A decade on: a new Good Practice Review on operational security management
by Adele Harmer, Humanitarian Outcomes June 2010

A decade ago, only a handful of agencies were aware of and seriously considering the challenges posed by operational insecurity. At the time, few international or national organisations had designated security positions or policies on how to manage the risks of violence against their staff and operations. The impact of high-profile attacks such as the 1996 assassination of six ICRC workers in Chechnya spurred a number of international aid organisations into action. A collaborative learning initiative on security issues resulted in the earliest interagency security training, as well as the first edition of the Good Practice Review on Operational Security Management in Violent Environments (also known as GPR8). GPR8 introduced core security management concepts and highlighted good policy and practice in operational security in humanitarian relief efforts. It became, in the words of one user, ‘our Security 101. It was the primary reference – our go-to guide’. 

Since the publication of GPR8 a decade ago, the global security environment has changed significantly. New conflict contexts involving intervening Western powers fighting against armed insurgent forces have created new sources of threat to international humanitarian action.  Increasing violence against aid workers and their operations, including more kidnappings and lethal attacks, has had serious implications for humanitarian relief work in insecure contexts. In some circumstances attacks have been increasingly politically motivated. This growing violence has generated a deeper awareness of the security challenges faced by operational agencies, giving rise to new adaptations and strategies in security management. Despite or perhaps because of the fact that the GPR8 was still being well utilised, HPN decided that it was time to review and update the manual to reflect these changes in the operational and policy environment.

The new GPR – what’s changed?

In the last ten years major progress has been made in the professionalism and sophistication of humanitarian security management and in interagency security coordination. GPR users interviewed felt that the revised edition could usefully reflect these advances, while at the same time stressing that much of the original volume remained valid. We were careful therefore not to start from scratch, but to add detail to practices that had become more sophisticated over time, to nuance areas that were previously misunderstood or needed elaboration, to trim what was outdated or no longer useful and to highlight areas where practice in the field and at headquarters has evolved. The GPR covers over 25 topics in security management. Here we highlight five.

Risk assessment

A proper assessment of risk is a critical component of good practice in security management, and is an area where aid organisations have advanced significantly in recent years. The risk assessment chapter in the revised GPR is an attempt to take the complex subject of risk and provide a simple, practitioner-oriented guide to the stages of analysis that need to be undertaken, including programme and criticality assessment, threat and vulnerability analysis and a workable methodology for approaching a risk assessment. It considers how to identify different threats and risks for national staff as compared to expatriate staff. It examines the issue of risk transfer and highlights ways to mitigate this, both with an agency’s own staff and with partner agencies. It also discusses the difficult task of identifying a risk threshold and determining what constitutes acceptable risk – both at the organisational and individual level.

In our interviews, ‘danger habituation’ was an area many agencies thought particularly challenging. As one interviewee working in Darfur, Sudan, noted: ‘Some advisers came from headquarters and told me that they wouldn’t visit again if things didn’t tighten up (because they felt insecure themselves), so that was a wake up call’.  The tendency not to reinforce security measures until after an incident has occurred is still widespread. The GPR argues that any decision to accept a greater level of risk requires external oversight and would only be justifiable if security measures have been significantly strengthened and improved, and that those staying in high-risk environments can manage the stress and have properly reassessed their personal threshold of acceptable risk.

Security strategy

The first edition of GPR8 identified three broad security approaches shaping an organisation’s security management strategy, namely ‘acceptance’, ‘protection’ and ‘deterrence’. These concepts were presented as a so-called security ‘triangle’. The triangle model was not meant to imply that an aid agency simply decides, at an institutional level, which approach is preferable (or where the agency ‘sits’ on the triangle) and conducts its operations accordingly. The reality is much more fluid. These approaches are often used in combination, and will vary according to local security cultures and conditions.

