There is a growing realisation among organisations that operating in developing countries requires some form of security management framework. This realisation answers the what question, but not the how question.
This discrepancy results in security management often having an ad-hoc nature, without a clear policy, rules and regulations. This not only makes it costly but makes it, most of all, ineffective in what we believe is its main task: supporting your organisation’s mission by providing confidence and security in your work abroad.
We specialise in organisational & strategic solutions for an organisation’s need to manage security issues and thus recognise common mistakes. Today, I want to look at five critical pitfalls every organisation should avoid while implementing a security framework, from worse to worst.
The five are:
Unclear goal setting in advance.
The duty of care responsibility is wide-ranging.
There is no quick-fix solution.
Upper management needs to be onboard.
Security management is a sum of its parts.
Of course, there are also ‘mundane’ problems, like lack of funds, time or knowledge. We prefer to call them constraints, as these are just hurdles to overcome through donors or attracting external advisors.
Let’s get on with the list!
1. Unclear goal setting in advance
This reverberates up the chain to the other four. While a focus on the solution is important, a good definition of the problem should not be overlooked. Unclear goals generate problems far down the line and increases inefficiency, cost and time.
It can result in missing part of your duty of care obligation (point 2), opting for quick fixes instead of long-term solutions (point 3), starting without the support of upper management (point 4) or a combination of all these (point 5).
Setting clear goals means you need to think about things like the level of risk you accept, how strict your safety rules are and how thorough your preparation should be. This all depends on your organisation’s goals and mission. For example, a start-up selling solar panels has a different level of risk acceptance than an NGO supporting first-responders in war zones. The start-up will also require less thorough preparation.
Another example of what you should think about is that more security and safety often means less flexibility. You have to decide where on the spectrum you want to be. An organisation like Shell is clearly on the safety side, but your organisation might op for a more flexible approach. Reason for this might be because you have very experienced travellers, or want to profit from flexibility when an opportunity presents itself.
2. The duty of care is wide-ranging
Recent events and court cases have made clear that the duty of care, the moral & legal obligation to look after the wellbeing of your employees, starts at pre-travel preparation and ends long after an employee returns home. A security framework should cover all aspects.
The most notorious example is Dennis v the Norwegian Refugee Council court case, where an NGO staffer got shot, kidnapped, diagnosed with a severe case of PTSD and sent home without pay or help. In the end, he decided to take the NRC to court for negligence of the duty of care and won.
Recent real-world examples have also emphasised the importance of this obligation, from the attack on the Save the Children building in Afghanistan to, for Dutch readers, Floortje Dessing in Yemen with the Red Cross. These are, of course, extreme examples but do show how thorough preparation limited the effects of potentially disastrous events.
Now, I am not saying you should have all these strict rules (remember point 1). What I am saying is that just having travel insurance is no longer enough. Organisations operating in developing countries need to take into account all facets of travel. And that takes us to the third pitfall...
3. There is no quick-fix solution
Fulfilling your duty of care requires long-term commitment to change within your organisation. Taking a single training is not a job well done.
It’s not just about having a travel policy, it’s about enforcing it. It’s not just about having a pre-travel checklist, it’s about filling in the checklist every time you go on a trip. It’s not about sending your current personnel to a training seminar, it's about consistently preparing, training and supporting all who travel abroad in name of your organisation. I could go on.
The problem might be clear but an answer is not. Every organisation is different and every organisation will need a different solution. Important to keep in mind is that a security policy without the commitment to that policy is pointless. And getting that commitment is a long term investment.
4. Upper management needs to be onboard
This is maybe the most underestimated problem we encounter regularly. Especially in smaller organisations that are led by people who are driven by ideals. Without the commitment of management, you can spend as much time and money as you want, without any effect.
We’ve heard plenty of examples where courses were followed or security management plans were executed but fizzled due to lack of continued support from management.
This support usually comes in three shapes. First, management needs to provide money to support the implementation. Second, time needs to be allocated. And third is that upper management needs to follow the policy strictly. Their behaviour sets an example for the rest of the organisation. If they don’t do it, why would the rest do it?
5. Security management on an organisational level is often overlooked
The previous points are all part of the greater picture. The last pitfall combines all the above aspects, it’s the glue that holds it all together. This pitfall is by definition a lot vaguer because it is different for every organisation. How we explain it, is that security management isn’t about a single training or policy document, it is all aspects combined and connected.
We identify four pillars in a durable long-term framework:
Strategy: setting goals, propagate a vision and having a security policy.
Structure: translating policies into your organisational structure. Who does what and when.
System: implementing a security system with regulations and protocols. Check its performance.
Culture: creating and maintaining shared norms and values that endorse security.
(We’ll dive into all four pillars extensively in an upcoming blog)
All four pillars need to be addressed, on a long-term basis. Having just three out of four pillars is not enough to hold up the roof. In other words, having a security policy is one part and having a ‘security aware’ culture is another. All are important and neither can function without the others.
For us, the big takeaway with all of this is that proper security management really is a long-term commitment to various, equally important, aspects. Ignoring one is to the detriment of all the others. Focusing on just one is to the detriment of all the others. In other words: a security management framework is the sum of its parts.
How Dispatch can help your organisation
Our expertise is in designing and implementing a full security framework that provides your employees with confidence and security abroad, so that they can focus on their most important task: their work.
Whether you need one-time advice or help with a full implementation, our goal is to support your mission.
If you have any questions about this blog or are wondering how we could help you, send me an email!