Rights-based and humanitarian organisations must take risks to achieve change in the world. But in the face of attacks and harassment by governments, corporations, criminals, and armed groups, how do they take the right risks? The most-effective way to do this is through implementing a security risk management framework of policies and procedures.
‘Duty of care’ is your organisation’s obligation to provide a reasonable standard of care to those performing activities on its behalf that could bring them to foreseeable harm. The drivers behind duty of care are multiple and include legal and contractual requirements (including donor compliance) and your own organisation’s moral commitments. It is useful to break down the different elements of this definition for a deeper understanding:
- Obligation. The drivers behind this obligation can be multiple, and no one driver is more important than any other. What is important is to recognise, set, and ultimately fulfil a standard to achieve the obligation.
- Reasonable standard. Your obligation is to provide a reasonable standard of care. This means that the care you provide should be appropriate to the foreseeable risks. So, if detention is a foreseeable risk, for example, we must implement measures to reduce this risk.
- On your behalf. The people performing activities on your behalf could be staff, consultants, partners, sub-contractors, sources, volunteers, etc. You bear a different level of duty to each of these categories of people which is why you must define the level of care to each in your Security Policy.
- Foreseeable. Duty of care simply asks us to safeguard against harm that can be foreseen. In this sense, it rightly considers that we cannot foresee (and therefore cannot protect against) every single situation.
Informed consent is a critical part of achieving your organisation’s duty of care. The concept can be broken into two parts as follows:
- Informed. Your organisation has a duty to inform those who work on its behalf of the foreseeable risks that they could face as part of their work with you. This requires you to both assess and communicate these risks in advance.
- Consent. Once co-workers have been informed of the risk, they must either consent to the activities involving the risk or decline them. Their consent or decline must be recorded (for example, in a travel form). If someone declines to be involved in an activity, they cannot be coerced or forced to change their mind.
It is important that decision-making around security risks are taken by suitable people in your organisation. Within many of the policies, procedures, and resources in Frontline Policies, decisions are allocated to a ‘Senior Person’. In this context, this refers to the executive director or other senior manager.
A clear and measurable risk appetite is a legal requirement in many jurisdictions. Even if not a legal requirement, having a defined risk appetite has the following benefits:
- Providing clear parameters for your teams. This enables your team to understand what level of risk is acceptable to the organisation so that they can make informed decisions about taking the right risks.
- Providing a systematic approach to risk management. This provides your team a consistent methodology to assess and manage risk that is less reliant on personal opinion. This approach is critical, as it means that you can consistently compare risks throughout the entire organisation.
- Protecting your organisation from collapse. Setting a defined risk appetite below the level at which your organisation would collapse clearly protects your organisation from taking the wrong risks – risks that would be fatal to your people, programmes, or organisation.
Co-workers have the right to be informed of the risks that they face. This includes understanding how to respond to incidents, which can be effectively delivered through a learning programme. Additionally, if co-workers are to have additional responsibilities or tasks as a result of the security framework, it is important to ensure that they have a full understanding of how to achieve them. This learning programme is communicated through the Learning Management Procedure.
The risks, workload, and culture in our sector have positive and negative impacts on those who work on our behalf. In the most severe cases, these can have psychological impacts on individuals in the long term, including stress, trauma, and burnout. Thus, it is crucial to provide relevant information and support to those who work on our behalf. This support is communicated through the Wellbeing Management Procedure.
If co-workers report incidents that affect them or others, it allows your organisation to respond in the correct way. This may involve managing the incident locally or escalating it to the Crisis Management Team. Regardless of where or how the incident management takes place, your organisation has a duty to respond, so it is vital that you are aware of incidents as soon as possible. Knowing what incidents regularly occur in your organisation can also help you improve your security framework and accordingly adapt risk reduction measures to limit the likelihood of similar incidents occurring again.
Being able to respond to critical incidents is a vital part of achieving your organisation’s duty of care. This is because your organisation must demonstrate that sufficient measures have been taken to respond to an individual who is at risk of harm. As critical incidents can rapidly become complex, challenging, and difficult to manage, it is only sensible to have a procedure in place to guide the organisation that can be implemented by a team that is trained to respond and whose members are clear on what their roles in the response entail.
As a rights-based organisation, we firmly believe that duty of care for co-workers should include both external safety and security threats and internal bullying and harassment - the latter of which falls under safeguarding. We also believe that duty of care extends beyond our organisation to include those who come into contact with our team or services, particularly if they are a child or at-risk adult. In the context of safeguarding, this includes protecting beneficiaries and other stakeholders from sexual exploitation and abuse. We have included a safeguarding policy, procedure and resources in Frontline Policies (as a core module) to encourage the mainstreaming of safeguarding and the wider uptake of safeguarding best practice among civil society organisations around the world. The Safeguarding Policy sits outside the overarching Security Policy because the roles and responsibilities surrounding safeguarding are different to those associated with security risk management and are often performed by different people within an organisation.
Second, you should review and, as required, amend each policy, procedure, and resource in the framework. This should be carried out with a variety of co-workers so that the framework is fully tailored to your organisation’s needs and there is ownership across the organisation.
Third, you should get approval to implement the security framework from the Senior Person. This demonstrates senior management’s commitment to security and allows them to consider the best way to implement the framework, including any changes in responsibilities and additional financial resources.
Fourth, once approved, the framework needs to be implemented. This is best achieved through introductory sessions followed by consistent support for those who will use the framework. This requires a balance of both requiring people to use the framework and providing them with active support to use it.
Disclaimer: To the fullest extent permitted by law, Open Briefing will not be liable for any loss, damage or inconvenience arising as a consequence of any use or misuse of this resource.
Copyright © Open Briefing Ltd, 2020. Some rights reserved. Licensed under a Creative Commons Attribution-NonCommercial 4.0 International Licence.