European Interagency Security Forum (EISF) Risk Thresholds in Humanitarian Assistance EISF Report

May 13, 2020


European Interagency Security Forum (EISF)

Risk Thresholds in Humanitarian Assistance

EISF Report


European Interagency Security Forum

The European Interagency Security Forum is an independent platform for Security Focal Points from European humanitarian agencies operating overseas. EISF members are committed to improving the safety and security of relief operations and staff in a way that allows greater access to and impact for crisis-affected populations.

The Forum was created to establish a more prominent role for security management in international humanitarian operations. It provides a space for NGOs to collectively improve security management practice, and facilitates exchange between members and other bodies such as the UN, institutional donors, research institutions, training providers and a broad range of international NGOs.

EISF fosters dialogue, coordination, and documentation of current security management practice. EISF is an independent entity currently funded by the UK Department for International Development (DFID), the US Office for Foreign Disaster Assistance (OFDA) and the Swiss Agency for Development and Cooperation (SDC), and hosted by Save the Children UK.

Acknowledgements

This report is authored by Madeleine Kingston and Oliver Behn of EISF.

We would like to thank Alexandre Carle (independent consultant), Andrew Cunningham (MSF Holland), Michiel Hofman (MSF Afghanistan), Sarah Lumsdon (Oxfam GB), Maarten Merkelbach (Security Management Initiative), Frederic Penard (Médecins du Monde France) and Elizabeth Rowley (Johns Hopkins Bloomberg School of Public Health) for reviewing the report in its draft stages.

We would also like to thank those who gave their time for interviews or shared documents relating to risk management: Pete Buth (independent consultant), David Clamp (VSO), Peter Crichton (Concern Worldwide), Jan Dalheimer (World Vision International), Pascal Daudin (CARE International), Floris Faber (Mission East), Christopher Finucane (Humanitarian Policy), Doerte Hempfing (CARE International), Trevor Hughes (IMC), Heather Hughes (Oxfam GB), Asmatullah Khan (Merlin Pakistan), Kevin W. Knight AM (Chair of the ISO 31000 Working Group), Eric Le Guen (IRC), Marcel Langenbach (MSF Holland), Kiruja Micheni (Christian Aid), Michael O’Neill (Save the Children US), Sicko Pijpker (ICCO & Kerk in Actie), Stefano Piziali (CESVI), Tom Quinn (MSF Belgium), Emily Speers Mears (Merlin Myanmar) and Abby Stoddard (Humanitarian Outcomes).

The text was edited by Eleanor Margolies.

Whilst all provided important input and feedback, any errors remaining are EISF’s alone.

Disclaimer

EISF is a member-led grouping and has no separate legal status under the laws of England and Wales or any other jurisdiction, and references to ‘EISF’ in this disclaimer shall mean the member agencies, observers and secretariat of EISF.

While EISF endeavours to ensure that the information in this document is correct, EISF does not warrant its accuracy and completeness. The information in this document is provided ‘as is’, without any conditions, warranties or other terms of any kind, and reliance upon any material or other information contained in this document shall be entirely at your own risk. Accordingly, to the maximum extent permitted by applicable law, EISF excludes all representations, warranties, conditions and other terms which, but for this legal notice, might have effect in relation to the information in this document. EISF shall not be liable for any kind of loss or damage whatsoever to you or a third party arising from reliance on the information contained in this document.

© 2010 European Interagency Security Forum


Contents

Overview

1 Introduction

1.1 Background to this study

1.2 The risk management process

1.3 ‘Risk attitude’ in the risk management process

2 Establishing risk thresholds and risk attitude

2.1 Risk thresholds

2.2 Organisational risk attitude

3 Managing organisational risk acceptance

3.1 Programme, context and risk assessment

3.2 Systematic and proportional judgement of risk

3.3 Dynamics of decision-making

4 Conclusions and recommendations

4.1 Consistent approach based on shared understanding of risk

4.2 From field risk analysis to integrated risk management

4.3 Methodologies to facilitate integrated risk management

Annex 1 Glossary

Annex 2 Resource list

Other EISF Publications

List of illustrations

The Risk Management Process

Levels of Risk Management

The Dynamic Level

The Strategic Level

Risk Attitude in Practice: the organisational decision-making process

Flowchart: programme, context and risk assessment

Overview

This study is concerned with risk management within humanitarian programmes. We look at how agencies define and express their attitude to risk, and consider how organisational and operational priorities might be better integrated. The study is therefore addressed to senior management as well as security specialists. We suggest that an integrated approach to risk management can maximise programme resilience and thus achieve greater humanitarian impact. Throughout, the study draws on the experience of EISF members, who are security practitioners working for humanitarian organisations, as well as risk management knowledge from other sectors.

Section 1 reviews the risk management process, considering roles and responsibilities at both the organisational and operational levels. These two levels are further divided into the strategic (senior management), systematic (country, regional or technical department heads) and dynamic (field staff). Staff at each level identify a different range of challenges and threats when analysing risk. Security specialists should provide advice and support at every level. We describe a spectrum of institutional attitudes to risk and argue that an organisation’s ‘risk attitude’ must be harmonised across all its levels in order to manage risk consistently and achieve sustained programme impact.

Section 2 discusses how organisations establish ‘risk thresholds’, and distinguishes two central concepts: ‘proportional risk’ and ‘security thresholds’ (or ‘trigger’ events). We suggest that organisations use elements of both approaches, according to their size, capabilities and experience. We argue that it is essential for an organisation to make its ‘risk attitude’ explicit, and to demonstrate to staff members and other stakeholders how that position has been reached. Whether an organisation states that it will accept or reject a certain residual risk level, problems arise when policy statements do not reflect actual practice. We identify some of the factors that lead to apparent contradictions between policy and practice, such as ‘risk creep’ and differing priorities at various levels.

Section 3 goes on to look at how an organisation’s attitude to risk can be put into practice and managed at all levels. We develop the notion of a spectrum of attitudes to residual risk, but show that this picture is complicated by changing contextual realities, institutional pressures and evolving risk assessment and treatment. We propose that the linear risk assessment steps described by security practitioners should be thought of more as a process of continuous assessment, informed by the organisational risk attitude but responsive to changing situations, protection and humanitarian needs, the success of mitigation measures, etc. While flexibility is valuable, we recommend consistent systems for internal communication and consultation, decision-making, and identifying ‘risk owners’ – those who have responsibility for risk. We suggest that a systematised, well-documented and transparent approach to risk management gives programme and security managers the capacity to act as risk managers, maximising the potential for achieving objectives.

Section 4 concludes with recommendations for examining and improving the risk management process within humanitarian organisations, looking at three areas: a consistent process based on a shared understanding of risk; a coherent risk attitude framework, which includes statements of risk attitude and details of risk owners and responsibility; and methodologies to facilitate integrated risk management.

1 Introduction

This study focuses on the process of accepting and rejecting risk within humanitarian agencies. It documents how agencies express or define their attitude to risk, surveys challenges in managing this ‘risk attitude’ and ‘thresholds’ of risk, and considers frameworks and processes which increase the integration of operational and organisational priorities and risk judgements. We have incorporated insights from other sectors as well as international standards in risk management.

Why do we discuss ‘risk’ as opposed to ‘security’? The majority of humanitarian organisations working in insecure or violent environments appoint staff to deal with ‘security’. Security management is often seen as an operational consideration, concerned primarily with activities in the field. However, in recent years organisations have also drawn on findings in the field of risk management, acknowledging that ‘risk’ encompasses not only direct threats to staff and operations in insecure environments, but also threats to an organisation’s broader remit, such as loss of reputation, issues of liability, etc. Therefore, ‘what is at risk’ for an organisation in any given situation is a complex mixture of factors both internal and external. Operational security management is treated here as one component of organisational risk management.

Aid agencies have made significant progress in recent years in professionalising both operational security and strategic risk management. This includes the provision of adequate training for staff, at headquarters and in the field, and the formalisation of risk management processes. We draw in this study on policies and guideline documents written for these purposes. However, it is clear that there is now a pressing need to implement risk management frameworks, and to harmonise a professional humanitarian security apparatus with programme and organisational systems and imperatives.

We address this process of harmonisation from both operational and organisational perspectives. In order to manage both single threats and cumulative risk consistently, a sense of ‘what is at risk’, not only for field staff and for programmes but for the organisation as a whole, must be internalised at every level. We do not propose to examine the process by which individual members of staff become aware of the risks they are exposed to through their work and consciously accept a certain risk exposure. Agencies are responsible for ensuring that individuals reflect on their own ‘risk attitude’ when, for example, accepting field assignments in high risk environments. An organisational process for exposing the current risk level, and communicating the organisational risk attitude, is necessary to foster ‘informed consent’ by staff. Although we do not address it in detail, this process does warrant specific consideration in organisational policies and planning.

A key concept in understanding how organisations implement their policies and stated attitude towards risk is the notion of ‘thresholds’. A risk threshold is defined by a particular organisation, according to the nature of its work and the specific context. As we show in Section 2, the way that thresholds are used also varies – in some cases, the crossing of a threshold will trigger withdrawal from the field of operations, in other cases it will lead to a reassessment of the situation. We consider risk thresholds as dynamic components of a ‘risk acceptance’ process which should be embedded in organisational risk management structures. Consistency and transparency in operational risk assessment is therefore tied to organisational structures for communication, consultation, decision-making and accountability. In line with the ISO 31000, Risk Management – Principles and guidelines, we argue that risk assessments should consider both external (context-related) and internal (capacity, resources) factors, in order to integrate risk attitudes and thresholds at the operational and the organisational levels (ISO 2009).


