SRA Guide - Oct 2015 V5

Oct
2015
Security Risk Assessment

- Template Guide
SECURITY@INTERNATIONALMEDICALCORPS.ORG
INTERNATIONAL MEDICAL CORPS | Global Security Department

INTERNATIONAL MEDICAL CORPS – INTERNAL USE ONLY
Table of Contents
Introduction .................................................................................................................................................. 2
Objectives of Security Assessment .............................................................................................................. 2
Security Risk Assessment Template: Outline .............................................................................................. 3

Assessment Phase .................................................................................................................................... 3
Decision Phase .......................................................................................................................................... 3
Security Risk Assessment Template Process ............................................................................................... 4

Assessment Phase .................................................................................................................................... 4
I. Area of Responsibility.................................................................................................................... 4
II. Program Assessment ..................................................................................................................... 6
III. Threat Assessment ........................................................................................................................ 7
i. Vulnerability Assessment ............................................................................................................... 8
ii. First Risk Analysis ........................................................................................................................... 9
Decision Phase ........................................................................................................................................ 11
iii. Mitigation Measures .................................................................................................................... 11
iv. Final Risk ....................................................................................................................................... 12
IV. Overall Vulnerability.................................................................................................................... 13
V. Overall Risk .................................................................................................................................. 13
Annex .......................................................................................................................................................... 14
Definitions .............................................................................................................................................. 14
Security Risk Management Framework – Good Practice Review 8 ...................................................... 15
Security Risk Management Process – United Nations .......................................................................... 16
Page | 1
Security Risk Assessment

Guide
Introduction
The Security Risk Assessment is the process of identifying the risks which could affect personnel, assets
or operations and International Medical Corps’ vulnerability to them.
This is accomplished by assessing the threats to International Medical Corps in terms of likelihood and
impact, prioritizing those risks and identifying mitigations strategies and measures. The Security Risk
Assessment (SRA) is the cornerstone of any Security Systems: the SRA will assure that the right decisions
will be taken for the safety and security of all staff, to guarantee program activities and to support
sustainable development.
This guide and attached template are intended as tools, should the assessor (person who will conduct
the Security Risk Assessment) choose to use them.
They are derived from the experience of International Medical Corps’ Global Security Staff, their
education, research and testing, however it cannot be all-inclusive. There are other ways to conduct
Security Risk Assessments and take actions that are relevant to risks that could be identified in the
assessor’s own way.
Objectives of Security Assessment

 The result of a Security Risk Assessment (or SRA) is the ability to properly manage risks
 It is this understanding of the risks that will help to develop the standard operating procedures
(SOP) of any site and the protective measures necessary to enable staff and programs
 A Contingency Plan will complement the SRA(s) and SOP(s). These three security documents are the
backbone of our Security Risk Management system
 The SRA will help take preventive measures to avoid an incident, but it also invests in the capacity
to manage an actual crisis situation and the consequences of a critical incident. This will also require
ongoing assessment of security conditions to determine whether the security strategy remains
appropriate to the threats in that environment, and whether the risks remain acceptable
 The final objective of the SRA is to allow International Medical Corps staff to conduct their program
activities with calculated risks and mitigation measures to keep International Medical Corps staff
safe and sound, and to protect International Medical Corps assets (we are accountable to donors)
Page | 2
Security Risk Assessment Template: Outline

This page represents an outline of the SRA process described in the rest of this document
The SRA model follows a series of steps that allow it to be a comprehensive analysis of threats, calculate
the risks associated with them, and evaluate the measures to take in order to mitigate those threats. It
also assess the overall vulnerability and overall risk of the mission. The model is based on the United
Nations security standards and industry best practices (see p. 15 and 16).
Assessment Phase
1. Area of Responsibility
Define the geographic area in which the SRA is relevant. It can be as small as a compound, as large as a
state, and as adaptive as a travel itinerary. However, do not exclude the fact that the geographic area
can be affected by factors outside of its boundaries.
2. Program Assessment
Understand to what extent staff and programs may find themselves encountering the various threats:
size of the program, scope of movements and other parameters. A small program may not need the
same mitigation measures as a large one.
3. Threat Assessment
Identify and list the threats: these can be anything from terrorist group’s actions, to venomous snake’s
bites. Document the logical threats to staff and programming that are relevant.
4. Estimation of vulnerability
Here the assessor estimates the strengths and weaknesses threat by threat, and how they relate to the
program.
5. First Risk Analysis – Estimate the Likelihood and Impact

