the cost of security risk management for ngos · ngos (ingos). eisf fosters dialogue, coordination,...

European Interagency Security Forum (EISF)

The Cost of Security RiskManagement for NGOs

EISF Report

European Interagency Security ForumThe European Interagency Security Forum (EISF) is an independent platform for Security Focal Points from European humanitarian agencies operatingoverseas. EISF members are committed to improving the safety and security of relief operations and staff in a way that allows greater access to and impact forcrisis-affected populations.

The Forum was created to establish a more prominent role for security management in internationalhumanitarian operations. It provides a space for non-governmental organisations (NGOs) to collectivelyimprove security management practice, and facilitatesexchange between members and other bodies such as the UN, institutional donors, research institutions,training providers and a broad range of internationalNGOs (INGOs).

EISF fosters dialogue, coordination, and documentationof current security management practice. EISF is anindependent entity currently funded by the US Office of Foreign Disaster Assistance (OFDA), the Swiss Agencyfor Development and Cooperation (SDC) and membercontributions.

Research TeamHye Jin Zumkehr, Researcher, EISFChristopher Finucane, Research Consultant,Humanitarian Policy www.humanitarianpolicy.org

AcknowledgementsThe research team wishes to thank everyone whocontributed to this report.Frederic Bardou, Action Contre la FaimShawn Bardwell, USAID/OFDAFraser Bomford, AKE LimitedEbe Brons, Centre for Safety and Development Anna Bryant, Control Risks GroupWill Carter, War ChildDominic Crowley, Concern WorldwideGonzalo de Palacios, Acción Contra el HambreNeil Elliot, Save the ChildrenSylvain Fournier, Terre des Hommes, LausanneDenise Furnell, International Rescue CommitteeBruce Gilardi, Independent Business ConsultantDiego Guerrero Oris, OxfamThomas Hegenauer, Diakonie KatastrophenhilfeHenrieke Hommes, ZOAHeather Hughes, OxfamNic Lee, International NGO Safety Organisation (INSO)Javeria Ayaz Malik, Action AidRobert McPherson, Cosantoir GroupMaarten Merkelbach, Security Management Initiative, GCSPRebekka Meisner, MedairKiruja Micheni, Christian AidFraser Newton, AKE LimitedErin Noordeloos, NBC UniversalOliver Rodewald, Johanniter InternationalGuido Verbist, AKE LimitedAlvaro Villanueva, Acción Contra el HambreMarc Weil, Terre des Hommes, LausanneChristina Wille, Insecurity InsightLisa Reilly, EISF

DisclaimerEISF is a member-led grouping and has no separate legal status under the laws of England and Wales or any other jurisdiction, andreferences to ‘EISF’ in this disclaimer shall mean the member agencies, observers and secretariat of EISF.

While EISF endeavours to ensure that the information in this document is correct, EISF does not warrant its accuracy and completeness. Theinformation in this document is provided ‘as is’, without any conditions, warranties or other terms of any kind, and reliance upon anymaterial or other information contained in this document shall be entirely at your own risk. Accordingly, to the maximum extent permitted byapplicable law, EISF excludes all representations, warranties, conditions and other terms which, but for this legal notice, might have effect inrelation to the information in this document. EISF shall not be liable for any kind of loss or damage whatsoever to you or a third party arisingfrom reliance on the information contained in this document.

© 2013 European Interagency Security Forum

EISF Briefing Paper03

Contents

Executive summary 02

Introduction – the big picture 04

1 The Food, Blankets and Medicine (FBM) effect 06

2 Defining expenses 082.1 What is a security risk management cost? 09

3 In practice – what needs to be considered when costing security risk management? 11

3.1 The risk assessment 11

4 Risk Management Expense Portfolio (RMEP) tool 13

5 Units of measure – communicating risk management costs 14

5.1 Cost-benefit analysis 155.2 True-cost analysis 15

6 From cost-benefit to cost effectiveness 17

7 Value for money 20

8 The cost of not spending on security risk management 22

9 Key recomendations 23

Conclusion 23

Risk Management Expense Portfolio (RMEP) Tool Template 25

References and recommended reading 32

Other EISF publications 33

The Cost of Security Risk Management for NGOs02

The task of responding to humanitarian anddevelopment needs for millions of people is vast, whilethe amount of money spent on aid globally (from bothpublic monies and private donations) is truly staggering.Spending this money wisely is a challenge for aidorganisations that are constantly under the auditor’sspotlight of fiscal accountability. With this in mind, whatportion of these monies is, or ought to be, spent onsecurity risk management?

This paper is intended to assist all aid practitioners, butwill be particularly relevant to those responsible forprogramme planning and management, donorproposal writing, and safety and security riskmanagement. Aid donors may also find this text usefulas it proposes methods and approaches for proposalwriters and grants managers to communicate bettertheir risk management resource needs.

The objective of this paper is to assist aid practitioners todetermine their security risk management expendituremore accurately, and demonstrate an evidence-basedapproach when presenting this information to donors.Assessing and communicating needs and proposingappropriate and sustainable responses are the startingpoints to developing a relationship with aid donors.Safety and security risk management costs incurred insecuring safe access need to be introduced in the earlystages of this dialogue, and it needs to becommunicated that they are an integral part of theprogramme design, necessary for its sustainability andsuccess.

In this text ‘risk management costs’ refer to anyexpense related to reducing the potential for harm orloss to the organisation and its workforce, orcompensating for actual harm or loss. This includescosts associated with preparing to take risks (e.g.insurance, developing and implementing policy andprocedures, salaries, risk analysis, or buildingemployees’ capacity through training); responding toincidents (e.g. crisis management, programmesuspension or closure, or compensation payments); andprotecting against (or preventing) initial or on-going lossor harm (e.g. implementing acceptance approaches,provision of physical security, or employee welfare andpsychological support services).

The basis for costing risk management can only bedetermined accurately by considering the risk treatmentoptions and risk mitigation requirements of aprogramme, which can in turn only be derived from asafety and security risk assessment relevant to a givenoperating context. The programme’s safety and securityrisk assessment is the single most importantmanagement process if risk costs are to be accuratelydetermined and communicated. Each programme andcontext will present different risk challenges. Without arisk assessment as an integral part of the programmeplanning, only generic risk treatment options can beassumed.

For risk management to be included in a budget fordonor funding, its costs need to be justified. This is bestachieved through understanding the costs involved andthe reasoning behind the expenditure, rather thanlooking at a portion of a generic administrative charge.

Applying cost-benefit analysis to risk managementexpenditure is not simple. This is due to the ‘benefit’having a subjective aspect; it is not simply a financialreward measured against expenditure, but rather theprovision of some kind of benefit to others (aid recipientsare commonly referred to as beneficiaries). Abadia andLin, authors of the Non-profit Cost Analysis Toolkit (2009),provide the best summary of arguments for droppingthe term ‘benefit’ from the debate. This would go someway to providing a clearer path for expenditure analysiswithin the international aid sector. Abadia and Linexplain that

‘most organizations have a good understanding ofthe direct costs incurred by each of their programs.But since traditional accounting breaks downindirect (or overhead) costs by functions (e.g.administration, marketing, operations), rather thanby programs, it fails to capture the relationshipbetween these costs and the organization’sactivities, and consequently, its mission. The result isa cloudy economic picture that blinds non-profitleaders from truly understanding the financial healthof each of their program areas.’ 1

Executive summary

1 ibid

EISF Report03

The cost of risk management for NGOs cannot beexamined in a de-humanized manner, concentratingonly on tangible costs and financial comparisons.Programme decisions based solely on these facts andfigures would make it easier to determine where to workand what it is going to cost. However international aid isa human subject, needing nuanced and ethicalconsideration.

Cost effectiveness analysis provides a framework forconsidering options for achieving programmeoutcomes. This is particularly relevant in higher riskenvironments or in operating contexts that are prone tosporadic or unpredictable security changes. It isimportant to note that the analysis need not be confinedto a certain geographical context (unless donor fundshave been earmarked/restricted for a specific location).It is the intended outcomes and impact that areimportant. In other words, what can be achieved usingthe same sums of money in different ways and places?From a risk management point of view, this may raisethe question of an organisation considering thepossibility of working in a lower rather than a higher riskcontext.

How does an aid programme represent value formoney (VfM) when communicating risk managementrequirements? Is it as simple as achieving its statedobjectives within budget? Or better still, exceeding theseobjectives by reaching more for less? And can VfM bedemonstrated prior to the fact, in proposals or conceptnotes? Is spending above the typical 5% of the totalprogramme budget in a high-risk environmentacceptable if it allows for the successful delivery of theprogramme? Ethically it would be difficult to object to thisapproach. However, in financial terms, it is anothermatter. Donors as well as grant recipients have an(implicit or explicit) upper limit for acceptableexpenditure on risk management.

