NGO Risk Management. Principles and Promising Practice

Similar documents
LGMA Qld Governance and Corporate Planning Village Forum

Security Risk Assessment Tool

These guidelines can help you in taking the first step and adopt a sustainability policy as well as plan your further sustainability communication.

Compliance. Compliance Toolkit. Protecting Charities from Harm. Chapter 2 Due Diligence, Monitoring and Verification of End Use of Charitable Funds

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC

WFP ENTERPRISE RISK MANAGEMENT POLICY

IFAD Policy on Enterprise Risk Management


Operational Risk Management Policy

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

Wowprime Corporation Ethical Corporate Management Best Practice Principles

PRIORITIZING CYBERSECURITY

Ensuring the Protection Aid Workers: Why a Special Mandate Holder is Necessary

Business Conduct, Compliance and Ethics Program. important

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

Corporate risk register

REPORT 2014/078 INTERNAL AUDIT DIVISION

Federal Bureau of Investigation s Integrity and Compliance Program

Inventec Corporation Ethical Corporate Management Best Practice Principles

Data Protection Breach Reporting Procedure

Our vision. A company where the best people want to work.

Module 4. Risk assessment for your AML/CTF program

RISK APPETITE IN THE WORLD FOOD PROGRAMME

KNOW YOUR THIRD PARTY

Fraud Risk Management

Location of the job: CFO Revenue Assurance

Department of Veterans Affairs Office of Inspector General Strategic Plan FY

Social Performance Management

Code of Ethics and Professional Conduct

ICSH Guidance Document: Preparing a Risk Register/ Risk Management Plan

General Assembly Security Council

Information technology Security techniques Information security management systems Overview and vocabulary

PROCEDURES RISK MANAGEMENT FRAMEWORK AND GUIDELINES PURPOSE INTRODUCTION. 1 What is Risk?

FRAUD PREVENTION STRATEGY FOR UGU DISTRICT MUNICIPALITY (UGU)

Position Area Manager Grade D2 Department Programs and Operations (Field Based) Date January 2016

MEMORANDUM. Municipal Officials. From: Karen Horn, Director, Public Policy and Advocacy; and Abby Friedman, Director, Municipal Assistance Center

Security Management Training Course Notes

Information Security Awareness Training

Instruction note for ECHO staff on Remote Management

1. Compliance with Laws, Rules and Regulations

Fraud Prevention and Deterrence

Ethics Everywhere Jones Lang LaSalle Incorporated Annual Report for Calendar Year 2013 Program

Enterprise Risk Management

AfDB New Procurement Policy: Training Program for the Bank s Procurement Staff. Risk-based design of Procurement Arrangements - Introduction

CIMA CODE OF ETHICS. For professional accountants

1 Human Rights Governance of the VPSHR at Barrick

State University of New York at Potsdam. Workplace Violence Prevention Policy and Procedures

Global Corporate IT Security Risks: 2013

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

CODE OF CONDUCT. It s how we do what we do

ERM Program. Enterprise Risk Management Guideline

Ethical Corporate Management Principles

A Comparison. Safety and Health Management Systems and Joint Commission Standards. Sources for Comparison

National Standards for Disability Services. DSS Version 0.1. December 2013

Considerations for Outsourcing Records Storage to the Cloud

KENYA NATIONAL BUREAU OF STATISTICS RISK MANAGEMENT POLICY

STANDARDS PROGRAM For Canada s Charities & Nonprofits

Managing in a Litigious World. Anna Elento-Sneed Alston Hunt Floyd & Ing

Anti-Bribery and Corruption Policy (including Gifts and Hospitality)

Anti-Bribery and Corruption Policy

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

In this document you will find additional information on each plug in by clicking the appropriate box.

The potential legal consequences of a personal data breach

Objective Oriented Planning Module 1. Stakeholder Analysis

POLICY SUBJECT: EFFECTIVE DATE: 5/31/2013. To be reviewed at least annually by the Ethics & Compliance Committee COMPLIANCE PLAN OVERVIEW

The guidance 2. Guidance on professional conduct for nursing and midwifery students. Your guide to practice

Corporate Code of Ethics

Financial Services Regulatory Commission Antigua and Barbuda Division of Gaming Customer Due Diligence Guidelines for

Cyber Risks in the Boardroom

The Role of Internal Audit in Risk Governance

Institutional Policy. Tackling the risk: Handicap International s Safety and Security Policy. Federal Executive Division 2012 IP 05

Sobel & Co. s Nonprofit and Social Services Group presents. Your Organization is Vulnerable: The Facts About Nonprofits and Fraud

LATEST ON THE DODD-FRANK ACT AND INTERNATIONAL COMPLIANCE RISKS

WHISTLE BLOWING GUIDELINES FOR PENSIONS

An Organizational Ethics Decision-Making Process

Adopted by the Board of Directors on 23 April 2015 with entry into force as of 24 April OPERATIONAL RISK MANAGEMENT POLICY

Does Fraud Matter? ASIS Middle East Security Conference and Exhibition Dubai, February 16, Torsten Wolf, CPP Head of Group Security Operations

Orange Polska Code of Ethics

Keren Elazari Hackers: The Internet s Immune System

Reproductive Medicine Associates of New Jersey, LLC

SUPERVISION GUIDELINE NO. 9 ISSUED UNDER THE AUTHORITY OF THE FINANCIAL INSTITUTIONS ACT 1995 (NO. 1 OF 1995) RISK MANAGEMENT

CONDUCTING A RISK ASSESSMENT

REGULATIONS ON OPERATIONAL RISK MANAGEMENT OF THE BUDAPEST STOCK EXCHANGE LTD.