This is where one may find the “risk matrix” (found in the Annex) to be helpful. The assessor analyses,
statistics and reports, and utilizes their knowledge and education to determine how likely a threat may
occur, and how serious its impact could be.
Decision Phase
6. Mitigation Measures and “Final Risk”
As a result of the risk analysis, the assessor provides various procedures, trainings, or physical defenses
that help to lower the risk of each threat identified. He estimates here the final risk for International
Medical Corps.
7. Overall Vulnerability
Summary and analysis of all of the strengths and weaknesses for the Program in question.
8. Overall Risk
This last section analyzes the sum of all the assessments to determine an overall mission-wide risk
level, and how the final risk rating correlates to IMC’s risk tolerance. At this final stage Country
Directors can explain whether the overall risk determined is of an acceptable level for programs to
begin or continue.
Page | 3
Security Risk Assessment Template Process

Assessment Phase
As mentioned above, this first phase consists in identifying the program, where it exists and what threats
may impact it. Additionally, it provides a first analysis of the risks associated with those threats and how
they may impact staff and programs. Finally, it specifically sites the various vulnerabilities that staff and
programs may have at the moment of analysis to those threats.
I. Area of Responsibility
First heading to be filled in the template. Defining the area where the SRA applies is important, in order
to provide limits on the SRA.
If the area in question cannot be understood by the reader, then the rest of the report will fall out of
context. It is both the area of responsibility and the environment that surround this area.
For example, the location in question may rest on the border between two regions, or in a certain zone of
a town, or is about an itinerary so it means also what’s met on this itinerary. On the following page are
three examples for maps that can help the assessor understand what types of limits are helpful to make.
Data
At the very least, the person who conducts the Security Risk Assessment should provide the following
details of the area targeted (residence, office, program activities?) Each site can be detailed in a table.
Note: a map of the area or zone can still be placed in the front page of the SRA.
Example 1:
COUNTRY CITY SITE GPS
International Medical
United States Washington 38.90408, -77.03057
Corps – DC HQ
Example 2:
Liberia A Office UU.uuuuu, -VV.vvvvv
Liberia B Program Site – IDP OO,oooo, -PP,pppp
Example 3:
Philippines E GH – Main Office Town XX.xxxxx, -YY.yyyyy
Philippines F Site 1 ZZ,zzzz, -RR,rrrr
Philippines G Site 2 SS, ssss, -TT,tttt
Page | 4
Examples of maps:
Figure 1 – Specific Area
Figure 1 is an image of the city of Washington, DC.

The area here is the administrative boundaries of the
city. On this map we could highlight the nearest
emergency services (fire, police, etc.), local political
offices, and other information that might be relevant to
know.
Figure 2 - Region or Zone
Figure 2 describes the region that Washington, DC exits

in (larger scale)
The assessment for the whole region can include crime
levels, descriptions of government involvement, and
natural related security threats at a regional level and so
on. It can be a federal state, a whole country, or an
administrative zone. It depends on the region and the
places reached by International Medical Corps (where
staff work
Figure 3 – Itinerary or Route
Figure 3 is an example of a “specific” SRA.

The vehicle route between two locations in the
Washington, DC area. An SRA for this area might
describe local traffic patterns, major bridges or
checkpoints and other security threats along the way.
Additionally, if a map is used it can be tailored for its own purposes: different types of maps and areas
can be combined reliant on the need. Depending on the need of the SRA, so too should the map reflect
that need. As one can see from the above maps, we have one that displays political zones, one that
shows major roads and cities, and another that provides topographical information.
Page | 5
II. Program Assessment
Second heading of the template: in this section the assessor will describe the International Medical
Corps program itself.
By explaining the program, the size and scope of it, the reader will be able to understand how the
threats that the assessor will describe in the next section may impact staff.
For instance, a very small office of just a couple of doctors providing aid in an outlying community might
not face the same risks that a very large program housed on a well defended UN compound might face.
This table is designed to provide an understanding of the program.
Program Data
Example 1:
Program Objectives A main administration center for International Medical Corps
106 staff as of 1 July 2015, office hours 08:30 to 17:00 Monday to

