Successfully reported this slideshow.
Number 47 June 2010 HPN Humanitarian Humanitarian Practice Network Exchange Managed by Humanitarian Policy GroupIn this issue Commissioned and published by the Humanitarian Practice Network at ODIHumanitarian security management2 A decade on: a new Good Practice Review on operational security management This issue of Humanitarian4 A closer look at acceptance Exchange, co-edited by the6 The six ‘Ws’ of security policy-making Humanitarian Practice Network8 Whose risk is it anyway? Linking operational and the Security Management risk thresholds and organisational risk management Initiative (SMI) in Geneva, focus-11 Key security messages for NGO field staff: es entirely on staff safety and what and how do NGOs communicate about security. Responses to safety security in their policies and guidelines? and security challenges vary14 Personnel management and security widely across the aid sector.18 Security management and the political economy of war Different contexts, organisa-21 Kidnap response: immediate priorities for aid tional values, principles and agencies missions, perceptions of23 The Global Code of Conduct for Private security, risk thresholds and Security Companies: why it matters to human and financial resources humanitarian organisations25 NGO responses to insecurity in Darfur all contribute to different ©REUTERS/Antony Njuguna28 Local perceptions of US ‘hearts and minds’ management approaches. The activities in Kenya articles in this issue are intended to encourage critical thinking around risk management and, in some cases, to challenge existing security management norms. Christina Wille demonstrates how incident In the leading article, Adele Harmer data may be analysed to inform strategic and highlights five important new topics operational decision-making. Policy issues covered in the revised edition of are explored by Elizabeth Rowley, Lauren HPN’s Good Practice Review (GPR) 8, Burns and Gilbert Burnham, while Larissa Operational Security Management Fast and Michael O’Neill present new ideas in Violent Environments, scheduled on developing and implementing acceptance for publication in September 2010. approaches to security. They note, as do Originally published in 2000, GPR 8 Christine Williamson (human resources andAbout HPN is considered a seminal document in security) and Madeleine Kingston and OliverThe Humanitarian Practice Network at the Overseas humanitarian operational security. Behn (risk attitudes), that managing andDevelopment Institute is an independent forumwhere field workers, managers and policymakers While much of it remains valid, key reducing risk is not just a field or operationalin the humanitarian sector share information, changes in the security environment issue but a collective responsibility, involvinganalysis and experience. The views and opinionsexpressed in HPN’s publications do not necessarily for aid workers and in humanitarian decision-makers and staff at all levels of anstate or reflect those of the Humanitarian Policy security tools, agency practices and organisation. Mark Allison looks at kidnapGroup or the Overseas Development Institute. interagency security coordination and ransom management and Ivor Morgan over the intervening ten years point outlines how agencies have adapted to Britain’s leading independent think-tank on international development to the need for a revision. changes in the security environment in and humanitarian issues Darfur. Finally, Michael Kleinman and Mark In his article, Gilles Carbonnier Bradbury examine the relationship between Overseas Development Institute discusses why it is important for aid and security in Kenya. 111 Westminster Bridge Road London SE1 7JD aid practitioners to undertake United Kingdom political economy analysis to As always, we welcome any comments or Tel. +44 (0) 20 7922 0300 Fax. +44 (0) 20 7922 0399 identify contextual drivers of feedback, which can be sent to hpn@odi. insecurity. Private military and org.uk or to The Coordinator, Humanitarian HPN e-mail: firstname.lastname@example.org HPN website: www.odihpn.org security company regulation is Practice Network, 111 Westminster Bridge discussed by André du Plessis. Road, London SE1 7JD, UK.
humanitarian security management A decade on: a new Good Practice Review on operational security management Adele Harmer, Humanitarian Outcomes A decade ago, only a handful of agencies were aware of and that much of the original volume remained valid. We were seriously considering the challenges posed by operational careful therefore not to start from scratch, but to add detail insecurity. At the time, few international or national to practices that had become more sophisticated over time, organisations had designated security positions or policies to nuance areas that were previously misunderstood or on how to manage the risks of violence against their staff needed elaboration, to trim what was outdated or no longer and operations. The impact of high-profile attacks such as useful and to highlight areas where practice in the field and the 1996 assassination of six ICRC workers in Chechnya at headquarters has evolved. The GPR covers over 25 topics spurred a number of international aid organisations into in security management. Here we highlight five. action. A collaborative learning initiative on security issues resulted in the earliest interagency security training, as Risk assessment well as the first edition of the Good Practice Review on A proper assessment of risk is a critical component of good Operational Security Management in Violent Environments practice in security management, and is an area where (also known as GPR8). GPR8 introduced core security aid organisations have advanced significantly in recent management concepts and highlighted good policy and years. The risk assessment chapter in the revised GPR is an practice in operational security in humanitarian relief attempt to take the complex subject of risk and provide am a n a g e m e nt efforts. It became, in the words of one user, ‘our Security simple, practitioner-oriented guide to the stages of analysis 101. It was the primary reference – our go-to guide’. that need to be undertaken, including programme and criticality assessment, threat and vulnerability analysis and a workable methodology for approaching a risk assessment. in the last ten years major It considers how to identify different threats and risks for national staff as compared to expatriate staff. It examines progress has been made in the the issue of risk transfer and highlights ways to mitigate professionalism and this, both with an agency’s own staff and with partner agencies. It also discusses the difficult task of identifying a sophistication of humanitarian risk threshold and determining what constitutes acceptable security management risk – both at the organisational and individual level. In our interviews, ‘danger habituation’ was an area Since the publication of GPR8 a decade ago, the global many agencies thought particularly challenging. As ones e c u r it y security environment has changed significantly. New interviewee working in Darfur, Sudan, noted: ‘Some conflict contexts involving intervening Western powers advisers came from headquarters and told me that they fighting against armed insurgent forces have created wouldn’t visit again if things didn’t tighten up (because new sources of threat to international humanitarian they felt insecure themselves), so that was a wake up action. Increasing violence against aid workers and call’. The tendency not to reinforce security measures until their operations, including more kidnappings and lethal after an incident has occurred is still widespread. The GPR attacks, has had serious implications for humanitarian argues that any decision to accept a greater level of risk relief work in insecure contexts. In some circumstances requires external oversight and would only be justifiable