مراقبة الامتثال والفعالية والتأثير

Chapter summary

ينبغي أن تكون آليات المراقبة قابلة للتكيف والتوسع ومُصممة خصيصًا لمستويات المخاطر لتجنب خلق أعباء غير ضرورية أو عوائق بيروقراطية أمام البرمجة. ومن خلال إعطاء الأولوية للفعالية على مجرد الامتثال، يمكن لجهود المراقبة أن تُساعد في مواءمة التدابير الأمنية مع الأهداف البرمجية.

يمكن تصنيف جهود المراقبة إلى ثلاثة مجالات مترابطة (وأحيانًا متداخلة).

الامتثال: مراجعة دورية لتطبيق ممارسات إدارة مخاطر الأمن، بما في ذلك إعداد التقارير الدورية ومراقبة المؤشرات الرئيسية لضمان سير العمل ومعرفة ما إذا كانت هناك حاجة إلى تغييرات. وتلعب قوائم التحقق ولوحات المعلومات دورًا مفيدًا في هذا.

الفعالية: تعمق دوري في العمليات لقياس فعالية ممارسات وأنظمة الأمن، بما في ذلك عمليات تدقيق أمنية رسمية.

التأثير: تحليل متعمق باستخدام المعلومات المستمدة من جهود المراقبة ومصادر أخرى لفهم ما إذا كان نظام إدارة مخاطر الأمن في المؤسسة يؤثر على التغيير أو يُساهم فيه.

The purpose of compliance monitoring is primarily to understand the reasons behind non-compliance, not to penalise staff. It may be that processes are not being followed because they are unrealistic or unsuitable for the context. Non-compliance can also reveal challenges, such as insufficient resources, negative perceptions of security practices among staff and knowledge gaps. Monitoring of this nature can help identify gaps and challenges that need to be addressed, including training, guidance, support or other positive security culture-building activities.

To monitor effectiveness, more organisations are now undertaking security audits, reviews and consultations. These can be used to assess the ‘health’ of security systems and staff awareness and understanding of security measures and resources. These evaluations offer staff an opportunity to highlight security risks or challenges they face in their lives and work, which might not be adequately considered by existing security measures.

A security audit is a formal, compliance-focused assessment of an organisation’s security policies, procedures and practices against established organisational requirements and indicators. Security audits, particularly location-specific ones, can be used to verify that the mitigation measures identified in the risk assessment and security plan were implemented, and assess the extent to which policies and procedures were followed. Organisations also benefit from including acceptance-related indicators in their security audits. What a security audit looks like, how regularly it takes place, who does it and how in-depth it is will vary from organisation to organisation.

Some organisations also carry out global or organisational reviews of security systems and approaches, which are formal evaluations based on specific terms of reference. These often go beyond an assessment of internal standards or requirements. Ad hoc staff consultations on challenges and weaknesses are also becoming increasingly common in the aid sector. These often follow a complaint or reports of misconduct or negligence, and can relate to issues such as racism, sexual exploitation and abuse, harassment and bullying.

Evaluating the impact of security risk management measures is challenging and, as a result, remains infrequent in the sector. However, this process can provide valuable insights into whether an intervention has contributed to meaningful changes, such as creating a safer work environment. A theory of change approach can be applied to map desired long-term outcomes and the steps required to achieve them. Evidence from the monitoring mechanisms discussed in this chapter can support this process. This evaluation should aim to produce a plausible, evidence-based narrative of impact, and can be guided by questions such as:

• To what extent are the organisation’s security training programmes improving staff awareness and behaviour regarding security risks?
• Are there observable improvements in security risk management outcomes compared to previous periods and other peer organisations operating in the same areas?
• What lessons can be learned from recent security incidents, and how have they been applied to improve practice?

Finally, digital dashboards are increasingly used to display real-time data, including security levels, incident tracking and compliance monitoring. These tools can enhance decision-making by enabling quick corrective actions, simplifying and encouraging reporting, and identifying gaps to prioritise funding and support.