Anecdotal evidence suggests that international and national aid workers with a security remit can feel disconnected from the programme assessments conducted by senior management teams, which are based on cumulative risk, resources and institutional factors. The emphasis decision-makers now give to security concerns is reflected in the marked increase in full-time security positions within NGOs, as well as deeper responsibility for security within the programme management line. However, the most significant challenge lies in promoting coherence between operational and organisational priorities, rather than simply strengthening technical expertise. Since each component of the humanitarian risk management process must reflect an agency’s stated risk attitude, it must be entirely transparent how this attitude is formed, with a clear recognition of all the contributing factors, including institutional pressures such as funding and reputation.

Two key elements – robust monitoring and evaluation, and clear leadership – can promote coherence between the operational and organisational level. They make it easier for senior management to assess the experience of operations in diverse environments objectively, and for field staff to recognise institutional interests and pressures. This is important because, as the examples here show, without effective leadership it can be difficult to establish common ground when operational logic meets long-term programme and organisational priorities.

The process of defining, establishing and acting on a ‘risk attitude’ is at the core of risk management within humanitarian operating environments. As we hope to demonstrate through this study, a systematised approach:

• capacitates humanitarian agencies to prepare for uncertainty as well as predictable events,

• enables programme and security managers to act as risk managers, and ultimately,

• facilitates sustained humanitarian access and impact.

Our research suggests that the humanitarian sector would benefit from maintaining an expanded evidence base containing case studies of risk management in practice. In many examples, increased or prolonged humanitarian access and programmatic impact can be directly attributed to good security and risk management, while less successful cases also provide opportunities for learning. An evidence base of this type could inform comprehensive studies of the design and function of humanitarian risk management systems.

1.1 Background to this study

European Interagency Security Forum (EISF) members are committed to improving the safety and security of relief operations and staff in a way that allows greater access to and positive impact on crisis-affected populations. In this spirit, discussions were held at EISF fora in September 2009 and February 2010 on defining and managing thresholds of risk within humanitarian agencies. The discussions, each involving around 30 people who act as Security Focal Points for humanitarian organisations, suggested that there was a need for a study documenting the various approaches taken, and linking these to wider debates within the humanitarian risk sector about the concepts of risk, risk assessment and risk acceptance.

This study focuses on the risk management process within humanitarian agencies. The objectives are:

• To support humanitarian risk management by documenting how agencies with varying operating models express or define their attitude to risk.

• To survey the challenges encountered when setting and working with ‘thresholds’ of risk, through insight from cases of security risk management.

• To describe the process of determining and implementing organisational risk acceptance or rejection, particularly the role of senior management.

• To consider appropriate methodologies and processes for risk attitude implementation, and for integrating operational and organisational risk assessment mechanisms. In doing this, to incorporate insights from other sectors as well as international standards in risk management.

The report draws on 23 semi-structured interviews with practising and former security practitioners and the internal documents they provided as examples, as well as group discussions held at fora staged by EISF, the Security Management Initiative (SMI), and other humanitarian platforms. As internal documents are quoted only to illustrate various attitudes to risk and not to comment on the positions of the organisations that produced them, quotations are not attributed. Similarly, the names of those involved in the case studies have been removed. We have drawn on risk management principles introduced by the International Standards Organisation (ISO) as well as documents from relevant organisations outside the humanitarian field, such as the UK Fire and Rescue Service.

1.2 The risk management process

Security management for humanitarian action is a specialised field which involves managing risk at the levels of both operations and organisation. In describing the management of ‘risk thresholds’ by security practitioners, we can draw on insights from other sectors in order to illustrate how security management fits into wider risk management processes and levels.

Paul Hopkin describes the risk management process as having three elements: architecture, strategy and protocols. The table below appears in Hopkin 2010 (Chapter 6 – Risk Management Standards).

Risk Management Process

Risk Architecture: Risk architecture specifies the roles, responsibilities, communication and risk reporting structure

Risk Strategy: Risk strategy, appetite, attitudes and philosophy are defined in the Risk Management Policy

Risk Protocols: Risk Protocols are presented in the form of the risk guidelines for the organisation and include the rules and procedures, as well as specifying the risk management methodologies, tools and techniques that should be used

Security management architecture and strategy cannot be determined solely by security advisers or programme staff with responsibility for security, since they depend on wider organisational structures and capacity. Ultimately, security management is determined by organisational values and missions and therefore requires the engagement and commitment of senior managers, CEOs and trustees. Programme staff and security specialists have developed, tested and implemented a wide range of tools and protocols to support the safety and security of aid workers at the operational level, but the areas of risk architecture and risk strategy appear to be less well developed.

How do these three areas of risk management relate to organisational structure? Responsibilities are commonly divided into three levels: the organisational, departmental, and field levels. Staff at the organisational level are responsible for strategy, and staff at the departmental level for systems, while staff at the field level must make dynamic decisions on a day to day basis, and face particular challenges in the course of emergencies, and in insecure environments. Security specialists should support and advise at all three levels.

Within humanitarian agencies, departmental and field levels are often grouped together and referred to as the ‘operational’ level. The table below (adapted from the UK Fire and Rescue Service Risk Assessment System) shows levels of risk management within humanitarian organisations, and the people involved in managing risk at each of these levels.

Levels of risk management

Organisational level, Strategic: Executive Board and Senior Management promote safety and security, provide resources and demonstrate commitment

Operational level, Systematic: Country, Region or Technical Department Heads identify threats and vulnerabilities, introduce policies and procedures, and mitigate risks

Operational level, Dynamic: Field Staff assess risk dynamically and implement mitigation measures to reduce project-specific risks

Security Specialists provide advice and support at every level

Note: A revised edition of Van Brabant’s 2000 report, Good Practice Review 8, Operational Security Management in Violent Environments, is due to be published in Autumn 2010, and considers whether the broader conceptualisations of risk and risk assessment emerging within the humanitarian sector are captured by methodologies and tools currently available to security practitioners. We do not consider technical tools in detail, but refer to particular tools as components of the methodologies and processes adopted by humanitarian agencies in determining and acting on their risk attitude.


At the field (or dynamic) level

Field staff assess risk dynamically and implement mitigation measures to reduce project-specific risks. They are usually trained to weigh operational risks against the significance and urgency of a mission, and its potential for success, as illustrated below.

In a sense, it is relatively easy to experience and reconcile conflicting risks and benefits from within the context of the field, where it is possible to view threats in isolation. The analysis is made in response to concrete questions such as, ‘Which road can we use today?’ and ‘Is it safe to conduct an assessment in village X?’ Perhaps the most significant challenge lies in linking these ‘calculations’ to strategic decision-making (see below).

At the departmental (or systematic) level

Country, Region or Technical department heads identify threats and vulnerabilities (along with field staff), introduce policies and procedures, and support the risk management process. Positioned between field staff and senior management, they have a significant role to play in communicating the organisational risk management strategy downwards and ensuring that senior management are aware of, and act on, lessons learnt at project level. They also advise senior management in deciding which risks to take.

At the organisational (or strategic) level

Paradoxically, an organisation’s attitude to risk may not be as clear cut at the organisational level as it is in the field. Operational risks and benefits will be viewed cumulatively, and necessarily through the lens of strategic values and interests (ranging from mission goals to funding and reputational pressures). This will be balanced against the organisation’s overall capacity to manage risk in order to achieve its strategic objectives. This complex balance of internal and external factors is illustrated below.

Whilst specific decisions at this level have much wider implications than decisions at the field level, decision-making is based on less tangible measures and indicators. Hence it is difficult to ‘feel the experience’ when asking questions such as, ‘Should we work in the Somali Region of Ethiopia, or in Chechnya?’ or ‘What proportion of organisational resources should we direct towards high risk environments, where we will reach less people but protection and humanitarian needs may be more urgent?’

Our research suggests that in order to evaluate the risk management process in humanitarian organisations, it is vital to understand organisational structures and operating contexts. A comprehensive study of the various humanitarian risk management structures, and their relation to practice in particular contexts, is yet to be undertaken.

Figure: The dynamic level (elements shown: protection, humanitarian needs and impact; operational risks)

Figure: The strategic level (elements shown: cumulative risk; protection, humanitarian needs and impact; capacity to manage residual risk; organisational values and interests)

1.3 ‘Risk attitude’ in the risk management process

Aid agencies operating in high-risk environments such as Afghanistan or Chad are confronted daily with the problem of balancing the humanitarian impact of their programmes with their duty of care to employees and associates. The security policies and training materials produced by these agencies are today more explicit about the risks faced in the course of humanitarian programming than they have been in the past, setting out both individual and organisational responsibilities and liability. This change is a consequence of professionalisation within the humanitarian sector as much as heightened risk, and shows an increased willingness on the part of organisations to make their ‘risk attitude’ explicit.

The attitude an organisation adopts towards risk, or its ‘risk attitude’, has many elements. The ISO’s generic principles and guidelines on risk, which are not sector-specific, define ‘risk attitude’ as an organisation’s ‘approach’ to risk, demonstrated in the way it will ‘assess and eventually pursue, retain, take or turn away from risk’ (ISO 2009:2).