if attacks have been increasingly politically motivated. This security measures have been significantly strengthened and growing violence has generated a deeper awareness of improved, and that those staying in high-risk environmentsh u m a nit a r i a n the security challenges faced by operational agencies, can manage the stress and have properly reassessed their giving rise to new adaptations and strategies in security personal threshold of acceptable risk. management. Despite or perhaps because of the fact that GPR8 was still being well utilised, HPN decided that it was Security strategy time to review and update the manual to reflect these The first edition of GPR8 identified three broad changes in the operational and policy environment. security approaches shaping an organisation’s security management strategy, namely ‘acceptance’, ‘protection’ The new GPR – what’s changed? and ‘deterrence’. These concepts were presented as a In the last ten years major progress has been made in the so-called security ‘triangle’. The triangle model was not professionalism and sophistication of humanitarian security meant to imply that an aid agency simply decides, at management and in interagency security coordination. GPR an institutional level, which approach is preferable (or users interviewed felt that the revised edition could usefully where the agency ‘sits’ on the triangle) and conducts its reflect these advances, while at the same time stressing operations accordingly. The reality is much more fluid. exchange humanitarian
These approaches are often used in combination, and will On the issue of interagency coordination, the GPRvary according to local security cultures and conditions. recognises that, while there are many reasons why information-sharing might need to be informal, there areThe revised GPR abandons the concept of the triangle in order significant benefits in establishing and supporting formalto avoid this confusion, but maintains a focus on these three interagency security mechanisms. In terms of practicalcore security approaches and invests in a detailed analysis measures, the review highlights financial and humanof good practice measures. In particular, there is a more resources, as well as operational assets such as vehicles,comprehensive examination of the means to implement communications and IT equipment.an ‘active acceptance’ approach. The GPR stresses thatacceptance cannot be assumed; it has to be won and Developing a security culturemaintained. It also recognises that, since acceptance was From the outset, the GPR clearly states the need for securityfirst analysed in the 2000 GPR, it has become much harder management to be integrated across the organisation,to achieve. Whether, when and from whom acceptance can and not treated as an ‘add-on’ or a luxury. While this is notbe gained is now a serious operational question. The GPR a new topic, only in recent years have organisations begunoutlines the key components of an acceptance approach to realise that developing a security culture poses oneand offers some possible indicators of how to measure of the most significant challenges.1 Much of the focus inthe extent to which acceptance has been achieved. It also security management tends to be on specific operationalconsiders the practical implications of acceptance, including needs, such as security policies and plans. Yet there ishow much it costs and the administrative and human also a need to take a step back and look at how to developresources required. The GPR also details deterrence and a culture of security within the organisation, includingprotective approaches, including ‘low-profile’ programming, developing capacity.and highlights the key issues an agency should considerbefore and while using armed protection. The GPR highlights that good practice in security manage- ment is closely linked with, builds on and reinforces goodRemote management practice in programme and personnel management more humaRemote management has entered the lexicon of humani- broadly. These are not separate tasks and workloads; theretarian security discourse in recent years. The position is is an important positive multiplier effect. Good programmeusually a reactive one and comes about due to poor or management requires an understanding of the operatingdeteriorating security conditions or other restrictions in environment and the impact of the agency’s presence and itsthe operating environment. It is increasingly being used work, building good relationships, managing internationalin high-risk environments, and thus it was introduced as a and national staff well and collaborating effectively withnew topic in the GPR, along with the options of evacuation, other agencies. In other words, it reinforces an active nit a r i a nrelocation and hibernation. Remote management involves acceptance strategy. The GPR details multiple ways in whichwithdrawing international staff or other categories of staff security can be treated as a staff-wide priority, and thefrom the programming location, and altering management possible options for ensuring accountability.structures to give more responsibility to national andlocal staff remaining in situ, or forming new operational The 2010 GPRarrangements with local partners. The GPR will be released in a very different climate to that of 2000. The threats aid operations face today are far moreBecause remote management sometimes occurs gradually, frequent and challenging than those identified a decade s e c u r it yas security conditions deteriorate, many agencies do ago. Equally, though, there has been significant progress inlittle planning and preparation for it. The GPR highlights organisational appreciation of the risks faced and the typespossible triggers or indicators for agencies to consider, of personnel and assets needed to mitigate them. The GPRand points to good practice examples where the need for will no longer be the sole document on an operationalremote management programming can be recognised in manager’s bookshelf. For some readers it will be squeezedadvance and appropriately planned for. It also highlights in amongst a much wider operational security literature, asthe types of training, resources and other measures well as specific agency guidelines and protocols. We hopethat can contribute to more effective and secure remote nonetheless that it will remain an important reference andmanagement programming. perhaps a benchmark, and that it will serve both those who directly oversee operations in violent environments in the managemeManaging security collectively field, and those who support them.Security coordination has never been an easy operationalpursuit. As one interviewee noted: ‘The majority of The GPR will be released in English in September and incollaboration remains the preserve of the security officer French and Spanish in December 2010. It will also be found inin the bar or with a select group of contacts. It is shared a user-friendly format online. As a multi-language resource,under Chatham House rules with people unwilling to share we hope it will be widely read and that it will contribute todetails.’ The GPR explains the critical importance of sharing increasing awareness and appreciation of good practice insecurity information both within and between agencies. It security management over the next decade.takes the reader through a step-by-step process of incidentreporting, including what counts as a reportable incident, Adele Harmer is a Partner with Humanitarian Outcomes.what information should be included in an incident report 1 Koenraad Van Brabant, Mainstreaming the Organisationaland the common problems found in incident reports. Management of Safety and Security, HPG Report 9 (London: ODI, 2001). nt Number 47 • June 2010
