![Page 1: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/1.jpg)
NGOs and RiskHow international humanitarian actors
manage uncertainty
FEBRUARY 2016
Abby Stoddard
Katherine Haver
Monica Czwarno
An independent organisation providing research evidence
and policy advice to inform better humanitarian action
![Page 2: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/2.jpg)
2
Table of Contents
EXECUTIVE SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1Backgroundandobjectivesofthestudy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Policy synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Key-informant interviews.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Table 1: INGO interviewees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71.3Caveats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2. RECKONING WITH RISK IN HUMANITARIAN ASSISTANCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Figure 1: Risk categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2Haveriskstohumanitarianactorsactuallyincreased? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3. INGO PERCEPTIONS OF THE RISK ENVIRONMENT: NEW THREATS AND HIGHER STAKES . . . . . . . . 10
3.1 Evolvingthreatsandrisks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Figure2:Intermsofyourownorganization,doyouthinkithasgrownmoreorlessrisktolerant
(takingongreaterrisks)overtime? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Figure 3: Opinions on whether “INGOs have become increasingly risk averse” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.2Highest-impactrisks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4. RESPONSES IN POLICY AND PRACTICE: THE RISE OF RISK MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.1Riskmanagementmodelsandtools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.2Policydevelopment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Figure 4: Policy development in risk management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Figure5:Relativeemphasisinwrittenpolicy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.3Organizationalcoherence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.4 INGOaffiliationsandpolicyareas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.5Policyversuspractice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.6 Theroleofdonors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5. PRINCIPLES AND PROGRAM CRITICALITY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
6. CONCLUSIONS AND RECOMMENDATION FOR NEW POLICY GUIDANCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.1Recommendedpracticalproduct:Riskmanagementpolicybrief . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.2Prospectsforfurtherresearchandadvocacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
ANNEX 1. POLICY SYNTHESIS SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
ANNEX 2. PEOPLE INTERVIEWED . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
ANNEX 3. SURVEY RESULTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
![Page 3: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/3.jpg)
3
Executivesummary
Forhumanitarianorganizations,thepresenceofriskintheoperatingenvironmentcanforcedifficulttrade-offsbetweentheneedsofpeopletheyaretryingtoserveandtheneedtomitigatepotentialharmtotheirpersonnel,resources,andreputation.Whetherornottheriskstohumanitarianshaveobjectively increasedinrecentyears(andthereisevidencethattheyhave),moretothepointishowtheorganizations perceivetheirriskandhowtheseperceptionshaveaffectedtheirworkbydintofnewpoliciesand practices.Thesearethecentralquestionsofthisstudy,undertakenbyHumanitarianOutcomesonbehalfofInterAction,andfundedbytheOfficeofUSForeignDisasterAssistance(OFDA)andtheBureauofPopulation,Refugees,andMigration(PRM).
Focusingonaparticipant-samplegroupof14majorinternationalNGOs,thestudyanalyzesthecurrentapproachestoriskinhumanitarianactionthroughasystematicreviewof240relevantpolicydocuments,interviewswith96keyinformants,andaweb-basedsurveyof398humanitarianpractitioners.
INGOriskperceptions:Newthreatsandhigherstakes
ThefindingsrevealaninternationalNGOsectorwhosemajoroperatorsperceiveaheightenedlevelofrisk,particularlymanifestinthesame,roughlyhalf-dozenextremeenvironments:Afghanistan,CentralAfricanRepublic,Iraq/Syriaregion,Somalia,SouthSudan,andYemen.Theseconflict-drivenemergencieswithhighlypoliticizedinternationaldimensionstendtoinvolvemultipletypesofrisks—violence, corruption,diversion,andothers—whichcanalsobeinterlinkedincomplexways.
INGOrepresentativesoverallalsoperceiveaslightlyincreasedriskaversionamongtheirorganizationsandcounterparts(thoughtheyweremorecriticalofothersthantheirownNGOinthisregard). AmajorityofINGOstaffsurveyedagreed,atleastsomewhat,withthechargethathumanitariansare becomingmoreriskaverseingeneral,tothedetrimentofprogramming.
Responsesinpolicyandpractice:Theriseofriskmanagement
Inresponsetothenewandintensifiedriskstheyperceive,thisgroupoflargeinternationalNGOshasbeguntoadoptincreasinglysophisticatedandprofessionalized“riskmanagement”approaches,whichcovernotonlythetraditionalareasofsecurityandsafety,butalsofiduciary,legal,reputational, operational,andinformationrisks.Theybroadlyshareacommonunderpinningmethodology,borrowedfromtheprivatesector,whichsystematizestheassessmentofriskinallareasatallorganizationallevelsandbuildsinmitigationmeasures.NearlyallINGOsinthesamplegroup,13outofthe14organizations,havealreadyinstitutedorareintheprocessofadoptinganoverarchingriskmanagementframeworkofthistype.Theframeworksareatvaryinglevelsofdevelopmentanddetail,butthemostadvancedamongthemgenerallyincludeaglobal“riskregister”typeoftoolforanalyzingandprioritizingrisks andplanningmitigationmeasures.Thisisinturnconnectedtodecision-makingandimplementationproceduresaswellasfunctionsforfollow-upandauditprocesses.
Intermsofstafftimeandattention,themanagementofsafety/securityriskreceivesthemostemphasis,withfiduciaryriskmanagement(preventionoffraudanddiversion)rankingaclosesecond.Thereverseistrueinwrittenpolicy,wheremorespaceisdevotedtofiduciaryrisk.ThisislikelybecauseINGOsseedonorsincreasinglyemphasizingfiduciaryriskandaretighteninginternalcontrolsandoversight mechanismsinturn.AmajorityofINGOsinthesamplegroupfeltsupportedbydonorsforsecurity- related costs. The study found less overall emphasis and understanding of risk management in the areas ofinformationsecurityandlegal(e.g.,counter-terrorlegislation)compliance.
![Page 4: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/4.jpg)
4
Missingpieces:Principles,partnerships,andprogramcriticality
ByandlargetheINGOrepresentativessawtherisk-managementtrendaspositive,enablinggood humanitarianresponse,despitetheinevitableincreasedadministrativeburden.Despitestatedconcernsaboutgrowingriskaversion,INGOstaffdonotassociateriskmanagementwithreticence.Onthe contrary,mostwerekeenlyawarethatriskmanagementintendstoenableratherthanconstrainaction,and that improved risk awareness need not and should not lead to risk aversion.
Theyalsoindicatedsomegapsandproblemswiththeapproach,however.Forone,therisk management frameworks tend not to explicitly address the risk of programming unethically or of violatinghumanitarianprinciples.Thiswouldseemanimportantareatoconsider,notleastbecauseavoidingsecurityandfiduciaryriskinevitablyposesdilemmasforoperatingimpartiallyandprioritizingthepopulationsingreatestneed.Additionally,theconceptof“programcriticality”—beingwillingtoacceptgreaterlevelsofresidualriskforlife-savingprogramming—iswidelyunderstoodandgenerallybroughttobearindecision-making,yetmostINGOs’formalpoliciesandanalyticalmechanismsdonotinvolve steps to ensure and facilitate this.
Otherproblemsraisedbytheparticipatingorganizationsincludegapsinriskmitigationfornationalstaff(e.g.,off-hourstransportation,communications,andsitesecurityathome)andweaksupportfor nationalpartnersintheirriskmanagement,particularlygiventhatrisksareoftentransferredtotheseentitiesindifficultenvironments.Inaddition,INGOsnotedtheunhelpfulorganizationaltendencytokeepriskmanagementareassiloed,evenunderframeworkmodels.Inotherwords,decision-makingisnotalwayssufficientlyjoined-upbetweendifferentdepartments(finance,humanresources,security,etc.).Finally,complicationsstemfromtheroleofdonorsandpoliticalactorsgenerally.Roughlytwo-thirdsofrespondentsfeltthatcounter-terrorrequirementsinfluencedwhereandhowtheycouldwork, compromisingtheprinciplesofindependence,impartiality,andneutrality.ThisisconsistentwithrecentresearchundertakenbytheNorwegianRefugeeCouncilandOCHAthatfoundthattheseregulationshavea“chillingeffect”onhumanitarianactors(Mackintosh&Duplat,2013).Onthefiduciaryside, donors’formalstanceof“zerotolerance”oncorruptioncanposeakindofmoralhazardtohumanitarianactors,wherebytheymustessentiallychoosebetweenwillfulblindness/secrecy(becauseacknowledgingthatdiversiontakesplaceisunacceptable)orsimplynotactingtohelpthosemostinneed.
ThisreportconcludeswiththeproposalforanadditionalpracticalhandbookforINGOsonprinciplesand promisingpracticesinriskmanagement,basedonthegapsidentifiedbythisanalysisandtheconsensusofparticipatingINGOsgleanedintwoworkshopsheldinWashington,DC,andDublin,January2016.
![Page 5: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/5.jpg)
5
1.Introduction
1.1.Backgroundandobjectivesofthestudy
Atthesametimethathumanitarianorganizationsarebeingfacedwithamultitudeofhazardous operatingenvironments,advancesininformationtechnologyaremakingassessmenteasier,ofboth theneedsofaffectedpopulationsandtheinabilityofhumanitarianorganizations,collectively,tomeet themall.Thisconfluencehasresultedincontradictoryobservations.Ontheonehand,INGOsseemto betakingongreaterriskthaneverbefore.Ontheotherhand,theyarereportedtobemoreconservativeandlesswillingtoextendoperationalpresencetomeetneedsinriskiersettings.The2014report ofMedécinsSansFrontières,Where is Everyone? (Healy&Tiller,2014),createdcontroversywhenit concludedthataidagencies’“verystrongriskaversion,”coupledwithcapacitydeficits,wasmoretoblame for the lack of aid presence than actual external constraints.
The purpose of this INGOs-and-risk study is to get an internal read-out of how INGOs in fact perceive risks,thetoolstheyhavedevelopedformanagingthem,andhowpracticeandprioritiesdifferwithinandamongorganizations.Italsoexaminestheconsequencesanddilemmasthatriskmanagementdecisionscancreateastheypertaintohumanitarianprinciplesandobjectives.
Incommissioningthestudy,InterActiondefinedthetwoprincipalquestionstobeexamined:
1) WhatdohumanitarianNGOsviewastheprimaryexternalrisksaffectingtheirabilitytocarryout principledhumanitarianaction?
2) HowdohumanitarianNGOsinterpret,differentiate,prioritize,andmanagetheserisksinternally?
Toanswerthesequestions,theHumanitarianOutcomesresearchteamconductedadesk-basedreviewtodeterminewhether,how,andtowhatextent
a) differenttypesofrisksareconsideredbythe(major,globallyoperating)NGOs;
b) managementpoliciesandframeworksexisttoassess,prioritizeandmitigatethem;
c) thesepoliciesandframeworksareconsistentlycommunicated,understoodandimplemented bystaff;and
d) theresultsandimplicationsofriskmanagementareasintended,orwhethertheypose additionalproblems.
Theresearchcenteredonagroupof14participatinginternationalNGOs(INGOs),whichrepresentthelargestandmostoperationalhumanitarianorganizations/federationsbasedinEuropeandNorthAmerica. TheseINGOsprovidedtheteamwithextensiveinternalpolicydocumentationandaccesstointerviewees. Theparticipatingorganizationswere
• ActionContreLaFaim(ACF) • CARE • Catholic Relief Services (CRS) • Concern • DanishRefugeeCouncil(DRC) • InternationalMedicalCorps(IMC) • InternationalRescueCommittee(IRC)
• Islamic Relief • MédecinsSansFrontières(MSF)Holland • Mercy Corps • Norwegian Refugee Council • Oxfam • Save the Children • WorldVision
![Page 6: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/6.jpg)
6
TheresearchwasaugmentedbyinputfromNazModirzadeh,DirectoroftheHarvardLawSchool ProgramonInternationalLawandArmedConflict(PILAC),specificallyontheissueofcounter-terrorismlegislationanditsimplications.
