Overview

This chapter describes key elements of an organisation’s security risk management system – the organisational policy instruments, structures and roles and responsibilities involved in reducing risks to staff and fulfilling duty of care.

Chapter summary

Security risk management involves many processes and overlaps with several areas of work and organisational functions. To guide planning and implementation, it can help to visualise these elements as a framework built on the foundational objective of achieving safer access and fulfilling duty of care through a person-centred approach (see figure below).

Example security risk management framework

A security policy is a critical governance document and a fundamental aspect of the security risk management system of an organisation. The policy reflects the organisation’s culture and values, outlining how it will uphold duty of care while pursuing strategic objectives. Security policy documents can include:

  • Statement of approach
  • Roles and responsibilities
  • Minimum security requirements (universal protocols, sometimes structured in tiers, based on security levels or risk ratings)
  • Integration with other policies
  • Core principles and culture

Strong leadership and accountability, adequate resources, cross-functional integration, flexibility for local adaptation, continuous monitoring and effective dissemination all support the implementation of a security policy.

Properly positioning security risk management within the organisation’s governance structure means being clear about who is responsible for what. All staff, from senior programme managers to interns, should understand that they have a responsibility for their own security – and for the security of the team as a whole, as well as the organisation.

Ultimate accountability for security usually lies with the organisation’s executive director (or equivalent) or its governing board. In most organisations, executive leadership sets the tone for risk tolerance, ensures compliance with legal obligations (such as duty of care) and allocates the resources needed to implement security measures. The operational management of security is linked to organisation-wide management and decision-making practices, and most organisations decentralise security decisions to the closest relevant level of authority.

Many organisations employ security staff to provide expertise and advisory support to managers (who are usually ultimately responsible for security-related decisions) at the area, country, regional and head office levels. These security focal points are often tasked with undertaking security-related actions, such as developing security plans and sharing insight and expertise with non-security colleagues. Most organisations have either fully dedicated or multi-hatting security focal points across different levels, from head office to local project officers, with the highest-risk locations often receiving the most investment in staffing.

Security governance structures vary depending on the organisation’s overall approach. This can be conceived as a continuum with fully integrated security risk management at one end, and a heavily resourced and independent security structure at the other.

Types of security governance structures

Most organisations sit somewhere along this continuum, depending on their security risk management approach, resources and preferences. Governance models shape the organisation’s overall approach to security, but the attitudes and approaches of individual staff also play a significant role in how security is managed and perceived.

The success of any security risk management system is closely tied to its integration with other organisational functions. The siloing of security risk management remains a significant challenge. Security staff should regularly assess whether the security strategy enables everyone within the organisation to effectively achieve their objectives. A holistic view of risk – combined with a deep understanding of internal dynamics and organisational goals – can foster active collaboration across teams and improve how security is managed and perceived by non-security staff. Adopting an enterprise risk management approach can help embed security within a broader risk framework, ensuring coordination and alignment with other critical areas such as financial, reputational and operational risks.