An organisation that spends little or nothing on riskmanagement implies that it is comfortable with itspresent capacity to take and manage risks, and acceptsthe outcomes (e.g. harm, injury or loss of some sort). Themotivation to take such a position may be varied andinfluenced not only by financial considerations.Operational experience and perceptions of the riskenvironment may lead an organisation to deem riskmanagement expenditure as unnecessary, or not apriority for limited funding. If such a decision is based onevidence from a risk assessment, it may be justifiable.On the other hand, it may be reckless to assume thatany risk environment is a stable and certain context,since it could be affected by insecurity at some time inthe future.

In some contexts, aid managers may find themselvesanswerable in court to civil or criminal charges if it isproved they failed to fulfil obligations arising from theirduty of care. Proportionate and relevant investment inrisk management across the organisation is anappropriate and reasonable step to avoid suchoutcomes. The difficulty in justifying risk managementspending can come from audit and trend analysisoutcomes showing that while funding was allocated forthis purpose, the organisation did not use the services orassets such funding covers. It reminds us of theunanswerable question: if an aid organisation is freefrom safety and security incidents, is this due toappropriate risk management spending, or simply tochance?

The research team undertaking this study set out todiscover and examine good practices that demonstrateevidence-based processes for estimating andcommunicating risk management costs within the aidsector. Such processes are elusive and if they do exist,are yet to be widely communicated. The lack of data,although somewhat frustrating, presented anopportunity to engage with practitioners and developframeworks for future processes and tools. This papercaptures important issues for discussion between aidorganisations, their implementing partners and theirdonors.

This piece of research was commissioned on behalf ofEISF members, who reported a lack of tools andframeworks in the sector for estimating the cost of riskmanagement. Our research considered currentpractices and knowledge. The gaps in methodology weidentified led to us questioning the starting point of theresearch. Since risk management costs are currentlybeing met (albeit in a haphazard or adhoc way), is therea need for standardised tools? The EISF membersinterviewed believe so.

By addressing a number of key questions, this studymoves the debate forward and promotes an active useof standard tools for determining and estimating riskmanagement costs. Justifying risk management costs todonors ought to be evidence-based. Thinking aboutcosts prompts aid practitioners to think more explicitlyabout risks and to make risk management an integralpart of programme management. It is the view of theresarch team that professionalising and standardisingthe approaches to risk management expenditure willlead to improved programme efficiency andeffectiveness, allowing aid to continue to reachvulnerable populations even when the risks are high.


The Organisation for Economic Co-operation &Development (OECD) has estimated total developmentaid for 2010 at over $500 billion.2 Of this total, the 13countries that are home to the present EISF membershipcontributed $176 billion. This sum represents their OfficialDevelopment Assistance, or ODA, being the singlelargest quantifiable category of aid from governments.3

It therefore excludes monies spent on emergencyresponses, which make up a relatively small percentageof a donor country’s total aid expenditure, and privatedonations.

The task of responding to humanitarian anddevelopment needs for millions of people is vast, whilethe amount of money spent on aid globally (from bothpublic monies and private donations) is truly staggering.Spending this money wisely is a challenge for aidorganisations that are constantly under the auditor’sspotlight of fiscal accountability. With this in mind, whatportion of these monies is, or ought to be, spent on riskmanagement? Answering this question requires severalother issues to be considered first.

Is it correct to assume that aid programmes cost more toimplement in higher risk environments compared withlower risk environments? What are the necessaryjustifications for spending a higher-than-usual amountof funds on securing access to beneficiary populations?How much will it cost if a programme closes due to alack of appropriate risk management measures? Atwhat point does delivering aid become too expensivedue to insecurity? These are a few of the importantquestions aid practitioners and their donors areencouraged to answer. By doing so, risk management4

decision-making and subsequent spending will becomemore transparent and better understood as an integralpart of programme management.

The objective of this research is to assist aid practitionersto determine more accurately their safety and securityrisk management expenditure, and demonstrate anevidence-based approach when presenting thisinformation to donors. The key issues discussed in thetext aim to bring clarity to this objective. The issuesexamined and the accompanying tool are intended tocontribute to improved value for money decision-making when planning and implementing internationalaid programmes. The purpose of the study and itsrecommendations are not about minimising riskmanagement costs, but rather providing informationand knowledge to improve our understanding of riskmanagement costs, and to maximise the impact oflimited financial resources.

The study aimed to unpack how risk management costsare estimated and communicated in aid budgets, and toconsider the following key questions:

1. What needs to be included when calculating safetyand security risk management costs?

2. How do NGOs integrate these costs in projectbudgets?

3. What cost estimate tools and practices exist amongNGOs and other sectors?

4. How can NGOs estimate the potential costs of nothaving safety and security risk mitigation measures inplace?

5. To what extent is cost-benefit analysis a practicalapproach to use for safety and security cost estimatesin the aid sector?

6. How do donors look upon the cost of safety andsecurity risk management?

Introduction – the big picture

2 Total ODA development aid (2010) is US$509026 (million), http://www.oecd-ilibrary.org/development/development-aid-total-official-and-private-flows_20743866-table5.3 OECD Insights: From Aid to Development; p.494 Although there are other types of risk management, e.g. financial, in this paper the term risk management refers predominantly to safety and security risk management from the perspective of humanitarian

programmes.

Seeking answers to these questions led to furtherquestions, such as: how are aid expenses categorized?what exactly is a risk management expense?

Few aid practitioners or their board members will argueagainst the need to address risk management, nor denythat doing so incurs costs. While the general notion maynot be in dispute, the questions of how to address riskmanagement, and how much to spend on it, continue tobe debated, both internally within aid organisations andbetween aid deliverers and their donors.

This paper is intended to assist all aid practitioners, butwill be particularly relevant to those responsible forprogramme planning and management, donorproposal writing, and safety and security riskmanagement. Aid donors may also find this text usefulas it proposes methods and approaches for proposalwriters and grants managers to communicate their riskmanagement resource needs.

EISF Report05


Discussions of international aid (whether emergencyrelief or development) generally focus on material issuesthat are easily identifiable and quantifiable such as food,blankets and medicine (FBM). In many cases, theseterms relating to direct programming express thefundamental needs of a vulnerable population andattract the necessary funds to procure (but notnecessarily deliver) assistance. They are understandableterms with easily quantifiable costs. Less is understoodabout the delivery mechanisms and associated coststhat ensure material goods or services reach theirintended recipients.

This focus on tangible, direct costs has been describedas the ‘food, blankets and medicine’ (FBM) effect. It iseasy in today’s humanitarian and development rhetoricfor fundraising efforts to be consumed by it; The FBMeffect is felt by grant recipients and donors alike.Securing funding for the express purpose of riskmanagement (in particular, safety and security risks) ischallenging. State donors are perhaps more aware ofthis need than private donors and philanthropicfoundations, where risk costs do not fit with their presentfunding agendas and priorities. One private foundationfocusing on public health declined to fund a riskmanagement project component saying in explanationthat risk management was not directly related to publichealth programmes. This is in spite of the fact that manyaid worker fatalities over the past decade were amongpeople working in public health programmes. Thisexample suggests improved dialogue between donorsand (potential) grant recipients is urgently required toimprove the understanding of the relationships betweenprogramme management, access and risk.

Compounding this issue is the use of sometimes over-general assumptions when evaluating aid effectiveness.Some donors make use of the website CharityNavigator,6 considering it a useful resource that providesan independent assessment of an aid organisation’sfinancial performance. Part of the website’s financialhealth methodology is based on the stated assumptionthat charities

‘exist to provide programs and services. They fulfillthe expectations of givers when they allocate mostof their budgets to providing programs. Charities failgivers’ expectations when their spending onprograms is insufficient’.7

Such assumptions may fit the majority of aid spendingbehaviours, but due to the comparative nature of themethodology, the website’s ranking system couldpotentially penalize an aid programme that is successfulin delivering its objectives in a high-risk context (if itssecurity risk management costs are categorized as‘non-programme’ costs). Comparisons should be madebetween programmes in similar risk contexts, since anaid programme in a high-risk context is likely to spend ahigher proportion of its funding on risk managementthan one in a low-risk context.

In other words, effectiveness metrics cannot rely solelyon a standard division between programme and non-programme expenditure, especially when no consistentapproach is applied to categorizing security riskmanagement costs within budgets. This discussion isnot intended to discourage the use of resources such asthe Charity Navigator nor to cast doubt on their validity,but rather to illustrate that risk management costsrequire specific consideration in terms of how they arecategorized (e.g. programme or non-programme) andcommunicated in aid budgets, and to reiterate that riskmanagement costs can have a significant and justifiableeffect on programme expenditure.

