Organisational risk management in high-risk programmes: the non-medical response to the Ebola outbreak

In September 2014, five aid workers from a local NGO were disposing of dead bodies in Forécariah, western Guinea. The human remains, believed to be of Ebola victims, needed to be collected and buried following a special procedure to avoid spreading the disease, which had already killed 430 people in Guinea alone. Humanitarian agencies had taken over the family burial ritual in what had become a hazardous job, and not only for the risks of contracting Ebola when handling the bodies. As the team was working in the area, a hostile crowd attacked them. A week earlier, in Nzérékoré, 530 miles from Forécariah, a national staff member working for an international NGO was killed in a mob attack during an Ebola education visit. Until these attacks Guinea had not registered any serious incidents against aid workers for 14 years. The data and information on the incidents described in this article have been taken from the Aid Worker Security Database (AWSD), a project of Humanitarian Outcomes. AWSD is available online at www.aidworkersecurity.org and www.humanitarianoutcomes.org/awsd. Data is up to date as at the time of writing in mid-February 2015.

These unfortunate (and almost isolated) events in Guinea illustrate two key points about how the Ebola outbreak challenged aid agencies’ traditional organisational risk management. The Ebola response was a high-risk programme, but not a high-risk context. Traditional checklists for high-risk environments did not fit here. First and foremost, non high-risk countries where agencies have been operating for years were now posing new and sudden safety and security challenges. Second, not only healthcare workers (understood as doctors, nurses and other medical personnel) but also community liaison staff and anyone perceived to be working in the Ebola response were facing increasing difficulties in gaining safe access to affected communities. Ebola was also raising safety and security issues for any aid organisation working in the affected areas, even if not working directly in the Ebola response.

This article looks at the organisational risk management capabilities of non-medical humanitarian agencies responding to the Ebola outbreak, and how they adapted their risk management policies in a high-risk programme in a low-risk context. It draws on interviews with four security and risk managers from non-medical aid agencies, and supporting information from the European Interagency Security Forum (EISF) working group for security managers and focal points.

The security situation in Guinea, Liberia and Sierra Leone

Figures from the Aid Worker Security Report 2014 reveal a staggering rise (66% increase over the previous year) in attacks against humanitarian staff. In total, 460 aid workers were victims of targeted violence in 2013; 155 lost their lives, 171 were seriously wounded and 134 kidnapped. Humanitarian Outcomes, Aid Worker Security Report 2014, p. 3.  Three-quarters of all attacks in 2013 took place in just five countries: Afghanistan, Syria, South Sudan, Pakistan and Sudan. Most of the victims (87%) were national staffers providing aid within their own countries, and employed either by international or national organisations.

Compared to other regions and countries, the level of deliberate violence against aid workers in Guinea, Sierra Leone and Liberia, the countries most affected by the Ebola outbreak, has been low. The combined figures for the period 1997–2013 show 17 serious incidents (Pakistan alone accounts for the same number of serious incidents in a single year, 2013). Prior to the Ebola crisis the most recent serious incident registered in the region dated back to 2010, when a local employee of an international organisation was ambushed at night while travelling in a commercial vehicle. Between 1997 and 2013, ten aid workers were killed across Guinea, Sierra Leone and Liberia, eight of them national staff. Six aid workers were wounded, all nationals, and 13 kidnapped. Eleven of these victims were international staff, and six were abducted in the same incident in Liberia; they were released unharmed after two days in captivity.

Although incident statistics help in understanding the context where aid workers operate and the risks they face, these figures should be taken as a starting point for deeper analysis. Documenting violence against aid workers is a difficult exercise and a small number of incidents does not mean that a country is not dangerous. A high number of violent attacks may merely reflect a higher number of humanitarian personnel in the country, or a more robust reporting system. It is also worth noting that attacks against national aid workers are less reported and violence against international staff usually makes more headlines.

For most organisations, Guinea, Liberia and Sierra Leone were considered family postings prior to the outbreak. The identified threats were mostly common criminality, road accidents, abuse of power, social unrest and infectious diseases like cholera. During the Ebola crisis, with the exception of the cases mentioned in Guinea the security situation has remained relatively stable and no serious incidents were registered. While some organisations experienced threats to their staff these never materialised, and on only one occasion – also in Guinea – were programmes temporarily suspended.

The Ebola crisis: an internal look at the non-medical response

The safety and security of staff is becoming a key concern for aid agencies, not least given the recent increase in deliberate attacks against humanitarians. Most international organisations follow a similar pattern when they assess whether they should respond to a humanitarian crisis: senior management at headquarters makes the call for action, then security managers and advisors are consulted on how to implement programmes safely. Depending on the organisation’s risk culture and appetite, and the operational context, headquarters security managers and advisers may be involved to a greater degree in the decision-making process. The Ebola outbreak was different: the Ebola response was a high-risk programme, but not a high-risk context. Traditional checklists for high-risk environments did not fit here.