Different organisations can be placed along a spectrum according to the institutional attitudes they hold in regard to risk (their ‘risk attitude’). At one end of the spectrum are the agencies which do not consider that their activities warrant staff casualties, while at the other end are the agencies which follow UNHCR (the UN Refugee Agency) in explicitly recognising the risk of serious harm and even death, arguing that the humanitarian role and imperative renders this a ‘practical probability’:

Given the danger in the environment in which UNHCR must operate if it is to protect and assist refugees, it is inevitable that staff members will be hurt and killed. It has happened in the past and it will happen again. (UNHCR, 2004: 12).

A security practitioner working for an NGO provided EISF with an example of how security policy has evolved in recent years. The organisational policy had previously read: ‘We do not accept death and serious injury’. The document released in October 2008 reads:

The provision of humanitarian assistance inherently involves exposure to insecurity and risk of violence. This means that our work may entail the risk of physical and mental violence to our staff including the risk of injury, rape, abduction and death…1

Even after steps have been taken to mitigate risk, ‘residual’ (or ‘current’) risk remains in all operating contexts. Gassmann suggested in 2005 that there had been a contradiction within some organisations between the view that (residual) risk is unavoidable in the course of achieving humanitarian goals, and the assertion that staff safety came first (Gassmann 2005:3). The way an organisation manages residual risk depends heavily on organisational mission, culture, structure and capacity, as well as the level of acceptance of risk by staff. An organisation’s attitude to risk should therefore be clearly articulated to members of staff, so that individuals can understand and agree to the level of risk they run.

While some organisations have become more explicit about risk at the level of policy, risk assessment and decision-making are dynamic processes, involving both individual and organisational attitudes and needs. Staff in organisations with a lower capacity to manage residual risk may be expected to accept higher levels of risk, while certain categories of staff may be more exposed to risk due to their backgrounds, identities or activities, or as a result of remote management frameworks. For this reason, organisational policies should emerge from a broad consultation process, and all staff (and dependents) should be informed of the outcomes of country- or project-specific analysis of risks and corresponding mitigation strategies.

In many contexts, aid agencies and workers have faced difficulties in analysing and reacting to risk objectively, and in a way that is consistent with the organisation’s stated risk attitude. For example, according to Carle and Chkam, some humanitarian agencies operating in Iraq in 2003 failed ‘to foresee or to honestly acknowledge the rapid deterioration in the security environment’, which led to ‘a failure to respond to the changes in the humanitarian operational environment’. Carle and Chkam identify the factors involved in these failures as including inadequate methodologies for contextual and situational analysis, an unjustified conviction (in some cases) that the humanitarian mandate outweighed the risks involved, and financial imperatives to enter into contracts (Carle and Chkam 2006:iv).

1 Note that this statement is made with the proviso that the organisation will do everything in its power to prevent the occurrence of such incidents.

Page 10: Risk Thresholds in Humanitarian Assistancereliefweb.int/sites/reliefweb.int/files/resources/... · Risk Thresholds in Humanitarian Assistance ... role for security management in international

Risk Strategy

Risk Attitude

A non-governmental organisation’s mission, togetherwith objectively measured programme impact,determines its baseline priorities and overall riskattitude. Whether the institutional attitude tends towards‘residual risk-management’ or ‘residual risk-avoidance’,if it is well thought-out and the product of inclusive,ongoing consultation, attitudes should converge atoperational and organisational levels, resulting in aconsistent yet flexible decision-making process. If,however, attitudes do not converge, and those staff whohold the security remit lack the methodologies thatwould allow them to evaluate and compare risks withinthe broad context of strategic objectives, then actionstaken at the organisational level may appearinconsistent.

EISF’s conception of a consistent organisational decision-making process is illustrated in the figure ‘Risk Attitude in Practice: the organisational decision-making process’. After conducting objective needs assessments, decision-makers consider the four aspects of humanitarian impact, risk levels, risk management capacity and strategic considerations, against the determined level of need. They then use the organisational risk strategy (which articulates the overall risk attitude and absolute thresholds of risk) as a framework for decisions based on the aspects described above. Decisions about whether to carry particular risks are documented, communicated to all concerned, and implemented in line with the responsibilities laid out in the organisational risk management policy and plans. The cycle is repeated as appropriate, in response to continuous monitoring and evaluation of each component of the decision-making process.

Establishing the risk attitude and managing risk acceptance is complex at every organisational level. Institutional interests and pressures, including organisational reputation, market share, financial opportunity and media exposure, affect both dynamic and strategic decision-making, and must be acknowledged as part of the risk management process.

Differences in immediate objectives and concerns – together with varying degrees of institutional pressure, distance, and poor communication – can engender disconnect between the dynamic and the strategic levels. A risk attitude that is clearly stated and consistently understood right across the organisation allows for the management of both single threats and cumulative risk, and helps to achieve sustained humanitarian access and impact. The next sections look at how this is done.


Figure: Risk Attitude in Practice: the organisational decision-making process. Elements shown: Protection and humanitarian needs; 1. Impact assessment; 2. Operational and organisational risks; 3. Capability to manage current risk level; 4. Organisational values and interests; Decision-making; Absolute Risk Thresholds; Documentation; Communication; Implementation.


Many humanitarian agencies freely admit that, while context and risk assessment frameworks are in place, understanding of their own internal workings, and of ‘thresholds’ of risk, is incomplete. Processes of risk assessment are often thoroughly documented but the process of accepting residual risk remains fluid, context- and personality-driven and lacking in documentary support. Organisational risk attitude is implied rather than stated in security management policies, and adopting the appropriate attitude is widely considered to be intuitive, driven by ‘case by case’ decisions taken at management level in field, regional or head offices.

As we argue in this paper, the dynamic process of assessing and accepting risk must be supported by a definitive statement of an organisation’s approach to balancing humanitarian need and impact with staff safety, i.e. a statement of what we call the ‘organisational risk attitude’. In practice, clear statements are often lacking, and where they do exist, they may be obscured by institutional pressure to operate under conditions that are not supported by the stated risk attitude (see Section 3 – Managing organisational risk acceptance).

2.1. Risk thresholds

A key concept in the risk management process is the ‘threshold of acceptable risk’. Van Brabant describes a ‘threshold of acceptable risk’ which is crossed ‘when security measures are unable to sufficiently mitigate the risk or the likelihood of an event to permit the continuation of work’ (Van Brabant 2000, cited in Rowley et al., 2010, where the same terminology is used). This definition holds today, to an extent. However, in line with current risk management theory and practice, we prefer to say that a ‘threshold’ is reached when, after the implementation of mitigation measures, the residual risk is not supported by an organisation’s stated risk attitude.

An NGO Security Guidance Review conducted by Rowley, Burns and Burnham in 2009 gathered and analysed security documents from twenty NGOs from America, Europe and Japan. The authors found that all the documents subscribed to Van Brabant’s definition of the threshold of acceptable risk, but that in practice the point at which agencies stop accepting risk varies widely. Although the term ‘risk attitude’ is not used in the NGO security documents reviewed by Rowley et al., the authors’ findings are useful in interrogating risk attitude as it is conceptualised in this study. Drawing on their work, we distinguish two approaches: ‘proportional risk’ and ‘security threshold’.

Proportional risk

Management approaches based on ‘proportional risk’ are characterised by ongoing risk assessments, in which threats to staff, programmes and organisations (and capacity to mitigate both threats and vulnerabilities) are weighed against the capacity of project offices or organisations to meet the needs of beneficiaries. Even if the term ‘proportional risk’ is not used, most agencies assert that the benefits of programme activities should consistently outweigh the level of risk to staff or to the organisation. An internal document produced by one organisation illustrates this ‘balancing priorities’ approach: ‘When working in tense operational situations that are difficult to interpret, markedly unpredictable and highly volatile, the organisation constantly assesses the limit beyond which direct, material action will cease to be possible.’


2. Establishing risk thresholds and risk attitude


Security threshold

The ‘security threshold’ approach rests on the occurrence of specific security-related events which prompt changes in security measures. These are sometimes referred to as ‘trigger’ or ‘benchmark’ events. The indicators of security thresholds usually relate to direct threats and/or shrinking operational capacity or space. The identification of these factors in the field can lead to programme suspension or withdrawal. This model therefore reflects an organisational risk attitude which responds to direct threats and specific incidents.

A direct attack (or credible threat of attack) on people or buildings, with motives clearly linked to what the agency represents, is fairly consistently seen as an upper ‘threshold’ of risk. For example, one organisation which had not previously possessed an organisation-wide statement of its parameters of risk drafted a statement on risk attitude following a serious security incident involving national and international staff in Afghanistan. Similarly, the death of staff working in the field may not make an organisation change the way it operates, but will certainly prompt internal reflection on risk management.

While the most serious incidents demand attention, indicators which are apparently less serious also need to be examined carefully. Moreover, as suggested in section 1.2, the viewpoint on risk changes depending on the level at which it is analysed, whether operational or organisational. Thus at the operational level, staff might look at a threshold indicator such as the number of car-jacking incidents on a specific road within a particular timeframe, while at the organisational level, risk threshold indicators might include the accumulated loss of assets, and the availability of unmarked funds to replace them.