A closer look at acceptance Larissa Fast, Kroc Institute, and Michael O’Neill, Save the Children Repeated bombings and attacks in Afghanistan, carjackings in Sudan and persistent insecurity in Somalia and elsewhere demonstrate the challenges of providing security for humanitarian aid workers. The statistics point to higher numbers of targeted attacks against aid workers between 2006 and 2008, driven largely by insecurity in Afghanistan, Somalia and Sudan.1 This growing insecurity has prompted media articles and a persistent and increasingly prevalent discourse among humanitarian organisations that challenges ‘acceptance’ as a legitimate, effective approach to security management. For example, a conference in April 2010 discussed the ‘limits and possibilities’ and the ‘(perceived) end’m a n a g e m e nt of the acceptance approach in light of the increase in security incidents and the perception that aid is part of a Western agenda.2 Some practitioners argue that humani- tarian agencies place too much ©REUTERS/Ceerwan Aziz faith in acceptance without fully acknowledging changes in the security environment that undermine its effectiveness. For example, kidnappings for extortion or remuneration reflect a different environment than those The death of acceptance? US troops secure a blast site outside the officess e c u r it y motivated for political reasons and of the ICRC in Baghdad, October 2003 therefore deserve a security manage- ment approach tailored to that unique threat environ- core element of their security management strategy. We ment.3 Others share anecdotes about NGOs implementing argue that insufficient evidence exists either to support relief and development projects that are targeted for or refute the effectiveness of acceptance. With apologies hostile action despite apparent acceptance by local to Mark Twain, reports of the death of acceptance are communities. But is it really the acceptance approach that an exaggeration.4 Instead, the humanitarian community has failed as the basis of sound security management, needs a clearer understanding and a more consistent or might there be another explanation behind this application of the acceptance approach, and a systematic phenomenon? assessment of its effectiveness in different contexts in order to evaluate whether and under what circumstancesh u m a nit a r i a n The death of acceptance? the acceptance approach works. While aid workers may Even as many question the efficacy of acceptance in the most believe that acceptance-based strategies make them most violent places, others, like the International Committee of secure, no corresponding evidence exists on whether or to the Red Cross (ICRC) and Save the Children, are resolutely what degree acceptance works in practice.5 and deliberately using an acceptance approach as a 1 Abby Stoddard, Adele Harmer and Victoria DiDomenico, Providing The ICRC is the recognised originator of the concept of Aid in Insecure Environments: 2009 Update, HPG Policy Brief 34 acceptance, tying its security approach to the principles (London: ODI, 2009). of neutrality, impartiality and independence. Its security 2 The 2010 NGO Security Conference is sponsored by the Centre for approach relies on gaining consent from stakeholders Safety and Development. See http://www.centreforsafety.org/Default. 4 In May 1897, American author Mark Twain famously responded to aspx?. rumours of his demise with ‘the report of my death was an exaggeration’. 3 Bob Macpherson, Christine Persaud and Norman Sheehan, See http://www.twainquotes.com/Death.html. ‘Experienced Advice Crucial in Response to Kidnappings’, Monday 5 Larissa Fast and Dawn Wiest, Final Survey Report: Security Developments, 26, March 2008, pp. 22–24. Perceptions Survey, unpublished, 2007. exchange humanitarian
in an operational area, including (especially) those who that facilitates access to vulnerable populations, they aremight obstruct access to or commit acts of aggression rarely directly linked to the skill sets needed to addressagainst beneficiaries and field workers. Thus, the ICRC’s security concerns through the acceptance approach.acceptance is linked to its ability to inform and educatelocal stakeholders about its mission and programmes, andto its negotiations for access to war-affected populations. the fact that humanitarianGood Practice Review 8 (Operational Security Managementin Violent Environments, published in 2000 and currently agencies often share the aidbeing revised) outlined acceptance in more detail, landscape with other actorshighlighting the importance of analysing context andconflict dynamics, cultivating relationships with multiple poses further challenges forstakeholders, and understanding the perceptions of local acceptancepopulations. Since then, relief and development NGOshave latched on to acceptance, largely because it is mostconsistent with their values, missions and mandates. Most The importance of local perceptionsNGOs today claim acceptance as a foundation of their A persistent and thorny problem with an acceptancesecurity strategy. How each NGO implements acceptance, approach is the diversity of missions, mandates and valueshowever, differs substantially. Many take a ‘passive’ among humanitarian agencies. Aid agencies rarely representapproach, assuming that doing good programming will themselves with any unity of mission at municipal, regionalwin the consent of the local population and acceptance will or central government levels, largely due to competitionautomatically follow. Others take a more ‘active’ approach, among organisations, differences in programme objectivesdeliberately working to gain and sustain consent from all and design or organisational cultures and individualstakeholders. The continuum of implementation, from personalities and national/ethnic backgrounds. The factpassive to active, is evidence of the diverse ways in which that humanitarian agencies themselves often share theNGOs apply acceptance. aid landscape with other actors – private-sector, religious huma and increasingly military – poses further challenges for acceptance as an approach to security. Local stakeholders no evidence exists on whether or often perceive these various entities as more-or-less to what degree acceptance works indistinguishable. Several research initiatives have documented how local communities perceive relief and in practice development actors, including the HA2015 project of the Feinstein International Center,7 CDA Collaborative Learning nit a r i a nThis diversity in implementation suggests that the Project’s Listening Project and MSF-Switzerland’s studyacceptance approach remains inadequately understood in of local perceptions of MSF. Their conclusions suggestconceptual and operational terms. For example, a recent the need for more attention to local perceptions and theirreview of security policies reveals that many organisations effect on security.understand and implement only part of the originalacceptance concept.6 The sections of the acceptance While an individual organisation may well have establishedframework, as articulated in GPR8, that organisations an effective acceptance-based approach, this hard-wonmost commonly incorporate in their own descriptions of acceptance can be undone by the behaviour, affiliation or s e c u r it yacceptance include broad-based relationships (in particular other attributes of another, unrelated organisation. Thus,developing relationships with multiple authorities and in places like Afghanistan and Chad, where military andpower-brokers), implicit messages through appearance civilian actors work in close proximity, the actions of non-and behaviour (translated by many organisations into humanitarian organisations can undermine the safety andstatements about the importance of cultivating a positive security of humanitarians. As a case in point, after seeing‘image’for the organisation) and effective programming. The its access progressively diminish the ICRC delegationreview found that many organisations do not distinguish in Afghanistan chose to reassert its distinct missionbetween passive