Assessing and communicating needs and proposingappropriate and sustainable responses are the startingpoints for developing a relationship with aid donors.Safety and security risk management costs need to beintroduced in the early stages of this dialogue, andshown to be an integral part of the programme design,necessary for its sustainability and success. Thechallenge this presents is to communicate all tangiblecosts (e.g. the need to travel in convoy, radios, employeetraining) as well as marginal costs (e.g. implementing anacceptance approach to security) necessary to obtainand maintain safe, secure and sustainable access to aidrecipients.

The Food, Blankets andMedicine (FBM) effect 51

5 The term “Food, Blanket & Medicine (FBM) Effect” is a theory introduced by the author in 2009 to describe the sometimes narrow focus of aid funding-raising rhetoric.6 Charity Navigator, http://www.charitynavigator.org/index.cfm?bay=content.view&cpid=33.7 Charity Navigator, Performance Metric 1: Program Expenses; http://www.charitynavigator.org/index.cfm?bay=content.view&cpid=33.

EISF Report07

Any proposed expenditure on safety and security shouldbe informed by the outcomes of risk assessments. Onlythen can appropriate risk treatment8 options bedetermined and budgeted.

The FBM effect can stand in the way of communicatingsuch costs (sometimes incorrectly described as‘additional’). Potential grant recipients fear that byexplicitly naming such costs they might price themselvesout of a very competitive donor market. Yet if these costsare not communicated effectively, donors may questionbudgets that show higher-than-expected line items (as aresult of safety and security requirements being factoredin, but not explicitly detailed). One result of the FBM effectis that risk management costs are either discarded, orbecome so blurred in a complex web of separateaccounting lines (across the entire organisation) thatthey cannot be clearly communicated, however justifiedthe expenditure.

Confronting the FBM effect ought not be the soleresponsibility of an NGO security manager or securityfocal point. This effect can be reduced by improvingdialogue between grant recipients and their donors.Language used to describe humanitarian anddevelopment efforts ought to be clear and concise whileshowing an understanding of aid as including not onlydirect programmatic goods and services, but also thenecessary efforts to manage the associated risks. Theseexpenses are part and parcel of an aid programme;without access there can be no programmeimplementation.

Those responsible for proposal writing and programmeplanning and management need to be fully conversantwith their donor’s policy position on risk management,as well as their own organisation’s risk managementsystems, so that the assessed risk mitigation activitiesneeded can be appropriately resourced.

8 The term ‘risk treatment’ used in this text is derived from the International Standard on Risk Management (ISO 31000/2009) and is used to describe the broad range of options that a risk owner may take to manage risks,including risk reduction or mitigation, avoidance, risk transfer, or any combination of these.

NGOs broadly categorize expenditure in terms of ‘direct’and ‘indirect’, with annual reports dissecting budgetsbetween ‘programme’ costs and ‘non-programme’costs. On their own these terms are relatively easy todefine. However, attempting to break down budgetsfurther can become confusing as other terms areintroduced in response to grant guidelines, donorreporting requirements, programme planningapproaches, the terms of legacies or simply differencesin vocabulary between charities speaking the samelanguage. Programme proposals and budgets caninclude reference to ‘support costs’, ‘overheads’,‘restricted’ and ‘unrestricted’ funding, ‘programmeadministrative costs’ and ‘management’ costs (and thelist goes on). In the USA, the Internal Revenue Service‘requires charities to allocate their expenses into threecategories: Program, Management/General, andFundraising’.9 It is not surprising that aid practitionersexperience difficulties when it comes to defining andcommunicating their risk management fundingrequirements, especially when working with multipledonors, each with their own glossary of terms.

Can ‘programme’ costs be both ‘direct’ and ‘indirect’?Yes. And, are all ‘non-programme’ costs by nature‘indirect’ costs? Probably not. Likewise is an ‘overhead’ a‘programme’ or ‘non-programme’ cost? And within thisdiscussion, where do aid organisations put their riskmanagement costs (in particular safety and securityexpenditure)?

Helping to make sense of these terms, and in an effort topropose a basic level of standardization to the languageused when communicating risk managementexpenditure, this text proposes a simplified use ofexisting funding terms as well as introducing somedefinitions drawn from the criminal justice sector,restricting nuanced changes unless deemed necessaryto add clarity for the aid context.

Programme expenditure refers to all explicitprogramme costs including programmemanagement and implementation. This may includesecurity risk management costs.

Non-programme expenditure refers to allexpenditure related to institutional management,fundraising and other activities that enable an aidorganisation to function. As with programmeexpenses, non-programme expenses may includesecurity risk management costs.

Institutional costs refer to costs associated with theorganisation as a whole, inclusive of regional andcountry functions. Institutional costs are not confinedto head offices and include expenses that are notprogramme-specific but are essential for theorganisation to function.

Direct costs refer to costs that are ‘directly related to aspecific [programme] activity’.10 This may includesecurity risk management costs.

Indirect costs refer to ‘central administrativeexpenses that are necessary for the continuedfunctioning of an organization, but cannot be directlyallocated to a specific [programme] activity’.11 Thismay also include risk management costs.

Overhead costs are described as ‘expenses that arerequired for running the organisation. Theseexpenses may not be directly contributing towardsimplementing a project but they are still essential tomaintain the office[s] and manage the day-to-dayaffairs of the organization’.12 In the aid sector thesecosts are sometimes defined as separate fromindirect costs and usually (although not always) relateto the percentage of a donation that may be alignedto general head-office operating costs.

Tangible costs. These are ‘costs that can bemeasured directly in dollar [monetary] terms’.13 Thisincludes any cost that may be measured, regardlessof its categorization within an organisation’s financialsystems.


Defining expenses2

9 Charity Navigator, Indirect Cost Allocation Adjustment, http://www.charitynavigator.org/index.cfm?bay=content.view&cpid=35.10 Cost-Benefit Knowledge Bank for Criminal Justice (CBKB), http://cbkb.org/basics/glossary/.11 Cost-Benefit Knowledge Bank for Criminal Justice (CBKB), http://cbkb.org/basics/glossary/.12 http://www.fundsforngos.org/budget-for-ngos/defining-terms-budget/.13 Cost-Benefit Knowledge Bank for Criminal Justice (CBKB), http://cbkb.org/basics/glossary/.

EISF Report09

Intangible costs are ‘costs that cannot be measureddirectly in dollar [monetary] terms. Examples ofintangible costs include pain and suffering’.14 Withinthe aid context, intangible costs may also include theinformal activities carried out to obtain and maintainacceptance by host and beneficiary communities orother actors in the operating environment. Aside froma portion of salary (i.e. working time on such activities)intangible costs are very difficult to measure.Estimating the financial impact of a programmesuspension or closure due to insecurity would includeboth tangible and intangible costs.

Marginal costs are defined by the Cost-BenefitKnowledge Bank for Criminal Justice (CBKB) as

the costs that are incurred because of changes inunits of activity at the margin of an existing levelof operation. Short-term marginal costs includethose costs that change with a slight change inunits of activity. Long-term marginal costs arecosts that change as a result of more substantialchanges in activity.15

In the context of aid programmes, marginal costs areincurred when risk management expenditurechanges due to a change in the operatingenvironment. A short-term marginal cost may beincurred when a programme is temporarilysuspended and employees relocated due to ananticipated security issue such as upcomingelections. A long-term marginal cost may be incurredwhen a natural disaster strikes an area whereexisting humanitarian or development programmesare already taking place, thus requiring a rapidchange to safety and/or security resourcing in orderto continue these programmes or transition to anemergency response. Marginal costs may be difficultto predict in many contexts. Scenario planning is onemethod available to aid organisations to considerpotential changes to their operating contexts, and theestimated marginal risk management costs thatmight arise. Organisations may then budget for orinsure against such costs.

Victim costs, also referred to as victimization costs,are defined by CBKB as

losses suffered by crime victims and includetangible and intangible costs. Tangible losses are those that easily translate into financialdisadvantage, for instance, medical costs, lostincome, and property loss incurred because aperson was the victim of a crime. Intangible

losses refer to the pain, suffering, and reducedquality of life that a crime victim may experienceand are usually harder to monetize than tangible losses.16

When aid workers are subject to violence due toinsecurity they are, by definition, victims of crime(whether direct or incidental). Victim costs are oftennot explicitly considered or budgeted for in aidprogrammes as these are usually addressed throughinsuring against potential injury, harm or death of anemployee.

Risk management costs refer to any expense relatedto reducing the potential for harm or loss to theorganisation and its workforce, or compensating foractual harm or loss, while maximising the potentialfor successful programme implementation. Thisconcept is explained in greater detail below.