Dynamic risk assessment

It is important to remember that the majority of agencies do not elaborate on ‘proportional risk’ and ‘security threshold’ in their policies and guidelines. However, these notions form the underlying basis of much decision-making. In the course of this study we found that security thresholds are not commonly referred to as the basis of risk management, since for the majority of agencies operating in high risk environments, the notion of thresholds forms part of the proportional risk management approach: on identifying a direct threat, additional mitigation measures are instigated; re-evaluation of the residual risk level follows, with a firm decision on whether to continue operating. Other agencies see the security threshold as the last step in the proportional risk approach. The process is the same, but withdrawal does not take place until after an incident occurs. This integration of the two notions of proportional risk and security threshold illustrates further the dynamic nature of risk management within humanitarian agencies.

‘Last resort’ options

In the most insecure environments, where agencies operate under severe resource and capacity constraints – sometimes with limited knowledge of complex and constantly changing environments – notions and terminology can be vaguer. Carle and Chkam describe how in their research on operationality in Iraq, they found some NGOs referring to the ‘last resort option’ as a substitute for a defined risk threshold.² In agencies experiencing very rapid staff turnover, no parameters existed at all: security managers would ‘keep the mission going as they found it’ (Carle and Chkam 2006:16). Security planning had been abandoned in the face of too many threats. When asked about their provisions for security, staff working for local NGOs would answer that insecurity was a feature of their daily environment regardless of which sector they worked in. Where security planning was in evidence, it focussed on threats that were perceived to be most likely or most severe, for example kidnapping. Methodological bias towards known threats, rather than threats that we neither know nor understand (and hence cannot mitigate), is a commonly noted weakness of risk management within the humanitarian agencies, although not unique to the sector.

2 The ‘last resort option’ is described by Carle and Chkam as when: a staff member is killed or seriously injured; a staff member of a local partner NGO is killed or seriously wounded in direct connection to their work with the international NGO partner; or, for international NGOs operating in a ‘clandestine approach’, when someone finds out that one of their staff works for a foreign organisation.


Common language for assessing risk

Programme and security managers often operate on a narrow, technical conceptualisation of risk which doesn’t account for the multitude of factors which determine an organisational risk attitude. In their NGO Security Guidance Review, Rowley et al. emphasise the need for a common language and framework for determining risks. They highlight the benefits of enhanced security management coordination: in-depth contextual understanding, shared resource costs, and the potential for a more timely and regular security assessment process. Further progress towards coordination or standardisation of risk terminology could be achieved by using existing notions and definitions more consistently within the humanitarian sector, and incorporating advances in risk management terminology and guidelines at the international level. For example, the definitions given by the International Standards Organisation are in many cases relevant to humanitarian agencies.

2.2. Organisational risk attitude

Risk assessment and acceptance processes within humanitarian agencies should be preceded by the definition of an appropriate risk attitude. Due to the nature of their work, many humanitarian agencies tolerate a high level of residual risk. Yet organisational stances and, in turn, their methods of instilling an organisational risk attitude, are not always clear. Participants in this study recognised that it is difficult in some cases to maintain a consistent link between security assessments and decisions about how much and what types of risk are acceptable. We argue that such assessments and decisions should always reflect the organisational risk attitude and risk management strategy.

Risk seen as a ‘practical probability’

Echoing UNHCR (see section 1.3), a security management policy produced by one agency states that it is ‘inevitable’ that its work ‘will expose staff to greater personal risk’. It continues,

Our approach to managing security is one of risk management rather than risk aversion. We need a good understanding of our working environment and good security management processes to help us decide whether the risks are tolerable and manageable.

In an increasingly globalised risk environment, humanitarian agencies are compelled to clarify their statements on risk acceptance and set out priorities in terms of the balance between staff security and programme impact. Within many agencies there may be tension between the two. According to Pierre Gassmann, ‘almost all’ agencies say that ‘no humanitarian act is worth the death of a single aid worker’ (Gassmann 2005:3). However, in practice, in the environments in which these agencies operate, staff are exposed to high levels of risk (up to and including death). The agencies’ blanket statements do not fit this reality, nor do they recognise the fact that organisations choose to operate in dangerous areas when they feel that sufficient capacity to mitigate risk exists at the local level. Even if organisational policies assert that death or serious injury to staff is unacceptable³, and that they will do everything in their power to prevent this, the same organisations often proceed with programming in full knowledge that death or serious injury is a possibility. Conscious decisions to continue programming are usually based on the nature of programmes being implemented and the capacity in context.

In a climate in which risk is recognised as a ‘practical probability’, humanitarian agencies describe themselves as ‘risk managers’ rather than ‘risk avoiders’. They expose their staff to greater than average personal risk on the premise that the organisation possesses a good understanding of the local and international context, and has sound risk management processes in place to support decisions to accept or reject particular risks.

The operational environment in Pakistan provides a good example of these considerations. Humanitarian agencies working in Pakistan acknowledge that targeted attacks are part of the environment, and that they will continue, despite the strong emphasis on developing mitigation measures to counter specific vulnerabilities. The motive for the majority of attacks on agencies in Pakistan may be found within the operational context itself: agencies are perceived as ‘western-aligned’, particularly if they receive funding from institutional donors, and it is difficult to change this perception. If this is indeed the main motive for attacks, all agencies share a similar level of risk, no matter how neutral their profile or programmes. As in any similar context, senior management teams must feel comfortable with the level of residual risk, make it explicit to staff, and plan accordingly. What distinguishes organisations is the nature and extent of their risk mitigation measures (which should include influencing staff behaviour), and their capability to manage residual risk.


3 Following the UK Health and Safety Executive, humanitarian organisations might define ‘unnecessary’ incidents as those which occur when the risk of such an incident is not judged to be ALARP, i.e. ‘as low as reasonably practicable’. An introduction to this concept can be found at http://www.hse.gov.uk/risk/theory/alarpglance.htm [accessed 6 June 2010].


A member of staff with responsibility for security described how community liaison and risk analysis form the pillars of one organisation’s operating mode in areas of northern Pakistan. Security, context and programme assessments are combined, and complex strategies for gaining acceptance are related both to the organisation’s ‘political’ interaction within the context – i.e. its external communications strategy, including explaining actions in ways that will be acceptable to different types of external stakeholders – and the capacity and effectiveness of staff deployed on the ground. Staff safety is the first priority, but a balanced approach is followed in which programme staff constantly seek enablers (such as community outreach, or new information on the credibility of threats) for continuing, expanding, or re-starting operations.

Allowing risk to ‘creep’

In some cases, rather than consciously accepting a certain level of residual risk, staff and organisations experience ‘risk creep’. At the time of writing, agencies operating in Chad, the Central African Republic and Darfur appear to tolerate an extremely high risk of armed robbery, kidnapping and carjacking, though the formal frameworks for doing so are unclear, and the risks run by staff may exceed previously agreed limits. One security practitioner interviewed for this study suggested that pre-defined trigger events are not treated as absolutes: ‘quite often when the threshold is reached, Security Focal Points are quick to offer explanations with a view to shifting [the] goal posts.’ Clearly, adaptation is necessary within dynamic contexts, yet the example given above raises difficult questions of whether the process is conscious and consistent, and how risk attitude is communicated to various stakeholders.

This ‘creeping’ extension of the level of risk endured is related to the process Van Brabant calls ‘danger habituation’ (Van Brabant 2000:51). When international staff live for extended periods of time in unstable or dangerous areas, they may start to see their situation as ‘normal’, for both psychological and practical reasons. In contrast, complacency on the part of national staff may stem from a feeling that they will be exposed to a high level of risk in whichever sector they work. Economic reasons – such as the desire to cling on to a job in areas where employment opportunities are scarce – and lack of experience may also be factors in the acceptance of increasingly high levels of personal and programme risk. Yet accepting more risk may also be a conscious decision based on a recognition of the ‘practical probability’ of security incidents. A Country Security Management Plan provided by a security practitioner makes this explicit: ‘The work of a humanitarian organisation in the field inevitably involves a certain level of risk to staff safety’. The document immediately goes on to state that the agency’s purpose is to provide a particular service ‘…and to save lives.’

Viewing risk through different lenses

The lens through which risk is viewed affects the attitude adopted by an organisation, whether implicitly or explicitly stated. We earlier distinguished between the different levels at which decisions about risk are taken (section 1.2). Two contrasting definitions of NGO security are provided in the Policy Guide and Template for Safety and Security produced by People in Aid (2008:6):

Operational: ‘NGO security is achieved when all staff are safe, and perceive themselves as being safe, relative to an assessment of the risks to staff and the organisation in a particular location.’

Organisational: ‘NGO security is achieved when organisational assets are safe and when the organisational name and reputation are maintained with a high degree of integrity.’

These two quotations suggest the different aspects of security which come into focus according to the lens used.


Conclusions on establishing risk thresholds and risk attitude

We have defined the risk ‘threshold’ as being reached when, following the implementation of mitigation measures, the current/residual risk is not supported by the organisational risk attitude (based on humanitarian needs, programmatic impact and risk management capacity). For humanitarian agencies, direct attack or credible threat of attack represents a fairly universal security threshold, but lower-level risks are more often evaluated on the basis of proportional risk assessment.

Immediate objectives and concerns vary between the operational and organisational levels, and small and large agencies alike face challenges in maintaining a consistent link between operational risk assessments and decisions taken at the organisational level. The phenomenon of ‘risk creep’ illustrates the difficulty in balancing necessary adaptation at the dynamic level with consistent and transparent institutional processes.