Number of Staff
Friday.
Assets
Laptops, desk top computers, printers, office furniture and
administrative stores.
One of three primary administrative locations globally, this office

Operational Context houses the majority of programs and operations staff, security and
the emergency response unit.
Example 2:
Program Objectives Providing medical relief for an outbreak of infectious disease
Number of Staff
6 expatriates and 27 national staff as of 27 August 2015,
office hours 07:00 to 20:00 daily
2 ambulances, laptops, desk top computers, printers, office furniture,

Assets
medical equipment, drugs and medical aid, and administrative stores.
This is one unit of a series in country combating this outbreak. It

Operational Context serves the immediate area and surround villages, and through an
ambulance service, also serves the periphery and the bush
Page | 6
III. Threat Assessment
Third heading of the template, with 4 subsections as each threat is analyzed separately.
Threats Description
Important: every threat found should have its own table and a full thinking process. Therefore, the
assessor must duplicate each table as many time as necessary, for each threat.
Each table determines one threat that staff should be aware of / informed of and that may impact them
and the program. Be sure to take time and list all of the threats that pose a clear danger to staff and
programs, and create as many separated tables as necessary.
THREAT: LIKELIHOOD IMPACT RISK

Brief Description:
Vulnerability Assessment:
Strengths Weaknesses
 
Mitigation Measures FINAL RISK
Duplicate this table as many time as necessary – 1 identified threat = 1 table
In this identification stage, the assessor

works primarily in the highlighted section.
Threats can be natural or uncontrollable, for
instance (this list is non-exhaustive):
flooding, earthquake, severe weather,
equipment failure, or intentional like
Figure 4 - Listing Threats
carjacking, terrorist attacks, bombings,
kidnapping, robbery, road banditry...
THREAT: CRIME LIKELIHOOD IMPACT RISK

Brief Description: Violent Crime – Burglaries,
Robberies, Grand Theft Auto
Vulnerability Assessment:
 
Obviously there may be numerous things that could be just potential threats. However, it is the
assessor’s role to make a judgment as to whether they are a substantial enough risk to disclose.
Page | 7
i. Vulnerability Assessment
It is in this section that further explanation

on how the threat may actually be
encountered and what the staff and
program strengths and weaknesses are.
Some factors are exposure, type of
environment (desert or urban zone) Figure 5 - Estimating Vulnerability
importance of assets, acceptance of program
activities, infrastructures present in the area, measures already in place, experience of the staff, vehicles
quality, having well trained staff etc.
For instance, good quality of 4x4 vehicles on rough roads can limit the chances of mechanical failures
and reduce time to travel, but on the other hand increase chances of carjacking. For compound and
staff, as protective measures, low walls and absence of trackers can be potential weaknesses.
And other aspects can be highlighted here, such as travelling the same days at the same time, following
the same itinerary, which increase exposure of staff and vehicles: it is a significant vulnerability that may
be exploited by various threats, including terrorism activities.
Below is continuation of the example from before:

Vulnerability Assessment: Parts of the city are well known to have high levels of violent crime. The
neighbourhoods in question are typically well known and can be avoided, but occasional robberies due
occur in the safer areas of the city.
 Staff are aware of dangerous locations  Locations are adjacent to where staff live and
work
Page | 8
ii. First Risk Analysis
Estimate the likelihood and impact

It can be the opinion of the assessor to
estimate the likelihood and impact, but the
estimation should be derived from
statistics and reports. These 2 elements
(likelihood and impact - Fig. 8) will
determine the risk.
Figure 6 - Likelihood + Impact = Risk
Below is the risk matrix that is suggested to help determine the risk of any given threat. It is based on the
model used by the United Nations, and numerous other security institutions. (Fig 7)
Risk Matrix Impact

Very Minor Minor Moderate Severe Extreme
Very High Low Medium High Very High Very High
Likelihood
High Low Medium High High Very High

Medium Very Low Low Medium High High
Low Very Low Low Low Medium Medium
Very Low Very Low Very Low Very Low Low Low
Figure 7 - Risk Matrix
Likelihood Definition Impact Definition

