Security Risk Management Within the Nonprofit Sector

When I was asked to share thoughts about security risk management considerations within the nonprofit sector, I knew I would be remiss if I did not start by acknowledging the existing publications, research and expertise that has been shared on this topic by professionals supporting non-government organizations (NGOs) such as the Global Interagency Security Forum (GISF), Overseas Security Advisory Council (OSAC) International Development Sector Committee (IDSC), Humanitarian Practice Network, and International NGO Safety and Security Association (INSSA). Colleagues with decades of humanitarian and development sector experience have done incredible work to advance NGO security risk management; these same colleagues’ resource sharing, networking and mentoring have been critical to my professional development as well.

From the perspective of someone who transitioned into the NGO security sector more than 10 years ago, I’ve found that understanding the following is essential to evaluating or developing a successful NGO security risk management program:

1. Organization’s risk tolerance and appetite
2. Risk assessment and mitigation planning process
3. Organization’s commitment to duty of care
4. Key stakeholders and funding
5. Security’s reputation and culture

Let’s explore each of these considerations one by one.

Risk Tolerance and Appetite

Key to an organization’s security risk management program is the level of risk that an organization is willing to accept and how much deviation from that tolerance it is ready to accept. Depending on an NGO’s mission, the organization’s risk tolerance can vary widely. Organizations that deliver life-saving assistance in complex environments such as Yemen or Afghanistan likely have a higher risk tolerance than their peers who implement programs that may be viewed as more developmental in nature. Having a clear understanding of the risk tolerance and appetite an organization (including its senior leadership and Board of Directors) is willing to accept is essential and should be documented in a board and/or organizational security policy.

Risk Assessment and Mitigation Planning

Another critical component of an NGO’s security risk management program is the risk assessment. GISF’s Security to go: a risk management toolkit for humanitarian aid agencies guides staff in identifying and measuring specific risks. Once a comprehensive risk assessment has been completed, an NGO can develop its risk mitigation measures and plans within the organization’s risk tolerance; ensure they are properly resourced in project proposals and budgets; and enable the NGO to fulfill its donor objectives, as well as honor commitments to the communities they are serving. A risk assessment enables an NGO to meet its duty of care to staff, volunteers, partners and other stakeholders.

Duty of Care

An NGO’s commitment and ability to fulfill its duty of care is a key indicator of success for a security risk management program and helps clarify what the organization values most. Organizations with a strong commitment to duty of care are those that have robust safety and security training programs, adequate security budgets, comprehensive psychosocial support mechanisms, and engaged leadership who value security and recognize the relationship between duty of care and resilient programming. Security and risk management professionals new to the NGO sector may find themselves quickly overwhelmed by trying to manage all aspects of duty of care, so it is important to balance the needs of the staff and projects with what is sustainable and appropriate for the context. This has become even more critical during a global pandemic where national staff are at the greatest risk for violence against aid workers.

Key Stakeholders and Funding

Understanding the organization’s internal and external key stakeholders and how the NGO is funded undergirds NGO security risk management. Internally, it’s essential to build strong relationships with key individuals and departments that support security by understanding the resources and policies available and responding to issues in a timely and efficient manner. For example, assessing and leveraging insurance policies and the resources that accompany those policies often involves engagement with human resources or legal departments. Every external collaboration or partnership has the potential to impact an NGO’s reputation and ability to operate safely, so maintaining an awareness of those relationships and monitoring for any events or issues that pose a risk to the NGO is important. Maintaining neutrality while delivering aid or service in conflict areas, particularly if the NGO is funded by a government, is also essential.

Security Reputation and Culture

Building rapport and earning a reputation as a trusted advisor and leader requires consistency, integrity, trust and respect. No matter how strong the security infrastructure one implements within an organization, the ultimate determination of success is whether you can develop a culture of security. Organizations that learn from what others have experienced and adapt their operations accordingly are more likely to have resilient and adaptable programming, which facilitates positive impressions from donors who are expecting program objectives and goals to be met.

These are just a few key considerations when developing an NGO security risk management program. It’s worth noting that there is no established standard for NGO risk management. Though many nonprofits benchmark and share information, each organization has a unique approach to managing its operational risks.