Whose risk is it anyway? Linking operational risk thresholds and organisational risk management

Aid agencies have worked hard in recent years to professionalise security management, including the provision of training for staff at headquarters and in the field and the formalisation of the risk management process. This article is part of a larger European Interagency Security Forum (EISF) research project to support NGO security management by documenting the risk acceptance process. It argues that programme managers should adopt a broader understanding of risk in order to contribute to flexible, organisation-wide judgements of risk exposure. To recognise risks effectively and engage with strategic decision-making, managers must understand what is at risk,[1] not just for field staff and programmes but for the organisation as a whole.

Establishing ‘risk attitude’[2]

Aid agencies operating in complex, high-risk environments have to balance the humanitarian impact of programmes with the duty of care they have to their employees and associates. The way an NGO manages risk depends heavily on the organisational mission and culture. This attitude to risk should be clearly explained to staff so that personal levels of risk acceptance may also be defined. Whilst some agencies do not consider that their activities pose high risks to staff, others follow UNHCR in explicitly recognising the risk of serious harm and even death, arguing that the humanitarian imperative renders this a ‘practical probability’. Competing moral imperatives of humanitarian impact and duty of care are complicated further by organisational capabilities, reputation, internal and external financial leverage, experience and judgement in the field and decentralised decision-making. 

Aside from a conscious acceptance of risk, ‘risk creep’ may occur. In Chad, the Central African Republic and Darfur, for example, agencies may tolerate an extremely high risk of armed robbery and carjacking. Predefined trigger events can rarely be absolute, and adaptation is necessary in dynamic contexts. At the same time, however, it is unclear the extent to which this process is conscious and consistent, and how risk attitude is communicated to international and national staff, partner institutions, beneficiary communities and donors.

Tools without process

Many humanitarian agencies freely admit that, while context and risk assessment frameworks are in place, understanding of their own internal workings, and of thresholds of risk, is incomplete. The risk acceptance process remains fluid, context- and personality-driven and lacking in documentary support. Risk attitude is seen as intuitive, driven by case-by-case decisions taken in the field or at the regional or head office, depending on the severity of the event. During the first presidential elections in Afghanistan in 2004, for instance, some NGOs based their acceptance of risk partly on an assertion by senior staff that the situation was no worse than in Mogadishu in 1992, or other contexts they had worked in. Every worst-case scenario mapped out had been surpassed, yet the acumen of managers, based on current context analysis as well as transferrable experience, enabled agencies to continue operating. Depending on the context, this level of fluidity may be central to achieving humanitarian objectives. However, the constant re-evaluation required in dynamic situations must be documented, transparent and adaptable.

The basic technical steps involved in accepting or rejecting risk are:

1. Establishing the external threats; evaluating internal structures and vulnerabilities.
2. Evaluating the risk mitigation process; documenting the measures taken to mitigate risks and expected outcomes.
3. Determining the capacity of staff to manage the residual risk.
4. Documenting the humanitarian impact of programmes, and whether this warrants accepting the residual risk.

Where documentation of these steps is complete and satisfactory, programmes can usually go ahead. Risk assessment tools such as the impact-probability matrix are employed to document the internal and external contexts, arming programme staff with a snapshot of known threats and prompting frequent communication with local contacts and situational monitoring. These tools do not easily incorporate uncertain risks such as terrorist attacks, and encourage a heavy focus on singular threats (such as theft, armed attack or road accidents) and the organisation’s ability to reduce the likelihood and/or consequences of these threats, rather than systemic risk (cumulative threats weighed against organisational capacity, structural weaknesses, financial and reputational pressures, etc.). A narrow focus at the dynamic technical level, or poor communication of the organisational risk attitude, can lead to inconsistent risk acceptance processes and a lack of synergy between operational risk judgement and strategic decision-making.

Layers of risk attitude

Case studies reveal that who makes the decisions at which level of the organisation has a substantial impact on the content and outcome of the technical risk assessment steps described above. The higher the organisational risk the higher the levels involved in the decision-making process. For this reason, we distinguish between risk attitudes at different levels. Definitions for operational and organisational security offered by People in Aid provide a framework for these distinctions: 

• Operational definition of security: ‘NGO security is achieved when all staff are safe, and perceive themselves as being safe, relative to an assessment of the risks to staff and the organisation in a particular location.’
• Organisational definition of security: ‘NGO security is achieved when organisational assets are safe and when the organisational name and reputation are maintained with a high degree of integrity.’[3]

The basis for decisions will also affect the trajectory of the risk acceptance process. Calculations prompted by trigger events are relatively ill-defined. On a short-term basis, gut instinct is employed as a measure of the severity of threats and the level of humanitarian impact. External influencers include the actions and recommendations of other NGOs, the UN and host governments, the potential risk transfer to national staff and partners and prospects for returning to the area of operation. Swift, incident-based organisational withdrawals from Pakistan and Afghanistan have been described in this way.

Calculations that are not immediately related to specific threats or security incidents are more likely to involve a sophisticated approach, in which standard operating procedures are central. It is useful to think of such calculations in terms of parameters of risk rather than of security. Deciding when to withdraw is a process of continuous risk assessment and mitigation, and largely involves a gradual reduction of activity or visibility. Good identification and communication of changes in the operating environment has allowed agencies to return to full programming in contexts as diverse as Iraq, the Democratic Republic of Congo and Zimbabwe.

Decision-making

The decision-making process hinges on several factors that may adversely affect risk management. Wide consultation and inclusiveness – firmly led by senior and middle managers – is important for NGOs, particularly when returning to a country or project area. Having an effective structure in place, and commitment at all organisational levels, will prepare agencies for uncertainty in a way that predefined risk reactions and decisions cannot. Yet provisions for ensuring this are often unclear. Depending on organisational structure and operating mode, communication can be problematic. Relations between country or project bases and head offices may be hindered by remoteness, misunderstanding of either the local context or the big picture and conflicting interests.