Insignificant harm for International Medical
Very Low Very uncommon (rare) Very Minor Corps and staff
No effort required to repair, etc.
Tangible harm - Extra effort required to
repair or cure - Significant harm for
Low Uncommon Minor
International Medical Corps - Financial loss
can be absorbed easily
Staff could be injured - Damage to
reputation and confidence/damaging harm–
Medium Common Moderate
Significant expenditure of resources
required
Possible death of staff - Extended outage
High Very common (very frequent) Severe and/or loss of connectivity – Compromise of
large amounts of program activities.
Possible death of staff - Permanent
Very High Extremely common (Regular) Extreme shutdown - Complete compromise of
program activities
Figure 8 – Likelihood and Impact
Page | 9
First risk analysis: how to use the matrix

Here is how to use the matrix in order to determine a first risk analysis for an identified threat:
Risk Matrix Impact

Likelihood

So for an identified threat (such as crime, terrorist attack, carjacking, kidnapping, venomous snakes,
natural disasters, etc.) the risk value, or level, can be determined.
In this example, a medium Likelihood (x) Severe Impact (compromise of program activities) will equal to
a HIGH RISK for the organization.
Finally, once the assessor has determined how often the threat presents itself, and how much impact it
may have on staff and programs, they can determine the level of risk, and log all information in the
table.
The below form in yellow is now a part of the risk analysis. The SRA is partially complete at this point as
we move into phase 2.

Medium Moderate Medium
 Staff are aware of dangerous locations  Locations are adjacent to where staff live
and work
Page | 10
Decision Phase
iii. Mitigation Measures
This stage presents the various ways the risks of the threats can be mitigated (Fig. 9)
Figure 9 - Mitigation Measures
For instance, this is where metal bars may be suggested to be installed on windows, special vehicles to
be ordered, or staff awareness training to be organized.
Finally, this also presents a suggested analysis of how much lower the risk is for the threats after the
mitigation measures have been put in place.
The mitigation measures written here can be suggestions for a program that is going to begin, or a
review of existing measures in place.
As mentioned before, the mitigation measure provided can be an explanation of procedures, requests
for trainings, or even physical defense to infrastructure.
This can be also call for finance and budget lines for security in the future (to be determined with the
Country Director)

work
Staff awareness training (affected areas of the city),
residential hardening (purchase of secure doors
windows and locks), optional personal defence training
(to be planned in Oct XXX )
Page | 11
iv. Final Risk
The last step in this process is to estimate

the final risk for an identified threat (Fig.10)
after the mitigation measures have either
been applied, or their projected result after
the measures would be applied.
Figure 10 –Final Risk estimated
Sometimes the risk can change, sometimes it doesn’t, and ideally one would strive to reduce the
likelihood and/or the impact through the implementation of mitigation measures.
Example:

work
Staff awareness training (affected areas of the city),
residential hardening (purchase of secure doors
Low Moderate Low
windows and locks), optional personal defence training
(to be planned in Oct XXX )
Final Risk estimated for an identified threat
Page | 12
IV. Overall Vulnerability

Fourth heading of the template to be filled. At this stage, the assessor will consider the combined
weaknesses and strengths. If the location has numerous strengths and few weaknesses, then clearly it will
have few vulnerabilities, however it can be understood only in the analysis of describing the strengths and
weaknesses.
Overall strengths
Overall weaknesses
V. Overall Risk
At the end of the SRA a summary of the
overall risk is required from the assessor (Fig.
11)
With everything in mind, is the risk
acceptable for work to begin or continue?
Briefly explain yes or no, with an
Figure 11
explanation, or “yes, provided the mitigation
measures are implemented”
Example:
Is the overall risk of all threats acceptable for programs to begin/continue? Explain, why
or why not:
At this time, given the initial medium level of risk posed to staff and programs, and subsequent low
risk following the implementation of mitigation measures, it is believed that the level of risk is
acceptable to continue program activities in the area.
Country Director Contribution