The Essential Guide to: Risk Post IPO

WHISTLE BLOWING POLICY & PROCEDURES

Corporate Governance. R esponse. T arget. A ddress. M anagement

august09 tpp Internal Audit and Risk Management Policy for the NSW Public Sector OFFICE OF FINANCIAL MANAGEMENT Policy & Guidelines Paper

VENDOR MANAGEMENT. General Overview

ASTRAZENECA GLOBAL POLICY SAFETY, HEALTH AND ENVIRONMENT (SHE)

Enterprise-Wide Risk Assessment

Continuous context-specific protection analysis

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Transcription:

NGO Risk Management Principles and Promising Practice With heightened levels of violence in some conflict settings, coupled with proliferating legal and fiduciary regulations related to anti-corruption and counter-terror efforts, humanitarian non-governmental organizations (NGOs) are contending with new and intensified risks to their personnel, operations, and organizations. Some of the larger international NGOs have begun to adopt organization-wide risk management frameworks to better enable effective programming in high-risk situations. This handbook is meant to serve as a primer and quick reference tool for humanitarian organizations on the basic principles of risk management. It presents concrete examples of promising practices as well as pitfalls to avoid. The handbook draws upon the findings of a 2016 study, NGOs and Risk, conducted by Humanitarian Outcomes for InterAction, with the participation of 14 major international NGOs. The full report, as well as a sample risk register template and a list of key resources, can be found here: https://www.humanitarianoutcomes.org/ngos-and-risk An independent organisation providing research evidence and policy advice to inform better humanitarian action

Risk Management: Definitions and basic principles Key Terms Threat: A danger or potential source of harm or loss Risk: The likelihood and potential impact of encountering a threat Risk management: A formalized system for forecasting, weighing, and preparing for possible risks in order to minimize their impact Types of risk Organizations have their own ways of categorizing and grouping types of risk. Below is the generic categorization used for the NGOs and Risk study, with examples. Risk area Definition Examples Security Violence or crime Kidnapping of staff Armed attack on facilities Collateral damage from airstrike Safety Accident or illness Road accidents Fire in office or residence Fiduciary Resources not used as intended Diversion of aid materials (fraud/theft/bribery) Bribery of local officials Misallocation of earmarked donations Information Data loss, breach, or misuse Theft of donor credit card information Breach of personnel data or other sensitive information Inappropriate communications by staff on social media Legal/compliance Violation of laws/regulations Violations of host-country labor codes or other laws Violations of international sanctions or counter-terror restrictions Reputational Action, information or Negative media stories perceptions damaging to Negative public statements or litigation by staff, integrity or credibility ex-staff or stakeholders Operational Inability to achieve Human error objectives Capacity deficits Financial deficits The risk management approach Organizational risk management frameworks seek to integrate all major areas of risk within a unified conceptual and planning platform. Sometimes referred to as enterprise risk management or ERM, this approach has its roots in the private sector and has only recently been taken up by aid organizations. The most well developed risk management frameworks include: a risk register tool for analyzing and prioritizing risks and planning mitigation measures; decision-making and implementation procedures flowing directly from that assessment and planning; a systematic follow-up or audit process to ensure good implementation and understanding; and, to incorporate learning; and a means for weighing criticality, or the degree to which the action is urgent or life-saving, in order to guide decision-making on acceptable levels of risk (sometimes called program criticality ). 2

The risk register: A tool to assess, prioritize and mitigate organization-wide risks A sample risk-register matrix template, compiled from examples used by the participating NGOs, can be downloaded here: https://www.humanitarianoutcomes.org/ngos-and-risk A risk register is a way to build a comprehensive picture of the most serious risks facing an organization at any given time. It should be built from the ground up, with each country office and each functional area of the organization (e.g., program, legal, communications) conducting an exercise to identify and rank the risks they face in all categories. These in turn inform the organization-wide risk register, which is compiled at the central level at least once per year. Using the same logic as for a security risk assessment, completing a risk register involves ranking risks in all categories by their perceived degree of likelihood as well as the level of impact they would have on the organization if realized. Once the risks are identified and prioritized, the process involves developing strategies to mitigate them, including outlining ways that procedures and practices may need to be adjusted. The risk register also provides a valuable tool for benchmarking progress against these plans throughout the year, including through risk audits or other follow-up measures. 3