Our interviews suggest that agencies with low resources, or minimal attention to risk management, tend to lack a structured and consistent approach to risk management. Instead, they emphasise programme impact, capacity to manage current/residual risk, and contextual understanding. The next section explores the challenges faced by aid agencies when developing these core elements of humanitarian risk attitude into a risk acceptance process.


This section outlines the principal components of the risk acceptance process within humanitarian agencies. We present examples of successful implementation alongside cases where challenges have been encountered. We aim to demonstrate that where consistent processes are in place, good security and risk management can enable increased humanitarian access and impact, even in the most high-risk environments.

Rigid frameworks for risk assessment and decision-making do not necessarily suit dynamic operating environments. The process of establishing and acting on risk attitude, which is described by Van Brabant in a chapter entitled ‘Operationalising Your Mandate’ (Van Brabant 2000:22), is therefore not readily defined. Humanitarian agencies work in complex external environments; their internal environments comprise a multitude of structures, values and interests; and judgement of risk depends heavily on mission, programme output and capacity in context. Risk acceptance management has therefore evolved as a dynamic and informal process, driven by strategic organisational interests as well as the knowledge and experience of senior programme management.

Earlier, we defined a spectrum of organisational risk attitudes, from those agencies which do not consider that their activities warrant staff casualties, to those which consider that serious harm and even death should be considered a ‘practical probability’ (section 1.3). An agency’s position on the spectrum of risk attitude also partly determines its approach to managing risk, whether it chooses to be ‘risk-avoiding’ or ‘risk-managing’. It should be pointed out that in both cases it is ‘residual risk’ that is under discussion – that which remains after mitigation measures have been taken.

Residual risk-avoiding agencies primarily emphasise the organisational duty of care to staff, which translates into ‘staff safety comes first’. Developmental agencies – and some multi-mandate agencies – aim to decouple staff safety and humanitarian impact completely. A 2009 internal discussion paper from one such agency, which deals with issues surrounding the closing and re-opening of programmes from a security perspective, asserts that the agency ‘should never compromise security for programmatic gain – security should be viewed as a separate issue to be considered first’. As in other agencies, this view is reflected in a clear process of withdrawal from insecure areas based on continuous assessment of the context, reaction to the presence of specific risk indicators, and the routine rejection of particular mitigation measures such as armed protection.

Residual risk-managing agencies (especially those with life-saving missions) tolerate a high level of residual risk, emphasising programme criticality, capacity to implement, and (objectively measured) impact. In the operational context, this translates into a practitioner being empowered to make an informed judgement after carrying out a technical risk assessment process. This judgement should be embedded in the organisational risk attitude and risk management strategy. Whilst staff safety is considered to be paramount, there are few absolute ‘thresholds’ of risk, aside from the threat of direct and targeted attack. The emphasis is on organisational responsibility for effective risk management processes, together with explicit recognition of residual risk, and communication of this to staff through ongoing training and awareness programmes.

3. Managing organisational risk acceptance


In practice, an agency’s place on the spectrum between risk-managing and risk-avoiding is determined not only by its organisational risk attitude, but by changing contextual realities and evolving stages of risk assessment and treatment. Moreover, even ‘risk-avoiding’ agencies sometimes suffer from institutional pressure to operate in environments in which staff safety is compromised, including (post-)conflict areas. Pressure may be related to the ‘humanitarian imperative’, to reputation, or to funding. Some developmental organisations are drawn into operating in complex environments such as Afghanistan, contrary to their risk attitude, since the sheer volume of institutional funding available contributes to their survival as an organisation. This discrepancy between organisational risk attitude and operational reality is often managed by ‘risk transfer’ to national staff and local partners, although this process in itself raises practical and ethical questions.

3.1 Programme, context and risk assessment

Informed judgement of risk at the operational level rests upon continuous monitoring and evaluation of factors relating to programme, context and risk, within the framework of the organisational risk management process. Security practitioners typically describe the basic technical steps for evaluating risk as follows: assessing external hazards and threats; assessing internal and external vulnerabilities; drawing up a matrix to illustrate impact and likelihood for various threats; implementing the necessary mitigation measures; assessing the level of residual risk; and finally defining the threshold of acceptable risk (leading to the ‘Go’/‘No go’ decision).

Below, we have expanded these basic technical steps into a flowchart which places greater emphasis on the circular, repeated nature of the evaluation: the assessment stages are followed by implementation of strategies for risk mitigation and maximising organisational impact, leading to decisions on whether to accept risk at all organisational levels.

Flowchart: programme, context and risk assessment. Boxes shown: Programme assessment including the relationship between programme goals and organisational risk attitude; Context analysis and needs assessment; Threat and vulnerability assessment; Programme goals and impact; Risk analysis and current risk level; Implement mitigation measures to reduce risk, whilst strengthening programme impact; Evaluate current/residual risk level and risk management capacity; Check organisational risk attitude against current/residual risk level and risk management capacity; NO GO if impact is low or current risk too high; Adjust strategy to strengthen programme impact and/or organisational resilience; GO if impact justifies exposure to current risk.


The flowchart illustrates a process in which operational and organisational risk attitude – and parameters of risk where appropriate – are established and ingrained during the earliest stages of project planning.

A clearly defined organisational process directed one agency’s preparations in anticipation of its expulsion from Sudan. A number of triggers – such as government statements resulting in particular actions by the agency – had been established. A Security Advisor was in place, responsibilities were defined, analysis and decision-making was documented. When the triggers were observed, the planned actions were implemented and a process of gradual withdrawal from Sudan was enacted between January and March. The expulsion was formally announced by the government on the 5th of March 2009. By this time, the organisation had reduced its risk exposure by operating with a skeleton staff of just three members who were maintaining significantly reduced programmes.

The case above shows an agency with a strong emphasis on constant preparedness, awareness and prevention. Its country programmes come together during the proposal writing stage to weigh contextual factors in a given area against the level of staffing, equipment needed, etc., aiming to map out what can realistically be achieved and devise objectives accordingly.

This approach can be used by both risk-avoiding and risk-managing agencies to ensure that risk parameters are considered from the start. Subsequently, risk can be accepted or rejected with a clear justification. However, the use of defined parameters must allow for responsiveness to mutating internal and external environments. A more flexible approach may allow the organisational risk attitude to influence programme planning and implementation, and link dynamic threat assessments with broader risk management priorities, which relate to organisational resilience as well as humanitarian access and impact.

3.2. Systematic and proportional judgement of risk

If an agency’s risk attitude is inconsistently defined or applied, or an unanticipated serious security incident occurs, the risk management process may be driven by security threshold-based estimates (see Section 2 – Establishing risk thresholds and risk attitude). Judgements based on incidents that occur within an operating context are relatively ill-defined within risk management documentation. On a short-term basis, ‘gut feeling’ is employed as a measure of the severity of the threat and the level of humanitarian impact, delicately balanced with capacity in the particular project location, and organisational capacity to provide additional support (temporarily or permanently). External influences include the actions of other agencies, UN and government recommendations, potential risk transfer to national staff and partners, and the prospects for returning once a decision has been made to withdraw (see VENRO 2002). Swift, incident-based withdrawals from Pakistan, Afghanistan and the DRC have been described by practitioners in this way. It is not uncommon in complex environments such as the DRC, South Sudan and Somalia for temporary evacuations at project level to be carried out so frequently that they become almost routine.

Interviews conducted for this study suggest that estimates based on parameters of ‘risk’ rather than ‘security’ – i.e. not immediately related to specific security incidents – are more likely to involve a systematised approach. Standard Operating Procedures, long-term contextual engagement and acceptance strategies are central, guided by the organisational risk attitude. Deciding when to implement and when to withdraw is a process of continuous assessment and mitigation, founded on clear definition and communication of the residual risk to all involved. Discussion and documentation of changes in the operating environment has facilitated a return to full programming for agencies that have previously withdrawn from Iraq, the Democratic Republic of Congo (DRC) and Zimbabwe.

The following case of anticipatory, proportional risk-based management in Iraq in 2005 and 2006 shows that aid agencies need to find a balance between the adherence to organisational frameworks or processes and the freedom to adapt objectives in order to fit their mission, management capacity and stated risk attitude.


During Iraq’s transition from government by multinational forces to Iraqi control of national borders and internal security, humanitarian agencies necessarily considered and prepared for new and uncertain operating realities. As in other complex operating environments, analysis was hampered by the limited availability of qualitative and quantitative information. One agency documented a consistent process of re-evaluation of programme outcomes, threats, vulnerability and mitigating factors, based on a six-month assessment cycle. The resulting analysis showed that in general threats and vulnerability were likely to increase, and scope for mitigation was expected to shrink. The Iraq/Kuwait border, for example, was no longer considered a site of easy exit due to hostile relations between the two states. This transparent and consultative approach was used to explain the organisation’s withdrawal from Iraq at the point where the evident humanitarian impact no longer justified the level of vulnerability and low capacity for mitigation. For an organisation that was not engaged in life-saving work, ‘too many high impacts’ were anticipated.

A security assessment conducted by the agency shows the value of explicit statements defining the factors held in balance when decisions are made:

At a point where decisions involving operational planning and the future of programming in Iraq factor in the security threats and our diminishing capacity to mitigate the impact of these threats the time has come to clearly establish the threshold of acceptable risk when measured against the programmatic outcomes.