In one example, a Country Office in the Philippines managed by national staff came under pressure from Head Office to revert to standard operating procedures and push project activities further into the field. The Country Office felt that emergency standards were still appropriate due to the political and military situation, together with the organisation’s profile locally and popular perceptions of a rich, Western-driven entity. In this case, a regional security manager mediated between the two loosely connected Offices to emphasise the potential harm to staff if sophisticated field operations resumed. Since the Country Director’s leverage with senior managers was limited, this negotiation process was vital in ensuring that project staff were not exposed to unacceptable levels of risk.

Structured provisions within security policies and plans for consultation are required, a process that should be documented and monitored as rigorously as risk decisions and supporting evidence.

Personality and experience

Personality and experience can encourage the devolution of authority and deviations from risk management policy. In an evacuation from Goma in 2008, the appropriate Desk Officer was rapidly deployed, and a Security Management Team set up to liaise with the Head of Operations. Despite the hierarchical nature of the organisation, authority was devolved to the Desk Officer, who possessed considerable experience within DRC and had close links to local political and social actors. The Desk Officer’s decision to withdraw was communicated to regional security managers, and the role of the Management Team was in this case to confirm and document the decision. This level of decentralisation is necessary in dynamic contexts, but possible only when an organisation has full confidence in the experience and judgement of staff further down the organisational hierarchy, and where staff are relatively forceful and prepared to accept high levels of responsibility for tough decisions. Far greater organisational guidance on risk attitude is called for in contexts where staff are less experienced or proactive.

Regardless of organisational structure, it may be difficult to reconcile operational risk assessments, funding requests for security measures and the desire to prolong programmes for reputational or financial reasons. Middle ground can be hard to find when short-term technical or operational logic meets long-term programmatic and organisational priorities.

Operational risks in organisational context

The examples given here illustrate the need for aid agencies to develop processes for risk acceptance and rejection that are consistent, accurate, transparent, participatory and unbiased by self-interest. Risk attitude must be systematic and driven by senior management, yet embraced by staff at all levels, enabling them to respond flexibly to both routine and unforeseen challenges. A broader conceptualisation of risk could facilitate this flexibility. To engage with programme managers appropriately, security advisers should consider equipping themselves to analyse both the internal and external environment, weighing operational and organisational risks against programmatic impact and strategic priorities.

For practitioners of humanitarian security, an organisational culture of awareness and exchange is sought over and above rigid frameworks or lengthy policy documents. Programme and security managers may therefore want to concentrate on formalising the risk acceptance process, rather than adding to the supporting literature. Transparent consultation and decision-making structures are required, which are well-documented and instilled in staff on the ground.

The process of establishing and acting on risk attitude is not readily defined. NGOs work in complex and dynamic environments; they comprise a multitude of values, perspectives and interests, and judgement of risk depends heavily on the mission, programme outputs and capacity. Documenting internal and external operating contexts and humanitarian impact through robust monitoring and evaluation can aid project-level decision-making. When defining risk parameters for organisational portfolios, though, agencies need to consider systemic risk and overall exposure. Despite progress towards professionalisation, work remains with respect to applying clearly defined structures and processes to the management of humanitarian risk.

Oliver Behn (eisf-coordinator@eisf.eu) is EISF Coordinator. Madeleine Kingston (eisf-research@eisf.eu) is an EISF Researcher. This article is based partly on interviews and internal documents provided by security practitioners, as well as discussions held at various NGO fora. It also draws on risk management principles introduced by the International Standards Organisation (ISO). EISF recognises the pivotal role of the Security Management Initiative (SMI) in promoting awareness and understanding of ISO standards. EISF would like to thank Maarten Merkelbach in particular for his invaluable input and contribution to the interpretation of many of the issues raised.

References and further reading

A. Carle and H. Chkam, Humanitarian Action in the New Security Environment: Policy and Operational Implications in Iraq, HPG Background Paper, 2006, www.odi.org.uk/resources/download/294.pdf.

Paul Davies, ‘Mainstreaming Security Management’, Security Quarterly Review, no. 1, Spring 2005, www.redr.org.uk/objects_store/SQR%20Issue%201.pdf.

Pierre Gassmann, ‘Rethinking Humanitarian Security’, Humanitarian Exchange, no. 30, June 2005, www.odihpn.org/report.asp?ID=2721.

International Organization for Standardization, ISO 31000: Risk Management – Principles and Guidelines, 2009. See also the related ISO Guide 73:2009 – Risk management vocabulary. Both documents were developed by the ISO Working Group on Risk Management; they are available at http://www.iso.org/iso/pressrelease.htm?refid=Ref1266.

People in Aid, Promoting Good Practice in the Management and Support of Aid Personnel: Policy Guide and Template for Safety and Security, 2008, www.peopleinaid.org/pool/files/publications/safety-security-policy-guide-and-template.pdf.

[1] Phrase attributed to previous discussions with Maarten Merkelbach of the Security Management Initiative (SMI).

[2] ‘Risk attitude’ is defined by the International Organization for Standardization (ISO) as ‘an organization’s approach to assess and eventually pursue, retain, take or turn away from risk’. International Organization for Standardization, ISO 31000: Risk Management – Principles and Guidelines, 2009.

[3] People in Aid, Promoting Good Practice in the Management and Support of Aid Personnel: Policy Guide and Template for Safety and Security, 2008, www.peopleinaid.org/pool/files/publications/safety-security-policy-guide-and-template.pdf, p. 6.