SRA Guide - Oct 2015 V5
2015
SECURITY@INTERNATIONALMEDICALCORPS.ORG
Table of Contents
Introduction
Objectives of Security Assessment
Annex
Definitions
Security Risk Management Framework – Good Practice Review 8
Security Risk Management Process – United Nations
INTERNATIONAL MEDICAL CORPS – INTERNAL USE ONLY
Introduction
The Security Risk Assessment is the process of identifying the risks which could affect personnel, assets
or operations and International Medical Corps’ vulnerability to them.
This is accomplished by assessing the threats to International Medical Corps in terms of likelihood and
impact, prioritizing those risks and identifying mitigation strategies and measures. The Security Risk
Assessment (SRA) is the cornerstone of any security system: the SRA will ensure that the right decisions
are taken for the safety and security of all staff, to guarantee program activities and to support
sustainable development.
This guide and the attached template are intended as tools, should the assessor (the person who will
conduct the Security Risk Assessment) choose to use them.
They are derived from the experience of International Medical Corps’ Global Security Staff, their
education, research and testing; however, they cannot be all-inclusive. There are other ways to conduct
Security Risk Assessments, and the assessor may identify risks and take relevant actions in their own
way.
It is this understanding of the risks that will help to develop the standard operating procedures
(SOP) of any site and the protective measures necessary to enable staff and programs
A Contingency Plan will complement the SRA(s) and SOP(s). These three security documents are the
backbone of our Security Risk Management system.
The SRA will help take preventive measures to avoid an incident, but it also invests in the capacity
to manage an actual crisis situation and the consequences of a critical incident. This will also require
ongoing assessment of security conditions to determine whether the security strategy remains
appropriate to the threats in that environment, and whether the risks remain acceptable.
The final objective of the SRA is to allow International Medical Corps staff to conduct their program
activities with calculated risks and mitigation measures to keep International Medical Corps staff
safe and sound, and to protect International Medical Corps assets (we are accountable to donors).
Assessment Phase
1. Area of Responsibility
Define the geographic area in which the SRA is relevant. It can be as small as a compound, as large as a
state, and as adaptive as a travel itinerary. However, do not exclude the fact that the geographic area
can be affected by factors outside of its boundaries.
2. Program Assessment
Understand to what extent staff and programs may find themselves encountering the various threats:
size of the program, scope of movements and other parameters. A small program may not need the
same mitigation measures as a large one.
3. Threat Assessment
Identify and list the threats: these can be anything from terrorist groups’ actions to venomous snake
bites. Document the logical threats to staff and programming that are relevant.
4. Estimation of vulnerability
Here the assessor estimates the strengths and weaknesses threat by threat, and how they relate to the
program.
Decision Phase
6. Mitigation Measures and “Final Risk”
As a result of the risk analysis, the assessor provides various procedures, trainings, or physical defenses
that help to lower the risk of each threat identified. The assessor estimates here the final risk for
International Medical Corps.
7. Overall Vulnerability
Summary and analysis of all of the strengths and weaknesses for the Program in question.
8. Overall Risk
This last section analyzes the sum of all the assessments to determine an overall mission-wide risk
level, and how the final risk rating correlates to IMC’s risk tolerance. At this final stage Country
Directors can explain whether the overall risk determined is of an acceptable level for programs to
begin or continue.
I. Area of Responsibility
This is the first heading to be filled in the template. Defining the area where the SRA applies is
important, in order to provide limits on the SRA.
If the area in question cannot be understood by the reader, then the rest of the report will fall out of
context. It is both the area of responsibility and the environment that surrounds this area.
For example, the location in question may rest on the border between two regions, or in a certain zone of
a town, or it may be an itinerary, in which case it also covers what is encountered along that itinerary.
On the following page are three examples of maps that can help the assessor understand what types of
limits are helpful to make.
Data
At the very least, the person who conducts the Security Risk Assessment should provide the following
details of the area targeted (residence, office, program activities?). Each site can be detailed in a table.
Note: a map of the area or zone can still be placed in the front page of the SRA.
Example 1:
COUNTRY | CITY | SITE | GPS
United States | Washington | International Medical Corps – DC HQ | 38.90408, -77.03057
Example 2:
COUNTRY | CITY | SITE | GPS
Liberia | A | Office | UU.uuuuu, -VV.vvvvv
Liberia | B | Program Site – IDP | OO,oooo, -PP,pppp
Example 3:
COUNTRY | CITY | SITE | GPS
Philippines | E | GH – Main Office Town | XX.xxxxx, -YY.yyyyy
Philippines | F | Site 1 | ZZ,zzzz, -RR,rrrr
Philippines | G | Site 2 | SS, ssss, -TT,tttt
Examples of maps:
Additionally, if a map is used it can be tailored for its own purposes: different types of maps and areas
can be combined depending on the need, and the map should reflect the need of the SRA. As one can see
from the above maps, we have one that displays political zones, one that
shows major roads and cities, and another that provides topographical information.
