Key security messages for NGO field staff: what and how do NGOs communicate about security in their policies and guidelines?

In recent years, staff security management within humanitarian organisations has developed considerably. Only ten years ago, many NGOs did not have full-time security officers, written security policies and guidelines or training programmes focused on the prevention and management of staff security incidents. Today the majority do. As the field expands, it is appropriate to look at how humanitarian organisations communicate to field staff about security issues. What key messages do staff receive about security management? What issues are less commonly addressed? How do organisations communicate these messages? To what extent are security messages and advice similar or different across organisations? What is the potential impact of these differences at field level?

These are some of the questions that researchers at the Center for Refugee and Disaster Response (Johns Hopkins Bloomberg School of Public Health) looked into during a recent review of humanitarian agency policies and guidelines. With support from the Bureau of International Cooperation of the International Medical Center of Japan (IMCJ), research staff undertook a document review with the following objectives:

1. Identify the most and least commonly cited security management messages NGOs are communicating to their field staff.

2. Determine the types of documentation that NGOs most often use to communicate key security messages.

3. Distinguish the points of commonality and divergence across organisations in the content of key security messages.

Security policy and guidelines review

Through InterAction and the European Inter-Agency Security Forum, research staff invited international humanitarian organisations to share their security policies, manuals and training materials for the purpose of the review. The review included the materials of 12 US-based NGOs, seven European NGOs and one Japanese NGO, all involved in the delivery of international humanitarian assistance. The documents included 20 security manuals, 12 policy/guideline documents and five sets of training materials. Many NGOs hire outside consultants and organisations for training and do not have original training materials. Because so few training materials were received, these were not included in objectives 2 and 3 above.

As a guideline, researchers used the InterAction Minimum Operating Security Standards (MOSS), including the Suggested Guidance for Implementing InterAction’s Minimum Operating Security Standards (2006) and The Security of National Staff (2002), referenced by the InterAction MOSS. The InterAction MOSS encompasses five main areas:

1. Organisational Security Policy and Plans.
2. Resources to Address Security.
3. Human Resource Management.
4. Accountability.
5. Sense of Community.

From InterAction’s MOSS framework, researchers developed a list of key security guidance points. The researchers added another 15 guidance points based on an initial review of documents received. In total, researchers checked each available document within each organisation for 85 items.

Two main tallies were used to determine the most and least commonly cited security messages. First, researchers tallied up the number of times each item was mentioned in each type of document (security policy, manual or training materials). The item was counted once even if cited several times in the same document. The researchers also counted the number of organisations that mentioned the item in any of their materials. Based on a count of both the number of times a specific item was mentioned across all organisations, and the number of organisations that included it in any of their materials, the researchers were able to determine the most and least commonly cited security messages.

Key findings

Typically, organisations’ security policies are brief and highlight overall security philosophy, important principles and/or key guidance points. Security manuals provide more detail about policy implementation. Not all organisations have a distinct security policy. Since policy documents are an important reference point, this could place staff at a disadvantage in terms of internalising the content that is normally provided in a security policy, and in interactions with host governments, donors, local leaders, community members and other staff where security management questions arise.

Researchers found that the majority of organisations in this review devote most security material content to Organizational Security Policies and Procedures (Standard 1). This is not surprising insofar as it is the most developed section of the MOSS. It is in this area that organisations provide specific, practical guidance about security in day-to-day operations. With two exceptions, all of the most commonly cited security messages are found under Standard 1. The most commonly cited security messages cover a range of issues, including:

• Incorporation of threat/risk assessment processes in country-specific security plans.
• Articulation of individual staff responsibility for carrying out their work in a way that supports the organisation’s security efforts.
• Guidance on acceptance, protection and deterrence strategies.
• Framework for determining acceptable and unacceptable risks to the organisation’s staff, assets and image.
• Inclusion of situation analysis (political, economic, historical, military) in local security plans.
• Use of armed security.
• Security incident reporting requirements and procedures for individual responses to incidents.
• Movement and transportation, telecommunications and contingency plans (security evacuation, medical evacuation).
• Sharing of security-related information with other humanitarian actors.
• Establishment of a headquarters crisis management plan.
• Agency response to hostage-taking and demands for ransom or protection money.

Security management entails costs for staff, materials and equipment, insurance, training, assessments and communications. While investments in staff security are crucial, very few organisations in the review make explicit reference to Resources to Address Security (Standard 2) in their materials. Guidance on budgeting for security and consideration of other resources may be included in other types of materials (e.g. programme planning and budget guidance). However, this is also likely to be a reflection of the difficulty many organisations still face in streamlining security costs into programme budgets.

Most of the least commonly cited security-related messages are found under Human Resources Management (Standard 3). Like Standard 2, these include issues that might be covered by other materials within organisations, such as personnel policies and procedures documents, or that would be considered in practice even if not documented. However, the documents in this review indicate that many human resource management concepts have not been mainstreamed into formal security guidance. These include:

• Consideration of threats to national staff incorporated into staffing decisions (e.g. whether to fill a position with national or expatriate staff).
• Security awareness incorporated into all job descriptions.
• Inclusion of efforts to anticipate emerging security threats that could warrant additional security duties.

• National staff trainers and national staff issues are included in security training curricula.
• Review of the organisation’s history, role, mandate and message included in orientation materials for national staff.
• General explanation and additional detail on request provided to staff about life insurance, health insurance, supplemental war risk insurance and compensation for work-related injuries.

