A critical component of security risk management is ensuring that policies, plans and procedures are regularly reviewed and evaluated to measure compliance, effectiveness and impact at an organisation-wide and location-specific level. This chapter discusses monitoring mechanisms for security risk management.
Monitoring mechanisms should be adaptable, scalable and tailored to risk levels to avoid creating unnecessary burdens or bureaucratic impediments to programming. By prioritising effectiveness over mere compliance, monitoring efforts can help align security measures with programmatic objectives.
Monitoring efforts can be grouped into three interrelated (and sometimes overlapping) areas.
The purpose of compliance monitoring is primarily to understand the reasons behind non-compliance, not to penalise staff. It may be that processes are not being followed because they are unrealistic or unsuitable for the context. Non-compliance can also reveal challenges, such as insufficient resources, negative perceptions of security practices among staff and knowledge gaps. Monitoring of this nature can help identify gaps and challenges that require addressing, such as through training, guidance, support, or other positive security culture-building activities.
To monitor effectiveness, more organisations are now undertaking security audits, reviews and consultations. These can be used to assess the ‘health’ of security systems, and staff awareness and understanding of security measures and resources. These evaluations offer staff an opportunity to highlight security risks or challenges they face in their lives and work, which might not be adequately considered by existing security measures.
A security audit is a formal, compliance-focused assessment of an organisation’s security policies, procedures and practices against established organisational requirements and indicators. Security audits, particularly location-specific ones, can be used to verify that the mitigation measures identified in the risk assessment and security plan were implemented and assess the extent to which policies and procedures were followed. Organisations also benefit from including acceptance-related indicators in their security audits. What a security audit looks like, how regularly it takes place, who conducts it, and how in-depth it is, will vary from organisation to organisation.
Some organisations also carry out global or organisational reviews of security systems and approaches, which are formal evaluations based on specific terms of reference. These often go beyond an assessment of internal standards or requirements. Ad hoc staff consultations on challenges and weaknesses are also becoming increasingly common in the aid sector. These often follow a complaint or reports of misconduct or negligence, and can relate to issues such as racism, sexual exploitation and abuse, harassment and bullying.
Evaluating the impact of security risk management measures is challenging and, as a result, remains infrequent in the sector. However, this process can provide valuable insights into whether an intervention has contributed to meaningful changes, such as creating a safer work environment. A theory of change approach can be applied to map desired long-term outcomes and the steps required to achieve them. Evidence from the monitoring mechanisms discussed in this chapter can support this process. This evaluation should aim to produce a plausible, evidence-based narrative of impact, and can be guided by questions such as:
Finally, digital dashboards are increasingly used to display real-time data, including security levels, incident tracking and compliance monitoring. These tools can enhance decision-making by enabling quick corrective actions, simplifying and encouraging reporting, and identifying gaps to prioritise funding and support.
Bickley, S. (2017) Security risk management: A basic guide for smaller NGOs. EISF.
Finucane, C. (2013) Security audits. EISF.
The Swiss Centre of Competence for International Cooperation (CINFO). (n.d.). Duty of care maturity model.