Second heading of the template: in this section the assessor will describe the International Medical
Corps program itself.
By explaining the program, the size and scope of it, the reader will be able to understand how the
threats that the assessor will describe in the next section may impact staff.
For instance, a very small office of just a couple of doctors providing aid in an outlying community might
not face the same risks that a very large program housed on a well defended UN compound might face.
This table is designed to provide an understanding of the program.
Program Data
Example 1:
Assets | Laptops, desktop computers, printers, office furniture and administrative stores.
Example 2:
Number of Staff | 6 expatriates and 27 national staff as of 27 August 2015, office hours 07:00 to 20:00 daily
Third heading of the template, with 4 subsections as each threat is analyzed separately.
Threats Description
Important: every threat found should have its own table and a full thinking process. Therefore, the
assessor must duplicate each table as many times as necessary, once for each threat.
Each table determines one threat that staff should be aware of / informed of and that may impact them
and the program. Be sure to take time and list all of the threats that pose a clear danger to staff and
programs, and create as many separate tables as necessary.
Strengths | Weaknesses
Obviously there may be numerous things that could be just potential threats. However, it is the
assessor’s role to make a judgment as to whether they are a substantial enough risk to disclose.
i. Vulnerability Assessment
Below is the risk matrix that is suggested to help determine the risk of any given threat. It is based on the
model used by the United Nations, and numerous other security institutions. (Fig 7)
So for an identified threat (such as crime, terrorist attack, carjacking, kidnapping, venomous snakes,
natural disasters, etc.) the risk value, or level, can be determined.
In this example, a Medium Likelihood × Severe Impact (compromise of program activities) equals
a HIGH RISK for the organization.
Finally, once the assessor has determined how often the threat presents itself, and how much impact it
may have on staff and programs, they can determine the level of risk, and log all information in the
table.
The below form in yellow is now a part of the risk analysis. The SRA is partially complete at this point as
we move into phase 2.
Decision Phase
This stage presents the various ways the risks of the threats can be mitigated (Fig. 9).
For instance, this is where metal bars may be suggested to be installed on windows, special vehicles to
be ordered, or staff awareness training to be organized.
Finally, this also presents a suggested analysis of how much lower the risk is for the threats after the
mitigation measures have been put in place.
The mitigation measures written here can be suggestions for a program that is going to begin, or a
review of existing measures in place.
As mentioned before, the mitigation measures provided can be an explanation of procedures, requests
for trainings, or even physical defenses to infrastructure.
This can also call for finance and budget lines for security in the future (to be determined with the
Country Director).
Sometimes the risk can change, sometimes it doesn’t, and ideally one would strive to reduce the
likelihood and/or the impact through the implementation of mitigation measures.
Example:
Overall strengths
Overall weaknesses
V. Overall Risk
At the end of the SRA a summary of the overall risk is required from the assessor (Fig. 11).
With everything in mind, is the risk acceptable for work to begin or continue?
Briefly explain yes or no, with an explanation, or “yes, provided the mitigation
measures are implemented”.
Figure 11
Example:
Is the overall risk of all threats acceptable for programs to begin/continue? Explain, why
or why not:
At this time, given the initial medium level of risk posed to staff and programs, and subsequent low
risk following the implementation of mitigation measures, it is believed that the level of risk is
acceptable to continue program activities in the area.
Annex
Definitions
Assets
Employees: nationals and international staff are the first and most important “asset” for
International Medical Corps
Equipment: financial estimation
Building, cars, guarding services: contract and liabilities
Threat
Any factors which have the potential or possibility to cause harm, loss, or damage to personnel,
assets, and programs.
Risk
The impact a given threat has combined with the likelihood of it happening.
Vulnerability
The extent to which you are exposed to a specific threat.
Mitigation Measures
Tools, policies, and other actions taken to lessen the impact and/or likelihood of a particular
threat.
Risk Matrix
"Key Concepts and Principles of Security Management." Good Practice Review - Operational Security
Management in Violent Environments. Ed. Adele Harmer, Abby Stoddard, and Katherine Haver. 8th ed.
Vol. 1. London: Humanitarian Practice Network (HPN), 2010. 9. Print.
http://odihpn.org/wp-content/uploads/2010/11/GPR_8_revised2.pdf
"Chapter IV." United Nations Security Management System - Security Policy Manual. New York: United
Nations Department of Safety and Security, 2009. 4. Print.