2.1. What is a security risk management cost?Risk management costs include: costs associated withpreparing to take risks (e.g. insurances, developing andimplementing policy and procedures, salaries,programme assessments that include risk analysis aspart of programme planning and design, or building thecapacity of employees through training); responding toincidents (e.g. crisis management, programmesuspension or closure, or compensation payments);protecting against (or preventing) initial or on-going lossor harm (e.g. implementing acceptance approaches,provision of physical security, or employee welfare andpsychological support services).

These are general examples. Each operating context(and relative to mission objectives) will present specificcosts related to the programme’s risk managementneeds. In every case, these costs are likely to include acombination of institutional risk managementexpenditure and context-specific, operational riskmanagement expenditure. Some organisations mightconsider the salary of a security director (whoseresponsibilities include global oversight of allprogrammes) as a non-programme cost. However, asthe salary for the position is quantifiable it could equallybe divided between all country programmes, and thusbe considered a programme cost and communicated inregional or country-level budgets accordingly.

14 Cost-Benefit Knowledge Bank for Criminal Justice (CBKB), http://cbkb.org/basics/glossary/.15 ibid.16 Cost-Benefit Knowledge Bank for Criminal Justice (CBKB), http://cbkb.org/toolkit/victim-costs/.

In practice, risk management costs are not consistentlydefined as programme or non-programme, direct orindirect costs. It is not the purpose of this text to suggestthat they belong in a specific budget category. At thepolicy level (e.g. head office or international consortia),risk management is a function of institutionalgovernance and therefore may be considered non-programme. At the programme level (i.e. in the field),risk management may be considered as eitherprogramme or non-programme depending on theorganisation’s desired position in allocating such funds.Anecdotally, many organisations count riskmanagement costs as programme costs. This is morean indication of a tendency rather than a definitivestatement of current practice as little detailed evidence isavailable of how risk management expenditure isallocated by organisations.

What assets or services fall within the definition of riskmanagement costs given above? Practitioners need toconsider the purpose of the expense to determinewhether it fits the definition. Certain assets have a clearsafety and security purpose, such as fire extinguishersand first aid kits. The purpose of other assets may not besolely risk management. For example, a programmemay procure vehicles and communications equipmentas assets necessary for programme implementation.However, they may have a secondary function related torisk management, or vice versa. The decision to procurea specific type of vehicle or communications technologymay be influenced by the programme’s risk treatmentstrategy and approach. Therefore, a proportion of theexpense can be categorized as a risk managementexpense. Judging the exact amount is a subjectiveprocess, depending on the programme manager’sviewpoint, and may be guided by the organisation’ssecurity policies and procedures.

Nevertheless, if a consistent methodology is appliedacross the organisation, these expenses can beestimated and recorded accurately. For example, anorganisation may decide that in cases where risktreatment options led to the procurement of a specifictype of item (e.g. vehicle), then 50% of the expense willbe tagged as a risk management expense (even thoughthe item’s primary purpose is programme delivery).

Tangible costs (i.e. those that have a monetary valuesuch as assets and salaries) can be identified with areasonable level of confidence. The costs, whetherassets, services or human resources, will be informedby a combination of programmatic experiences, riskassessment outcomes, and operating norms within thesector. Intangible risk management costs will be moredifficult to identify and include in budgets, and thereforemay be more complex to justify to donors. From apractical perspective, a portion of a programme’scontingency funding (assuming this is available) may beexplicitly allocated to addressing intangible riskmanagement costs at the field level. However,organisations are best protected from incurring someintangible costs through appropriate insurance policies,meaning tangible risk costs (e.g. the insurancepremium) are expended in order to reduce the potentialfor, and level of, intangible risk management costs.


EISF Report11

A key question of this study is ‘What needs to beincluded when calculating safety and security riskmanagement costs?’ Evidence is limited within the aidsector of existing methodologies or tools for determiningwhat costs to include. This gap offers an opportunity todevelop a framework for practitioners to build upon.Before presenting the tool we have developed, we willexamine the information sources and evidence-base forrisk management costs. Some aid organisations will beable to draw on years of experience to establish a list ofpotential risk costs associated with a given programme.However the basis for costing risk management canonly be accurately determined by considering the risktreatment options and risk mitigation requirements of aprogramme, which can only be derived from a safetyand security risk assessment relevant to a givenoperating context.

The research team observed a common practice in aidorganisations of allocating an arbitrary percentage ofthe total programme budget to risk management costs.This is intended to provide each programme with thecapacity for some level of safety and securityexpenditure. The inherent problem with this approach isthe lack of evidence for determining the percentage.Such an approach cannot be used to develop aconsistent methodology across all programmes due tothe differences each context presents in terms of threatsand risks, as well as possible differences in acceptablerisk thresholds according to immediacy of need served.The approach also assumes that the higher theprogramme budget, the higher the risk managementcosts, which fails to take account of the assessed risks.

Attitudes and assumptions about what is considered anacceptable percentage of a programme budget toallocate to safety and security vary widely across the aidsector. A sample from within the EISF membershipindicated variations between 4% and 30% would beacceptable for high risk contexts, 0% to 20% for mediumrisk contexts, and 0% to 10% for low risk contexts. Thesefigures are based on the subjective opinions ofpractitioners and do not reflect the policy position of theaid organisations. With such a wide variation in what isallocated to risk management costs, it is not difficult to

see that this approach, based on arbitrary percentagesof total programme budget, can be problematic. Animportant way to address these problems is todetermine the precise type of risk management costmore accurately. This may be achieved by conducting arisk assessment.

Treating risk management as a generic institutional costalso means that it is often reduced to the lowest possiblelevel, both to be more acceptable to donors (as anindirect cost), and to be viewed positively by oversightbodies or evaluators (e.g. Charity Navigator).

3.1. The risk assessmentA programme’s safety and security risk assessment isthe single most important management process if riskcosts are to be determined and communicatedaccurately. Each programme and context will presentdifferent risk challenges. Without a risk assessment asan integral part of the programme planning, onlygeneric risk treatment options can be assumed. Notconsidering a risk assessment may seem time-efficientbut cannot guarantee that all threats have beenconsidered and all risks assessed.

Likewise, aid organisations need to consider institutionalcosts, as well as other related risk expenditure includingpotential liability for victim costs. Determining these costsrequires institutional risk assessments, in addition tocontext-specific or programme-oriented riskassessments.

Programme planning ought to include a safety andsecurity risk assessment. This may be carried outinternally where the capacity exists, or outsourced toone of the many commercial service providers (anexpenditure which may be a justifiable risk cost in itself).This study does not suggest how an organisation oughtto conduct its risk assessments. Several differentapproaches exist in the aid sector. Choosing whichassessment approach to use is at the discretion of eachaid organisation. While the assessment methodologieswill vary, the outputs are similar, reflecting the assessed

In practice – what needs tobe considered when costingsecurity risk management?3

level of risk certain threats present to the organisationand its planned programme activities. This risk isreduced through treatment options. These options willhave tangible and possibly marginal costs that may beestimated and recorded using the Risk ManagementExpense Portfolio (RMEP) tool, which is available todownload in editable format from www.eisf.eu and isdescribed in Section 4. An example of the tool is alsoavailable on p.25.

Those responsible for drafting proposals ought to haveup-to-date risk assessments for each programmeactivity on their desk at the time of writing and if not,should be asking for these from relevant programmeand/or security managers. The risk assessmentsprovide the most appropriate evidence forcommunicating the programme’s risk managementcosts to donors. Presenting risk costs in this wayprovides clarity and transparency on how certain budgetlines have been estimated, and importantly why the costis necessary for programme success.

Any proposal that uses a log frame approach includes asection on risks and assumptions, but this is rarely usedto consider and justify safety and security risks andmitigation measures even though these are key tominimize risks to programme implementation. Forexample, the assumption that a particular communitywill continue to allow implementation of public healthprogramming could be used to justify budgeting for an‘active acceptance’ approach (and related costs) toensure that communities do continue to allow suchprogramming.


EISF Report13

A standardized approach to costing risk managementmay be achieved using the RMEP tool which we havedeveloped.17 This tool is aimed at proposal writers andprogramme and security managers as a joint resource.It is designed to unpack risk management costs andallow the data to be sorted and exported to programmebudgets and proposal documents.

Deciding on the details that need to be included whencalculating safety and security risk management costs isa practitioner-led operational activity, and cannot bedirectly answered from this research. The research teamhas incorporated a list of the common risk managementcosts as line items in the RMEP tool. Organisationsapplying the tool will provide the necessary field-testing,and will probably make additions to the list of line items.Users of the tool are able to modify the expense portfolioto meet their specific requirements and may see itevolve into a more automated system, whereby the end-user interacts via an interface that allows outputs to beexported and attached to budget and proposaldocumentation accordingly.