Promising (and poor) practices in risk management Some promising practices related to risk management identified in the report include: Catalogue missteps and realized risks: The senior management of one INGO compiled a list of all significant mistakes or bad outcomes that affected the organization over the year, (and ways they may have been avoided or mitigated) and shared it with the entire organization as a learning tool. Because many staff members tended to be only vaguely aware or misinformed of such incidents, this new practice helped foster openness and lesson-learning. Adapt to work with high-risk partners: Specific steps can be taken when working with highrisk national-partner NGOs, such as those that lack the capacity to meet donor requirements or don t have financial reserves. INGO staff can be seconded to sit within a partner organization; funds can be disbursed in smaller amounts or more frequently; and additional funds can be obtained for mentoring and capacity building. INGOs should also assess their motivations for partnering and their capacity to partner before initiating the partnership. Prepare for host-country legal challenges: Tax, registration, and other legal compliance issues take time and energy and are so country-specific that they are difficult for a globally operating organization to resolve and foresee. Some INGOs have found that retaining national lawyers can avoid legal missteps, deal quickly with situations that arise, and provide input into relevant policies, e.g., country-specific HR policies. Hire external experts to conduct IT security audits: Many INGOs are under-informed about the increase in information risks, which include hacking into fundraising systems (to steal donors credit card or other sensitive information) and defrauding national-staff administration software. External professionals can conduct IT security audits to identify technological and procedural problems and fix vulnerabilities. Ensure that brief and user-friendly tools are available in the field: Basic, digestible tools get used. For example, sample risk-register templates can be posted in field offices. Focus and insist on tools and trainings that are practically-oriented. Review and improve national-staff security: One INGO made the unprecedented decision to evacuate national-staff members and their families when a province was overrun by anti-government forces and they were deemed to be at direct risk. The ad hoc decision revealed the need for, and helped to spark, policy development on this issue. Generally, many INGOs could take steps to mitigate national-staff security risks, including improving off-hours transportation, communications, and site security at home. Admit and disclose fraud: Several INGOs have taken a decision to proactively disclose incidents of fraud or financial mismanagement. This can demonstrate openness and good management, which institutional as well as private donors can appreciate. 4

Poor practices Miscalculating risks by focusing on likelihood over potential impact: An INGO working in Turkey providing cross-border aid to Syria was storing humanitarian goods inside Syria instead of Turkey, in order to comply with Turkish customs regulations. The INGO s stocks in Syria were stolen, which contributed to a suspension of the program. In retrospect, the potential negative impact of storing the goods in Turkey was far less than that of storing them in Syria and a systematic risk assessment could have prevented the situation. Another INGO noted that it focused on known risks, such as small diversion, rather than less-understood but potentially more impactful ones, such as bid rigging by vendors. Failing to balance risk-taking with program criticality: An INGO noted that one of its field teams was crossing a frontline regularly to conduct supervision and quality improvement visits not lifesaving outputs. They re-assessed and decided that the risk was not worthwhile because the program would have to stop if the staff members were shot. Transferring risks to national staff and/or partners without support: Many INGOs interviewed observed that their national NGO partners are exposed to high levels of risk, often without support or training. On the financial side, INGOs perceive risks to still be on their shoulders, which has led to oversight procedures and capacity building. But, INGOs tend not to sufficiently acknowledge or discuss the security risks faced by their national NGO partners, especially when they depend on them for access. Similarly, INGOs security risk mitigation for national staff (e.g., off-hours transportation, communication, site security) is seen as often insufficient. Maintaining a culture of silence on corruption, fraud, and diversion: In the highest-risk environments, some aid agencies are forced to compromise or make concessions in order to maintain access. These can include paying money at checkpoints, paying unofficial taxes to local authorities, altering targeting criteria so that powerful actors receive aid, employing staff connected with local militia, or working in one region and not another to avoid antagonizing a local authority or armed actor. Organizations too often are reluctant to discuss these practices, even internally, leaving local field staff to face difficult ethical dilemmas without support, and sometimes putting them at physical risk. Failing to talk to armed groups because it s not allowed : Frontline humanitarian staff are sometimes under the misimpression that engaging in dialogue with armed actors for the purpose of reaching those in need is illegal or against counter-terror regulations. This is not the case. Effective dialogue and negotiation are key to enabling access in high-risk environments, and staff should be empowered to discuss these options with their organizations when carrying out these activities becomes necessary. 5

Useful resources SO 31000 Risk Management: http://www.iso.org/iso/home/standards/iso31000.htm Operational Security Management in Violent Environments: http://odihpn.org/resources/operational-security-management-in-violent-environments-revised-edition/ Security to Go: https://www.eisf.eu/library/security-to-go-a-risk-management-toolkit-for-humanitarian-aid-agencies/ Counter-terrorism Laws: What Aid Agencies Need to Know: http://odihpn.org/resources/counter-terrorism-laws-what-aid-agencies-need-to-know/ Risk Management Toolkit in Relation to Counterterrorism Measures: http://www.nrc.no/arch/img.aspx?file_id=9211223 Transparency International, Handbook of Good Practice: Preventing Corruption in Humanitarian Operations, 2010: http://files.transparency.org/content/download/1899/12606/file/2014_humanitarian_handbook_en.pdf An independent team of professionals providing evidence-based analysis and policy consultation to governments and international organisations on their humanitarian response efforts

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information