Once an organisation has identified and evaluated the risks, it can make plans to manage them. A security plan is where these risks are documented, along with their corresponding mitigation measures. This chapter identifies good practice in creating security plans, with a focus on two major elements: standard operating procedures or SOPs (how the organisation will mitigate the threats identified in the risk assessment); and contingency arrangements (how the organisation will respond to disruptive and potentially high-risk events and situations).
The security plan serves as the foundation of security risk management at the programme implementation level. Depending on the context and the risks, a security plan may apply to an entire country, a specific geographic location or an individual project. Inclusivity in the security planning process – involving a diverse group of staff with different roles, backgrounds and personal profiles – is preferable to individual planning, as it leverages collective knowledge and experience and promotes broad ownership of the final product. Good practice in planning also includes following up with periodic reviews to adapt the plan as the environment changes.
Security plans differ across organisations, reflecting specific organisational needs, policies, and the context. The major components of a security plan can include the current context and risk assessment, security levels, roles and responsibilities, standard operating procedures (SOPs), and crisis management and contingency plans.
SOPs provide detailed directions on how to carry out the specific tasks or processes needed to implement the security plan – essentially, the operating instructions for mitigating each of the assessed risks. Good practice calls for separate SOPs, written in clear and simple language, and addressing all areas of operations where risks have been identified. SOPs can cover a wide range of activities, from daily routines to emergency response procedures, and be tailored to the specific risks and challenges present in the operating environment. For example, in areas where road travel entails security risk, an organisation will usually establish SOPs around assessing security for planned routes, travel authorisations, vehicle safety checks, check-ins at regular intervals, speed limits and behaviour at checkpoints. Having well-developed SOPs will help ensure consistency and reduce human error. When an organisation defines something as an SOP, it is typically understood to be a requirement as opposed to a guideline or advice. Because these terms are sometimes confused or used interchangeably, it is helpful for the organisation to make clear to staff the level of compliance expected.
Contingency plans support an organisation in managing anticipated high-risk events and situations where normal operations are disrupted or become untenable. In security risk management, contingency plans typically focus on situations where insecurity has increased suddenly or dramatically, necessitating decisions on whether and how to continue programming. In such cases, an organisation may be faced with the options of hibernation, relocation or evacuation (in the case of international organisations) and may approach these as progressive, escalating phases as security conditions worsen.
It is good practice for organisations to regularly review contingency plans with staff, especially in situations where it is becoming increasingly likely that withdrawal will be necessary. This can be done through simulation exercises or a team meeting to review policies, procedures and plans.
Bickley, S. (2017) Security risk management: A basic guide for smaller NGOs. EISF.
GISF (2020) Keeping up with COVID-19: Essential guidance for NGO security risk managers.
GISF (2020) Security to go: a risk management toolkit for humanitarian aid agencies.
GISF (n.d.) Security plans. NGO Security Toolbox.
GISF (n.d.) Contingency plans. NGO Security Toolbox.
Safer Edge (2014) Office closure. EISF.