All individuals interviewed for this article reported that their organisations had well-established programmes in Guinea, Liberia and Sierra Leone before the outbreak, although in one instance one of the organisations was scaling down operations prior to the crisis. When the outbreak started to show signs of following a different course than previous outbreaks in West Africa, and the situation started to be closely monitored by agencies on the ground, the question at headquarters level for non-medical organisations was whether to stay or leave. Emergency responses generally have a quick decision-making process that may leave out the security component. However, in the case of the Ebola response the reputational and individual risks for non-medical organisations were so alien that the decision to continue or adapt programmes was only taken after robust risk assessments at headquarters. How would the organisation handle the media and liaise with families if a staff member was infected? Would it be possible to get medical treatment or evacuation in the event of a road accident or a medical emergency not related to Ebola?

In most cases these assessments involved consultations with senior managers in logistics, finance, human resources and security. In many organisations these consultations were delayed as many agencies initially turned to the human resources department as the division generally responsible for dealing with health and safety risks. Only when senior managers realised that the Ebola outbreak required a more holistic internal response did security managers come into play. Senior managers recognised that security managers do not only ‘do security’, but actually understand how to manage risks.

Once the decision was taken, mitigating measures for different risks, including physical security, medical and reputational, were considered together as part of an overall risk management approach, rather than trying to tackle them separately. Many non-medical organisations implemented new safety and security protocols and revised existing policies and contingency plans, notably insurance and medical evacuations for non-medical responders. How internal protocols were adapted differed according to the programmes, needs and resources of each organisation, for example using returning travellers to brief headquarters and outgoing staff and employing specific Ebola programme risk managers. Many organisations held consultations with medical agencies such as Médecins Sans Frontières, national Red Cross societies and national public health ministries.

An interagency Ebola working group for security managers and focal points was set up by EISF to share information on the issues faced in the early days of the outbreak and ways of dealing with them (e.g. details of European Union (EU) contact points in case of medical evacuation). Much of the discussion was around how to deal with the fear caused by perceptions around Ebola, such as contagion risks to other staff and family of people travelling in the affected region. Internally, working groups were also put in place at headquarters to engage different organisational divisions. Generally, both internally and externally the Ebola response was tightly coordinated.

Organisations that had the resources recruited additional dedicated field staff with responsibility for safety and security. However, some organisations did not find it easy to recruit qualified non-medical personnel willing to work in the response. As mentioned earlier, the security situation remained generally stable, and bearing in mind that Guinea, Liberia and Sierra Leone were not complex environments – as opposed to Nigeria, for instance – the biggest concerns were around safety and staff health. Job descriptions and person specifications for security managers shifted towards a stronger safety and health background. In the early days of the Ebola outbreak security managers had to address a variety of risks, from new risks to staff travelling to the region on day-to-day organisational business to the continuity of non-Ebola response projects and managing perceptions of staff being deployed to Ebola-affected regions – including returning offices wanting to isolate personnel coming back from deployment in the area.

Health is usually a diluted function that falls into different teams and positions. With public health systems collapsing in the region, some organisations had to allocate dedicated personnel responsible for staff health in country, although in most cases organisations were also liaising with national systems in Europe to seek medical advice to prevent infection, and coordination and planning advice in case of infection. On the ground, health and safety training was put in place for all staff working in the response, including security personnel such as guards and watchmen. Other safety risks had to be assessed, including the risk of fire from inflammable equipment.

Looking forward: integrating risk management into programming

The Ebola outbreak challenged the organisational capabilities of both medical and non-medical humanitarian agencies in many different ways. From the operational capacity to deliver programmes that could help health workers stop the spread of the disease to the moral dilemma of responding to communities in need at high risk not only for the health and safety of staff, but also for the organisation’s reputation in case of infection, the Ebola response required a different approach to dealing with the threats, one that took an organisational, proactive approach to identifying and managing a variety of risks, rather than compartmentalising programme, health and security risks and dealing with them separately.

Even if it proves difficult to replicate, integrating security risk management into future responses from the outset of programmes, and as early as the initial decision-making process, may now be a step closer. As the number of new cases falls in Guinea, Liberia and Sierra Leone, a positive outcome of this initially slow response may be a sweeping organisational change that integrates security risk management into all programming stages.

Lisa Reilly is the Executive Coordinator at the European Interagency Security Forum (EISF). Raquel Vazquez Llorente is a Researcher at EISF.