Accountability (Standard 4) and Sense of Community (Standard 5) are both brief and have mixed coverage by most organisations in this review. Of the items found under Accountability, two are among those least commonly cited: staff evaluations to include security-related responsibilities, if any; and clearly stated consequences for violation of security policies and procedures. Articulation of the individual’s responsibility for carrying out their work in a way that supports the organisation’s security efforts is one of the items most commonly cited.

Under Sense of Community (Standard 5), there are also items that are most commonly mentioned by the NGOs in this review (i.e. information-sharing with other humanitarian actors as appropriate), and least commonly mentioned (i.e. taking steps to mitigate any negative impact of an organisation’s operations on the security of others). The latter occurs in the field in many, though perhaps not all, instances, even if not formalised in agencies’ security guidance. But there is little if any detail on how information-sharing about security-related issues should happen. Although different operating environments to some extent determine how this occurs in reality, more guidance on information-sharing might facilitate better security-related communication across organisations.

In terms of the review’s second objective – looking at which documents are used to communicate the key security messages – researchers found that the most commonly cited messages were in NGOs’ security manuals, rather than in security policies. As mentioned above, security manuals are often fairly detailed, while policy documents tend to focus on a few key issues or the general security approach of an organisation. Among the most commonly cited messages included in security policies specifically are an articulation of the individual’s responsibility to work in a manner that supports the organisation’s security efforts, clarification of the organisation’s position on the use of armed security, and emphasis on the inclusion of threat/risk assessment processes in country-specific security plans. Although researchers could not access the security training materials used by many NGOs, this is not to say that training does not occur. Indeed, NGOs continue to make significant investments in this area. However, the limited availability of training materials for review is likely to be a symptom of a somewhat scattered approach to security training, whereby some is done at headquarters, some is done in the field, some is conducted in-house and some done by consultants using their own materials. Anecdotally, there is a great deal of variation in how training is done, who is trained and what training content includes. It is not possible to comment on how this impacts on key training messages that field staff receive or the overall effectiveness of security training. This is an important area for further review.

Researchers focused on three of the most commonly cited security messages to investigate similarities and differences in interpretation across NGOs (objective 3 of the review). These were threat/risk assessment processes, frameworks for determining unacceptable risk and guidance on acceptance, protection and deterrence approaches. The review indicates that, while NGOs use similar definitions and frameworks for security assessments and security risks, there is considerable variation in the level of detail provided in how to undertake assessments. Staff at some organisations may receive additional detail on assessments through training, and seasoned staff may have a better sense of assessment implementation gained through experience. However, it is likely that even senior humanitarian staff are equipped with different levels of information on the purpose and practice of security assessments. Few NGO materials indicated that a security assessment is not a one-off exercise, provided guidance on determining the frequency of security assessments or discussed which staff to involve in the assessment process.

Most NGO security guidance highlights that not all organisations, nor all staff within the same organisation, have the same level of vulnerability in a given security environment. Based in part on different assessments of vulnerability, NGOs in the same situation sometimes make different security decisions based on their own interpretation of risk. This is to be expected, but it also highlights the need for good communication across organisations in the field since the decisions of one can affect the security of others. The review also found variation in the frameworks and terminologies that NGOs use for determining an unacceptable security risk, and when an organisation might suspend project activities or withdraw staff. Many but not all organisations have adopted a framework that uses either a risk matrix (plotting the probability of a security event against the impact of such an event if it occurs) or a variety of indicators to determine security levels, using categories such as low, moderate, high and severe. There is considerable variation in indicators used to define those categories and differences in security level terminology.

Sixteen of the organisations in the review refer to acceptance, protection and deterrence as the three main security management strategies or approaches. The definitions provided for these terms are similar across organisations, and most point to acceptance as the preferred approach. However, there is variation in the detail provided about what acceptance means and how to implement it as a security management approach. Many organisations provide a cursory description similar in nature to basic project management (e.g. building good relations with the community, impartiality and transparency). Few go into the more nuanced description of acceptance as a security management approach as originally outlined by Van Brabant in Operational Security Management in Violent Environments, and none provides indicators for implementing a successful acceptance-based strategy.

Conclusions

NGOs have made significant advances in efforts to prevent and respond to aid worker security incidents over the last few years. Having dedicated security staff, increased emphasis on training and the drafting of policies and guidelines are all important parts of this work. The review of 20 NGOs’ security documents shows a focus on key security messages mainly in guidance on organisational security policies and plans, while other areas, particularly resources for security and issues related to human resources, are less frequently cited. More detailed guidance on security-related communication between organisations could enhance effective information-sharing in the field and facilitate trend analysis across organisations. While we now have an idea of which security messages are most and least likely to be communicated to NGO staff, we do not know which communication methods are most effective, or the most common hindrances staff face in implementing policies. We could learn more through a systematic field-based review of security practices in relation to policies. As the security environment continues to change, NGOs will need to reassess the messages conveyed to staff and what impact these messages have in preventing and responding to security incidents.

Elizabeth Rowley is a Doctoral Candidate at the Johns Hopkins Bloomberg School of Public Health. Lauren Burns is Senior Research Assistant and Gilbert Burnham is Professor at the Johns Hopkins Bloomberg School of Public Health. A more detailed description of the research reported on in this article is anticipated in a future issue of the journal Disaster Medicine and Public Health Preparedness.