1.2Methods
Theanalysispresentedinthisreportisbasedonanaggregationoffindingsfromacomprehensivereviewofrelevantpolicydocuments,keyinformantinterviewsoffieldandheadquartersINGOpersonnel,andan online survey (in English). The document review and key-informant interviews focused solely on the participatingINGOs,whiletheonlinesurveytargetedboththesamplegroupandawidersweepof humanitarianorganizations.Thethreeresearchcomponentsaredescribedbelow.
“Promisingpractices”identifiedbytheresearcharecitedthroughoutthereportinboxes.Thesearealsocollected as a separate annex.
Policysynthesis
ThesamplegroupofINGOsprovided189individualdocumentsforreviewandassessment.Asrequestedbytheresearchteam,participatingINGOsprovidedinternalpolicyandproceduraldocumentsdeemedrelevanttothedefinedriskareas.1Tofacilitateacomparativereview,alldocumentswereinventoriedandcodedinaspreadsheetaccordingtotype,length,content(thematicareasandpolicyfunctions),levelofdetail,andspecifickeywords(seeAnnex1:PolicySynthesis).Thisallowedforquantitativeaswellasqualitativeanalysis.TheanalysissoughttoidentifythekeypolicycomponentsofriskmanagementwithintheINGOs,similaritiesanddifferencesbetweenthem,anddegreesofemphasisondifferent policy areas.
Key-informantinterviews
Theteaminterviewed96individualsforthestudy.Ofthese,90wererepresentativesofthe14participating INGOs,threewerewithdonors(PRM,OFDA,StartFund)andthreewerewithNGOsecurityplatforms(EuropeanInteragencySecurityForum,thePakistanHumanitarianForum,andtheNGOSafetyPrograminSomalia).Ofthe96interviews,43(44percent)werewithstaffbasedinfieldorregionalofficesandtherestbasedinheadquarters.ThebreakdownofINGOrepresentationisshowninTable1(pg7).
Survey
Theonlinesurveyallowedforadditionalorganizationsandperspectivestobecapturedbeyondthe necessarilylimitednumberofinterviewees.DesignedasaKAP-stylesurvey(knowledge,attitudesandpractices)the13mostlyclosed-endedquestionssoughttoelicitperceptionsofriskandrisktolerance,policyawareness,understanding,andlevelofimplementation.Responsesweredisaggregatedby categories:sampleversusnon-sampleNGOs,HQ(headquarters)versusfieldstaffand,whererelevant,theorganizations’countriesofoperationandorigin.
The survey collected 398 usable responses out of 401 completed surveys (three were excluded as non-NGOaffiliated,i.e.,UNagencies).Themajorityofresponses(339,or85percent)werefromINGOs
1 Fromthese,theresearchersextracted22separatesections(includedinthe189werefive“parent”documents,fromwhichthe22relevantsectionswereextractedsothattheycouldbeassessedatamoregranularlevel)and51additionalpolicytitlesthatwerelistedwithinthematerials(thesewereassessedattherisk/policy-arealevel).
![Page 7: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/7.jpg)
7
Totalpersons Numberwhowere INGO interviewed field-orregional-basedACF 4 0CARE 6 2Catholic Relief Services 13 8Concern 6 3DRC 8 5IMC 7 1IRC 6 3Islamic Relief 5 3Mercy Corps 5 1MSF 6 2NRC 4 2Oxfam 10 4Save the Children 5 0WorldVision 5 3
Table1:INGOinterviewees
inthesamplegroup.Oftheremaining59non-sampleNGOs,sevenresponseswerefromnationalNGOs.Theyrepresentedatleast57uniqueNGOs(tworespondentsdeclinedtonametheirorganization) working in 79 countries.
Asintended,respondentswereweightedmoretofieldstaff(265)thanHQstaff(128),andfiveidentifiedasbeingfromregionaloffices.Ofthetotalrespondents,159identifiedasexpatriates/internationalsand103asnationalstaff.
1.3Caveats
AscanbeseeninTable1,theinterviewsamplewasslightlyunbalancedinthatOxfamandCRSweremore heavily represented than others were. This was mainly because they provided more names of peopletobeinterviewedandmoreofthemagreedtobeinterviewed.Twoorganizations(Savethe ChildrenandACF)didnothaveanyintervieweesbasedinfieldorregionallocations,whiletwootherorganizations(IMCandMercyCorps)hadonlyonefield-basedinterviewee.
TheparticipatinggroupofINGOsfacilitatedtheresearchgreatlybyprovidingtheteamwithaccesstointernaldocumentsandpersonnelforinterviews.Theothersideofthatcoin,however,isthatthis inevitablyraisesthepossibilityofcherrypickingandselectionbias.Onbalance,theresearchersweresatisfiedthattherewerenomajorholesinthebodyofmaterialsandinterviewsubjectsprovidedto the study.
Finally,allfindingsshouldbetakeninlightofthefactthatthesamplegrouprepresentsthelargestandbest-resourcedINGOsinthesector.Onetheonehand,thesearetheINGOsmostlikelytobeoperatinginhigher-riskcountries,buttheyarealsobetterequippedthanmanyotherorganizationstoestablishtheinstitutionalmechanismsandinvestmentforriskmanagement.
![Page 8: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/8.jpg)
8
Preciselybecauseitisneededinsituationsofconflict,crisis,andextremepoverty,humanitarianactionisaninherentlyriskyundertaking.Notuntilthe1990s,however,didhumanitarianpractitionersfirstbegantosystemicallyassessandaddressrisksintheareasofsafetyandsecurity,andonlyinrecentyearshavetheyexpandedtherisk-managementapproachtoincludeothertypesoforganizationalrisk,suchasfinancial,legal,operationalandreputational.Beforeexploringhowtheconceptsofriskandrisk managementhaveevolvedinthesphereofhumanitarianaction,definingsomebasictermsisworthwhile.
2.1Definitions
Thelatestdefinitionof“risk”codifiedbytheInternationalOrganizationforStandardization(ISO) broadenedtheconceptfromthepossibilityofharmorlossto“theeffectofuncertaintyonobjectives,” allowingforthepossibilityforpositiveimpactsaswellasnegative(ISO,3100:2009).Thisdefinition,whicheffectivelyincorporatestheconceptof“opportunity”undertheumbrellaofrisk,islesshelpful forthepurposesofthisstudythanthetraditional,narrowerunderstanding,throughwhichmost humanitarianorganizationsapproachthesubject.
Theinceptionnoteforthisreviewthereforedefinedtermsasfollows:
Threat:adangerorpotentialsourceofharmorloss
Risk:thelikelihoodandpotentialimpactofencounteringathreat
RiskManagement:aformalizedsystemforforecasting,weighingandpreparingforpossiblerisks in order to minimize their impact2
Thestudyfoundthatdifferentorganizationshaveindividualizedwaysofdifferentiatingandcategorizingrisktypes,correspondingtotheirmanagementapproaches.Intheinterestofdefininggeneraltermsforthisreview,theresearcherssettledonacategorizationofsevenriskareas(seeFigure1).Thefirsttwo,security and safety,refertophysicalrisksforstaff,securitymeaningtheriskofdeliberateviolence,andsafety meaning the risk of accident or illness. Fiduciary risk refers to the possibility that resources will notbeusedasintended,andencompassescorruption,fraud,embezzlement,theft,anddiversionofassets.Itdiffersfromfinancialriskinthesenseofinsufficiencyorunexpecteddeficits(thisiscoveredbyoperationalrisk).Thelegal/compliancecategoryrelatestothepossibilityofbeingfoundinviolationoflaws,regulationsorrequirements.Thesecouldbeintheformofhost-governmentlaws,internationalsanctionsorothercodes,orinternalrestrictionsandstandardspertainingtohumanresourcesandstaffbehavior. The informationriskarea,sometimescalledinformationsecurity,referstothechanceofdatabreach/theft,loss,orinappropriatesharingsuchasleaksofconfidentialinformationorinappropriateordangeroussharingofinformationonsocialmedia.Reputational risk is anything in the public sphere that coulddamagethename,image,andcredibilityofanorganization.Finally,theoperational category encompassesrisksthatcouldresultintheorganization’sinabilitytofulfillitsmissionormeetitsobjectives. Thisincludesfinancialrisk(e.g.,thedefundingordisallowingofcostsbyadonor,orlackofdiversityinfunding),governmentobstruction,humanerror,capacity/skillsdeficits,andthepotentialtodoharm.
Figure1(pg9)givessomeindicationofhowthedifferentareasofriskcanoverlapandaffecteachother.Forinstance,anorganizationthatoperatesthroughapartnerorcontractorinadangeroussettinginordertomitigatesecurityriskcanfaceincreasedfiduciaryriskasitcedesdirectcontroloftheprogram. Ifcorruptionresults,thiswillcreatenewlegal/compliancerisksaswellasriskstotheorganization’s reputation.Fearsoflegalimplications(e.g.,runningafoulofcounter-terrorismlegislation)orfiduciaryriskcaninturncreatetheoperationalriskthatvitalhumanitarianprogrammingwillbehaltedorcutbackin certain places.
2. Reckoning with risk in humanitarian assistance
2 InassessingtheexistenceandrobustnessofriskmanagementsystemswithintheINGOsstudied,theteamalsonotedtheISO31000 definition:“asetofcomponentsthatsupportandsustainriskmanagementthroughoutanorganization.”
![Page 9: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/9.jpg)
9
Figure1:Riskcategories
Security violence/crime
Fiduciarycorruption/fraud/ theft/diversion
Legal/compliance•International/donor
government laws andregulations
• Host government lawsandregulations
•Personnel/HRissues
Operationalinability to
achieveobjectives• Financial (e.g. funding constraints,disallowedcosts)
•Capacity/competencegaps• Access constraints• Inadvertently doing harm
Informationdatabreach/loss
Reputationaldamage to image andreputation
Safetyaccident/illness
2.2Haveriskstohumanitarianactorsactuallyincreased?
Althoughhumanitarianactionhasneverbeenarisk-freeendeavor,statisticalevidencesuggeststhatithasbecomemorephysicallydangerousinspecificenvironments.Therateofmajorattacksagainstaidworkers,measuredbythenumberofkillings,kidnappingsandseriouswoundingsoverthebest estimatesofthepopulationofaidworkersinthefield,hasincreasedoverthepastdecadeinahandfulof highly violent environments (whereas in other host countries it has stayed stable or declined) (HumanitarianOutcomes,2014).
Itisalsosafetoconcludethatwiththepromulgationofinternationalanddomesticcounter-terrorlawsandpolicies,aswellasnewinternationalsanctionsregimesonactorsrelevanttothehumanitarianresponse,thepossibilityoforganizationsinadvertentlyviolatinglegalregulationshasincreasedinrecentyears.(CounterterrorismandHumanitarianEngagementProject,2014;MackintoshandDuplat,2013).Additionally,astechnologicaladvancementshaveincreasedhumanitarians’abilitytogather,store,andshareinformation,theyhaveatthesametimeposednewrisksoftheftandlossofimportantorsensitivedataandledtolesscontrolovercommunications.
Evenwithoutsuchevidence,simplybyloggingyearsofexperience,overtimeorganizationscanbeexpected to think and behave asthoughthe risk level has increased. Behavioral research has shown that theperceptionofriskincreaseswitheachexperiencedincident(Slovic,2000)(Tversky&Kahneman,1974).Sowhetheritisanattackonacompound,lawsuit,forensicaudit,ormediascandal,vigilancetowardthatparticularriskcannaturallybeexpectedtorise.Andwhileinthelongertermcomfortorcomplacencymayreturnonapersonallevel,organizationalsystemstendnottochangeoncemitigationmeasureshavebeenbuiltup.“Oncebitten,”itisdifficultforanorganizationtotakedeliberatestepstorelaxitsstancevis-à-visrisk.Intervieweesforthisstudysuggestedthatmemorablenegativeeventsaffectingcolleaguesandcounterpartscanstickinthecollectivemindandraisetheriskperceptionacrossthesectorasawhole,promptingprotectiveaction.ThefollowingsectionsdiscussINGOattitudestowardriskagainstthisbackdropofheightenedrisk,bothrealandperceived.