This tool is intended to assist aid organisations that have struggled to secure risk management funding.Senior managers will have a clearunderstanding of how the risk line itemshave been estimated and where they areallocated within budgets. This in turn canbe clearly presented to donors byallowing budget line items to be linked toa specific risk management purpose.Dialogue with donors will prove moreeffective when a logical and evidence-based format can be put on the table. Itwill also enable organisations to seehow different programmes/contexts andlevels of risk affect costs.

The initial version has been designedwith practitioner usability in mind,keeping inputs flexible and relevant toalmost any context or aid organisationstructure. Most line items representtangible costs, but the tool also provides the space toconsider marginal and intangible costs (e.g. percentage

of salaried work time dedicated to an acceptanceapproach to security management). Whether the lineitems are categorised as programme, non-programme,direct or indirect will be determined by eachorganisation’s current practices.

The portfolio includes clusters such as salaries, trainingcosts, and assets. Each cluster is further divided intoindividual line items. For example, the ‘communicationsassets’ cluster includes mobile telephones, satellitetelephones, radios, etc. End-users may wish to providemore specific information against each line item, suchas the specific type of satellite telephone that is requiredfor the given context. Presenting risk costs in this wayallows users to consider whether certain riskmanagement resources are relevant to theirprogramme and to estimate the cost with a relativelyhigh degree of accuracy. Attaching the RMEP and theoutcomes of a risk assessment to proposals will providean effective means of demonstrating a logical, justifiableevidence-base for budgets.

The tool has been trialed successfully, and the authorwould be interested in hearing from other organisationswith their feedback.

4 The Risk ManagementExpense Portfolio (RMEP) Tool

Download the RMEPtool from www.eisf.eu

17 The RMEP tool is presently available in MS Excel format.


18 Development Initiatives Briefing Paper, Input into DFID’s Humanitarian Emergency Response Review, 2010, p.1.

Before we begin estimating risk management costs it isuseful to determine a consistent unit of measurement asa means to communicate these costs in programmeproposals and planning documents. This will assistwhen taking decisions about a programme’s overallcost-benefits and whether it represents value for money.

Examining the risk management costs of aidorganisations is a process which will always includehuman subjects as well as discussions about assetsand their monetary values. There is further potential forethical debates when considering how to measure arisk management cost. What unit of measure isappropriate, useful or relevant? And if the unit ofmeasure is based on a quantifiable population (e.g. aidworkforce or beneficiary), could it be used to suggestthat different population groups have different ‘values’?A unit of measure is proposed in this text, however itmust to be tested to determine if it is useful for riskmanagement costs in the aid sector. The secondquestion is addressed by aligning the unit of measurewith existing literature where aid efficiency andeffectiveness use metrics of ‘unit cost per beneficiary’ or’aid per affected person’.18

Beneficiary numbers, although at times difficult toquantify, are often the cornerstone of a proposal’s statedobjectives and as such may provide a basis fordeveloping a unit of measure for communicating riskmanagement costs. Again, this methodology does notimply a monetary value is placed on a person. It impliesa monetary value is placed on risk management (for agiven programme) that may be communicated as a unitcost per person.

The unit of measure is intended to provide a base linefor communicating costs consistently across allprogrammes. It is not intended to suggest that where ahigher risk cost per person exists, those persons aredeemed more valuable than others. Every programmewith quantifiable employee and/or beneficiary numberscan be calculated as a cost per person equation.

We have already discussed that donors fundprogrammes for a variety of reasons and it is thesereasons, as well as contextual variations, and theorganisation’s motivations that influence whether or notone programme’s unit cost per person differs fromanother. When taking this approach, it is important to beaware of these variations if making comparisonsbetween programmes, organisations and/or operatingcontexts.

Risk cost per beneficiary

A proposed unit of measure based on programmebudgets divided by beneficiary population numbers isrelatively simple to calculate and understand. Forexample, if a programme serves a population of Ynumber of people for a budget of Z dollars, theprogramme’s unit cost per beneficiary is Z divided by Y.Any specific budget line item can be communicated inthis way, including risk management. Caution needs tobe applied to assumptions or deductions drawn fromthe results of this simple equation. However, over time,trends may be identified that assist proposal writers andprogramme managers to better estimate their potentialand actual risk management costs.

The notion of ‘cost per beneficiary’ as a unit of measureis not common in present literature and some aidpractitioners, policy makers and donors may want todeliberately avoid the notion due to the potential for anyresulting comparative analysis to raise questions ofbeneficiary population (in)equality, fairness or choice ofresponse, resource prioritisation and the like. That said,the data to calculate and communicate aid costs in thisway is readily available and is in fact emphasized in theannual reports of aid organisations, where totalbudgets, number of programmes and number ofbeneficiaries are reported.

The above sections have discussed a number ofimportant questions that remain to be answered as wellas introducing definitions and approaches aimed atstreamlining the communication of risk managementcosts within the aid sector. We now turn to some furtherkey questions about cost-benefit and current practices.

Units of measure –communicating riskmanagement costs5

EISF Report15

5.1. Cost-Benefit Analysis (CBA)To what extent is cost-benefit analysis a practicalmethodology for determining risk managementexpenditure in the aid sector? CBA is a commonly usedtool in the for-profit sectors where expenses (e.g.operating costs) are considered against potentialrevenues. In other words, CBA examines the balancebetween spending to generate income and the potentialfinancial rewards (i.e. the benefit) resulting from thatspending.

Applying cost-benefit analysis drawn from the ‘for-profit’sector to the ‘not-for-profit’ sector is not simple. This isdue to the ‘benefit’ being subjective: it is not simply afinancial reward but the provision of some kind ofbenefit to others. Donor proposals generally require adetailed analysis and prediction of a programme’simpact and outputs. Many proposal writers will attest tothe not-for-profit benefit being difficult to accuratelypredict, measure and communicate to donors,particularly in the case of benefits associated withavoiding costs such as those due to office closure, crisisresponses, reputatinal damage or programmesuspensions. A scenario is a useful means todemonstrate the challenges of applying CBA to aidprogrammes.

Scenario

An international NGO with a global humanitarian anddevelopment remit (i.e. multi-missioned) is conductingan emergency response in the wake of a naturaldisaster. The operating context is in a country that hason-going armed conflict between the government andnon-state armed actors. The NGO assesses this contextto be high-risk yet permissible, and decides the risk levelfalls within their acceptable risk threshold (risk tolerance)and policy position.

The costs

The organisation has invested resources in a formal riskmanagement training programme that is considered amandatory condition of employment for all emergencyresponse personnel. The cost of this programme isquantifiable, being X number of training days peremployee per year, X number of staff days allowing foremployees to attend, and travel to and from, thetraining, logistical expenses such as travel andaccommodation, and training fees paid to the trainingservice provider (assuming in this scenario that the

training is outsourced). These costs may be estimatedwith a relatively high degree of accuracy. For thepurposes of this scenario, let’s assume the trainingprogramme costs a total of $40,000 per year. So what isthe benefit to the NGO?

The benefits

In a conventional CBA, the benefit is analysed from thepoint of view of the employer (the body responsible forthe expense), who believes that spending money on arisk management training programme is one means ofbuilding the workforce’s capacity. Equipping employeeswith skills and knowledge which will help them to workmore effectively in high-risk environments is considereda benefit by the organisation’s leadership, as is theavoidance of legal action that might arise fromneglecting a duty of care. However, measuring andquantifying these benefits is difficult due to theirintangible nature, making CBA a challenging andperhaps not-so-useful exercise. A more relevantanalytical approach is True-cost Analysis (TCA).

5.2. True-cost analysisThe best summary of this approach is provided byAbadia and Lin (2009), authors of the Non-profit CostAnalysis Toolkit.19 They propose that the term ‘benefit’ isdropped from the debate, providing a clearer path forexpenditure analysis within the international aid sector.The primary purpose of any such financial analysis is togain a thorough understanding of costs, rather thanseeking to determine potential benefits that arise fromthese costs. Abadia and Lin claim that what they call‘true-cost analysis’ ‘accurately allocates direct as well asindirect costs across focus areas such as programs,geographic sites or particular products, allowingnonprofit leaders to make more informed decisionsabout strategy and funding’.20 Current practice in theinternational aid sector fails to demonstrate processesfor accurately calculating and allocating riskmanagement resources, whether they are defined as‘direct’ or ‘indirect’ costs. The underlying reason for thisomission can be linked back to the programmemanagement cycle, and specifically the threat and riskanalysis processes.