Significantly, in this case, awareness was shown from the beginning of the withdrawal that there could be no return to programming without structured identification of changes in the environment that would allow operations to resume. Where provisions for returning are considered from the start of an evacuation, and written into the evacuation plan, the process can be fluid and transparent.

In many cases evacuations are effected on the assumption of a return. In the immediate aftermath of the February 2008 violent attack on Plan International’s office in Mansehra, Pakistan, a number of organisations including Concern closed down their operations. Dorothy Blane of Concern asserted that ‘International NGOs are supported by Pakistan’s Earthquake Relief and Rehabilitation Authority (ERRA) and they will back us. We will definitely re-open.’ (IRIN News, 2008) The assumption that the organisation will return must, however, be backed up by ongoing documentation of changes in the operating environment, linked to consultative decision taking. In most cases, factors such as humanitarian need, the level of contextual understanding, and risk management capacity will need to be evaluated alongside organisational or external interests. The International Federation of Red Cross and Red Crescent Societies (IFRC)’s Stay Safe manual warns agencies:

Remember! The decision about when to return is difficult as everybody (delegates, National Society, donors, media, etc.) is usually pushing and trying to bring about a speedy return. Make sure you are certain of the security situation and do not let anything or anyone else influence you. (IFRC 2007:41)

Interviews conducted for this study also confirmed that all components of the risk acceptance process vary by mission phase, programme activity and shifting humanitarian impact, and are necessarily informal at certain points. During initial needs assessments, for example, immediate programme impact is zero or minimal, capacity is low, contextual understanding and negotiated access is weak. Risk assessment methodologies cannot be fully employed at this stage, although a basic level of awareness is essential. As ever, a known threat of death remains the absolute risk threshold. A heightened residual risk level exists in this situation, hence needs assessments will normally be conducted by experienced staff.


3.3. Dynamics of decision-making

Decision-making varies widely according to organisational structure, operating context and phase of operation. Broad consultation and commitment from every level of an organisation is normally required. Decisions must be ‘internally consultative and externally advised to ensure … objectives are met’ (People in Aid 2008:9). However, the degree of consultation and representation sought will be higher in routine risk assessments than during crises, and in both cases decisions should be led firmly by senior management, with the backing of organisational governance structures. In all cases a ‘risk owner’ – i.e. a single person or entity with the accountability and authority to manage a risk (ISO, 2009) – should be clearly identified.

Internal Communication and Consultation

Wide consultation and inclusiveness is important for humanitarian organisations, particularly when returning to a country or project area, or when entering highly insecure environments. Having an effective structure in place, and commitment at all organisational levels, will prepare agencies for uncertainty in a way that pre-defined risk reactions and decisions cannot. Yet provisions for ensuring this are often unclear. Depending on organisational structure and operating mode, communication can be problematic. Relations between country or project bases and headquarters may be hindered by remoteness, misunderstanding of either the local operating context or the larger organisational strategy, and conflicting interests. Two case studies reported by security practitioners interviewed for this study suggest the difficulties that can arise.

Following a period of heightened insecurity, a country office located in the Philippines and managed by national staff came under pressure from Head Office to revert to routine security procedures and to push project activities further into the field. This direction was attributed to funding pressures rather than the humanitarian imperative. The Country Office in question felt that higher security standards were still appropriate due to the political and military situation, together with the organisation’s profile and popular perceptions of the organisation as a rich, Western-driven entity. In this case, a mobile regional security manager mediated between the two loosely connected offices to emphasise the potential harm to staff were sophisticated field operations to be resumed. Since the Country Director’s leverage with senior management was limited, this negotiation process was a vital strategy in avoiding the exposure of project staff to unacceptable levels of risk.

Similar dynamics played out within a country office in Nepal, this time comprising mainly international staff in senior positions. A project office elsewhere in the country reported an incident involving extortion by an armed group, accompanied by the threat of physical harm. The report was viewed with suspicion by management in the country office. The case was not treated as a serious incident because an element of complicity on the part of national staff was suspected. Since this attitude prevented senior management from getting a real insight, a regional security manager was deployed who, following investigation, convinced management of the gravity of the incident and offered support for discussions with the Country Director, devising contingency plans, etc.

The examples above illustrate the importance of making structured provision for consultation within security policies and plans. Such processes should be documented and monitored as rigorously as risk decisions and supporting evidence.


Communicating insights from the field to the office

How can humanitarian organisations ensure that field situational awareness is communicated effectively, and acted upon appropriately?

A response to a serious security incident experienced by an agency operating in a high risk environment illustrates how communication and cooperation might function during a crisis. In this case, a regional security advisor happened to be on the ground and assisted the crisis management and risk assessment process. Additional support was flown in from headquarters to contribute to analysis of the incident. Operations were reduced to a core group of staff, with extremely low profile programming. A lengthy and consultative ‘lessons learnt’ process ensued at all organisational levels, during which an outside consultant was drafted in to assess what needed to be improved in the organisation’s programming (rather than the specifics of the incident itself). Confirmation that the event had resulted neither from a major flaw in security management in the field or at HQ, nor from deliberate targeting, was a significant factor in the organisation’s decision to continue implementing programmes.

Note that in each case mentioned here, the provision of additional support was determined by the competency of staff members rather than their position within the organisation.

Responsibility and accountability

Minimum Standards regarding Staff Security in Humanitarian Aid, a report produced by VENRO, an umbrella organisation of German development NGOs, argues that security plans should contain definitive statements on the authority of employees to give directions, as well as their responsibility to comply with instructions (VENRO 2003:11). Clarity and confidence about the lines of authority and responsibility (allowing staff to answer questions such as whether it is the view expressed by headquarters or the assessment made by in-country staff which is decisive in cases of possible evacuation) are essential when preparing for uncertainty as well as predictable security incidents.

Although humanitarian organisations function with varying degrees of formalisation, a security policy will normally be framed by senior management, setting out a clear line of authority for security (within the general management line or through a separate security line) and detailing roles at each level. During incident or crisis management, a clear declaration from an authoritative source is necessary to confirm that the ‘threshold’ has been or is about to be crossed. This may originate from headquarter level, locally, or from any level in between, depending on organisational and incidental factors. However, in every case a ‘risk owner’ (see section 3.3) is required at the operational or organisational level. Further, any subsequent assessment and decision to sustain the suspension or to return to programming should have clear ownership at senior management level.

When assigning responsibility for judging security threats, agencies value proximity to the country or project context. One agency described a structure in which security responsibility is decentralised. The decision-making process involves consultation at all organisational levels, but is driven by country or regional offices since they are best placed to judge whether continuation is possible or sensible. Headquarter and regional management structures are usually responsible for reviews of risk management practice within the organisation, while responsibility for operational security – including accepting or rejecting certain risks – resides within field (country and project) programme or security management structures. An extract from a policy document supports this approach:

Although plans and procedures are designed as preventive measures, incidents will still occur and common sense and judgement are needed to deal with situations. Staff are better prepared for this if they have been involved, as far as possible and practical, in the development and implementation of the security system, ensuring understanding of the rationale, observance and compliance.


Due to the potential for risk ‘creep’ noted above, however, most agencies attempt to maintain a balance rather than relying on the judgement of field staff in context. Headquarter programme and security managers/advisers are sent in periodically to conduct assessments of the risk context, and resources and skills available on the ground, and support should be made available where necessary. Where the context and humanitarian imperative demand ‘a higher than usual tolerance of insecurity’, one agency’s security policy explains, ‘an even greater emphasis on good security management is essential’. This may require a higher level of responsibility to be taken at senior management level. Moreover, when an organisational crisis occurs, a headquarter crisis management team will be activated automatically, assuming full responsibility and accountability for risk judgement and action.4

While fairly low-level approval is required when shifting to higher security levels (which may lead to significantly reduced operations), a lengthy consultative process is required when shifting to lower security levels or increasing operational presence. This can be a source of frustration for staff working at the dynamic field level. One interviewee commented that the ‘reversal process’ can be ‘a challenge’: ‘for example, many NGOs have been debating whether or not to return to Iraq, but making an informed decision to return has not been easy’. Many agencies adhere to graduated levels of security, or to indicators for deteriorating environments (as part of the broader risk assessment process), but at present few devise indicators for improving environments.

Judgement and experience

Although risk-based calculations shape the organisational risk attitude and risk assessment frameworks, each specific assessment involves an element of experience and judgement that cannot be reflected in policy documents, or in equations describing risk analysis. According to Kevin W. Knight AM, chair of the ISO working group developing international standards relating to risk management, ‘Risk management is and remains an art, and cannot be a science! You will not take a decision because the computer told you so.’

The following example shows that organisations can devolve decisions about security, relying on the judgement of experienced staff.

During the first presidential elections in Afghanistan in 2004, some agencies based their acceptance of risk partly on the assertion by senior staff that the situation was no worse than other contexts they had worked in, particularly Mogadishu in 1992. According to one security practitioner…, ‘every worst case scenario mapped out had been surpassed’, yet the acumen of determined and experienced staff, based on current context analysis as well as transferrable experience, enabled agencies to continue operating. Depending on the context, this flexible approach may be central to achieving humanitarian objectives. However, the constant re-evaluation required within dynamic situations must be carried out in a transparent way and properly documented.