![Page 10: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/10.jpg)
10
3.1.Evolvingthreatsandrisks
TheINGOsparticipatinginthisstudywidelyagreedonthehighest-riskcontextsamongthecurrent humanitarianresponsecountries,withintervieweesmostfrequentlymentioningSyria,Afghanistan, Somalia,SouthSudan,Yemen,andCentralAfricanRepublic.TheymademanymentionsaswellofPakistan, DRC,Iraq,andNigeria.Themostprominenttypeofrisk—andthemainreasonthesecountriesareseen as“highestrisk”—issecurity.Butthethreatenvironmentsintheseconflict-drivenemergenciestendto bemulti-faceted,anddifferenttypesofriskareoftenhighlyinterlinked.Forexample,becauselarge-scale and/orhigh-profilecrisestendtooccurinviolentenvironments,INGOsareoftenworkingremotely,lacking “eyesandearsontheground,”whichcancontributetoelevatedfiduciaryrisk.Beingseentomisusefunds,especiallybydiversiontoterroristgroups,cancausereputationaldamage,andleadtolegalliability. Incontextswherecorruptioniswidespread,refusingtopaybribesordiscontinuingarelationshipwithalocalpartnerorganization(becauseoffiduciaryconcerns)cancarryariskofviolencetostaff.Alackofcapacityontheground(duetolong-termunderdevelopmentand/ortheflightofskilledpersonnelfromtheconflict)combinedwithpressuretodelivercanraisetheoperationalriskofunderperformance.
Intermsoftrendsinthetypesofriskfacedbyhumanitarians,manyINGOrespondentsfeltthatdonorsweregenerallybecomingmoreconcernedwithpreventingfraudanddiversion.Thisheightenedemphasis hasessentiallyincreasedthepotentialnegativeimpactofsuchincidents,shouldtheyoccur.Concernswithcompliancewithanti-terrorlegislationalsocontinuedtogrow(seefurtherdiscussionbelow).Increasingglobalconnectivityanduseofsocialmediawereseentobecreatingawiderangeofnewreputationalrisks.Examplesrangedfromtheirresponsibleuseofsocialmediabystaff(e.g.,“taggingISISintweets”)totheneedtodealwithstate-sponsoredonlinepropaganda(Russia/Ukraine)tothe managementofsocialmediamessagingfromaffiliatestoageneralpressuretomaintainacrediblenarrativeaboutanINGO’simpact“inplaceslikeSyriaandSomalia,wherewecan’tsendinjournaliststoviewourwork.”Informationsecurityrisks,suchasthepossibletheftofdonors’orbeneficiaries’personalinformation,werealsoseentobeincreasing.Lastly,theamountoftimeandenergyrequiredtocomplywithhostgovernmentlawsandregulations(andtherisksassociatedwithnon-compliance)werealsoseentobeacontinuingandgrowingproblem,forinstanceinDRC,Pakistan,SouthSudanandSyria.
Most respondents in the survey and interviews rated their own INGO as being more toward the “risk tolerant”endofthespectrum.However,inthesurvey,aslightlylargerpercentageofrespondents
3.INGOperceptionsoftheriskenvironment:Newthreats and higher stakes
Figure2:Intermsofyourownorganization,doyouthinkithasgrownmoreorlessrisktolerant(takingongreaterrisks)overtime?
Changes in risk tolerance
0 35 70 105 140
More risk tolerant
Less risk tolerant
About the same
79 33
90 48
91 46
Field HQ
Number of survey respondents
![Page 11: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/11.jpg)
11
Figure3:Opinionsonwhether“INGOshavebecomeincreasinglyriskaverse”
Agree with statement
Disagree0
35
70
105
140
Somewhat agree Agree
32
58
45
9220
78
N. America
Europe
Num
ber o
f sur
vey
resp
onde
nts
reportedthattheriskappetiteoftheirorganizationhaddeclinedinrecentyears,comparedwiththosewhoreportedthatithadstayedthesame(Figure2).Althoughthiswasthecaseforbothfieldand HQstaff,aslightlylargerpercentageofthosewhoclaimedtheirINGOhadbecomelesstolerantwerespeakingfromheadquarters.
Most survey respondents “agreed” or “somewhat agreed” with the statement “INGOs have become increasinglyriskaverseandarecurtailinghumanitarianresponseasaresult.”StaffofUS-basedINGOsweremorelikelytodisagree,andlesslikelytoagreecompletely,thantheirEuropeancounterparts,butapluralityofthemstill“somewhatagreed”withthestatement(Figure3).
Organizationsthatperceivedthemselvesashavingahigherriskappetitecitedvariousreasons,includingorganizationalculture(e.g.,being“mandatedriven,”“havingemergencyresponseatourcore,”or—foroneINGO—havingacultureoffrankdiscussion“whereeverythingisthoroughlydebated”)aswellaspolicy(e.g.,aquickstep-downpolicyfornewemergencies).AfewINGOscitedthefactthattheyhadaverysmalldevelopmentportfolio(i.e.,thattheyaremainlyfocusedonemergencyresponse)asenablingthemtogo“allin”duringanemergency,knowingthatitwouldnotcompromiseotheraspectsoftheirprogram. One INGO felt that the fact that they worked in only one sector made it easier to manage and takerisks.AnotherINGOcitedtheircloserelationshipwithaparticulardonorasenablingthemto“getontheground”andassumetheinitialfinancialrisksecureintheknowledgethat“theywillfundus,eveniftheycan’tformallyguaranteeit.”OneINGOnotedthattheirlargepercentageoffundingfromthegeneralpublicgenerallyfreedthemfromconstraintsand,specifically,guaranteedsufficientresourcesforsecuritymanagement.Lastly,someorganizationsbelievedthattheirinvestmentinriskmanagementapproaches enabled them to feel more comfortable about taking risks.
Organizationsthatperceivedthemselvesasmorerisk-aversesometimescitedpastincidentswheresomethinghadgonewrong,suchasaparticularlyscarringsecurityincidentorafinancialormanagement performance issue involving an important donor. Others emphasized their ability to appropriately take risksinoneareabutnotanother.Forexample,severalINGOsdescribedthemselvesasmorerisk-taking
![Page 12: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/12.jpg)
12
onthefinancial/fiduciaryside(e.g.,advancingtheirownfundstostartnewprograms,ornotworryingasmuchasotherINGOsdoaboutcounter-terroristregulations),butmorerisk-aversewhenitcomestosecurity.Othersreportedthattheirorganizationwasverywillingtotakesecurityrisksbutlesswillingtotakefinancialrisksorrisksthatmightharmtheirreputation.OnerepresentativefeltthattheirINGOhada veryhightoleranceforprogram/operationalriskbuthadnotadapteditsbusinesssystems(administration, finance,humanresources)toreflectthis.Thisdissonancewasseentocausefrustrationamongstaff,as“theyreceivetwodifferentsetsofsignals:takeriskforoutsizeoutcomes,butdanceontheheadofapintodoit.”SeveralintervieweesexpressedconcernabouttheirINGO’soverlyburdensomeregulatorystructure,financialmanagementsystemand/orcomplianceprocedures.Thepressuretodevelopsuchsystemsappearedtobebothexternal(i.e.,comingfromdonors,particularlythosewiththemost stringentrequirements)aswellasinternal.
3.2.Highest-impactrisks
Respondentsgenerallyfeltthatsecurityrisksandaccessrisks(suchasgovernmentobstruction)ratherthanfinancialorfiduciaryriskswerethemainreasonsforfailingtodeliver.Indeed,manyshared examplesofneedingtowithdrawstafforceaseprogramming,temporarilyorpermanently,dueto generalhostilitiesortargetedviolence(Stoddardetal.,forthcoming).Amongthedifferenttypesofsecurityrisk,kidnappingisseenasaparticularconcern.Kidnappingsorthethreatofkidnappingswereseentohaveamajorimpactandhenceweremorelikelythanmanyothersecuritythreatstoleadtothecessationorwithdrawalof(oranunwillingnesstobegin)programming.Afeworganizationsalsocitedparticularlygruesomekillingsofstaffmembersashavinghadasignificantorganizationalimpact,evenmany years later.
Fiduciaryandreputationalriskscanalsohavealargeimpactonprogramming.Exampleswereprovidedoforganizationsdecidingtodiscontinuetheirworkinareascontrolledbyarmedgroupsdesignatedasterroristorganizations(eitherbytheUnitedNationsSecurityCouncilorbyindividualgovernments)for acombinationofreasons:securityconcerns;notwantingtorunafoulofcounter-terrorlegislation (andthebroaderreputationaldamagethatcouldentail);andweakfiduciaryoversightduetoremotemanagement.Insuchsituationsteasingoutwhichriskfactorsplayedthegreatestrolecanbehard. ThisandotherresearchsuggestthatINGOsaremostlikelytosuspendoperations(ornotstarttheminthefirstplace)whenthereisnotonlyahighpotentialforinterferencebyaconflictactorthatisa designatedterroristgroup,butwhentheconflictactorisoneofparticularconcerntoWestern governments(e.g.,ISIS,ascomparedwiththeAlNusraFront).3
The“nightmarescenario”mostoftencitedbytheINGOsinterviewedwasamajordiversiontoaterrorist organization.Suchincidentscombineseveraltypesofrisk,aswellasthepotentialforasituationtospiraloutofcontrolduetomediaexposure.Evenmodestincidentsoffraudornon-compliance,regardlessofwhethertheyinvolveddiversiontoarmedactors,canloomlarge,however.TheseincludeincidentsaffectingthatINGOorotherINGOs(orrumorsofsuchincidents).INGOswithonesinglemajordonorappeartobeparticularlylikelytotrytoavoidsuchincidents,includingthroughtheintroductionof additionalcomplianceoroversightmeasures.
3 SeeHumanitarianOutcomes(2015),“Component2PreliminaryInterimReport,”SecureAccessinVolatileEnvironments(SAVE), https://www.humanitarianoutcomes.org/sites/default/files/save_component_2_interim_report.pdf.
![Page 13: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/13.jpg)
13
4.Responsesinpolicyandpractice:Theriseofriskmanagement
4.1Riskmanagementmodelsandtools
The INGOs in the sample group have widely embraced the concept of risk management. Thirteen out offourteenreportedhavingsomemeanstobringtogetherdifferenttypesofriskinacommonanalysis.WhiletheparticipatingINGOsuseavarietyofmodels,whichdifferbyformorfunction,theyallsharecommonidentifiableelementsoftheintegrativeriskmanagementconcept.4 These elements include risk managementframeworkstatements,riskregisters,definedriskprocessaccountabilities,mitigationtools,andriskauditprocesses.SomeINGOsarestilldevelopingtheirriskmanagementframeworks,withsometoolscompletedbutothersstillunderway.Someorganizationsregularlyprepareriskreportsand/orauditstotheirboardofdirectors,whileothersreporttointernalboards(e.g.,sittingwithinauditorcom-plianceunits)specificallydesignedtomanagerisk.TwoINGOsinthestudyhaveamanagerdedicatedtoimplementingriskmanagementacrosstheorganization.SeveralINGOshavecreatedaninternalauditfunction(individual(s)and/oraunit),whichtheysawassupplementingexistingsystemsbyconducting regular audits and having an independent but also well-informed advisor on risk and control issues.
Many of the sample INGOs use the term “enterprise risk management” (ERM) to describe their approach.ERMisa“strategicbusinessdisciplinethathelpsorganizationsachievetheirmissionsbyaddressingorganizationalriskanditscombinedimpactofthoserisksasaninterrelatedriskportfolio”(RIMS,2016).VariouscommitteesandprofessionalbodieshavedevelopedanumberofERM frameworks. Two of the more well-known and widely used approaches are authored by the Swiss-based InternationalOrganizationforStandardization(ISO)andtheUS-basedCommitteeofSponsoring OrganizationsoftheTreadwayCommission(COSO).5
ThesampleINGOs’frameworkstendtodrawfromtheCOSOEnterpriseRiskManagement–IntegratedFrameworkapproachortheISO31000:2009approach,andinmostcasesseemedtoblendboth.AmajordifferencebetweenthetwoisthatinternationalstandardsandriskmanagementexpertsdevelopedISO,whilefinancialandauditexpertswroteCOSO.ThisgivesCOSOamoreaudit-heavyapproach,withafocusoncomplianceandcontrolmechanisms.ISOtendstobeflexibleinadaptingtotheorganizationitisserving,basedonthemanagementprocess,andtailoredtomoreeasilyfittheorganization.Bothhaveariskmanagementprocessthatseekstoassesstheriskstotheorganization,monitortheserisksandrespond to events.