19 Martha Garcia Abadia & Johnny Lin, (2009). Non-profit Cost Analysis Toolkit, Bridgespan Group, http://www.bridgespan.org/nonprofit-cost-analysis-toolkit-introduction.aspx.20 ibid.


Abadia and Lin explain that

‘most organizations have a good understanding ofthe direct costs incurred by each of their programs.But since traditional accounting breaks downindirect (or overhead) costs by functions (e.g.administration, marketing, operations), rather thanby programs, it fails to capture the relationshipbetween these costs and the organization’sactivities, and consequently, its mission. The result isa cloudy economic picture that blinds nonprofitleaders from truly understanding the financial healthof each of their program areas.’ 21

Without explicit budget lines for safety and security riskmanagement resources, it is not only the financial healthof the programme that is unclear. The capacity of theprogramme to resource risk treatment options will alsobe in question or overlooked altogether.

Donors will always require information aboutquantifiable programme outputs such as the number ofbeneficiaries who receive services or support and whatthis has cost. These figures produce limited ‘benefit’statistics but on their own do not reflect true benefits.Risk management activities that result in sustainableaccess to a beneficiary population, while at the sametime protect (to the extent possible) the organisation’semployees and assets from harm, represent truebenefits of risk management expenditure. True-cost isrelatively quantifiable, but true benefit less so, assuccess may be described by what doesn’t happenrather than what does. If a programme is free fromsafety or security incidents, is this due to prudent riskmanagement expenditure (leading to competent riskmanagement actions and decisions) or simply down tochance?

True-cost analysis process

True-cost analysis follows a simple framework.22 Withslight modifications this framework may be applied tocost analysis of risk management expenditure. Adding‘gather risk data’ alongside ‘gather financial data’ on theframework places threat and risk analysis requirementsat the forefront of programme planning and providesthe necessary outputs (i.e. the risk treatment options) todetermine the next steps in the process (i.e. theallocation of direct and indirect costs).

21 ibid.22 ibid.

EISF Report17

True-cost analysis may be a useful methodology to helpdetermine budgets and estimate expenses. Howeverthe approach is less useful in determining whetherresources have been used efficiently and effectively. Todetermine this, cost effectiveness analysis may be used.Cost effectiveness analysis measures ‘the cost ofachieving intended programme outcomes and impacts,and can compare the costs of alternative ways ofproducing the same or similar benefits’.23 This helps usaddress challenges and at times, difficult ethicaldecisions.

The cost of risk management for NGOs cannot beexamined in a de-humanized manner, concentratingonly on tangible costs and financial comparisons.Making programme decisions solely on the basis ofthese facts and figures might make life easier butinternational aid is a humanized subject and needsnuanced and ethical consideration.

Cost effectiveness analysis provides a framework toconsider options for achieving programme outcomes.This is particularly relevant in higher risk environments orin operating contexts that are prone to sporadic orunpredictable security changes. What is important tonote here is that the analysis need not be confined to acertain geographical context (excluding situations wheredonor funds are restricted for use in an particularlocation). It is the intended outcomes and impact thatare important. In other words, what can be achievedusing the same funds in different ways and places?From a risk management point of view, this may raisethe question of an organisation considering thepossibility of working in a lower rather than a higher riskcontext.

In conducting the analysis, different programming andcost options may be explored, with options varyingaccording to the organisation’s attitude towards risk-taking and risk-aversion. These might include:

remote management structures or working solelythrough local partners

increasing employee skills and competenciesthrough specialist, high-level training

procurement of specialist risk management servicesand/or assets specific for that programme

considerations of policy derogation (e.g. using armedescorts)

external risk management training versus internaltraining

cost comparisons between national and mixed(international and national) programme teams incases where a nationalized team is assessed to be alower risk than having a mixed team

declining to implement, or suspending or closing anexisting programme in order to use the same budgetto service a beneficiary population in a lower riskenvironment

In all the above cases, determining effective use of fundsdoes not imply finding the cheapest option. The analysisaims to provide a logical approach to justifying riskmanagement spending, enabling different spendingoptions to be documented and compared. For example,a remote management option may be deemed moreeffective (in terms of cost) as it may demonstrate a moresustainable and long-term programme managementmodel due to building local capacity (when compared tothe organisation’s usual implementation approach). Atthis point it is useful to reiterate the unit of measureargument. Each option may be compared using thecommon denominator of risk cost per beneficiary.

From cost-benefit to costeffectiveness 6

23 A. Hodges, P. White & M. Greenslade, 2011, Guidance for DFID country offices on measuring and maximising value for money in cash transfer programmes, p.5.


Key questions when conducting cost effectivenessanalysis include:

are programme management options available thatwill reduce the assessed risks?

can assessed risks be effectively treated? (i.e. whatmitigation options exist?)

is the funding specifically tied to this programme/location/response/theme or can it be applied to other programmes?

can the same intended impact and outcomes beachieved elsewhere (with the same funds), where therisk to our employees is lower?

can the success of the programme be predicted withrelative certainty, or does the security situationprohibit this outcome?

what is the risk cost per beneficiary for each identifiedprogramme option?

Cost effectiveness may be demonstrated using a set ofdefined criteria that may be either constants orvariables. This is best illustrated by the followingexample.

Cost effectiveness analysis example

This example is presented to illustrate the concept ofcost effectiveness comparisons. It assumes:

1. needs are assessed as equal or similar between thecontexts and the desired impact or outcomes may beachieved with each option,

2. insecurity affects access and is documented as asubjective % of the total beneficiary population figure,

3. increased risk equates to decreased access, and

4. risk costs are determined from the risk assessmentoutcomes.

Specific contexts will determine what the effect will be oneach possible variable and possibly introduce othervariables into the equation.

Programme scenario

Programme impact and outputs: Rehabilitation ofprimary health care facilities to service an estimated500 families (each household is described here as abeneficiary or B). A risk assessment has beenconducted and risk costs estimated.

Cost effectiveness analysis can be used to illustrate theunit costs when it is decided to increase the risk costsufficiently to achieve and maintain access to 100% ofthe beneficiary population. If access is determined to bethe ‘impact’ indicator, and all options can achieve 100%,then the option that achieves this for less may bedeemed as having the highest impact. Alternatively, aproposal can illustrate to donors that cost efficiencycomparisons have been conducted and that thecheapest option may not be the most appropriate (e.g.due to sustainability or other contextual influences).

Risk cost per beneficiary is the division of risk cost by theassessed actual beneficiary figure (e.g. in Table 2:Option 1 being 80% of 500 = 400 families; £10,000 isallocated for risk management which provides a riskcost per beneficiary of £25).

Without actual data this study cannot determine if aquantifiable relationship exists between variables. Forthe present, the cost per beneficiary formula remains aguide to illustrate costs between programme options. Itallows for differing scenarios to be explored and theeffect on budgets and risk management costs to beestimated. In other words, options demonstrating lowerrisk cost per beneficiary figures indicate a certainamount of ‘change’ may be available for other purposeswithin the programme or re-aligned to other riskmanagement needs. Alternatively, higher unit costs maybe justified and presented in proposals accordingly.

EISF Report19

Options for comparison

1. Usual programmemanagement structure andimplementation

2. Deliver via established localpartner

3. Conduct the programmeelsewhere in a morepermissive context

Assessedaccess to B (%)

80

95

100

Risk cost per B (£)

25

31

18

Programmebudget (£)

500,000

500,000

500,000

Beneficiary (B)(household)

500

500

500

Risk cost (£)

10,000

15,000

9,000

Table 2: Comparing programme options when both assessed access and riskcosts vary

Options for comparison

1. Usual programmemanagement structure andimplementation

2. Deliver via local partner

3. Conduct the programmeelsewhere in a morepermissive context

Assessedaccess to B (%)

100

100

100

Risk cost per B (£)

40

30

20

Programmebudget (£)

500,000

500,000

500,000

Beneficiary (B)(household)

500

500

500

Risk cost (£)

20,000

15,000

10,000

Table 1: Maintaining 100% access, requiring risk costs to vary betweenprogrammatic options


How does an aid programme represent value formoney (VfM)? Is it as simple as achieving its statedobjectives within budget? Or better still, exceeding theseobjectives by reaching more for less? And can VfM bedemonstrated prior to the fact, in proposals or conceptnotes?

Value for money is the ‘holy grail’ for any charitableenterprise. The division of costs between programmeand non-programme is a highly prized statistic forannual reports. In general, the perception is that thelower the non-programme costs, the more competentthe organisation is in allocating the majority of funding todirect programme expenses. This may be true whencommunicating fiscal efficiency, however such statisticscannot demonstrate programme effectiveness orimpact. Spending the majority of a donation onprogramme costs does not necessarily mean that theprogramme is meeting its stated objectives or is beingconducted is a safe and secure manner.