If the writer of the Security Risk Assessment is not the Country Director, it is at this point that the Country
Director will provide his / her own insight and understanding to the SRA.
The final section is intended to provide a last opinion and more oversight into the SRA process, as in all
cases the Country Director is ultimately in charge of the staff and assets. He or She can determine the
threshold of acceptable risk (and how to control, avoid or transfer the risks) depending on the potential
benefits of having a presence and a program, and on the mandate of the organization.
Page | 13
Annex
Definitions
Assets
 Employees: nationals and international staff are the first and most important “asset” for
International Medical Corps
 Equipment: financial estimation
 Building, cars, guarding services: contract and liabilities
Threat
 Any factors which have the potential or possibility to cause harm, loss, or damage to personnel,
assets, and programs.
Risk
 The impact a given threat has combined with the likelihood of it happening.
Vulnerability
 The extent to which you are exposed to a specific threat.
Mitigation Measures
 Tool, policies, and other actions taken to lessen the impact and/or likelihood of a particular
threat.
Risk Matrix
Risk Matrix Impact

Likelihood

Page | 14
Security Risk Management Framework – Good Practice Review 8
"Key Concepts and Principles of Security Management." Good Practice Review - Operational Security
Management in Violent Environments. Ed. Adele Harmer, Abby Stoddard, and Katherine Haver. 8th ed.
Vol. 1. London: Humanitarian Practice Network (HPN), 2010. 9. Print.
http://odihpn.org/wp-content/uploads/2010/11/GPR_8_revised2.pdf
Page | 15
Security Risk Management Process – United Nations

United Nations Security Management System Policy Manual
"Chapter IV." United Nations Security Management System - Security Policy Manual. New York: United
Nations Department of Safety and Security, 2009. 4. Print.
Page | 16

SRA Guide - Oct 2015 V5

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SRA Guide - Oct 2015 V5

Uploaded by

Copyright:

Available Formats

Oct

Security Risk Assessment

INTERNATIONAL MEDICAL CORPS | Global Security Department

Security Risk Assessment Template: Outline .............................................................................................. 3

Security Risk Assessment Template Process ............................................................................................... 4

Security Risk Assessment

Objectives of Security Assessment

Security Risk Assessment Template: Outline

5. First Risk Analysis – Estimate the Likelihood and Impact

Security Risk Assessment Template Process

Figure 1 – Specific Area

Figure 1 is an image of the city of Washington, DC.

Figure 2 - Region or Zone

Figure 2 describes the region that Washington, DC exits

Figure 3 – Itinerary or Route

Figure 3 is an example of a “specific” SRA.

II. Program Assessment

Program Objectives A main administration center for International Medical Corps

106 staff as of 1 July 2015, office hours 08:30 to 17:00 Monday to

One of three primary administrative locations globally, this office

Program Objectives Providing medical relief for an outbreak of infectious disease

2 ambulances, laptops, desk top computers, printers, office furniture,

This is one unit of a series in country combating this outbreak. It

III. Threat Assessment

THREAT: LIKELIHOOD IMPACT RISK

Mitigation Measures FINAL RISK

Duplicate this table as many time as necessary – 1 identified threat = 1 table

In this identification stage, the assessor

THREAT: CRIME LIKELIHOOD IMPACT RISK

Mitigation Measures FINAL RISK

It is in this section that further explanation

Below is continuation of the example from before:

THREAT: CRIME LIKELIHOOD IMPACT RISK

ii. First Risk Analysis

Estimate the likelihood and impact

Risk Matrix Impact

High Low Medium High High Very High

Figure 7 - Risk Matrix

Likelihood Definition Impact Definition

Figure 8 – Likelihood and Impact

First risk analysis: how to use the matrix

Risk Matrix Impact

High Low Medium High High Very High

THREAT: CRIME LIKELIHOOD IMPACT RISK

iii. Mitigation Measures

Figure 9 - Mitigation Measures

THREAT: CRIME LIKELIHOOD IMPACT RISK

iv. Final Risk

The last step in this process is to estimate

Figure 10 –Final Risk estimated

THREAT: CRIME LIKELIHOOD IMPACT RISK

Final Risk estimated for an identified threat

IV. Overall Vulnerability

Country Director Contribution

Risk Matrix Impact

High Low Medium High High Very High

Security Risk Management Framework – Good Practice Review 8

Security Risk Management Process – United Nations

You might also like