Someofthemostprevalentandadvancedtoolsaretheriskregister,riskmatrix,andriskannex.Thesetoolshelptoidentify,assess,andevaluatepotentialthreatstotheorganizationatdifferentlevels,e.g.,fieldlevel,countrylevel,orinstitutionalenterprisecontext.Theriskratingattributesacertainlevelofrisk to each of the threats. Many of the tools discuss the realized and residual risk (the remaining risk afterallappropriatemitigationmeasuresaretaken)andsomeallowtheusertoassesspotentialmitiga-tionstrategies.Themost-advancedriskregistertoolsalsoassignaccountabilitytospecificriskorprocessowners,orotherwisespecifywhowillfollowup.Generally,however,themonitoringfunctionwithinriskmanagementtendedtobelessemphasizedthantheotherfunctions.
4 Formoreinformationonsomeriskmanagementcomponents,see“ManagingRisks:Anewframework,”byKaplanandMikes
5 AfewotherapproachesweredevelopedbytheCasualtyActuarialSociety(CAS)andtheRiskManagementSociety(RIMS).Previously, theJointAustralia/NewZealandhadtheirownstandards(4360-2004),buttheyhavesinceadoptedISO31000:2009insupportofan internationalstandard.
![Page 14: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/14.jpg)
14
The team analyzed 111 policy tools and found them to be of the following types:
• Analytical:assessingthreats/risks,improvingsituationalawareness(e.g.,riskassessments,risk registers,riskratings)(43 percent)
• Procedural:dealingwiththemanagement,programmingandadministrativefunctionsgeared towardmitigatingrisk(checklistsandtemplatesforpreparedness,criticalincidentmanagement,logistics,communications)(35 percent)
• Declarative:focusedonreportingofandaccountabilityforrealizedrisks(e.g.,auditchecklists, reportingforms)(22 percent)
Themajorityoftheprocedural and declarativetoolsweredesignedspecificallytoaddresssecurityandsafety risks. The analyticaltoolsoftenaddressedrisksholistically,however,oratleastlookedatmultipletypes of risk.
TheINGOsvaryinthedegreetowhichtheirfieldteamshaveadoptedanintegrative(orholistic)approach toriskmanagementasapracticalwayofoperating.Inahandfuloffield-levelinterviews,forexample,the distinctionbetweensecurityriskmanagementandtheorganization’slargerriskmanagementframeworkwasunclear.Furthermore,manyrespondentsnotedthat,evenwiththeuseofholisticriskmanagementframeworks,thetendencyisstillto“silo”differentrisksareas(e.g.,security,finance,communications).
Mostrespondentswhoseorganizationsuseriskmanagementsystemsfeltthattheyprovideausefulframeworkformakingbothheadquartersandfieldstaffawareofrisksthroughasystematizedapproach.Afewexpressedconcernsthatsuchasystemcouldcreatemoreriskaversion,forexamplebecause“theminuteit’swrittendown,you’renowliable.”Othersworriedthatriskmanagementframeworksmayleadto abox-tickingmentality“insteadofcommittingthetimetodevelopaculturethatisinherentlyriskfocused.” Butthemajorityofviewsabouttheoverallriskmanagementapproach(oratleastitspotential)werepositive.
4.2Policydevelopment
INGOscontinuetoprofessionalizetheirapproachtorisk.Since2011,theyhavebeendevelopingandrefiningtheiranalyticalandpolicyinstrumentsatasteppedupratefromprioryears(Figure2).6
6 Thepolicydocumentreviewshowedalargeandsteadyincreaseinthenumberofpolicydocumentsandtoolseitherproducedorrevisedsince2011bythesampleorganizations.Sincethereviewincludedonlythedocumentsweweregiven,itispossiblethatother,pre-existingrisk-relatedpoliciesexistthatweren’tsharedsoweren’tcounted,butthefindingisalsosupportedbyinterviews.
Figure4:Policydevelopmentinriskmanagement
Documentproduced(dates) Documentsrevised
0.0
1.5
3.0
4.5
6.0
1996
1
2003 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
1 1 1 1
2 2
6
4 4
6
5
0.0
3.5
7.0
10.5
14.0
12006 2010 2011 2012 2013 2014 2015
1
4
2
11
13
9
![Page 15: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/15.jpg)
15
Fiduciaryriskmanagementwasfoundtoreceivethemostemphasisinpolicyonpaper,withmore writtenwordsdevotedtofinancialproceduresandprecautionsthananyotherriskarea.Securityriskwasaclosesecond,however,andthisgapclosesfurtherifoneconsiders“safetyandsecurity”asasinglecategoryofrisk,assomeINGOsdo.Inaddition,thesecuritypolicyareahasthemosttools,outsideofthepolicyandguidancematerials,tosupportthefunction.
Thethirdriskcategory,operations,wassignificantlylessrepresentedinwrittenpolicy,followedbythecategoryofdocuments(“all”)thataddressedrisksfromanumberofdifferentpolicyangles,coveringallcategories—fiduciary,security,reputational,operationalandlegal/compliance.Mostorganization-wideriskmanagementpoliciesandframeworks,aswellastoolsthatsupportthem,fellintothiscategory.
Figure5:Relativeemphasisinwrittenpolicy
Policy areas by word count
Legal/compliance 1%Safety & Security 2%
Safety 2%
Communicaons 5%
Informaon 6%
ALL 7%
Operaonal 7%
33% Security
37% Financial
Security risk management has some of the most robust policy documents with the overall highest level ofdetail.Thispolicyareahadacomprehensiveframeworkandstronglyembeddedorganizationalclarityandlanguageonwhatsecuritymanagementisandhowitpertainstotheentireorganizationanditsculture.Asdescribedinonemanual,“securitymanagementisasystem,notadocument.Itstartswitheachandeveryindividualwithintheorganization,maintaininghighlevelsofawarenesstoouroperatingenvironmentandtohowourownbehaviors,actions,andcommunicationscontributetoanimprovedsecurity posture or to the contrary places oneself and the larger agency at risk.”
Formanytypesofpolicies,anorganization’sheadquartersprovidesthegeneralframeworkorguidancematerialandexpectsthecountryprogramteamtodevelopaspecificpolicyappropriateforthatcontext.
![Page 16: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/16.jpg)
16
4.3Organizationalcoherence
InseveraloftheINGOfederationsorconfederations,differentmembersoraffiliatesmaintaindifferentrisk-relatedpoliciesand/orreportinglinesandrequirements.Differentaffiliatesofthesamefederationmay have more comprehensive and well-developed risk management frameworks than their counterparts do,ormayberequiredtoreporttotheirrespectiveboardsmorefrequentlyandwithdifferentinformation. Forinstance,oneorganizationmustreporttoitsboardonceperyearonhigh-levelrisksonly,whileitsinternationalaffiliatereportsriskstoitsboardonaquarterlybasis.
Thesedifferentstandardsoccasionallycreatetensionamongcounterpartsandcomplicaterisk management.AfeworganizationsreportedthatdifferentaffiliateshaddifferentlevelsofsecurityrisktolerancearoundprogramminginSyriaandSomalia,forexample,causingdelaysindecision-making.Severalorganizationshavedevelopedstrongercoherenceintheareaofcommunicationsinordertomanage risk. This was done because public statements and messaging (or lack of consistency therein) caneasilyentailfederation-widerisk.Manyhaveimposedastringentapprovalsprocesswherethelargerumbrellaorganizationapprovessensitivematerialbeforeaffiliatesreleaseit.
4.4INGOaffiliationsandpolicyareas
TypesofpolicydocumentscreatedbyUS,UK,Europeanand“international”umbrellaentitiesvary. First,US-basedINGOshaveoverfourtimestheamountofwrittenpolicyonfinancial/fiduciaryissuesthantheirEuropeancounterparts.ThissuggeststhattheUS-basedINGOsmaybeparticularlyconcernedwithfinancialandfiduciarycomplianceandsystems.Second,theinternationalumbrellaentitiesofa federationorconfederationaremostlikelytohavedevelopedpolicyintheareaofsecurity.Theyalsotendtobeinvolvedincraftingbroaderrisk-managementtoolsandframeworksfortheentityasawhole.
Specificriskfactorsandissuesregisteredmorehighlythanotherswithinthedifferentpolicyareas. Withinthesecuritypolicyarea,apreponderanceoforganizations(11)mostfrequentlydiscussedriskinthecontextofacceptancestrategies,followedbyabduction/kidnapping.Evacuationwasthenextmost-common element found in security risk documents. Risks pertaining to social media were least discussedinthesecuritypolicydocuments,butfiguredprominentlywithincommunicationsriskpolicy.MostoftheINGOsdidnothavespecificdocumentsrelatedtocounter-terrorlegislation,butrather coveredtheseissuesinrelatedpolicydocuments,includingfiduciaryandlegal/compliancepolicies.
Promisingpractice:RiskregistersasanalyticaltoolsandblueprintsforactionTheorganizationswiththemostadvancedandrobustrisk-managementsystemsalldothefollowing:
1. createandmaintain“riskregisters”(atfieldandHQlevels)byconsultingwidelywithintheorganizationtoidentifyandquantifydifferenttypesofrisk;
2. takeoperationaldecisionsbasedonprioritiesidentifiedintheriskregister,atfieldandHQlevels;
3. identifynecessarymitigationmeasuresorcorrectiveactions;and
4. followupwithregularvisitsorauditstoensurethesetakeplace.
EachoftheseINGOsreportedthatcountry-levelmanagerswereinvolvedinholisticassessmentsofrisk,whichfed organization-wideassessments.
![Page 17: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/17.jpg)
17
Promisingpractice:Allowingforin-countrynationalstaffevacuationsOneINGOmadethedecision,unprecedentedfortheorganization,toevacuatenationalstaffmembersandtheir familieswhenaprovincewasoverrunbyanti-governmentforcesandtheyweredeemedtobeatdirectrisk.Althoughnotwithoutpotentialrisks(suchassettingaharmfulprecedentorevenrunningafoulofnationallaws),theadhoc decisionrevealedtheneedfor,andhelpedtospark,policydevelopmentonthisissue.
4.5 Policyversuspractice
Intervieweessuggestedthatsafety/securityriskmanagementreceivesthemostemphasisintermsofstafftimeandattentioninpractice,withfiduciaryrisksaclosesecond—thereverseofwrittenpolicy(asnotedabove).Thisdifferencecouldreflectthegreatereasewithwhichfinancial/fiduciarymanagementcanbestandardized,comparedwithsecuritymanagement,whichmustbemorecontext-driven.Itcouldalsoreflectadividebetweenheadquartersandfieldstaff.Ahandfulofintervieweesexpressedconcernaboutanover-emphasisonfiduciaryriskmanagementattheexpenseofsecurityriskmanagement.Oneseniormanagerintervieweebasedinahigh-risksetting,forexample,feltthatthebulkofhisfocusandmentalenergywasonthesecurityofhisstaff,whereasstaffinheadquartersweremorepreoccupiedwithpreventingfraudanddiversion.Intervieweesalsonotedgapsinsecurityriskmitigationfornationalstaff,includingspecificallyoff-hourstransportation,communication,andsitesecurity.
Lastly,intervieweesnotedthatfiduciaryriskmanagementwithlocalNGOs(inparticularthosemanagedremotely)wassignificantlymoredevelopedthansecuritymanagement.Insub-granting,INGOsareconsciousthattheywillbeultimatelyheldaccountableforfiduciaryrisk,whichhasledtomorecapacitybuildingforandoversightoftheirpartners.Thesameisnottrueforsecurityrisk,andmanyunderstoodtheirnationalNGOpartnerstobeexposedtohighlevelsofsecurityrisk,oftenwithoutsufficient support,training,anddiscussion.
