This chapter introduces the foundational ideas of security risk management for humanitarian action. These include the basic concepts of threat and risk, duty of care and risk thresholds, and how these relate to programme criticality. The chapter also describes the foundational principles of humanitarian action and their relationship to security, and good practice in creating an organisational security culture.
Humanitarian action, which often takes place amid instability, conflict and crisis conditions, inevitably entails some security risk. While risks can never be completely eliminated, their effective management can make the difference between people receiving life-saving aid or not. In the humanitarian context, therefore, security risk management is ultimately in service to humanitarian objectives; avoiding harm and loss is a means, not the end in itself.
Security risk is about the potential for harm: the likelihood of something harmful happening and the extent of that harm if it does. Security risk management is an organisational system for identifying, assessing and preparing for risks to help prevent security incidents from occurring and to minimise their impact when they do by responding to them effectively.
An organisation’s obligation to the safety, security and wellbeing of the individuals carrying out its work is linked to the concept of ‘duty of care’, which has important legal and moral implications for aid organisations. While there is no single, standard set of actions that define a duty of care policy, there are common elements of good practice, including assessing risks, implementing risk mitigation measures, informing staff of risks and measures, and responding to incidents when they occur.
Participating in humanitarian response efforts requires a willingness to take some risks. An organisation’s risk appetite will be shaped by its strategic objectives, mission and culture, and amounts to a shared understanding of the level of risk that is appropriate to achieve the organisation’s goals. Setting the threshold of acceptable risk as an explicit and transparent decision can help govern all other management decisions regarding what to do when faced with risk. Being clear on what trigger events or ‘red lines’ signify crossing beyond an acceptable level of risk can help determine when security has deteriorated significantly, and whether programme activities clearly justify the higher risk.
This introduces another key concept in security risk management – programme criticality. The more critical or life-saving the programme, the more risk an organisation may be prepared to accept to sustain it. This is an example of how security risk management in humanitarian operations differs from other sectors, and why humanitarian organisations often operate in areas where others do not.
Finally, building a positive security culture is a fundamental aspect of security risk management. To foster such a culture, organisations should treat security as a shared responsibility, not a sensitive topic confined to management discussions. Having a positive security culture means that all staff consider security risks and implications in their work because they understand its importance, and are respected for doing so.
Bickley, S. (2017) Security risk management: a basic guide for smaller NGOs. EISF.
CHS Alliance (2019) Introduction to duty of care.
cinfo (n.d.) Duty of care under Swiss law.
GISF (n.d.) What is humanitarian security risk management?
Hoppe, K. and Williamson, C. (2016) Dennis vs Norwegian Refugee Council: implications for duty of care. Humanitarian Practice Network.
ICRC (n.d.) The Geneva Conventions of 1949 and their Additional Protocols.
International Organization for Standardization (2018) ISO 31000:2018: Risk management – Guidelines.
Merkelbach, M. and Kemp, E. (2016) Duty of Care: A review of the Dennis v Norwegian Refugee Council ruling and its implications. EISF.