acceptance, which assumes that good, as a means of renegotiating consent from belligerentcommunity-based programming will automatically lead factions and distinguishing itself as a unique entity amongto acceptance, and active acceptance, which is based on humanitarian actors. In the absence of unanimity of managemeestablishing and consistently maintaining consent from purpose and a disciplined commitment to humanitarianall stakeholders. Much of GPR8’s guidance on issues principles, individual NGOs are left with the same dilemma,such as interpersonal relations and negotiating styles, but without the benefit of the ICRC’s unique standing.the nuances of appropriate socialising and diplomacy,the messages and images conveyed through formal and In our view, acceptance is founded on effectiveinformal meetings and real or perceived divisions among relationships and cultivating and maintaining consentstaff are typically not emphasised as part of the acceptance from beneficiaries, local authorities, belligerents andapproach. While these diplomatic and negotiation skills other stakeholders. This in turn is a means of reducing orare conceived of as integral to the ‘humanitarian craft’ removing potential threats in order to access vulnerable6 Elizabeth Rowley, NGO Security Guidance Review Report (Baltimore, 7 Antonio Donini et al., Humanitarian Agenda 2015: The State of theMD: Center for Refugee and Disaster Response, The Johns Hopkins Humanitarian Enterprise (Medford, MA: Feinstein International Center,Bloomberg School of Public Health, 2009). 2008), available from http://fic.tufts.edu/?pid=75. nt Number 47 • June 2010
populations and undertake programme activities. Gaining undermine local power-brokers, commercial interests or acceptance among stakeholders is directly related to an those that seek instability to advance a political agenda. agency’s mission and positive stakeholder perceptions Any of these actors may target an organisation that they of the agency’s image. Local perceptions are influenced see as undermining their interests; they are therefore key by project design and accountability, adherence to stakeholders from whom at least tacit consent is required. humanitarian principles, staff behaviour that is respectful The inability of NGOs to gain safe access to affected of cultural norms and whether the agency understands the populations from key belligerents in Somalia, Pakistan and dynamics among various power-brokers. Gaining consent Afghanistan testifies to this challenge. depends not on how an NGO sees itself, but on how external actors perceive the NGO. Many organisations Much of the recent critique of the acceptance approach have established codes of behaviour for their staff that seems to assume that a security management strategy are linked to general ethical standards (e.g., avoiding that is neither deterrence-based nor protection-based conflicts of interest) or to an organisation’s mission and by default implies an acceptance-based approach. We principles.8 Although these codes and standards influence suggest that, in many cases, what is being critiqued is not how an organisation is perceived, how many of these the acceptance approach per se, but overall substandard are understood in light of acceptance or integrated into security management. While many NGOs may claim to a security strategy? The values and principles an NGO use acceptance as a primary means of improving the espouses are not always readily evident to external security of their staff, it is not at all clear how they define stakeholders, and should be explicitly promoted and acceptance, how they implement it in practice, whether contextualised through outreach and negotiation. or not it is effective, or the circumstances under which it is, or is not, effective. Many questions still surround our understanding of acceptance and its effective application. acceptance is founded on What does successful acceptance look like? What are its necessary constituent parts? How do we assess whether effective relationships andm a n a g e m e nt and under what conditions the acceptance approach cultivating and maintaining is most effective? What factors contribute to achieving acceptance? The lack of a widely accepted conceptual consent and operational understanding of acceptance hampers not only its implementation but also its testability. Further consideration of what acceptance means, how Acceptance is not just about gaining the consent and this approach is implemented in the field and its level of support of the local community; instead, it is as much about impact on the security of national and international staff gaining consent and access from those who may want to is timely and crucial in light of the current debate about obstruct the organisation or harm its personnel. In this how best to ensure the safety and security of aid workers way, the diplomatic and negotiating skills that are part and and the requisite competencies, skills and training that parcel of the humanitarian craft are critical to a successful aid workers require. Before the obituary on acceptance is acceptance approach. While often perceived as valuable to definitively written, we need a better understanding of the beneficiaries, the actions of NGOs may at the same time acceptance concept, how it is applied and its effectivenesss e c u r it y 8 For example, the Save the Children Code of Conduct for its staff in secure and insecure contexts. members explicitly forbids the exploitation of children. The Code of Conduct for the International Red Cross and Red Crescent Movement Larissa Fast is Assistant Professor at the Kroc Institute, and NGOs in Disaster Relief links standards to operational details. The Red Cross Code is available at http://www.icrc.org/Web/eng/siteeng0. University of Notre Dame. Michael O’Neill is Senior nsf/html/p1067. Director, Global Safety and Security at Save the Children. The six ‘Ws’ of security policy-makingh u m a nit a r i a n Christina Wille, Insecurity Insight On 29 October 2008, a vehicle loaded with explosives The events made headlines around the world. Images forced its way into the UN compound in Hargeisa, the of broken windows, damaged walls and dead civilians capital of the breakaway republic of Somaliland. The inevitably shape our opinion of the dangers and threats detonation killed two employees of the UN Development associated with delivering aid in a volatile and ungoverned Programme (UNDP). Across town, further bombs targeted country like Somalia. In the absence of foresight, accounts the presidential palace and Ethiopia’s diplomatic of past events are the best available sources to gain representation. Another two bombs exploded in the semi- an overview of the specific dangers in a particular autonomous Puntland region. The attacks occurred as environment. However, the media’s focus on selected leaders from Kenya, Uganda, Djibouti and Ethiopia met in attacks is not a guarantee that our attention is drawn to Nairobi to discuss the Somali issue. Islamist groups with the most frequent or the most dangerous situations that links to Al-Qaeda are believed to have been responsible. aid workers confront. Moreover, such reports do not tell exchange humanitarian