Mostintervieweesfeltthebalanceoffocusondifferenttypesofrisk(intermsofadministrative workload,timeexpenditure,workload,mentalenergy/discussion)tobegenerallyright,however. Thiswasespeciallytrueforthoseorganizationsthatexplicitlyidentifythe“top”risksthroughariskmanagementframework.Asonesaid,“thebalanceiswhereitneedstobe…we’veidentifiedthetop13risks,andthosearetheonesthatgetthemostattention.”Bycontrast,arepresentativeofanINGOworkinginahigh-riskcontextdescribedanegative(andhigh-impact)incidentthattheybelievedcouldhavebeenavoided,hadtheorganizationbeenfocusingonthecorrectsetofrisks.ThatINGOdidnotyethave a well-developed system for assessing and comparing risks. Some interviewees reported that even INGOswithwell-developedriskmanagementframeworkscancontinuetoapproachriskinwaysthataresiloedratherthanholisticorintegrated.Financialrisksaredealtwithbythefinancedepartmentandsecurityrisksbythesecurityunit,forexample.Thistypeofapproachmaynotbewellsuitedtohigh-riskenvironments,wheredifferenttypesofriskareinter-linked,asdescribedabove.
Thefield-andregionally-basedstaffwhowereinterviewedgenerallydemonstratedanunderstandingof theirorganization’sriskmanagementpoliciesandproceduresthatwassimilartothatofheadquarters- basedstaff.Althoughintervieweesfrombothheadquartersandfield/regionallocationsdidacknowledgethatagapexistedbetweenpolicyandpractice,itdidnotappeartobeamajorconcern.Survey respondentswerepositiveoverallontheextenttowhichpolicieswereunderstoodandimplemented,withmajoritiesreportingthatimplementationwas“good”inallareasofriskmanagement.(Those representingtheINGOsfromthesamplegroupweregenerallymorepositive—moreoftenanswering“good”or“excellent”—thanthenon-samplerespondents,whohadagreaterpercentageof“fair”or“poor”responses.)Surveyrespondentsfeltthatsafety,securityandfiduciarypolicieswerethebest
![Page 18: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/18.jpg)
18
understoodandimplemented,while“informationsecurity”and“counter-terrorlegislationcompliance”policies were the least so. This appears to stem from the fact that both of these areas involve emerging threatareasand(forcounter-terrorlegislationcompliance)broaderchallengesinunderstandingthemeaningandimplicationsofthelegalagreementsandpolicydeclarations.
Awarenessoforganizationalriskmanagementpolicieswere,onthewhole,strongeramongthe samplegroupofINGOsthanthenon-samplerespondents,butvariedbycategorybetweenfieldandheadquartersrespondents.Forexample,awarenessofinformationsecuritypoliciesinthefieldwasstrongerthaninheadquarters(61percentand49percentofsurveyrespondents,respectively).
4.6 Theroleofdonors
Abouttwo-thirdsofINGOintervieweesaffirmedthatdonorsinfluencethetypeand/orlevelofrisk thattheirorganizationiswillingtoassume,whiletheremainingthirdbelievedtheydidnot.The generalsensewasthatdonorsinfluencewhereandhowINGOsprogram(pushingthemtoreachthemostvulnerablepeople,generallyfocusingontheir“highpriority”countries)andsobyextension influencingwhattypeofrisktheytakeon.Mostrespondents(withafewexceptions)feltthatdonorswerenotinfluencingthelevelofrisktheirorganizationtakeson.(Oneexceptionconcernedadonor requirementthatinternationalstaffbepresentduringprogramdelivery,whichanINGOrepresentativefeltputthematunduerisk.)SeveralINGOsfeltthattheirlargesizeand/orgeneralfinancialstabilityallowedthemto“walkaway,”i.e.,torefusetogowheretheyfeltthelevelofriskwastoohigh,despiteencouragement from donors to be present.
The INGOs in the sample group generally felt supported by donors for security related costs. Some INGOsfundsecurityinputsbyputtingapercentageintoeachbudgetforsecurity(e.g.,acertain percentageforprivatefoundations,anotherforlargerinstitutionaldonors).Othersbasetheirrequestsondetailedsecurityassessmentspresentedtothedonor.AsoneINGOrepresentativesaid,“Weexplainto donors what it will cost to manage those risks and we have never been refused by donors for security investments.”Aminorityofintervieweesfeltthatdonors“cansometimesstartbalking”withmore intensivecapitalinvestments,suchasthoseincommunicationstechnology.AfewfeltthatbothdonorsandINGOswerestillnotdedicatingenoughmoneytosecurityandriskmanagementgenerally.
Asnotedabove,theINGOsinterviewedperceivemajorgovernmentaldonorstobeincreasingtheiremphasisonfiduciaryrisk(preventionoffraudanddiversion)andtobetighteninginternalcontrolsandoversightmechanismsinturn.Anumberofdonors—thelistwasnotparticularlyconsistent—were referred to as having “zero tolerance” approaches to fraud and diversion. Several interviewees mentionedthattheriskofindividualINGOstaffbeingcriminallycharged,whilelow,nonethelessplays aroleindecision-making.OperationsinSomaliawereseenasunderparticularlyheavyscrutiny,becauseofrecentcorruptionscandals.OneINGOinSomaliasaiditsfinanceandprogramstaff“usedtospend 20percentofthetimetheyarespendingnow”onreportingandoversight.InSyria,donorsareseentohaveacceptedagreatdealoffiduciaryriskuntilrecently,but“thisisnowreceding.”
Promisingpractice:Institutesafe-failpartnershipmeasuresRatherthanblacklistingnationalNGOsbasedonrisk,forhigh-riskpartners,dosmaller,more-frequentdisbursements offundingandsecondstafftooversee/monitor.
![Page 19: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/19.jpg)
19
INGOsexpressedconcernthatdonorsweretransferringfiduciaryrisktoNGOswithoutguidanceonwhatlevelofriskisacceptable.Donorswereseentoacknowledgetheelevatedriskinsomecontextsduringinformalconversation,butnotinwriting,andneverintermsofanexplicitpercentageordollarfigureofwhatmightbedeemed“acceptableloss.”WhileanINGOmayachieveanunderstandingwithaspecificprojectofficer,thisisnotthesameasinstitutionalcommitmentoralegalorcontractualagreement.Several INGOs shared stories of auditors coming in a few years later and applying a higher standard than wasunderstoodtobeinplaceatthetime,requiringINGOstogivebackfundsbecauseprocedureswerenotproperlyfollowed,forexample.
Inadditiontoovertpressurefromdonors,manyINGOsobserveaphenomenonof“self-censorship”orself-regulationthatcanoccurwhenstaffassume that donors will disallow costs or not agree to certain programmingactionsorlocationsandthereforewillnotevenraisetheissue.Evenifdonorshaveproven receptivetosupportingsecuritycostsinthepast,forexample,aprogrammanagermayrefrainfrombudgetingfortheideallevelofsecurityinputs,onfearsthatitwouldmaketheINGO’sproposal“lesscompetitive.”Similarly,giventhegenerallackoffamiliaritywithcounter-terrorlegislationandconcernsaboutlegalimplicationsofviolatingit,manyINGOswilldefaulttothemostconservativeinterpretationoftheregulations—orsimplysteerclearofcertainprogrammingaltogether.
Interviews conducted for this study as well as for other research7suggestthatmanyINGOfieldstaff remainuncertainofhowtoengagewithnon-statearmedactorstoenableaccess,orwhethertheyshoulddosoatall.Humanitarianorganizationsalsostruggleinternallytoacknowledgeanddiscussthesometimes-necessarycompromisesthatenableaccess.Suchcompromisesorconcessionscanincludepayingmoneyatcheckpoints,payingunofficialtaxestolocalauthorities’alteringtargetingcriteriasothatpowerfulactorsortheirfamiliesreceiveaid,employingarmedguardsfromalocalmilitia,or working in one region and not another to avoid antagonizing a local authority or armed actor.8 Areluctancetodiscussthesepracticescanresultinaninternalcultureofsilenceoncorruption, fraud,anddiversion.Itcanalsofosteracultureofwillfulblindnessonthepartofinternationalstaff,whilenationalstaffareleftwiththeburdenandriskofmakingthetransactions.
SeveralINGOsinterviewedforthisstudyrelayedthefearofanegativestorylandinginthemedia, forexample,“whereanNGOistreatingsoldiersfromISIS,9 or had to pay Al Shabab for access.” This “nightmarescenario”wouldbefurtherexacerbatedbythefactthat,atthispoint,“politicsdrivesthe riskappetite,anditbecomesabsolutelyzero.”INGOsreliantondonor-governmentfundingstruggleto
7 SeeHumanitarianOutcomes(2015),“Component2PreliminaryBriefingNote,”SecureAccessinVolatileEnvironments(SAVE), https://www.humanitarianoutcomes.org/sites/default/files/component_2_summary_of_preliminary_findings.pdf.
8 Ibid.
9 Thiswouldnotbeillegalunderinternationalhumanitarianlaw(IHL),giventhatthislawrequiresthatallmembersofthearmedforcesandfightersfromarmedgroupswhoarewounded,sick,andhorsdecombatmustbetreatedaccordingtomedicalneed.ThisintervieweewasnotfromamedicalINGO.
Promisingpractice:CataloguingmisstepsandrealizedrisksTheseniormanagementofoneINGOhasbegunaregularpracticeofcompilingalistofallsignificantmistakesorbadoutcomesthataffectedtheorganizationovertheyearandsharingitwiththeentireorganizationasalearningtool.Itincludesbothdetailsonincidentsandwaystheymighthavebeenavoidedormitigated.Thiswasseenasparticularlyhelpfulinfosteringopennessandlesson-learning.Priortothispractice,manystaff/officeswereonlyvaguelyawareormisinformedoftheseincidents,whichtheylearnedthroughrumorsandspeculation.
![Page 20: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/20.jpg)
20
appropriatelymanageriskaroundthesetypesofincident,asthiswouldrequirethatdonors—and ultimatelytheirtaxpayingpublic—acceptsomelevelofcompromisewhendeliveringaidduringwar.
Withregardtodonors’counter-terrorpoliciesspecifically,abouttwo-thirdsofINGOrespondentsfeltthattheseinfluencedwhereandhowtheycouldworkinasignificantway.TwoINGOrepresentativescitedexampleswheretheyfeltdonorshaddirectedthemonwhichcommunitiestheycouldworkwith(e.g.,inSyria,LebanonandSomalia,atthecountrylevel),andfoundtheywereprohibitedfromworkingwithimportantactorsintheareabecauseoftheirpoliticalassociations.Manyothersviewedthe pressureaslessdirect,expressedinsteadthroughadditionalriskmanagementclausesorreporting requirementsincontracts.AsoneINGOdescribed,“IfyourprocurementprocessinIraqona USAID-fundedprojectseemsabitwonky,the[USgovernment]couldgetquiteinquisitive.”Several INGOsexpressedconcernsabouttheUSgovernment’sPartnerVettingSystem,whichrequiresINGOgranteestocollectandprovideinformationontheirlocalNGOpartnersandstaff.Theybelievethis potentiallycreatesadditionalsecurity,reputational,andinformationrisks(e.g.,throughcollecting informationthatwasnotproperlystored/protectedorbeingperceivedascollectingpersonal informationtobepassedontoagovernmentagency).
Promisingpractice:Briefanduser-friendlytoolsforfieldsettingsMorebasic,“digestible,”toolsgetused.Forexample,one-pagersthatcanbepostedorcarriedwillhavefargreater utilitythanlargesecuritymanagementplans,whichareoftenunwieldyandsitonashelf.Focusandinsistonmore practicaltoolsandmorepracticaltrainings.