Delivering aid according to humanitarian principleshelps aid organisations prioritise limited resources.However this is a utopian position and in reality, aid isoften funded and delivered for reasons other thanhumanitarian. State donors may (although not always)have political agendas requiring aid funding to beassociated with foreign policy outcomes. Diasporacommunities raise thousands of dollars to support thoseremaining in home countries. This source of fundingmay not always be motivated by humanitarianprinciples but rather for personal, political or ideologicalreasons. Some aid organisations opt for specificcountries and/or regions (e.g. regions where the need isaligned with their specific mission objectives). Themotivation of donors to provide funding for specificpurposes needs to be understood if proposals are tocommunicate risk management resourcingrequirements clearly. Moreover, aid organisations needto understand what value for money represents in theview of the donor.

Is spending above the typical norm on risk-relatedexpenses (e.g. 5% of the total programme budget) in ahigh-risk environment acceptable if it allows for thesuccessful delivery of the programme? Ethically it wouldbe difficult to object to this approach. However, infinancial terms, it is another matter. Donors as well asgrant recipients have an (implicit or explicit) upper limitfor acceptable expenditure on risk management. Thisthreshold will be subjective and from the point of view ofeach organisation (and for that matter, individual). Justas individual risk tolerances vary, so too will individualperceptions of value for money when it comes toassisting people in need.

Donors expect (and rightly so) that the people theyentrust with spending their money will do so asefficiently and effectively as possible. This is particularlyimportant with state donors, charged with ensuringresponsible use of public (i.e. taxpayer’s) funds. The lastthing a government wants is to have to respond toallegations of wasteful spending. Therefore donors havestrict guidelines and regulations on eligibility for funds,and for what purpose these funds will be used. Grantrecipients have an obligation to ensure thoroughfinancial reporting on programme expenditure, thusproviding the donor with a level of confidence that thefunds are being allocated for their intended purposes.

In terms of risk management, state donors in particularare acutely aware of the need to ensure that grantrecipients demonstrate the capacity to deliver theirprogrammes successfully. Many state donors expectgrant recipients to include risk management costs withintheir programme and non-programme budgets. Somedonors explicitly require security management evidenceto accompany grant proposals as a means ofdetermining if the potential recipient has consideredsafety and security.24 Despite this, concerns about legalliability may mean that while a donor might not approvea proposal if the risk management evidence is held tobe poor, it does not follow that approved proposalsenjoy donor endorsement of the programme’s safety orsecurity management approach. In short, some do andsome don’t. What will determine this are the donorcountry’s legal frameworks relevant to duty of careliability and negligence, as well as individual policydecisions.

Value for Money 7

24 USAID/OFDA Guidelines for Unsolicited Proposals and Reporting, 2008, p.41.

In terms of risk management expenditure, as in otherareas, value for money is attractive to donors. Wherecan donors receive best value for their investments?State donors (i.e. governments) are required todemonstrate responsible spending. They do thisthrough ensuring grant recipients are – as far aspossible – responsible spenders. This process isevolving beyond fiscal accountability and reporting withnew steps being taken towards holding grant recipientsto an even higher level of professionalism. Donors mayintroduce specific risk management standards as part ofcontractual arrangements between the donor and grantrecipients. In other words, if an aid organisation wantsto receive tax dollars, it will need to conform to riskmanagement standards just as it presently does forfinancial reporting standards.

This introduces a new dimension to the donor / grantrecipient relationship. If a donor introduces a newstandard, is the donor obliged to make resourcesavailable to existing and potential grant recipients toensure conformity can be achieved? And if so, how canthe cost of this requirement be calculated? Would this beaffected by whether the standard was a contractualobligation or suggested guidance?

Grant recipients that are able to demonstrate conformityto risk management standards are in effectdemonstrating a capacity to manage foreseeable riskseffectively. Successful programmes loosely equate toeffective spending, but for VfM, alternative uses of theavailable funds need to be considered. Riskmanagement expenditure can come in many forms inthe international aid sector and while donors will activelysupport their implementing partners, they will also lookfavourably on collective initiatives that serve multiplepartners’ risk management needs. The funding ofconsortia security programmes such as the AfghanistanNGO Safety Office (ANSO) is once such example whereVfM may be demonstrated.

Collaborative or cooperative initiatives are not alwaysavailable to NGOs but where they do exist, the servicesthey provide can represent an efficient use of time andmoney, especially when combined with an organisation’sown internal risk management efforts in a given context.Such organised initiatives (e.g. ANSO, NSP, GANSO, etc.)should not be considered as competing with individualaid organisations for risk management funding. Donorswill generally consider the efforts as complementary toan organisation’s safety and security processes, withboth risk management approaches requiring separateand due consideration.

EISF Report21


Throughout this paper, we have examined issues of riskmanagement expenditure in an effort to determine whatit costs to deliver an aid programme safely. But whatwould be the cost if aid organisations took a consciousdecision not to spend money on risk management? It isimpossible to answer this question with any certainty orfiscal accuracy, partly due to the inherent uncertainty ofwhether risks identified will actually materialise (andtherefore affect a programme), and partly due to a lackof evidence.

Scenarios and case studies are a means to estimate thepotential costs to an organisation if it were subject to asafety or security incident. To some extent, suchexercises are used as the basis for determiningappropriate compensation and relevant insurance. Anorganisation that spends little or nothing on riskmanagement implies that it is comfortable with itspresent capacity to take and manage risks and acceptsthe outcomes (e.g. harm, injury or loss of some sort, orloss of access to implement programmes). Themotivation to take such a position may be varied andinfluenced by more than just financial considerations.Operational experience and perceptions of the riskenvironment may lead an organisation to deem riskmanagement expenditure as unnecessary, or not apriority for limited funding. If such a decision is based onthe evidence from a risk assessment, it may bejustifiable. On the other hand, it may be reckless toassume that any risk environment is a stable and certaincontext, since it could be affected by insecurity at sometime in the future. At a minimum, some form of riskmanagement contingency funding should be plannedand readily available.

Tangible costs may be applied to scenarios where theprogramme has been affected by insecurity. Worst-casescenarios may include the death of employees andprogramme closure. Apart from due financialcompensation to the victims’ families, these costs arelikely to include loss of assets, increased insurancepremiums and the requirement to repay unspent grantsto donors. Organisations that self-insure might find theiroperating capital reduces significantly if they are found

to be negligent. Other examples are likely to includeunexpected costs for evacuation or relocation (e.g.flights and accommodation), re-assigning employeesfrom their usual duties to crisis management functions,and on-going salary and office expenses (even if aprogramme is not delivering due to the securitysituation).

Intangible costs may include irreparable damage toreputation, and transferring risks to others (such as localpartners). In some contexts, aid managers may findthemselves answerable in court and face civil or indeedcriminal charges if it is proved that they failed to exerciseduty of care. Proportionate and relevant investment inrisk management across the organisation is anappropriate and reasonable step to avoid suchoutcomes. The difficulty in justifying risk managementspending can come from audit and trend analysisoutcomes showing that while funding was allocated forthis purpose, the organisation did not use the services orassets such funding covers. It reminds us of theunanswerable question. If an aid organisation is freefrom safety and security incidents, is this due toappropriate risk management spending, or simplyrandom chance? Relying on chance is not justifiable intoday’s operating context.

Spending money on risk management is a legalrequirement in many jurisdictions, as well as being theethically right thing to do. Many aid practitioners whohave been victims of serious security incidents (e.g.kidnapping) believe they were able to manage theimpact of the incident due to having received relevanttraining from their employer. Conversely, some victimshave alleged their employer was negligent in notappropriately preparing them to assess and managethe risks associated with their work. Failing to considerrisk management and associated costs as part of eachand every programme can only be described as‘negligent’.

The cost of not spending onsecurity risk management8

Key recommendations1. Aid practitioners are encouraged to record present

risk management expenditure in a more transparentmanner and use tools that not only demonstrate this,but also assist them in estimating potential costs

2. Those responsible for fundraising and grantsmanagement are to ensure their proposal budgetsare informed by the outcomes of a risk assessmentrelevant for each programme

3. The dialogue between proposal writers, programmeand security managers is improved to ensure eachprogramme’s risk management needs are identified,budgeted for and communicated

4. Aid practitioners are recommended to establish acommon framework for identifying and estimatingrisk management costs and work with their donors torefine this framework so that financial reporting onrisk management expenditure is an efficient andaccurate process

5. Aid practitioners are recommended to actively seekout or create collaborative and cooperative riskmanagement initiatives, determine whether theserepresent value for money and communicate theseinitiatives to donors

ConclusionThe research team undertaking this study set out todiscover and examine good practices that demonstrateevidence-based processes for estimating andcommunicating risk management costs within the aidsector. Such processes are elusive and are yet to bewidely communicated. The lack of data, althoughfrustrating, presented an opportunity to engage withpractitioners and develop frameworks for futureprocesses and tools. This paper captures importantissues for discussion between aid organisations, theirimplementing partners and their donors.