us what can be done to make people and their work less Such cooperation has wide benefits. Organisations gainvulnerable. access to information on security developments directly affecting aid organisations around the globe withoutThe six ‘Ws’ having to spend resources on monitoring incidents beyondThis article describes a new project that highlights patterns those affecting their own organisation. Information aboutof violence drawing on analysis of data providing detailed what is happening to other agencies is particularly usefulinformation on the nature of the event. This is based on when organisations are taking decisions about whether tothe six ‘Ws’: who did what to whom, where, when, why open (or reopen) operations in a country. Such data canand with what weapons. Such analysis can provide vital also be readily used to demonstrate to directors, boardinformation for designing an effective policy response. members and donors the need for adequate financialInsecurity Insight, in partnership with humanitarian investment in security measures.agencies and umbrella organisations, collects informationon a wide range of incidents covering both the most An important added value of this project lies in its uniquedevastating attacks and near-misses. By applying an and sophisticated approach to event processing. Theinnovative approach to data analysis, we can generate concept is based on the Taback-Coupland method ofinsights into common factors underlying these attacks, violence analysis. The thinking is inspired by public healthwhich can then be used by the project’s members and the methods. Information is coded, stored and retrieved in abroader humanitarian and policy-making communities. specifically designed relational database. The aim is to generate findings akin to the kinds of recommendationsThe project combines information from media reports with used by public health specialists seeking to preventinternal security monitoring by humanitarian agencies. disease by advising people to avoid or adopt certainPartner agencies, including Care International, International practices. Applied to security thinking, this means lookingMedical Corps, Oxfam and Save the Children, submit detailed for those aspects of security incidents that can be affecteddescriptions to Insecurity Insight of security incidents by a change in people’s behaviour or controllable elementsaffecting their staff or work. The definition of security in the environment. humaincident is as broad as the spectrum of events affectingthe delivery of aid. It covers murders and kidnappings of Information on the six ‘Ws’ draws attention to the roleaid workers, as well as the less severe but more frequent various factors may play in shaping the outcome of anrobberies, injuries, threats and expulsions.1 It also records event, helping to identify where policy measures areinformation on the impact of security events on the ability required. The aim is to reduce the vulnerability of victimsto deliver aid, for example in cases where security concerns and the potency of perpetrators in order to limit the impactor ambient violence have resulted in staff being withdrawn, of violence. The objective of such a database is not to nit a r i a nor operations being suspended or cancelled. describe the magnitude of the problem by attempting a full count of all violent events and numbers of affected people. Public health experts teach us that the search for the factors that influence the spread of a disease, which by applying an innovative is the information needed to identify counter-measures, approach to data analysis, does not require information on the total number of people affected by a disease. Instead, a sample of relevant we can generate insights into events can provide these answers. s e c u r it y common factors underlying Case example: kidnapping in Somalia attacks The example of Insecurity Insight data on kidnappings of humanitarian staff in Somalia illustrates the approach and outputs. At present, the database, which is continuallyHumanitarian agencies have long recognised that updated and backdated, contains 115 events reportedcooperation in sharing security information benefits from Somalia for the period July 2008 to December 2009.everyone. Yet legitimate concerns regarding data protection These events describe the death of 52 humanitarians,responsibilities towards the victims and differences in the the kidnapping of 50 employees and ten threats toway organisations’ reporting mechanisms work in the past organisations. This is not a complete list of events, and managememade sharing information on a global scale very difficult. does not provide a full count of the number of aid agenciesHowever, the work of specific information-sharing and affected or staff killed, kidnapped or threatened. The totalcoordination mechanisms, such as the Afghanistan NGO count is, without a doubt, higher. Even so, enough eventsSafety Office (ANSO) and the NGO Safety Program exist to start looking for patterns.(NSP) in Somalia, has shown that cooperation canwork. In the project described here, Insecurity Insight All 50 kidnapping victims worked for humanitarianfunctions as a clearinghouse, managing submissions agencies, whether non-governmental or UN-related.from partner agencies in a confidential manner and Of these, 27 were expatriates and 21 were Somalis.2making the information available in an aggregate and However, this does not show that expatriates are at aanonymised format that no longer identifies a specific higher risk of kidnapping than Somali employees. Suchvictim or agency. 2 For two kidnapping victims no information was provided as to nt1 Safety incidents such as road accidents are not included. whether they were Somalis or foreigners. Number 47 • June 2010
a conclusion could only be drawn with the knowledge systematically available). The length of time that the head that the sample accurately reflects the proportion of UNHCR was held may differ from the general pattern of expatriates and Somalis kidnapped and the total of kidnapped Somalis because his captors may have numbers of expatriate and national staff in the country. regarded him as higher value due to his senior position The approach here treats groups of events with distinct within a UN agency. characteristics as separate samples. In the example here, these are the sample of events in which expatriates were Few expatriates attempted to resist their kidnappers, kidnapped and the sample of events in which locals were perhaps because this is the general advice given. A kidnapped. Both samples are examined for differences number of Somali victims, by contrast, attempted to that are unlikely to be the result of biases within the overpower their abductors. Some succeeded and managed data. to escape, while others were killed. This raises the question whether agencies provide local employees with the same All but two of the 27 expatriates kidnapped in Somalia type of kidnapping awareness and behaviour training as were released following an average of 100 days in captivity expatriates. If so, it could be worth finding out why such (mean 100 days, median 67 days). Two other victims are advice is not adhered to. If the right answers and policy missing without any information available as to their responses to these differences in behaviour are found, whereabouts. Of the 21 kidnapped Somalis who worked it might be possible to reduce the proportion of Somali for humanitarian agencies, five were killed, and 15 were humanitarians killed during a kidnapping. either freed or managed to escape, usually on the day of the kidnapping itself (median 0 days in captivity, This is just one example of how consumers of the mean six).3 The exception was the kidnapping of Hassan information from this project could use it. The aim is Mohammed Ali, the head of UNHCR in Somalia, who was to identify entry points for measures that might make held for 67 days. a difference. Training on how to react in the event of a kidnapping might be the ‘seatbelt’ which, while not able to The differences in the example from Somalia are interpreted prevent the car crash, might make the difference betweenm a n a g e m e nt based on qualitative information with a view to identifying life and death. areas for policy measures. The conclusion based on this comparison is that expatriates and Somalis are treated The project is looking for more agencies to work with us. differently when kidnapped and may behave differently Becoming a partner is simple. Following a memorandum of as well. Ransom demands for kidnapped expatriates understanding, the partner agency forwards information tend to be addressed