![Page 21: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/21.jpg)
21
5.Principlesandprogramcriticality
Programcriticality(i.e.,theurgencyorpotentialimpactoftheprogram,intermsofsavinglivesandrelievingsuffering)iswidelyunderstoodbyhumanitarianINGOsandfactoredintotheirdecision-making.Almostallintervieweesaffirmedthattheytakethecriticalityoftheinterventionintoaccount,insomeway,whendeterminingthelevelofrisktheyarewillingtoaccept.Respondentsmadecommentssuch as“Iftheneedishuge,ouracceptablelevelofriskshiftssomewhat”;“Ifit’saboutsavinglives,yes, [ourorganization]iswillingtotakemorerisks”;and“Thisalwayscomesupin[seniormanagementteam]discussions[atfieldlevel].”Thiscriticalityassessmentismainlydoneinformally,however.Programcriticalitywastypicallynotpartofriskmanagementmechanisms,andtherewasnowayofsystematicallymeasuringit.NoneofthesampleINGOshadaformalwayofmeasuringthecriticalityoftheintervention, orawaytobalancethatagainstoveralllevelsofrisk.(Bycontrast,theUNhasdevelopedawayto systematicallymeasureprogramcriticalityandtobalancethiswiththelevelofsecurityriskassumedbyitsstaff(Haver,etal.,2014).
Contrarytointerviewandpolicydocumentfindings,themajorityofsurveyrespondentsanswered“yes”tothequestionofwhethertheirorganizationhadaspecificmechanismforconsideringprogramcriticalityindecisionsonrisk.However,respondentswerelikelyexpressingthefactthattheconceptisfamiliarandconsideredindecision-making,ratherthanthattheyhadawritten/formaltool.Thiswasfurtherjustifiedbyseveralofthecommentsinthesurvey,whichnotedthatexistingtoolsdonotincludeameasurementoftheimportanceoftheprogram.Whenasked,intervieweessuggestedthatthereasonsfornotincludingprogramcriticalityelementsinriskmanagementwasnotbecausetheyareinherentlydifficulttomeasure(i.e.,criticalityisnotnecessarilymoredifficulttomeasurethanrisk).Theirabsencecouldstemfromthefactthatriskmanagementframeworksweredevelopedintheprivatesector,wherethebottomlineismoreeasilymeasured,i.e.,intermsofprofit.
Deliveringhumanitarianassistanceinthemidstofviolentconflictinevitablyinvolvesrisk.Delivering principledhumanitarianassistanceinvolvesgrapplingwithcontradictionsandethicaldilemmas,eveninthebestofsituations.Notably,upholdingtheprincipleofhumanity(savinglivesandalleviatingsuffering) mayattimesrequirecompromisingneutrality,independenceorimpartiality.Forexample,anarmedactor mayseektospecifywhichpeoplecanbehelpedwhen,forcinganethicaldilemma.Similarly,tobring securityandfiduciaryrisksdowntoacceptablelevelscanmeanadefactofailuretoprioritizepopulations ingreatestneed,andthereforeafailuretoactimpartially—atleastforthecollectivehumanitarian response,ifnotforasingleINGO.Inotherwords,thereisabuilt-intensionbetweenfulfillingthe mandateandmissionofone’sorganizationandmanagingitsrisk.
Whilemanyintervieweeswerequicktopointoutthattheirorganizationhadnotshiedawayfrom workinginthehighest-riskenvironments,theyalsoprovidedmultipleexamplesofwheretheirworkwas restrictedinvariousways.Severalintervieweesnotedthatwhiletheywererarelyentirelypreventedfromworkinginacertaincountryaltogether,theyrestrictedthemselvestospecificregionswithinit.Restrictionswerealsonotedinthetypesofprogrammingtheycouldcarryout.In-kindassistancewassometimesusedbecausecashwasseenastoorisky,forexample,duetoahostgovernment’snegativeperceptions(e.g.,inAfghanistan,Iraq,Syria,andUkraine).Insomeareas,sexualandgender-based violence(SGBV)programswereseenaslocallyunacceptableandthereforetooriskyfromasecuritypointofview.Inaddition,INGOsreportedoftennotspeakingoutonbehalfofaffectedpeople(i.e.,reducingtheiradvocacy)becauseofperceivedoractualriskstothesecurityofstaff,theorganization’sreputation,oritsfutureaccess.Feworganizationsseemedtohaveawayofmeasuringorassessingthislasttypeofrisk.Decision-makingonadvocacywascomplicatedbythefactthatoftenstaffbasedoutsidethecountryleadadvocacyefforts,buttheyarenotasawareoftherisksandsotendtodefertocountry- basedstaff,whoarenaturallymorefocusedonensuringthecontinuityoftheiroperations.
![Page 22: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/22.jpg)
22
Promisingpractice:“Pre-mortems”-chartingpossiblerisksandpotentialresponsesThoughitmayseemelementary,NGOsreportedthatthepracticeofexplicitlylistingrisksandtheirpossiblemitigationmeasureswasextremelyhelpfulindecision-making.Aselectionofexamplestheycitedarebelow,andcanbeviewedaspromisingpracticesinthemselves.
CATEGORY
Information
Compliancewithhost governmentlawsand regulations
Communicationsand outreach(reputation)
Operational
RISK
Systemsriskbeinghacked,withdonors’creditcardsorothersensitiveinformation stolen.Nationalstaffadministration softwareiseasytodefraud.
Tax,registration,andotherlegal complianceissuestakealotoftimeandenergy,andaresospecificthattheyaredifficultforagloballyoperatingNGOtoresolve(andforesee).
Workingwithexternalfundraising companiesthatengageinaggressive ordishonesttacticscanleadto reputationaldamage.
Alocalpartnerdoesnothavethe capacitytomeetdonorconditions,ordoesn’thavefinancialreserves.
MITIGATION MEASURES
GetanITsecurityaudit(technological andprocedural)byexternalprofessionalstoidentifyandfixvulnerabilities.
Havelawyersonretainerinthecountriesofoperation(notexpats)withspecificexpertiseinthatareaoflaw(e.g., employmentlaw,taxlaw)todealwithissuesastheycomeupandfeedinto decisionsandpolicies,e.g.,country- specificHRpolicies.
Ratherthanoutsourcing,investin in-housefundraisingstaff.
Secondstafftositwiththepartner organization.
Obtainfundingformentoringandcapacitybuildingforpartners.
The “risk management” approaches of INGOs have tended not to explicitly address the risk of programmingunethicallyorviolatinghumanitarianprinciples.Asoneintervieweenoted,“Thereislessofafocusondilemmasaroundwhoyouworkwith,accessissues,theinternationalpoliticalagendaetc.Thesearenotseenas‘risks’butratherjustconditionsthatyouhavetodealwitheveryday.”Risk managementhastendedtofocusmoreonsecurity,fiduciaryandcompliancerisks,ratherthanthemoregeneralriskofnotlivinguptoone’smandate/missiontodeliverprincipledandeffectivehumanitarianresponse.The“failuretodeliverresponsibly,inaprincipledway”isdeeplyintertwinedwiththeconceptofacceptance-basedsecurity,butnotconsideredariskinitself.Thismirrorsthefinding(above)that INGOslackastructuredwaytothinkaboutprogramcriticality—instead,takingitmoreorlessfor grantedthatitwillbeintuitivelyconsideredbydecision-makers.
![Page 23: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/23.jpg)
23
6.Conclusionsandrecommendationfornewpolicyguidance
Thebalanceofevidencefromthekeyinformantinterviews,surveyresponsesandpolicysynthesis suggeststhatthemajoroperationalINGOscontinuetoprofessionalizeandinstitutionalizerisk management,buthaveagooddealfurthertogoiftheirobjectiveistoachieveatrulyintegrative approachtorisk.Securityremainsthemostadvancedareaofpolicyandpractice,likelybecauseithasbeenstudiedlongerandwithmoreurgency(beingamatteroflifeandlimb),butsecurityfocalpoints donotyetconsistentlyengageinpracticalplanningordiscussionwithotherpolicyareaswithin organizations.Thestudyrevealedgeneralenthusiasmforthesystematicandholisticapproachoffered byriskmanagement.Atthesametime,however,somestaffworrythatifappliedthewrongwayitcanleadtoriskaversionandconstrainedactionasonepotentialnegativeoutcome,ortobox-tickingandcomplacency as another.
Finally,therearethingsthatriskmanagementdoesn’tcoverandarguablyshould.Oneisprogram criticality,avitalconsiderationwhendecidinghowmuchresidualriskisacceptable.Withoutit,there isthepossibilityofmakingdecisionsusingalowestcommondenominatorriskthreshold,andfailing totakelife-savingactionasaresult.Anotheristheissueofhumanitarianprinciplesandtheethicaldilemmasthatcanresultwhentheyconflictwitheachotherorwithotherriskmanagementobjectives.Giventheprimarymissionofhumanitarianorganizations,therisksoffailingtoliveuptocore humanitarianprinciples,ortherisksofactingunethicallytowardaffectedpopulations,arealso important to manage and be honest about.
6.1Recommendedpracticalproduct:Riskmanagementpolicybrief
Thetermsofreferenceforthestudycallfortheresearcherstoproposeanddevelopanadditionalpractical toolorguidancedocumentforNGOsinaddressingrisk.Approachingthistask,wewereguidedbytheunderstandingthatintroducinganewtoolortemplateintoanalreadycrowdedfieldwillnotaddvalueunless it addresses a key gap or problem and is simple enough to be readily understood and implemented. Interviewees and survey respondents were prompted for their opinions and ideas on what sorts of tools mightbemostuseful.Althoughanumberofthemexpressedthesentimentthat“toomanytools”already exist,thiswasaminorityopinion.Nostrongconsensusorspecificideasemerged,however,onwhatnew instrumentsareneededorwouldbemosthelpful.Themostfrequentlymadesuggestionwasforconsolidated guidance on the basic principles and procedures for risk management that was “short” and “simple.”
Basedonthereviewfindingsandtheidentificationofgaps,theresearchteamproposedthreepossibleoptionsforconsiderationtotheparticipatingINGOsatworkshopsinWashington,DC,andDublin.Theoptionsincludedahandbookonbasicprinciplesofriskmanagement,aprogramcriticalityassessmenttool,andpolicyguidanceonethics-relatedrisk.Despitethestudy’sfindingthatissuesofprogram criticalityandethicsarenotsystematicallyincludedinriskmanagementprocesses,neithergroup expressedinterestintheselattertwooptions.Afterdiscussionoftheprosandconsofeach,consensusemergedaroundahandbook/briefingpaperthatwouldincludenotonlybasicprinciples,butalso specificexamplesofpromisingandpoorpractice,andanannotatedriskregistertemplate.Thehandbook canbefoundhere[link].Bothgroupsalsoexpressedinterestinthepossibilityoffurtherresearchonmeasuringandacceptingresidualrisk(seesection6.2).
6.2Prospectsforfurtherresearchandadvocacy
Inadditiontothehandbook,anotherareaofconsensusthatemergedattheworkshopswasinterestinfutureappliedresearchintoresidualrisk.Afterallappropriatemeasureshavebeentakentomitigatethe risk,canhumanitarianorganizationsanddonorscollectivelysetparametersforacceptablelevelsofresidual risk?TheparticipatingINGOsexpressedtheirwillingnesstoconsiderthepotentialforadditionalin-depthresearchonthisissue,withaneyetoproducinganoutputthatcouldbeusedforcoordinationandadvocacy.
![Page 24: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/24.jpg)
24
References
ALNAP(2006).EvaluatinghumanitarianactionusingtheOECDDACcriteria:AnALNAPguidefor humanitarianagencies.London:OverseasDevelopmentInstitute.
ALNAP(2010).Thestateofthehumanitariansystem:Assessingperformanceandprogress.London:OverseasDevelopmentInstitute.
Collinson,S.,&M.Duffield(2013).Paradoxesofpresence.HumanitarianPolicyGroup. www.odi.org/publications/7514-risk-humanitarian-remote-management.
CounterterrorismandHumanitarianEngagementProject(2014).Ananalysisofcontemporary anti-diversionpoliciesandpracticesofhumanitarianorganizations.CounterterrorismandHumanitarianEngagementProject.http://blogs.harvard.edu/cheproject/files/2013/10/CHE_Project_-_Anti-Diversion_Policies_of_Humanitarian_Organizations_May_2014.pdf.
Haver,K.,A.Stoddard,andA.Harmer(2014).Independentreviewofprogrammecriticality,Humanitarian Outcomes,July.
Healy,S.,&S.Tiller(2014).Whereiseveryone?:Respondingtoemergenciesinthemostdifficultplaces. London:MedecinssansFrontieres.
