I feel a little uncomfortable writing about this subject since I am a big advocate for security risk management (SRM) approaches in the humanitarian security sector. You might say I’ve been part of the wave of security professionalisation that has helped spread SRM among large and small NGOs over the past 10-15 years as the main security approach. I’m even doing a doctorate in security risk management, so I’m what you might describe as ‘a bit invested in it’.
The Troubling Thing
So why –just when SRM seems to have universal acceptance in the sector– am I becoming so uncomfortable? SRM is a proven approach, particularly in the private sector and government where it is used pretty much exclusively to identify security risks and address them with mitigation measures and controls so they can operate within acceptable risk levels. What is considered acceptable risk might be rather different depending on the organisation (humanitarians have a well-earned reputation for going toward the danger rather than away) but the principle remains the same: Identify – Mitigate – Operate.
What’s troubling me is whether we’ve been kidding ourselves that SRM –either as an approach in its own right or in the way that it is practiced within the sector– is really effective enough to manage security risks to acceptable levels in the most dangerous, complex and unpredictable environments where humanitarians commonly work. SRM seems to make sense as an approach, particularly when you consider how it is used in corporate or government sectors that are not unlike the aid sector where security mistakes can be catastrophic. And let’s be honest, corporates and government are where we look to for advances in the industry and then do our best to adopt their practices even if we don’t always have all of their resources.
An Uncomfortable Fit
My discomfort lies in the fact that humanitarian security has adopted something that was designed to address the risks in the corporate world where (despite often being high risk) they tend to work in environments where risks are knowable, can be managed systematically and they can often exercise greater control over their operating areas. Whereas, the humanitarian sector must manage risks in complex and dangerous field settings that they do not control and where threats and how they eventuate are less certain. Even the military, who often work in the same spaces as humanitarians, rely heavily on protection and deterrence measures that are not usually available to humanitarians. Humanitarians on the other hand must rely to a large extent on good acceptance, yet their ability to ensure this across all actors can be fraught with difficulty and the consequences of getting this calculation wrong are often very high. Old news I know. The time for this argument was probably in the early 2000s, but who knew back then that the humanitarian space was going to become so much more dangerous? Hopefully, humanitarians will never go down the “hard security” path, but their exposure to risk in these environments and their vulnerability means they better know how to navigate the complexity of their operating contexts so they can avoid getting into harm’s way. Rather than being “soft security”, this is arguably much harder and requires security that is much smarter and more adaptable.
A “cookie cutter” approach where security risk management practices are adopted without adapting it for the humanitarian space won’t cut it. Instead of sitting uncomfortably next to it, acceptance needs to be fully integrated into SRM for it to be fit for humanitarians.
Resources – Or the Lack Thereof
One advantage that corporates and governments share is the availability of resources and the expertise to use them. If security risk management is dependent on good infrastructure and effective systems in place to manage it, then adopting it as the main approach when these things are not in place could do more harm than good. It could also give the illusion that risks are being managed better than they are. Yet humanitarians are often working under resource constraints and are particularly affected by funding tied to particular programmes making it difficult to shift resources to adapt to changing risks. Whether security risk management as a management discipline has ownership at a high enough level to influence these decisions in humanitarian organisations is another important consideration. Even if security risk management is a good fit for humanitarian work the fact that it requires significant capacity and organisational buy in to make it work seems to currently be a barrier to its success.
Our Greatest Gift
Local security capacity is critical because that’s where much of the value security provides (such as timely advice and reassurance) sits, even though it may be too ad hoc to be considered as part of SRM. Yet it’s this local understanding that’s not easy to quantify in a spreadsheet that is security’s greatest gift and is key to building acceptance and keeping people safe. But field level security often doesn’t have a say in the approaches designed for them, like SRM. To them, SRM tends to add technical complexity and bureaucracy but doesn’t leave much room for the human element. And even the most technical systems can fail to spot risks that emerge rapidly or without warning. If SRM only measures tangible things then we risk undervaluing the field contribution that occurs every day behind the scenes.
So, far from arguing that humanitarian security professionals don’t compare well against their non-humanitarian counterparts, I would suggest their close engagement with communities and intimate contextual knowledge gives them a far superior ability to navigate the complexity of their operating environments. And humanitarian security professionals seem to be able to “do the impossible” when it comes to achieving good outcomes in the most challenging places and with very few resources. I am just concerned that security risk management as a process is too static for the constantly changing humanitarian contexts and if anything may serve to diminish the nimbleness that is the hallmark of a good humanitarian security field practitioner. Field security people have good judgment and are adaptable but SRM seems to make that skill set less important.
I Believe
Despite these shortcomings I still believe in SRM for the humanitarian sector; but being a believer shouldn’t mean turning a blind eye to the parts that don’t work.
SRM needs to be reshaped to fit a sector that relies more on context information, “good enough” judgments and rapid decision making than data, processes and resource intense mitigation measures.
And with the growing emphasis on duty of care in the sector, SRM is probably the only approach that inherently measures what levels of risk are acceptable to humanitarian organisations, provides visibility on when those thresholds are surpassed and then agreement on what should be done. In the modern era of increased accountability and management discipline, the risk of not doing security risk management well undoubtedly outweighs the other risks it brings. That is however no excuse to ignore the unique advantages of the humanitarian security sector and not tailor the approach accordingly.
Fuelled? Decidedly so!
The author of this blog posting is currently conducting research on the effectiveness of security risk management in the humanitarian security sector as part of his doctorate at the University of Portsmouth. If any of the issues raised in this post further fuelled your interest in the subject he would be grateful if you would complete his SURVEY.
Not a Think Tank 
2 thoughts on “Is Security Risk Management Worth the Risk?”