Security audits

When applying duty of care, humanitarian and development aid agencies should have a security risk management reference system adapted to their size, staff, type of activities, etc.

Even though there is no defined international standard for what that reference system should contain, there is some consensus among coordination organisations such as InterAction and the European Interagency Security Forum (EISF) about which elements should always be present.

According to ISO 31000 on risk management, a security risk management reference system should be integrated into a wider framework that covers other risks (legal, financial, reputational, etc.), in order to have an integrated vision. To achieve this, the accountability of the security risk management system should be similar to that of other areas in the organisation.

An assessment of the current status is the basis on which to build a robust security risk management system. In this way, it will be possible to know what strengths to build on and any weaknesses that need improving.

Based on the EISF methodology[1], an audit of the security risk management system would evaluate 28 indicators to assess the following:

  • Governance and accountability.

  • Security policy.

  • Operations and programme management.

  • Information and knowledge management.

  • Training, learning and development.

  • Effectiveness monitoring.

[1] Finucane, C, “Security audits”, EISF, 2013.