to the organisation they work for about security events in its preferred format to Insecurity or the state of origin. Lengthy negotiations often follow Insight. Agencies can then take part in seminars that look that may or may not include the payment of a ransom. at patterns within the data, and possible implications. For many Somalis ransom demands appear to be made There are also plans to develop online access to summary to their families, some of whom may pay up quickly. It is data for partners, for which funding is being sought. For also likely that the amount of money demanded is higher more information see the Insecurity Insight website at when demands are addressed to an organisation or state, www.insecurityinsight.org. rather than a local family (although this information is nots e c u r it y 3 There is no further information on the whereabouts of the 21 Christina Wille is co-director of Insecurity Insight. Her kidnapped Somalis. email address is Christina.Wille@insecurityinsight.org. Whose risk is it anyway? Linking operational risk thresholds and organisational risk management Oliver Behn and Madeleine Kingston, European Interagency Security Forum (EISF)h u m a nit a r i a n Aid agencies have worked hard in recent years to risk,1 not just for field staff and programmes but for the professionalise security management, including the organisation as a whole. provision of training for staff at headquarters and in the field and the formalisation of the risk management process. Establishing ‘risk attitude’2 This article is part of a larger European Interagency Aid agencies operating in complex, high-risk environments Security Forum (EISF) research project to support NGO have to balance the humanitarian impact of programmes security management by documenting the risk acceptance 1 Phrase attributed to previous discussions with Maarten Merkelbach process. It argues that programme managers should adopt of the Security Management Initiative (SMI). 2 ‘Risk attitude’ is defined by the International Organization for a broader understanding of risk in order to contribute to Standardization (ISO) as ‘an organization’s approach to assess and flexible, organisation-wide judgements of risk exposure. eventually pursue, retain, take or turn away from risk’. International To recognise risks effectively and engage with strategic Organization for Standardization, ISO 31000: Risk Management decision-making, managers must understand what is at – Principles and Guidelines, 2009. exchange humanitarian
with the duty of care they have to their employees and 1. Establishing the external threats; evaluating internalassociates. The way an NGO manages risk depends structures and vulnerabilities.heavily on the organisational mission and culture. This 2. Evaluating the risk mitigation process; documentingattitude to risk should be clearly explained to staff so the measures taken to mitigate risks and expectedthat personal levels of risk acceptance may also be outcomes.defined. Whilst some agencies do not consider that their 3. Determining the capacity of staff to manage the residualactivities justify putting staff at risk, others follow UNHCR risk.in explicitly recognising the risk of serious harm and 4. Documenting the humanitarian impact of programmes,even death, arguing that the humanitarian imperative and whether this warrants accepting the residual risk.renders this a ‘practical probability’. Competing moralimperatives of humanitarian impact and duty of care Where documentation of these steps is complete andare complicated further by organisational capabilities, satisfactory, programmes can usually go ahead. Riskreputation, internal and external financial leverage, assessment tools such as the impact-probability matrixexperience and judgement in the field and decentralised are employed to document the internal and externaldecision-making. contexts, arming programme staff with a snapshot of known threats and prompting frequent communication with local contacts and situational monitoring. These tools aid agencies have to balance do not easily incorporate uncertain risks such as terrorist attacks, and encourage a heavy focus on singular threats the humanitarian impact of (such as theft, armed attack or road accidents) and the programmes with the duty organisation’s ability to reduce the likelihood and/or consequences of these threats, rather than systemic of care they have to their risk (cumulative threats weighed against organisational employees and associates capacity, structural weaknesses, financial and reputational huma pressures, etc.). A narrow focus at the dynamic technical level, or poor communication of the organisationalAside from a conscious acceptance of risk, ‘risk creep’ risk attitude, can lead to inconsistent risk acceptancemay occur. In Chad, the Central African Republic and processes and a lack of synergy between operational riskDarfur, for example, agencies may tolerate an extremely judgement and strategic decision-making.high risk of armed robbery and carjacking. Predefinedtrigger events can rarely be absolute, and adaptation is Layers of risk attitudenecessary in dynamic contexts. At the same time, however, Case studies reveal that who makes the decisions at which nit a r i a nit is unclear the extent to which this process is conscious level of the organisation has a substantial impact on theand consistent, and how risk attitude is communicated content and outcome of the technical risk assessmentto international and national staff, partner institutions, steps described above. The higher the organisationalbeneficiary communities and donors. risk the higher the levels involved in the decision-making process. For this reason, we distinguish between riskTools without process attitudes at different levels. Definitions for operationalMany humanitarian agencies freely admit that, while and organisational security offered by People in Aidcontext and risk assessment frameworks are in place, provide a framework for these distinctions: s e c u r it yunderstanding of their own internal workings, and ofthresholds of risk, is incomplete. The risk acceptance • Operational definition of security: ‘NGO securityprocess remains fluid, context- and personality-driven and is achieved when all staff are safe, and perceivelacking in documentary support. Risk attitude is seen as themselves as being safe, relative to an assessmentintuitive, driven by case-by-case decisions taken in the of the risks to staff and the organisation in a particularfield or at the regional or head office, depending on the location.’severity of the event. During the first presidential elections • Organisational definition of security: ‘NGO securityin Afghanistan in 2004, for instance, some NGOs based is achieved when organisational assets are safe andtheir acceptance of risk partly on an assertion by senior when the organisational name and reputation arestaff that the situation was no worse than in Mogadishu in maintained with a high degree of integrity.’3 manageme1992, or other contexts they had worked in. Every worst-case scenario mapped out had been surpassed, yet the The basis for decisions will also affect the trajectory of theacumen of managers, based on current context analysis risk acceptance process. Calculations prompted by triggeras well as transferrable experience, enabled agencies events are relatively ill-defined. On a short-term basis, gutto continue operating. Depending on the context, this instinct is employed as a measure of the severity of threatslevel of fluidity may be central to achieving humanitarian and the level of humanitarian impact. External influencersobjectives. However, the constant re-evaluation required include the actions and recommendations of other NGOs,in dynamic situations must be documented, transparent the UN and host governments, the potential risk transfer toand adaptable. 3 People in Aid, Promoting Good Practice in the Management and Support of Aid Personnel: Policy Guide and Template for Safety andThe basic technical steps involved in accepting or rejecting Security, 2008, www.peopleinaid.org/pool/files/publications/safety- ntrisk are: security-policy-guide-and-template.pdf, p. 6. Number 47 • • June 2010 Number 47 March