The devolution of authority, which often constitutes a deviation from an agency’s risk management policy, usually depends upon the experience and personal characteristics of the staff in context.

During the evacuation from Goma in 2008, the structured and inclusive approach of one organisation led to the rapid deployment of an appropriate Desk Officer, and the simultaneous establishment of a management team to liaise with the Head of Operations. Despite the hierarchical nature of the organisation, the final decision depended on the assessment of the Desk Officer, who was assertive and possessed both considerable experience within DRC and close links to local political and social actors. The eventual decision was communicated to regional security management, and the function of the management team became confirmation and documentation of the decision, following closure of the project office. This level of decentralisation is possible when an organisation has full confidence in the experience and judgement of members of staff further down the organisational hierarchy, and when staff are assertive (even forceful) and prepared to accept high levels of responsibility for tough decisions. The organisation under discussion exerts greater organisational guidance in contexts where staff are less experienced or proactive.


4 See the EISF Briefing Paper on Crisis Management of Critical Incidents for more detail on varying management structures and responsibilities. First published April 2010, available at www.eisf.eu.


Conclusions on managing organisational risk acceptance

This section has traced the principal components of the humanitarian risk acceptance process. These remain consistent regardless of where an agency is placed on the spectrum between residual risk-management and residual risk-avoidance. Consistency and transparency in programme, context and risk assessment rest upon effective organisational structures for communication, consultation, decision-making and accountability. While ‘gut feeling’ alone is insufficient, risk acceptance is a proportional judgement rather than a science. Informed and argued decisions are made at various levels, depending on the organisational structure, the potential impact of events, and the capacity and experience of staff in context. Within a flexible system, effective risk ownership – in the form of clear decision-making and declarations of the risk attitude and risk ‘thresholds’ – is vital. One organisation’s security guidelines emphasise the delicate balance between organisational processes (and assigned responsibilities) and individual judgement: ‘Guidelines and checklists cannot replace sound judgement. Every level carries a measure of responsibility!’

Where organisational leadership is lacking, and the risk attitude is not internalised at all levels, field staff may perceive senior management to be inconsistent. They may also experience frustration as they feel that programme objectives are being overlooked. This kind of frustration becomes evident when operational risk assessments conflict with the strategic imperative of prolonging organisational presence or programming.

In order to maintain consistency and maximise the potential for achieving objectives at each level of an agency, each component of the risk acceptance process must reflect the organisational risk attitude. If the stated risk attitude does not match the operating realities, problems may arise. For this reason, institutional pressures and desires must be recognised during the consultation and documentation stages of risk management. This results in a risk acceptance process that reflects the organisational risk attitude and wider risk management priorities. The inclusive, balanced approach adopted by one agency in northern Pakistan (described in section 2.2) shows that a systematised approach allows an organisation to prepare for unforeseen challenges as well as predictable events, since it capacitates programme and security managers to act as risk managers. Ultimately, a systematised approach should enable sustained humanitarian access and impact.


Integrated security is a ‘culture that pervades the organisation and its people, rather than a bureaucracy cluttered with endless checklists and procedures’ (Davies 2005:8)

This study illustrates the challenges faced by humanitarian organisations in adopting a formalised approach towards risk thresholds and risk attitude. Operational agencies do not work to rigid parameters of risk, applied across the organisation or transferrable between contexts. Internal capacity and consistent processes for managing risk are as important as specific thresholds.

Examples cited here illustrate the need for aid agencies to foster risk management processes that are consistent, accurate, participatory, transparent, and unbiased by organisational self-interest. Risk attitude must be systematic and driven by senior management, yet embraced by staff at all levels, capacitating them to respond flexibly to both routine and unforeseen challenges. A broader conceptualisation of risk, and how security threats relate to risk at different organisational levels, could facilitate this flexibility.

4.1 Consistent process based on shared understanding of risk

We suggest that organisations should consider their approach to risk in five areas:

• A broad conceptualisation of risk

Organisations should work towards holistic conceptualisations of risk, engaging staff in inclusive discussion at headquarters and in the field. By analysing both the internal and the external environment, and considering risk impacts at all organisational levels, operational and organisational objectives can be better aligned.

• Clear and consistent process

Organisations should concentrate on strengthening risk management capacity and ensuring key elements of the risk management process are in place. Consistent justification (and documentation) of actions taken is key, rather than producing further policies and guidelines, or adhering to pre-defined thresholds.

• Streamlining

A good risk management process can be achieved through transparent assessment, consultation and decision-making structures. An organisational framework for these structures will enable staff to demonstrate informed and argued decisions on whether risks are acceptable, which consider the level of humanitarian need, programme and organisational objectives, and capacity to implement programmes and to manage the risks involved. An organisational framework should therefore promote greater synergy between programme and security objectives.

• Documentation

Security frameworks must be brief, readily understood and realistic. When implementing security plans, staff must document clearly the rationale and process for specific actions. Through consistent documentation, humanitarian organisations can show that they are managing risk well. This documentation is also an essential first step towards an evidence base showing how good risk management impacts on access and programme delivery.

• Flexibility

Policy documents must take into account the differences in character between the various operating phases (such as initial needs assessments, emergency operations, etc.) Such documents might include process charts or checklists guiding staff through risk assessment and decision-making.

4 Conclusions and Recommendations


4.2 From field risk analysis to integrated risk management

Risk management is effective in cases where the process of risk acceptance is consistent across an organisation, and responsibility is assigned and accepted appropriately. However, in cases where organisational capacity to describe, accept and manage risk is lower, the risk management process remains informal, personality-driven and reactive, even if appropriate policies and procedures are in place.

For practitioners of humanitarian security, a culture of awareness and exchange – leading to flexibility of action – is sought over and above rigid frameworks, lengthy policy documents and endless checklists. Nevertheless, maintaining consistency in the risk management process across an organisation requires both firm leadership from senior management level, and commitment to a coherent risk attitude framework. This framework must be comprehensible to all staff, capacitating them to act as risk managers. Two elements are therefore crucial:

A risk attitude framework: where risk management is process-focussed, senior management must articulate a coherent and clear risk attitude framework, in which the accepted level of current/residual risk is made explicit.

Risk owners: the organisational risk management strategy must detail responsibility and accountability at each level, so that risk owners may be identified.

In working towards consistent processes with clear lines of responsibility, humanitarian agencies are engaging with and adapting risk management principles and standards negotiated at the international level, such as the ISO 31000 (ISO 2009). As the humanitarian sector is increasingly professionalised, duty of care is documented more consistently at the operational level. Perhaps more importantly, at the strategic level the relationship between organisational mission, humanitarian access and impact, and organisational resilience, is increasingly interrogated. International standards in risk management can act as a benchmark for humanitarian agencies in harmonising operational and organisational judgement of risk. This should foster uniform action on whether to pursue certain project activities, advocacy strategies, and so on. Ultimately, integrated risk management seeks to maximise organisational resilience with the aim of achieving greater humanitarian impact.

4.3 Methodologies to facilitate integrated risk management

While the process of risk management is fluid and dynamic, an organisational culture of awareness and good risk management can aid project-level decision-making. We suggest that it is particularly important to consider the following four areas:

• Good monitoring and evaluation

Monitoring and evaluation (M & E) can support effective risk management, enabling humanitarian programmes to run for longer in complex operating environments. M & E allows agencies to track operational access and impact, adjust operational strategies accordingly, constantly re-evaluate and attempt to mitigate risk.

• Understanding humanitarian security and risk management systems

The humanitarian sector lacks comprehensive research on, as well as internal reviews of, its own risk management systems. This study shows that broader, process-led risk management methodologies, which build capacity to manage risk across organisations, are necessary if humanitarian agencies hope to ingrain wide awareness and understanding of their own organisational cultures.

• Developing an evidence base

To make good practice visible, agencies should document cases where increased or prolonged humanitarian access and programmatic impact has resulted directly from good security and risk management.

• Risk ranking and profiling tools

Methodologies for evaluating operational and organisational risk jointly are already being developed. The efficacy of such tools will depend on whether individual agencies can foster coherent organisational risk attitudes and whether these risk attitudes, as well as the humanitarian impact of individual programmes, are understood by all staff. To define risk parameters for organisational portfolios, organisations will need to devise systems for evaluating cumulative risk and overall exposure. These systems should complement project-level risk assessment tools.


Throughout this report, we have emphasised the need for humanitarian organisations to develop structured risk management processes which define risk architecture, strategy and protocols. Consistent processes for decision-making, communication and appropriate consultation can provide staff who assess risk within dynamic environments with a supporting framework for action. Through internalising the organisational risk attitude and management procedures, and understanding risk impacts at different organisational levels, staff are capacitated to manage immediate responses to security events, as well as longer term assessments and reviews of security-risk management strategies.

The maturity of an organisation in terms of risk management may be measured by how well its assessment and decision-making processes are functioning. Signs of immaturity can include informal and ad hoc risk management practices, including protracted or inconsistent decision-making; poor communication on potential withdrawals and evacuations; a culture of blame and lack of accountability; and resource allocation for risk management that is inappropriate for the level of risk involved.