Hoppe,K.(2015).Climbingbackdown:Thechallengeofreducingsecuritylevels.HumanitarianPracticeNetwork,23November.http://odihpn.org/blog/climbing-back-down-the-challenge-of-reducing- security-levels/.
Humanitarian Outcomes (2014). Ratesofviolence(1997–2014).London:HumanitarianOutcomes.
HumanitarianPracticeNetwork(2010).Goodpracticereview:Operationalsecuritymanagementin violentenvironments(2nded.)London:OverseasDevelopmentInstitute.
Kaplan,R.,&A.Mikes(2012).Managingrisks:Anewframework.HarvardBusinessReview,48–60.
Mackintosh,K.,&P.Duplat(2013).Studyoftheimpactofdonorcounterterrorismmeasuresonprincipled humanitarianaction.UN OCHA and Norwegian Refugee Council.
OfficeofForeignAssets(2014).Controlguidancerelatedtotheprovisionofhumanitarianassistancebynot-for-profitnon-governmentalorganizations.Washington,DC:DepartmentoftheTreasury.
RIMS(2015).WhatisERM?RIMS:TheRiskManagementSociety.https://www.rims.org/resources/ERM/Pages/WhatisERM.aspx.
Schafer,J.,&P.Murphy(2011).Securitycollaboration:bestpracticesguide.Washington,DC:InterAction.
Slovic,P.(2000).Theperceptionofrisk.London:Earthscan.
Tversky,A.,&D.Kahneman(1974).Judgmentunderuncertainty:Heuristicsandbiases.Science,185 (4157),1124–31.
![Page 25: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/25.jpg)
25
Figure6:TopicareasbeingdiscussedbyINGOsinregardstorisk
Num
bero
fmen
tions
0
6
12
18
24
30
Acce
ptan
ce
27
Loca
l par
tner
ship
s
Abd
uc�o
ns &
Kid
napp
ing
21 20 19 18 17 16 1614 13 12 12 11 11 11 10 10 9 8 8 7 6 5 5 4 3 3
Prot
ec�o
n
With
draw
/sus
pend
Info
Sec
CT
& C
T Le
gisla
�on
Eva
cua�
on
Dut
y of
Car
e
Hum
anita
rian
Prin
cipl
es
Con
flict
of I
nter
est
Dono
rs
Cas
h pr
ogra
mm
ing
Civ
-Mil
Rig
ht to
with
draw
Do n
o ha
rm
Sex
ual a
ssau
lt/ex
ploi
ta�o
n
Loc
al S
taff
Pro
gram
cri�
calit
y
Rem
ote
Man
agem
ent
Soci
al M
edia
Info
rmed
Con
sent
Pol
i�cs
(for
eign
influ
ence
)
Risk
tran
sfer
Neg
o�a�
ons
Arm
ed a
ctor
s
OFA
C
Topic area
Annex 1. Policy synthesis summary
Figure7:Toptenthematicareasofdiscussion inrelationtorisk
Num
bero
fmen
tions
Loc
al P
artn
ersh
ips
0
7
14
21
28
21
Abd
uc�o
ns &
Kid
napp
ing
20
Prot
ec�o
n
With
draw
/sus
pend
Info
Sec
CT
& C
T Le
gisla
�on
Eva
cua�
on
Duty
of C
are
19 18 17 16 1614
27
Acce
ptan
ce
Hum
anita
rian
Prin
cipl
es
13
Figure8:Lowesttenthematicareasofdiscussioninrelationtorisk
Num
bero
fmen
tions
Pro
gram
cri�
calit
y
0
3
6
9
8
Rem
ote
Man
agem
ent
8
Soc
ial M
edia
Info
rmed
Con
sent
Pol
i�cs
(for
eign
influ
ence
)
Risk
tran
sfer
Neg
o�a�
ons
Arm
ed a
ctor
s
76
5 54
3
9
Loc
al S
taff
OFA
C
3
![Page 26: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/26.jpg)
26
Figure9:INGOaffiliationsandpolicyarea(policywordcount)
0 80000 160000 240000 320000
Security
Safety & Security
Safety
Opera�onal
Legal & Compliance
Informa�on
Financial
Communica�ons
ALL
US
INT
UK
EU
127,050165,424
87,29330,043
20,176
225
10,2801,754
16,368
14,32253,036
18,137
1,6165,004
7,0771,382
14,55445,610
2,00511,292
318,67947,204
12,50069,701
3,58344,733
10,474
17,30757,414
3,779
7
4,542
![Page 27: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/27.jpg)
27
Figure10:Thematicdiscussionsofriskwithinsecuritypolicy
Acceptance Abduc�ons & Kidnapping
Evacua�onProtec�on
Duty of Care Withdraw/suspend
Right to withdraw Humanitarian Principles
Civ-Mil Sexual assault/exploita�on
Program cri�cality Local Partnerships Informed Consent
Nego�a�ons Poli�cs (foreign influence)
Local Staff Do no harm
Armed actorsInfoSec
CT & CT Legisla�onRemote Management
Risk transferDonors
Social Media
0 5 10 15 20
Figure11:Thematicdiscussionsofriskwithinfinancialpolicy
Conflict of Interest
Local Partnerships
Cash programming
CT & CT Legisla�on
Donors
OFAC
Evacua�on
Duty of Care
Remote Management
Local Staff
Withdraw/suspend
0 2 4 6 8
![Page 28: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/28.jpg)
28
Figure12:Thematicdiscussionsofriskwithincommunicationpolicy
Social Media Local Staff
DonorsAcceptance
Withdraw/suspend programInfoSec
Abduc�ons & KidnappingProtec�on
Humanitarian PrinciplesCiv-Mil
Do no harm
0 1 2 3 4
Figure13:Thematicdiscussionsofriskwithin“all”policycategory
CT & CT Legisla�onProtec�on
Local Partnerships Do no harm
Duty of CareProgram cri�cality
Cash programmingRemote Management
InfoSec Risk transfer
Humanitarian PrinciplesConflict of Interest
Local Staff0 1 2 3 4 5
Figure14:Thematicdiscussionofriskwithinoperationalpolicy
Remote Management
Do no harm
CT & CT Legisla�on
Local Partnerships
Local Staff
Humanitarian Principles
Duty of Care
Conflict of Interest
InfoSec
Risk Transfer
0 1 2 3
![Page 29: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/29.jpg)
29
ValuesAcceptance 1 2 20 23Abductions&Kidnapping 1 1 18 20LocalPartnerships 8 1 2 6 17Evacuation 2 1 13 16InfoSec 1 9 1 1 3 15Protection 1 1 1 11 14Withdraw/suspendprogram 1 1 2 10 14DutyofCare 1 1 10 12Humanitarian Principles 1 1 9 11CT&CTLegislation 5 1 2 1 2 11Right to withdraw 1 10 11ConflictofInterest 8 1 1 10Civil military 1 1 8 10Donors 1 4 2 2 9Sexualassault/exploitation 1 1 7 9LocalStaff 1 1 2 4 8Cash programming 7 1 8Social Media 4 1 1 1 7Donoharm 1 2 1 3 7Remote Management 1 3 2 6Programcriticality 6 6Informed Consent 1 5 6Politics(foreigninfluence) 4 4Negotiations 4 4Risk transfer 1 2 3OFAC 3 3Armed actors 3 3
Table2:Overviewofpolicyareasinrelationtothematicdiscussionsaboutrisk
Commun
icati
ons
Fina
ncial
Inform
ation
Legal/c
ompliance
Ope
ratio
nal
Safety
Safety&Security
Security
Gran
dtotal
![Page 30: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/30.jpg)
30
Figure15:TypesoftoolsusedbyINGOsinriskmanagement
Figure16:Riskmanagementtoolsinrelationtotheirpolicyareas
Procedural 35%
22% Declara�ve
43% Analy�cal
ALL 23%
Security 50%4% Safety & Security
2% Communica ons4% Compliance
4% Finance
9% Opera onal
4% Safety
![Page 31: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/31.jpg)
31
Annex 2. People interviewed
NAME TITLE INGO/DONOR
ChrisLockyear DirectorofOperations(US) ACF
LuisGarcia DirectorofFinance ACF
AlexCottin DirectorofExternalRelations ACF
ColinMcIlreavy SecurityDirector ACF
BarbaraJackson HumanitarianDirector CAREInternational
RobertYallop PrincipalExecutiveInternationalOperations CAREAustralia
Greg Brown Head of Corporate Services CARE Australia
ChrisWilliams HeadofSafetyandSecurity CAREUSA
DawMohammed CountryDirector,Yemen CAREUSA
ChristinaNorthey CountryDirector,Afghanistan CARE
ÁineFay PresidentandChiefOperatingOfficer Concern
RichardDixon DirectorofPublicAffairs Concern
Abdi-RashidHajiNur CountryDirector,Somalia Concern
FeargalO’Connell CountryDirector,SouthSudan Concern
MubashirAhmed CountryDirector,Pakistan Concern
DominicCrowley EmergencyDirector Concern
SeanCallahan ChiefOperatingOfficer CRS
KevinHartigan RegionalDirector,Europe,MiddleEast,andCentralAsia CRS
JenniferPoidatz VicePresident,HumanitarianResponse CRS
JimO’Connor Director,RiskManagementandStaffSecurity CRS
MauriceMcQuillan SeniorAdvisor,StaffSafetyandSecurity CRS
TimothyBishop CountryRepresentative,DRCongo CRS
JonasMukidi SecurityManager CRS
NiekDeGoeij CountryRepresentative,Mali CRS
AnneMaltais HeadofOffice,Sevare,Mali CRS
GorelSidibe SecurityManager,Mali CRS
LorraineBramwell CountryRepresentative,SouthSudan CRS
FarukhKhan SecurityManger,SouthSudan CRS
ChristineTucker LiaisonwiththeEnterpriseRiskManagementCouncil CRS
MiaNeumann ChiefTechnicalAdvisor,RiskandCompliance DRC
FredrikPaalson ChiefTechnicalAdvisor,SafetyandSecurity DRC
PeterKlansoe RegionalDirector,MiddleEast DRC
HeatherAmstutz RegionalDirector,HornofAfrica/Yemen DRC
ImmoMeyer-Christian RegionalSafetyAdvisor,MiddleEast DRC
MichaelMatt RegionalSafetyAdvisor,HornofAfricaandYemen DRC
RikkeJohannessen RegionalHeadofProgram,HornofAfrica/Yemen DRC
![Page 32: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/32.jpg)
32
NAME TITLE INGO/DONOR
BryanWalden ProjectManager,LogisticsSystemsandTraining DRC
ShaunBickley ExecutiveCoordinator(interim) EISF
MarinTomas GlobalLogisticsManager IMC
ChrisSkopec SeniorDirector,EmergencyPreparednessandResponse IMC
StephenTomlin SeniorAdvisor,Program,Policy,andPlanning IMC
TimMcAtee DeputyDirectorofGlobalSecurity IMC
TaralynLyon EpidemiologyandSystemsCoordinator IMC
JonCunliffe EmergencyTeamLeader,Turkey IMC
AdenNoor CountrySecurityManager,Somalia IMC
BobKitchen Director,EmergencyPreparednessandResponseUnit IRC
DeniseFurnell SeniorDirector,GlobalSafetyandSecurity IRC
ColleenRyan VicePresidentofCommunications IRC
SannaJohnson RegionalDirector,Asia,Caucasus,andMiddleEast IRC
MarkSchnellbaecher RegionalDirector,SyriaRegionalResponse IRC
BrycePerry EmergencyFieldDirector IRC
YusufAhmed RegionalDirect,EastAfrica IslamicRelief
AteeqRehman CountryDirector,Pakistan(former) IslamicRelief
MohammedSalah CountryDirector,Yemen IslamicRelief
Dr.AhmedNasr HeadofGlobalOperations IslamicRelief
JavedBostan InternalAuditManager IslamicRelief
BethdeHamel ChiefFinancialOfficer MercyCorps
Barnes Ellis General Counsel Mercy Corps
ChristineBragale DirectorofMediaRelations MercyCorps
NajiaHyder DirectorofGlobalProgramming MercyCorps
DamienValletted’Osio RovingSecurityAdviser,Africa MercyCorps
ChristianKatzer OperationsManager,MSFOCABerlindesk-Chad, CAR,Zimbabwe,Swaziland,PNG,mobileHAT MSFHolland
ThijsvanBuuren Controller(finance) MSFHolland
PeteButh DeputyDirectorofOperations MSFHolland
WouterKok FieldSecurityAdvisor MSFHolland
JustinArmstrong HeadofProgramsforOCAinAfghanistan MSFHolland
GautamChatterjee HeadofMission,Somalia MSFHolland
Kelsey Hoppe Head of Service Safety and Security Pakistan Humanitarian Forum
MarcosFerreiro InformationandAnalysisManager NGOSafetyProgram, Somalia
GregNorton HeadofInternalAuditandQualitySupport NRC
![Page 33: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/33.jpg)
33
NAME TITLE INGO/DONOR
MagnhildVasset DirectorofFieldOperations NRC
QuratSadozai CountryDirector,Afghanistan NRC
NasrMuflahi CountryDirector,Iraq NRC
Heather Hughes Global Security Advisor Oxfam GB
KathleenParsons DeputyProgramDirector,BusinessPractices OxfamGB
SagarDave HeadofInternalAudit OxfamGB
ChristianBadete SecurityAdviser,DRCongo OxfamGB
AndresGonzalez CountryDirector,Iraq OxfamGB
Rod Slip Response and Resiliency Team Security Advisor Oxfam GB
NahuelArenas HumanitarianDirector OxfamAmerica
MarkKripp ChiefFinancialOfficer OxfamAmerica
RachelHayes SeniorDirectorofCommunications and Community Engagement Oxfam America
ElFatehOsman OxfamCountryDirector(Sudan) OxfamAmerica
MikeNovell DeputyInternationalProgramDirector SavetheChildrenIntl.