The revised GPR abandons the concept of the triangle in order to avoid this confusion, but maintains a focus on these three core security approaches and invests in a detailed analysis of good practice measures. In particular, there is a more comprehensive examination of the means to implement an ‘active acceptance’ approach. The GPR stresses that acceptance cannot be assumed; it has to be won and maintained. It also recognises that, since acceptance was first analysed in the 2000 GPR, it has become much harder to achieve. Whether, when and from whom acceptance can be gained is now a serious operational question. The GPR outlines the key components of an acceptance approach and offers some possible indicators of how to measure the extent to which acceptance has been achieved. It also considers the practical implications of acceptance, including how much it costs and the administrative and human resources required. The GPR also details deterrence and protective approaches, including ‘low-profile’ programming, and highlights the key issues an agency should consider before and while using armed protection.

Remote management

Remote management has entered the lexicon of humanitarian security discourse in recent years. The position is usually a reactive one and comes about due to poor or deteriorating security conditions or other restrictions in the operating environment. It is increasingly being used in high-risk environments, and thus it was introduced as a new topic in the GPR, along with the options of evacuation, relocation and hibernation. Remote management involves withdrawing international staff or other categories of staff from the programming location, and altering management structures to give more responsibility to national and local staff remaining in situ, or forming new operational arrangements with local partners.

Because remote management sometimes occurs gradually, as security conditions deteriorate, many agencies do little planning and preparation for it. The GPR highlights possible triggers or indicators for agencies to consider, and points to good practice examples where the need for remote management programming can be recognised in advance and appropriately planned for. It also highlights the types of training, resources and other measures that can contribute to more effective and secure remote management programming.

Managing security collectively

Security coordination has never been an easy operational pursuit. As one interviewee noted: ‘The majority of collaboration remains the preserve of the security officer in the bar or with a select group of contacts. It is shared under Chatham House rules with people unwilling to share details.’ The GPR explains the critical importance of sharing security information both within and between agencies. It takes the reader through a step-by-step process of incident reporting, including what counts as a reportable incident, what information should be included in an incident report and the common problems found in incident reports.

On the issue of interagency coordination, the GPR recognises that, while there are many reasons why information-sharing might need to be informal, there are significant benefits in establishing and supporting formal interagency security mechanisms. In terms of practical measures, the review highlights financial and human resources, as well as operational assets such as vehicles, communications and IT equipment.

 Developing a security culture

From the outset, the GPR clearly states the need for security management to be integrated across the organisation, and not treated as an ‘add-on’ or a luxury. While this is not a new topic, only in recent years have organisations begun to realise that developing a security culture poses one of the most significant challenges.[1] Much of the focus in security management tends to be on specific operational needs, such as security policies and plans. Yet there is also a need to take a step back and look at how to develop a culture of security within the organisation, including developing capacity.

The GPR highlights that good practice in security management is closely linked with, builds on and reinforces good practice in programme and personnel management more broadly. These are not separate tasks and workloads; there is an important positive multiplier effect. Good programme management requires an understanding of the operating environment and the impact of the agency’s presence and its work, building good relationships, managing international and national staff well and collaborating effectively with other agencies. In other words, it reinforces an active acceptance strategy. The GPR details multiple ways in which security can be treated as a staff-wide priority, and the possible options for ensuring accountability.

 The 2010 GPR

The GPR will be released in a very different climate to that of 2000. The threats aid operations face today are far more frequent and challenging than those identified a decade ago. Equally, though, there has been significant progress in organisational appreciation of the risks faced and the types of personnel and assets needed to mitigate them. The GPR will no longer be the sole document on an operational manager’s bookshelf. For some readers it will be squeezed in amongst a much wider operational security literature, as well as specific agency guidelines and protocols. We hope nonetheless that it will remain an important reference and perhaps a benchmark, and that it will serve both those who directly oversee operations in violent environments in the field, and those who support them.

The GPR will be released in English in September and in French and Spanish in December 2010. It will also be found in a user-friendly format online here. As a multi-language resource, we hope it will be widely read and that it will contribute to increasing awareness and appreciation of good practice in security management over the next decade.

Adele Harmer is a Partner with Humanitarian Outcomes.


[1] Koenraad Van Brabant, Mainstreaming the Organisational Management of Safety and Security, HPG Report 9 (London: ODI, 2001).

Share
FacebookTwitterLinkedIn