national staff and partners and prospects for returning to Personality and experience the area of operation. Swift, incident-based organisational Personality and experience can encourage the devolution withdrawals from Pakistan and Afghanistan have been of authority and deviations from risk management policy. described in this way. In an evacuation from Goma in 2008, the appropriate Desk Officer was rapidly deployed, and a Security Management Calculations that are not immediately related to specific Team set up to liaise with the Head of Operations. Despite threats or security incidents are more likely to involve the hierarchical nature of the organisation, authority was a sophisticated approach, in which standard operating devolved to the Desk Officer, who possessed considerable procedures are central. It is useful to think of such experience within DRC and had close links to local political calculations in terms of parameters of risk rather than and social actors. The Desk Officer’s decision to withdraw of security. Deciding when to withdraw is a process of was communicated to regional security managers, and the continuous risk assessment and mitigation, and largely role of the Management Team was in this case to confirm involves a gradual reduction of activity or visibility. Good and document the decision. This level of decentralisation identification and communication of changes in the is necessary in dynamic contexts, but possible only when operating environment has allowed agencies to return an organisation has full confidence in the experience and to full programming in contexts as diverse as Iraq, the judgement of staff further down the organisational hierarchy, Democratic Republic of Congo and Zimbabwe. and where staff are relatively forceful and prepared to accept high levels of responsibility for tough decisions. Far greater organisational guidance on risk attitude is called for in deciding when to withdraw is contexts where staff are less experienced or proactive. a process of continuous risk Regardless of organisational structure, it may be difficult assessment and mitigation to reconcile operational risk assessments, funding requests for security measures and the desire to prolongm a n a g e m e nt programmes for reputational or financial reasons. Middle Decision-making ground can be hard to find when short-term technical The decision-making process hinges on several factors or operational logic meets long-term programmatic and that may adversely affect risk management. Wide organisational priorities. consultation and inclusiveness – firmly led by senior and middle managers – is important for NGOs, particularly Operational risks in organisational context when returning to a country or project area. Having The examples given here illustrate the need for aid agencies an effective structure in place, and commitment at all to develop processes for risk acceptance and rejection that organisational levels, will prepare agencies for uncertainty are consistent, accurate, transparent, participatory and in a way that predefined risk reactions and decisions unbiased by self-interest. Risk attitude must be systematic cannot. Yet provisions for ensuring this are often unclear. and driven by senior management, yet embraced by Depending on organisational structure and operating staff at all levels, enabling them to respond flexibly mode, communication can be problematic. Relations to both routine and unforeseen challenges. A broaders e c u r it y between country or project bases and head offices may be conceptualisation of risk could facilitate this flexibility. To hindered by remoteness, misunderstanding of either the engage with programme managers appropriately, security local context or the big picture and conflicting interests. advisers should consider equipping themselves to analyse both the internal and external environment, weighing In one example, a Country Office in the Philippines operational and organisational risks against programmatic managed by national staff came under pressure from impact and strategic priorities. Head Office to revert to standard operating procedures and push project activities further into the field. The For practitioners of humanitarian security, an organisational Country Office felt that emergency standards were still culture of awareness and exchange is sought over and above appropriate due to the political and military situation, rigid frameworks or lengthy policy documents. Programmeh u m a nit a r i a n together with the organisation’s profile locally and and security managers may therefore want to concentrate on popular perceptions of a rich, Western-driven entity. In formalising the risk acceptance process, rather than adding this case, a regional security manager mediated between to the supporting literature. Transparent consultation and the two loosely connected Offices to emphasise the decision-making structures are required, which are well- potential harm to staff if sophisticated field operations documented and instilled in staff on the ground. resumed. Since the Country Director’s leverage with senior managers was limited, this negotiation process The process of establishing and acting on risk attitude is was vital in ensuring that project staff were not exposed not readily defined. NGOs work in complex and dynamic to unacceptable levels of risk. environments; they comprise a multitude of values, perspectives and interests, and judgement of risk depends Structured provisions within security policies and plans heavily on the mission, programme outputs and capacity. for consultation are required, a process that should be Documenting internal and external operating contexts documented and monitored as rigorously as risk decisions and humanitarian impact through robust monitoring and and supporting evidence. evaluation can aid project-level decision-making. When exchange humanitarian 10
defining risk parameters for organisational portfolios, though, internal documents provided by security practitioners,agencies need to consider systemic risk and overall exposure. as well as discussions held at various NGO fora. It alsoDespite progress towards professionalisation, work remains draws on risk management principles introduced by thewith respect to applying clearly defined structures and ISO. EISF recognises the pivotal role of the Securityprocesses to the management of humanitarian risk. Management Initiative (SMI) in promoting awareness and understanding of ISO standards. EISF would like toOliver Behn (email@example.com) is EISF Coordinator. thank Maarten Merkelbach in particular for his invaluableMadeleine Kingston (firstname.lastname@example.org) is EISF input and contribution to the interpretation of many of theResearcher. This article is based partly on interviews and issues raised. References and further reading A. Carle and H. Chkam, Humanitarian Action in the New Security Environment: Policy and Operational Implications in Iraq, HPG Background Paper, 2006, www.odi.org.uk/resources/download/294.pdf. Paul Davies, ‘Mainstreaming Security Management’, Security Quarterly Review, no. 1, Spring 2005, www.redr.org. uk/objects_store/SQR%20Issue%201.pdf. Pierre Gassmann, ‘Rethinking Humanitarian Security’, Humanitarian Exchange, no. 30, June 2005, www.odihpn.org/ report.asp?ID=2721. International Organization for Standardization, ISO 31000: Risk Management – Principles and Guidelines, 2009. See also the related ISO Guide 73:2009 – Risk management vocabulary. Both documents were developed by the ISO Working Group on Risk Management; they are available at http://www.iso.org/iso/pressrelease.htm?refid=Ref1266. huma People