Finally, consistent processes should promote, rather than stifle, flexibility. Humanitarian assistance takes place in highly dynamic and sometimes highly risky environments, in which programme objectives could not be achieved without flexibility at the local level. Over-reliance on rigid risk management structures and procedures could cause an organisation to become risk averse, and to discourage staff from operating in areas of high or uncertain risk even if urgent humanitarian needs may be met as a result. We stress therefore that humanitarian organisations should not pursue risk management as an objective in its own right, but wherever possible as a tool for achieving programme objectives. Documentation of how risk management impacts on access and programme delivery is necessary if organisations aim to demonstrate that they are achieving greater impact for crisis-affected populations through better risk management.


These explanations of key terms are based on policy documents provided by participating agencies, together with terminology used by the wider humanitarian community and at the cross-sector international level. As noted above, an agreed risk management lexicon could aid understanding and coordination between humanitarian agencies, as well as dialogue with risk management experts from other sectors. However, this glossary is intended merely for clarification and elaboration of the risk-related terms used in this report. For a broader lexicon see, for example, InterAction Security Unit (2010).

Risk is usually described as ‘The combination of the impact and likelihood for harm, loss, or damage to [organisations] from the exposure to threats.’ (InterAction 2010:6). In this report we acknowledge that ‘risk’ encompasses not only direct threats to staff and operations in insecure environments (for example, theft of assets, kidnap of staff members, or exposure to dangers such as landmines and Improvised Explosive Devices), but also threats to an organisation’s broader remit, such as loss of reputation, issues of liability, etc. Therefore, ‘what is at risk’ for an organisation in any given situation is a complex mixture of factors both internal and external. Defined in its broadest sense by the International Organization for Standardization, risk is the cumulative ‘effect of uncertainty on objectives’ (ISO 2009:1).

Uncertainty: Defined by the International Organizationfor Standardization as ‘the state, even partial, ofdeficiency of information related to, understanding orknowledge of an event, its consequence, or likelihood’(ISO 2009:2).

Risk attitude: The attitude an organisation adoptstowards risk, or its ‘risk attitude’ has many elements. TheISO 31000, which is not sector-specific, defines ‘riskattitude’ as an organisation’s ‘approach’ to risk,demonstrated in the way it will ‘assess and eventuallypursue, retain, take or turn away from risk’ (ISO 2009:2).

Risk ‘threshold’: The threshold of acceptable risk is reached when, following the implementation of mitigation measures, the residual/current risk level is not supported by an organisation’s stated risk attitude.

Residual/current risk: Defined by the International Organization for Standardization as risk ‘remaining after risk treatment’ (ISO 2009:6). This risk remains ‘current’ as it is continuously reassessed at the operational level.

Mitigation measures: Short-term measures or long-term strategies enacted to reduce the likelihood of security incidents, or minimise their impact. Mitigation is based on Standard Operating Procedures (SOPs), and constant assessment and engagement with the context.

Risk treatment: The process of mitigating risk. According to the International Organization for Standardization, risk treatment can involve: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; taking or increasing risk in order to pursue an opportunity; removing the risk source; changing the likelihood; changing the consequences; sharing the risk with another party or parties; and retaining the risk by informed decision (ISO 2009:6).

Risk management strategy, policy and plans: Risk strategy, appetite, attitudes and philosophy should be defined in clear terms in an organisation’s risk management policy, and reflected in associated risk management plans. These documents provide the framework for effective organisational risk management.

Security strategy, policy and plans, including policies, guidelines, protocols and methodologies, should be guided by the organisational risk management strategy.

Annex 1: Glossary


Australian Homeland Security Research Centre, 2005. The Beginning of the End for Risk Management. National Security Practice Notes, September, available at: www.homelandsecurity.org.au/files/Risk_Mgmt.pdf [accessed 23 February 2010].

Barkham, Patrick, 2009. Deadlines on the frontline: Stephen Farrell, Sultan Munadi and the perils of war reporting. The Guardian, 12 September, available at: www.guardian.co.uk/theguardian/2009/sep/12/farrell-munadi-war-reporting [accessed 23 February 2010].

Carle, Alexandre and Hakim Chkam, 2006. Humanitarian Action in the new security environment: policy and operational implications in Iraq. Background Paper, Humanitarian Policy Group, September, available at: www.odi.org.uk/resources/download/294.pdf [accessed 23 February 2010].

Davies, Paul, 2005. Mainstreaming Security Management. In Security Quarterly Review, 1 (Spring), pp.7-8, available at: www.redr.org.uk/objects_store/SQR%20Issue%201.pdf [accessed 23 February 2010].

European Interagency Security Forum (EISF), 2010. Crisis Management of Critical Incidents – EISF Briefing Paper. Available at: www.eisf.eu [accessed 16 September 2010].

Gassmann, Pierre, 2005. Rethinking humanitarian security. In Humanitarian Exchange, Humanitarian Practice Network, 30 (June), available at: www.odihpn.org/report.asp?ID=2721 [accessed 23 February 2010].

Gent, Mike, 2002. Weighing up the risks in aid work. In Humanitarian Exchange, Humanitarian Practice Network, 21 (July), pp.17-19, available at: www.odihpn.org/report.asp?id=2455 [accessed 23 February 2010].

Hopkin, Paul, 2010. Fundamentals of Risk Management: understanding, evaluating and implementing effective risk management. Kogan Page.

InterAction Security Unit, 2010. Security Risk Management: NGO Approach. Available at: www.eisf.eu/resources/library/SRM.pdf [accessed 13 May 2010].

International Federation of Red Cross and Red Crescent Societies (IFRC), 2007. Stay safe: The International Federation’s guide for security managers. Available at: www.eisf.eu/resources/library/IFRC_stay_safe_mgmt.pdf [accessed 16 September 2010].

International Organization for Standardization (ISO), 2009. ISO 31000: Risk management – Principles and guidelines. 1st ed. See also the related ISO Guide 73:2009 – Risk management vocabulary. Both documents were developed by the ISO Working Group on Risk Management; they are available at www.iso.org/iso/pressrelease.htm?refid=Ref1266 [accessed 16 September 2010].

IRIN News, 2008. Pakistan: NGOs close down operations after four die in Mansehra attack. 28 February, available at: www.alertnet.org/thenews/newsdesk/IRIN/e6ddaee592faeabcedbfae10468f23c4.htm [accessed 29 March 2010].

NGO Coordination Committee for Iraq (NCCI), 2008. Operational Modalities in Iraq. Briefing Paper 2, January, available at: www.reliefweb.int/rw/RWFiles2008.nsf/FilesByRWDocUnidFilename/SODA-7CL49G-full_report.pdf/$File/full_report.pdf [accessed 23 February 2010].

People in Aid, 2008. Promoting Good Practice in the management and support of aid personnel: Policy Guide and Template for Safety and Security. 2nd ed. Available at: www.peopleinaid.org/pool/files/publications/safety-security-policy-guide-and-template.pdf [accessed 23 February 2010].

Porfiriev, Boris, 2004. The Perception and Management of Security and Safety Risks: Implications for International Negotiations. In Risk Management: An International Journal, 6 (4), pp.9-25.

Rowley, Elizabeth, Lauren Burns and Gilbert Burnham, 2010. Research Review of Nongovernmental Organizations’ Security Policies for Humanitarian Programs in War, Conflict, and Postconflict Environments. In Disaster Medicine and Public Health Preparedness, available at: http://171.66.125.179/cgi/content/abstract/dmp.2010.0723v1 [accessed 16 September 2010].

UK Health and Safety Executive risk management resources: www.hse.gov.uk/risk/ [accessed 16 September 2010].

United Nations High Commissioner for Refugees (UNHCR), 2004. Report of the Steering Committee on Security Policy and Policy Implementation. 20 September, Geneva.

Van Brabant, Koenraad, 2000. Operational Security Management in Violent Environments: A Field Manual for Aid Agencies. Good Practice Review 8. London: Humanitarian Practice Network and Overseas Development Institute.

Verband Entwicklungspolitik deutscher Nichtregierungsorganisationen e.V. (VENRO), 2003. Minimum Standards regarding Staff Security in Humanitarian Aid. Available at: http://eisf.eu/resources/library/VENRO_MOSS_1.pdf [accessed 24 May 2010].

Annex 2: Resource list


Briefing Papers

Abduction Management

May 2010

Pete Buth (author), supported by the EISF Secretariat (eds.)

Crisis Management of Critical Incidents

April 2010

Pete Buth (author), supported by the EISF Secretariat (eds.)

The Information Management Challenge

March 2010

Robert Ayre (author), supported by the EISF Secretariat (eds.)

Reports

Joint NGO Safety and Security Training

January 2010

Madeleine Kingston (author), supported by the EISF Training Working Group

Humanitarian Risk Initiatives: 2009 Index Report

December 2009

Christopher Finucane (author), Madeleine Kingston (editor)

Articles

Whose risk is it anyway? Linking operational risk thresholds and organisational risk management (in Humanitarian Exchange 47)

June 2010

Oliver Behn and Madeleine Kingston (authors)

Risk Transfer Through Hardening Mentalities?

November 2009

Oliver Behn and Madeleine Kingston (authors)

Also available as a blog at www.odihpn.org/report.asp?id=3067

Available at www.eisf.eu

Other EISF Publications


First published October 2010

European Interagency Security Forum, c/o Save the Children, 1 St John’s Lane, London EC1M 4AR

EISF Coordinator +44 (0) 207 012 [email protected]

EISF Researcher +44 (0)207 012 [email protected]

www.eisf.eu

Design and artwork: www.wave.coop