Risk Assessment and Management
How to assess and manage risk
Rights organisations often send staff members abroad to investigate human rights abuses, monitor trials or collaborate with a partner organisation on the ground. In some cases, investigations or campaigns in the organisation's home country will pose new threats to its operations and staff members, which will require new security practices and policies. It is important that all staff involved know what the potential hazards are and how to avoid them.
A risk assessment allows an organisation to ensure staff are well aware of the risks as well as the strategies to prevent or avoid such risks. A risk management policy also outlines the roles and responsibilities of both the organisation and the individual staff member in responding to real and potential danger. It is also important for organisations to develop strategies to protect vulnerable individuals they may contact for information or advice. This guide, and the attached step-by-step article for performing risk assessments, will help organisations ensure security measures are adequate and effective on the ground.
Performing a risk assessment
A risk assessment is the process whereby an organisation identifies threats, assesses the risk level associated with those threats and determines ways to avoid high-risk hazards. A risk assessment should be performed before a risk management policy is developed and before a project commences. As the nature of an organisation's work evolves, and as political situations change, organisations will need to reassess risks, adapt mitigation strategies and make decisions accordingly.
Establishing a risk management policy
A risk management policy should be clearly communicated to senior level staff as well as all staff who are involved in a foreign mission or high-risk operation at home. This policy should include:
- The organisation's safety principles. These principles are general statements that reflect basic safety values. NGOs should communicate that staff will be supported for making decisions that prioritize safety, even if this means refusing a task due to the real or perceived risks involved. It should be made clear that the ultimate responsibility for an individual staff member's safety lies with that individual. In addition, security principles should emphasise that actions and decisions should aim to also prioritise the safety of individuals who provide information or support to the organisation. This is particularly important when considering the security of local contacts whose safety may be compromised by the actions and decisions of people unaware of local contexts.
- An overview of the current security situation in the region and, if possible, the suspected future evolution of the situation.
- A summary of the actions taken by the organizational management to reduce risk to individuals on the ground.
- An explanation of the actions that staff members are expected to take to reduce risk to themselves and others. To assist staff traveling abroad, these actions should be divided into those required pre-departure (vaccinations, for example), immediately upon arrival (registration with an embassy, for example) and during the mission.
- General advice on conduct staff members should follow to minimize risk. Staff members should be required to report any threats they encounter as well as any incidents that affect the security of the organisation's staff, property, information and those involved in the organisation's work.
- Arrangements to be put in place by the organisation/individual regarding insurance (professional indemnity, property and medical).
- A list of contact information for individuals who will help to ensure safety of staff and other individuals. This list should clearly define each individual's role and responsibilities.
This security policy should be provided in written form to all staff members involved in the operations. An organisation should also verbally go through the policies in a safety training orientation, where staff members can ask any questions about the security measures put in place.
Appointing security officers
Many organisations find it helpful to delegate one or two individuals within an organisation to oversee security management. In the case of a foreign mission, it is often ideal to have a go-to person on the ground in the foreign country as well as a security officer at headquarters who can support the field coordinator. A security officer oversees risk assessments and risk management policies, in addition to creating exit and contingency plans. The person assigned to this role should also assist staff members in implementing personal safety measures and respond appropriately to threats as they arise. It is important that the security officer(s) be available on-call to respond to emergencies. Contact information for all staff members, including their relatives, health requirements, address in the field and other important personal information, should be securely kept by the security officer and be accessible to other members of the organisation in case of emergency. The security officer should communicate to all staff when an incident has occurred that signifies a threat to safety or when a new danger has arisen; such communications should detail prevention strategies. Finally, in high-risk situations, it may be important for all staff members to notify the security officer of the location and time of interviews and other activities that could pose risk.
Minimising risk to vulnerable persons
The risks to people an organisation interviews, seeks advice from, stays with or otherwise comes in contact with are often not as easy to predict as the risks to staff. In some cases, local guides, translators and interview sources face higher threats than on-staff members because they are easier targets. Mitigating the risks to vulnerable people requires individuals, on the one hand, to respond to the threats as perceived by the individual and, on the other hand, to recognise threats that the individual themselves may not be aware of. In the first instance, in the interest of trust, respect and safety, an organisation should always address the vulnerable person's concerns, including fears of social stigma, and follow the person's cue on where/when/how to meet, etcetera. At the same time, individuals may not always be aware of the threats they face and rights advocates should be sure to consider threats not identified by the individual. A best practice is to interview individuals in private, away from potential informants; however, in cases involving children, it may be important for a trustworthy adult known to the child to be present. In almost all cases, staff members should not interview detainees unless the interview is guaranteed to be unsupervised by guards or security officials. When meeting individuals in person, always ensure that they have safe access to and from the chosen locale.
At the same time, it is important for NGO staff to communicate the limits to the security they are able to provide, as well as the limits to the help they can offer regarding asylum seeking applications and other professional and legal aid. Individuals may place false hopes in international NGOs in terms of what the NGO can provide them. Since these false assumptions increase the likelihood that individuals will prioritise providing information over their own safety, staff members should be trained in clearly communicating the benefits and potential costs of participating in the NGO's work.
Creating emergency response plans
Every organisation should have emergency response plans in the event of political violence or other possible major calamities. Staff members should know what they should personally do in an emergency scenario, even if they are not versed in the full details of the plan at an organisational level. At the security orientation stage, an NGO should clearly communicate to all staff members where they should go in case of emergency, and provide several alternate destinations if that location becomes unsafe. In foreign missions, emergency plans often focus first on gathering staff in a secure location within the country and then, if necessary, on ensuring the secure exit of staff. When developing emergency response strategies, the following points need to be considered:
- contacts to be made at various stages in the implementation of the plan (for example, to embassy, border or government officials)
- driver and vehicle requirements
- process for contacting relatives
- chains of contact to ensure all staff members are notified about the plans, especially in large deployments
- documents required (including necessary contact numbers, list of staff members, etcetera)
- food and water requirements
- location of valuable documents, laptops, etcetera that organisations may need to take
- buddy systems for staff members
Emergency plans should ideally be created by security officers, with input from the organisation's staff, partner organisations, on-the-ground NGOs and possibly UN or embassy officials. Emergency plans should account for various contingencies, including alternative exit points, alternative road routes, meeting places and so on. In other words, in addition to a Plan A, it is often important to have a Plan B, C and D in mind. While emergency response plans should be overseen and implemented by the security officers, other members of the organisation should be well versed in the plan and should be on hand to implement it if required.
An organisation with a large staff deployment that is engaging in sensitive investigations or political activity in insecure areas may require more comprehensive and detailed risk assessments, security policies and security oversight staff than are included in this document. When developing a risk assessment and security policy ahead of a new mission, organisations may wish to consult experts in the field as well as additional online resources. Some useful links are provided to guide organisations in this regard.
Note that some of these sources use different approaches and terminology than those employed in this guide for assessing and responding to risks.
Training Manual on Human Rights Monitoring (OHCHR):
(go to no. 7 under 'Human Rights: A basic handbook for UN staff' and read chapter 24 on security)
Security Risk Analysis: NGO Approach (InterAction Security Unit and USAID):
Using the Likert scale to assess risks (NGO Security Blog):