedareawasinformationrisk.
Attitudestowardriskacceptance
Most respondents rated their own agencies as being more toward the “risk tolerant” end of the spectrum.However,theyalsoreportedthatriskappetiteattheirorganizationhaddeclinedinrecentyears–slightlymorethanreportedithadstayedthesame.
Whenresponsesaretalliedbyorganization,wesee4organizationsinthesamplegroupwhose respondingstaffperceivethemtobelessrisktolerantthanpreviously,5whosestaffperceivethemto bemorerisktolerant,and4reportingnochange.TheremainingINGOhadstaffwhowereevenlysplit on the issue.
38
Organizationhasbecome:
More risk tolerant
Less risk tolerant
About the same
Field
HQ
0 35 70 105 140
79 33
90 48
91 46
Figure21:Changeinrisktoleranceovertime
Open-endedresponsesstressedthevarianceincontextsandindividualswhenitcomestoriskappetite.However,whenfilteredforthehigh-securityriskcountries,theresultsaregenerallythesamefortheseorganizations,withstrongermajorities.
ThesurveyaskedINGOstaffhowmuchtheyagreedwiththestatement“INGOshavebecomeincreasingly risk averse and are curtailing humanitarian response as a result.” Overall most respondents answered thattheyagreedor“somewhatagreed.”StaffofUS-basedINGOsweremorelikelytodisagree,andlesslikelytoagreecompletely,thantheirEuropeancounterparts,butstillhadapluralityofrespondentsthat“somewhat agreed” with the statement.
Figure22:Changeinrisktoleranceaccordingtocontext
Changeinrisktolerance(high-risksettings)
More risk tolerant 20%
33% About the same
Less risk tolerant 47%
39
Figure23:“INGOshavebecomeincreasinglyriskaverseandarecurtailing humanitarianresponseasaresult.”
Agree with statement
N. America
Europe
0
35
70
105
140
32
58
45
92 20
78
Disagree Somewhat agree Agree