in Aid, Promoting Good Practice in the Management and Support of Aid Personnel: Policy Guide and Template for Safety and Security, 2008, www.peopleinaid.org/pool/files/publications/safety-security-policy-guide-and-template. pdf.Key security messages for NGO field staff: what and how do NGOs nit a r i a ncommunicate about security in their policies and guidelines?Elizabeth Rowley, Lauren Burns and Gilbert Burnham, Johns Hopkins Bloomberg School of PublicHealthIn recent years, staff security management within 1. Identify the most and least commonly cited security s e c u r it yhumanitarian organisations has developed considerably. management messages NGOs are communicating toOnly ten years ago, many NGOs did not have full-time their field staff.security officers, written security policies and guidelines 2. Determine the types of documentation that NGOs mostor training programmes focused on the prevention and often use to communicate key security messages.management of staff security incidents. Today the majority 3. Distinguish the points of commonality and divergencedo. As the field expands, it is appropriate to look at across organisations in the content of key securityhow humanitarian organisations communicate to field messages.staff about security issues. What key messages do staffreceive about security management? What issues are less Security policy and guidelines reviewcommonly addressed? How do organisations communicate Through InterAction and the European Inter-Agency Security managemethese messages? To what extent are security messages Forum, research staff invited international humanitarianand advice similar or different across organisations? What organisations to share their security policies, manualsis the potential impact of these differences at field level? and training materials for the purpose of the review. The review included the materials of 12 US-based NGOs, sevenThese are some of the questions that researchers at the European NGOs and one Japanese NGO, all involved inCenter for Refugee and Disaster Response (Johns Hopkins the delivery of international humanitarian assistance.Bloomberg School of Public Health) looked into during The documents included 20 security manuals, 12 policy/a recent review of humanitarian agency policies and guideline documents and five sets of training materials.guidelines. With support from the Bureau of International Many NGOs hire outside consultants and organisationsCooperation of the International Medical Center of Japan for training and do not have original training materials.(IMCJ), research staff undertook a document review with Because so few training materials were received, thesethe following objectives: were not included in objectives 2 and 3 above. nt Number 47 • June 2010 11
As a guideline, researchers used the InterAction Minimum section of the MOSS. It is in this area that organisations Operating Security Standards (MOSS), including the provide specific, practical guidance about security in Suggested Guidance for Implementing InterAction’s day-to-day operations. With two exceptions, all of the Minimum Operating Security Standards (2006) and most commonly cited security messages are found under The Security of National Staff (2002), referenced by the Standard 1. The most commonly cited security messages InterAction MOSS. The InterAction MOSS encompasses cover a range of issues, including: five main areas: • Incorporation of threat/risk assessment processes in 1. Organisational Security Policy and Plans. country-specific security plans. 2. Resources to Address Security. • Articulation of individual staff responsibility for carrying 3. Human Resource Management. out their work in a way that supports the organisation’s 4. Accountability. security efforts. 5. Sense of Community. • Guidance on acceptance, protection and deterrence strategies. From InterAction’s MOSS framework, researchers developed • Framework for determining acceptable and unaccept- a list of key security guidance points. The researchers added able risks to the organisation’s staff, assets and another 15 guidance points based on an initial review of image. documents received. In total, researchers checked each • Inclusion of situation analysis (political, economic, available document within each organisation for 85 items. historical, military) in local security plans. • Use of armed security. Two main tallies were used to determine the most and • Security incident reporting requirements and least commonly cited security messages. First, researchers procedures for individual responses to incidents. tallied up the number of times each item was mentioned • Movement and transportation, telecommunicationsm a n a g e m e nt in each type of document (security policy, manual or and contingency plans (security evacuation, medical training materials). The item was counted once even if evacuation). cited several times in the same document. The researchers • Sharing of security-related information with other also counted the number of organisations that mentioned humanitarian actors. the item in any of their materials. Based on a count of • Establishment of a headquarters crisis management both the number of times a specific item was mentioned plan. across all organisations, and the number of organisations • Agency response to hostage-taking and demands for that included it in any of their materials, the researchers ransom or protection money. were able to determine the most and least commonly cited security messages. Security management entails costs for staff, materials and equipment, insurance, training, assessments and communications. While investments in staff security are security policies are typically brief crucial, very few organisations in the review make explicit reference to Resources to Address Security (Standard 2) and highlight overall securitys e c u r it y in their materials. Guidance on budgeting for security and philosophy, important principles consideration of other resources may be included in other types of materials (e.g. programme planning and budget and key guidance points guidance). However, this is also likely to be a reflection of the difficulty many organisations still face in streamlining security costs into programme budgets. Key findings Most of the least commonly cited security-related messages Typically, organisations’ security policies are brief and are found under Human Resources Management (Standard highlight overall security philosophy, important principles 3). Like Standard 2, these include issues that might beh u m a nit a r i a n and/or key guidance points. Security manuals provide more covered by other materials within organisations, such as detail about policy implementation. Not all organisations personnel policies and procedures documents, or that have a distinct security policy. Since policy documents are would be considered in practice even if not documented. an important reference point, this could place staff at a However, the documents in this review indicate that many disadvantage in terms of internalising the content that is human resource management concepts have not been normally provided in a security policy, and in interactions mainstreamed into formal security guidance. These include: with host governments, donors, local leaders, community members and other staff where security management • Consideration of threats to national staff incorporated questions arise. into staffing decisions (e.g. whether to fill a position with national or expatriate staff ). Researchers found that the majority of organisations • Security awareness incorporated into all job in this review devote most security material content to descriptions. Organisational Security Policies and Procedures (Standard • Inclusion of efforts to anticipate emerging security 1). This is not surprising insofar as it is the most developed threats that could warrant additional security duties. exchange humanitarian 12