Karl Sandstrom Risk Manager Save the Children Intl.
GregRamm VicePresident,HumanitarianResponse SavetheChildrenUS
RafaelKhusnutdinov SeniorDirectorGlobalSafetyandSecurity SavetheChildrenUS
HajiraShariff VicePresident,BusinessIntegration SavetheChildrenUS
SeanLowrie Director StartNetwork
EricHembree OfficeoftheComptroller(Director) US/BPRM
KatherinePerkins OfficeofPolicyandResourcePlanning(ActingDirector) US/BPRM
StacyGilbert OfficeofAsiaandNearEast(SeniorCivilMilitaryOfficer) US/BPRM
JenniferSmith OfficeofMultilateralCoordinationandExternalRelations US/BPRM
MariaRowan OfficeofPolicyandResourcePlanning(Monitoring andEvaluation) US/BPRM
FaithChamberlain OfficeofPolicyandResourcePlanning(MilitaryAdvisor) US/BPRM
AndrewKent SeniorHumanitarianPolicyAdvisor US/OFDA
CaraChristie TeamLeadforEastandCentralAfrica US/OFDA
PaulSitnam EmergencyResponseManager,CentralAfricanRepublic WorldVision
PerryMansfeild NationalDirector,SouthSudan WorldVision
KhalilSleiman ResponseManager WorldVision
SeanDenson OperationsDirector,OfficeofCorporateSecurity WorldVision
LaurenceBaird GlobalSecurityAdvisor WorldVision
![Page 34: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/34.jpg)
34
Figure17:Staffpositionsrepresented
Field HQ
Subna�onal field staff 11
Senior management 129
78 Program
4 Security
Admin/support 12Communica�ons 2
Finance 9
Logis�cs 19
Senior management 76
35 Program
4 Security
Admin/support 1Communicaons 3
Legal 5
Logiscs 3
Existence/awarenessofriskmanagementpolicies
Thepresenceofexplicitriskmanagementpolicies,particularlyintheareasofsafetyandsecurity,wasconfirmedbyamajorityofrespondents.Majoritiescouldconfirmtheexistenceofformalproceduresandpoliciesinsafety(themostwell-knownarea)andsecurity(thesecondmostconfirmed).Financial/ fiduciaryriskwasthethirdmostconfirmedareaofexplicitpolicy,followedbyinternational(sanctionsandcounter-terror)andnationallegalcompliance.
Informationsecurityandpoliciesregardingcompliancewithinternationalsanctionsandcounterterrorregulationshavethelowestlevelofawareness,buttheirexistencewasstillconfirmedbyamajorityofoverallrespondents(56–57percent)exceptforthenon-sampleNGOsandHQstaff.
Annex 3. Survey results
Responsebreakdown
The survey collected 398usableresponsesout of 401 completed surveys (three were excluded as non-NGOaffiliated,i.e.UNagencies).Themajorityofresponses(339or85percent)werefromINGOsinthesamplegroup.Oftheremaining,43non-sampleINGOs,sevenresponseswerefromnationalNGOs.
Altogether,thesurveyrespondentsrepresentedatleast57uniqueNGOs(two respondents declined to nametheirorganizations)workingin79countries.
Asaimedfor,thereweremorefield-basedrespondents(265)thanHQstaff(128),andfiveidentified asbeingfromregionaloffices.Ofthese,159identifiedasexpatriates/internationalsand 103as nationalstaff.
ThemostprevalentfieldsettingswereLebanon(26),DRC(24),Jordan(24),SouthSudan(22),and Afghanistan(19).ByfarthemostHQrespondentswerefromtheUS(39),followedbyDenmark(7), Switzerland(6),andGermany,Ireland,andUK(4each).
Themajorityofrespondents(207)wereinseniormanagementpositions,followedbyprogramand technicalstaff(113),logistics(22),security(11)andotherroles.
![Page 35: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/35.jpg)
35
Toyourknowledge,doesyourorganizationhavespecific Sample Other policiesandproceduresonanyorallofthefollowing? Total group NGOs
Safety 92% 94% 81%
Security 89% 91% 83%
Fiduciary/financial 82% 84% 71%
Legalcompliance(hostgovernmentlaws) 72% 74% 59%
Informationsecurity 57% 60% 44%
Legalcompliance(int’lsanctions/counterterror) 56% 57% 47%
Existenceand/orawarenessofrisk-managementpoliciesingeneralwerestrongeramongthesamplegroupofNGOsthanthenon-samplerespondentswere,butvariedbycategorybetweenfieldand headquartersrespondents.Forinstance,awarenessofinformation-securitypoliciesinthefieldwasstrongerthaninheadquarters(61percentand49percentrespectively).
Effectivenessofimplementationofriskmanagementpolicies
Overall,respondentswerepositiveontheextenttowhichpolicieswereunderstoodandimplementedinthefield,withmajoritiesreportingthatimplementationwas“good”inallareasofriskmanagement.ThoserepresentingtheINGOsfromthesamplegroup,however,weregenerallymorepositive(moreoftenanswering“good”or“excellent”)thanthenon-sampleones(whichhadagreaterpercentageof“fair” or “poor” responses).
Table3.Policyemphasis
Excellent Good Fair
Sample
Non-sample
0.0
0.1
0.2
0.3
0.4
0.5
0.6
Poor
Figure18:Securitypolicyimplementation
![Page 36: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/36.jpg)
36
0
50
100
150
200
Secu
rity
Safe
ty
Info
rma�
on
Excellent
Fair
Int'l
com
plian
ce
Host
govt
com
plian
ce
Fiduc
iary
Com
mun
ica�o
ns
RM ov
erall
Good
Poor
Largemajoritiesalsoreportedthattrainingwasprovidedforeachcategoryofriskmanagement,withthehighestnumberof“yes”responsesintheareasofsafetyandsecurity.Again,thepositiveresponseswerestrongerinthesamplegroupofINGOs,whoseratioofyes-to-noanswerswasovertwiceashighasthatof the non-sample group.
Programcriticalityconsiderations
Contrarytointerviewandpolicydocumentfindings,themajorityofsurveyrespondentsanswered“yes”tothequestionofwhethertheirorganizationhadaspecificmechanismforconsideringprogramcriticality indecisionsonrisk(i.e.,allowingfortheacceptableriskthresholdtobehigherforactivitiesthatservemorecriticalneeds).Respondentspossiblywereexpressingtheirfamiliaritywiththeconceptandthatitisconsideredindecision-making,ratherthanthattheirorganizationhasawritten/formaltool.
Onecommentsaid,“intermsofdecision-makingonbalancebetweenriskandprogrammingare mechanismsandsystemsthatarewellestablished(riskmatrixandanalysis,etc.)toassessthesecurityrisksthemselves,butasfarasIknowthereisnoexplicitmechanismtoweighriskagainstimportanceofprogramimplementation.”
Forothersitmaybethattoolsareavailablebutnotorganization-wide:
• “Yes,butprobablynotallcountryoperationsusethesametool,oruselocallydevelopedtools.”
• “Yes,butthetoolismoretoensuremitigationmeasuresareinplacetoaddressrisks.”Itneedstohaveastrongcomponent(oradifferenttoolisneeded).
Figure19:Howwellarepoliciesimplementedandunderstood?
![Page 37: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/37.jpg)
37
DoesyourNGOexplicitlyweigh“programcriticality”inrisk-managementdecisions?
0.0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
Yes No I don’t know
Sample NGOs
Others
Figure20:Weighing“programcriticality”inrisk-managementdecisions
Forsomeitwascontainedinotherpolicies:“Forciv-milissues,weuseatoolwedevelopedcalledtheHISS-CAMwhichguidesdecisionmakingaboutarmedactors/militaryinvolvement.Thetoolcontainsapart on risk vs. program urgency.”
Policyemphasis
Respondents were asked to rate areas of risk management in terms of what received the most emphasisinorganizationalpolicyandprocedures.Securityandsafetywerethetoptwoareasof emphasis,followedbyfiduciaryrisk,hostgovernmentlegalcompliance,reputationalrisk,and internationalcounter-terrorcompliance.Thelowestrankedareawasinformationrisk.
Attitudestowardriskacceptance
Most respondents rated their own agencies as being more toward the “risk tolerant” end of the spectrum.However,theyalsoreportedthatriskappetiteattheirorganizationhaddeclinedinrecentyears–slightlymorethanreportedithadstayedthesame.
Whenresponsesaretalliedbyorganization,wesee4organizationsinthesamplegroupwhose respondingstaffperceivethemtobelessrisktolerantthanpreviously,5whosestaffperceivethemto bemorerisktolerant,and4reportingnochange.TheremainingINGOhadstaffwhowereevenlysplit on the issue.
![Page 38: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/38.jpg)
38
Organizationhasbecome:
More risk tolerant
Less risk tolerant
About the same
Field
HQ
0 35 70 105 140
79 33
90 48
91 46
Figure21:Changeinrisktoleranceovertime
Open-endedresponsesstressedthevarianceincontextsandindividualswhenitcomestoriskappetite.However,whenfilteredforthehigh-securityriskcountries,theresultsaregenerallythesamefortheseorganizations,withstrongermajorities.
ThesurveyaskedINGOstaffhowmuchtheyagreedwiththestatement“INGOshavebecomeincreasingly risk averse and are curtailing humanitarian response as a result.” Overall most respondents answered thattheyagreedor“somewhatagreed.”StaffofUS-basedINGOsweremorelikelytodisagree,andlesslikelytoagreecompletely,thantheirEuropeancounterparts,butstillhadapluralityofrespondentsthat“somewhat agreed” with the statement.
Figure22:Changeinrisktoleranceaccordingtocontext
Changeinrisktolerance(high-risksettings)
More risk tolerant 20%
33% About the same
Less risk tolerant 47%
![Page 39: NGOs and Risk - InterAction€¦ · operational, and information risks. They broadly share a common underpinning methodology, borrowed from the private sector, which systematizes](https://reader034.vdocument.in/reader034/viewer/2022042419/5f3610516d34f2523c20866a/html5/thumbnails/39.jpg)
39
Figure23:“INGOshavebecomeincreasinglyriskaverseandarecurtailing humanitarianresponseasaresult.”
Agree with statement
N. America
Europe
0
35
70
105
140
32
58
45
92 20
78
Disagree Somewhat agree Agree