There is no set formula for deriving risk managementcosts for an overall programme budget. One approachthat was identified is the allocation of an arbitrarypercentage of the total programme budget to riskmanagement costs. Typically this does not exceed 5%,however if we were to apply this formula to the totalODA for 2010, it would suggest that aid implementerswould have had access to $25 billion for riskmanagement expenditure in that year; a sum whichwould be neither justifiable nor realistic.

This research proposes that aid organisations begin tomore accurately estimate and record their riskmanagement costs, and presents a tool to guide thisprocess. Practitioners are encouraged to use the RMEPtool and help it evolve. Good practices for riskmanagement costing need to be shared widely withinthe sector in order to improve current processes. Overtime this subject may be revisited when sufficientquantifiable data becomes available for analysis, whichin turn may lead to addressing some of the unansweredquestions and allow for a greater degree of accuracy indetermining risks to aid programmes and the costsassociated with managing these risks.

EISF Report23

9

EISF Report25

Risk Management ExpensePortfolio Tool Template


Programme: [enter text here]Country:Specific locations: [enter text here]Overall risk level: [enter text here]Risk assessment attached: Yes / NoGrant / Proposal ref: [enter text here]Expense estimate period: [enter months, years here. Eg. Totals on this file are for 3 years]Donor guide ref: [enter title and page numbers here]Contact person: [enter text here]Date of last update: 30 October 2012

Ref Cluster Expense descriptionSalarIes Safety & Security Director

Head Office-based Security ManagerRegional Security ManagerCountry Security ManagerCountry Director / ManagerProgramme / Project ManagerSecurity Focal PointTechnical ConsultantTraining Manager[insert other specific items here]

Admin Security Director and/or Manager Travel& Logistics Security Director and/or Manager Accommodation

Security Director and/or Manager Visa feesSecurity Director and/or Manager IT & telecommunicationsSecurity Director and/or Manager Administration & Logistics[insert other specific items here]

Training, Employee induction training daysLearning & Personal security training daysDevelopment Security management training days

Scenario training development and deliveryRefresher training daysHostile Environment Awareness training daysMentoring of SFPsLeadership & Management training daysCommunications & Media training daysFamily Liaison training daysDriver training (Basic)Driver training (Advanced)First Aid training days (Basic)First Aid training days (Advanced)Capacity building local partner training daysCrisis management training daysGuard training daysBoat safetyProfessional development training daysTravel and accommodation to attend L&D or professional development events[insert other specific items here]

Units

EISF Report27

Cost perunit Total

% of Budget lineallocated to risk mgt

Risk mgttotal

Source information

Risk assessment& notes

Accountcode/s

Prog /Non-prog

Direct/ Indirect

Currency: £ Pounds Sterling Expense category:Evidence:


Ref Cluster Expense descriptionInformation Forum / Association fees or contributions& Knowledge Conference / Event feesManagement Incident reporting IT system

Threat & Risk AnalysisRisk management system reviewPolicy development & maintenancePlans & procedure development & maintenanceTravel tracking system subscriptionsSafety and/or security information subscriptionsReference publications and/or subscriptionsData backup and storage systemSecure physical storage (e.g. safe)Shredder[insert other specific items here]

Access Community engagement activitiesSalary for dedicated community liaison teamsInsert community engagement activities here (e.g. local sports event, meetings, etc.)Acceptance strategy implementation (e.g. host community project, meetings, etc.)Refer to the Acceptance Toolkit for specific activites & options & insert these options hereHost country legal / regulatory feesCustoms / Duty taxes and feesContext assessmentCommunity dispute resolution activities[insert other specific items here]

Facilities Building / Compound lease (Regional)Management Building / Compound lease (Country)

Building / Compound lease (Field sub-office)Physical access controls (gates, fences, locks, etc.)Alarm systemCCTV systemElectrical generatorsGuard service contractsGuard equipment (vehicle search mirrors, etc.)Building / Compound lightingBlast film for windowsStand-off construction (hesco barriers, wire, etc.)Fire fighting equipmentSafe room construction & maintenance[insert other specific items here]

Comms Mobile telephoneAssets Mobile telephone service subscriptions/SIMs

Satellite telephone (Portable)Satellite telephone (Base station)Satellite telephone service subscriptionsComputing & IT equipmentRouters and cables, etc.Radio VHFRadio HFVSATInternet Service Provider (ISP) contracts[insert other specific items here]

Units

EISF Report29

Cost perunit Total


Risk mgttotal

Source information


Accountcode/s

Prog /Non-prog

Direct/ Indirect



Ref Cluster Expense descriptionMedical First aid kit (Basic)Assets First aid kit (Advanced)

Maintenance of first aid kitsPrimary health medicationPreventative medicationPEP kit[insert other specific items here]

Transport 4x4 vehicleAssets 2x4 vehicle

Special / Technical vehicleLocal vehicle hireLocal driver hireSecure parking facilityVehicle tracking systemVehicle alarm systemVehicle recovery and spare parts equipment (tow ropes, spare wheels and tyres, etc.)BoatLife jacketsOutboard motor[insert other specific items here]

Crisis Hibernation/Relocation suppliesManagement Evacuation contingencyAssets [insert other specific items here]Insurances Medical evacuation

K&RPersonal accident[list policy types here]

General Unrestricted funds that may be immediately available in Contingency the event of an unforeseen crisis or incident

Totals

Units

EISF Report31

Cost perunit Total


Risk mgttotal

Source information


Accountcode/s

Prog /Non-prog

Direct/ Indirect


The RMEP tool is available to download in editable format from www.eisf.eu.

The tool has been trialed successfully, and the author would be interested inhearing from other organisations with their feedback.


Donor guidelines

DFID Proposal Guidancehttp://www.dfid.gov.uk/work-with-us/funding-opportunities/not-for-profit-organisations/uk-aid-match/submit-a-proposal/

DFID Guide to the log framehttp://www.dfid.gov.uk/Documents/publications1/how-to-guid-rev-log-fmwk.pdf

DFID Pre-grant Due Diligence Guidehttp://www.dfid.gov.uk/Documents/funding/gpaf/Pre-grant-due-diligence-guidance.pdf

A. Hodges, P. White & M. Greenslade, 2011, Guidance forDFID country offices on measuring and maximising valuefor money in cash transfer programmeshttp://www.dfid.gov.uk/Documents/publications1/guid-dfid-cnty-offs-meas-max-vfm-csh-trsfr-progs.pdf

USAID Guidelines for Proposals and Reporting, 2004, USAgency for International Development, Bureau forDemocracy, Conflict and Humanitarian Assistance,�Officeof US Foreign Disaster Assistance (OFDA)http://transition.usaid.gov/our_work/humanitarian_assistance/disaster_assistance/resources/pdf/updated_guidelines_unsolicited_proposals_reporting.pdf

General publications

What is Aid?http://www.oecd-ilibrary.org/docserver/download/fulltext/0111101ec004.pdf?expires=1343040239&id=id&accname=guest&checksum=823C113AE2DF8981EACCC70B2EB8C44F

Where Does the Money Go?http://dspace.cigilibrary.org/jspui/bitstream/123456789/25557/1/Where%20Does%20the%20Money%20Go%20-%20Best%20and%20Worst%20Practices%20in%20Foreign%20Aid.pdf?1

The 2011 UN CAP appeal: Did humanitarian aid just getcheaper?http://www.globalhumanitarianassistance.org/the-2011-un-cap-appeal-did-humanitarian-aid-just-get-cheaper-1910.html

DDR Cost-Benefit Analysis, ALNAPhttp://www.dfid.gov.uk/work-with-us/funding-opportunities/not-for-profit-organisations/uk-aid-match/submit-a-proposal/

Development Initiatives Briefing Paper, Input into DFID’sHumanitarian Emergency Response Review, 2010http://www.globalhumanitarianassistance.org/wp-content/uploads/2010/12/DI-Submission-to-DFID-HERR-1012091.pdf

Management tools and handbooks

Martha Garcia Abadia & Johnny Lin (2009). Non-profit Cost Analysis Toolkit, Bridgespan Group http://www.bridgespan.org/uploadedFiles/Homepage/Articles/Cost_Toolkit/Bridgespan-Nonprofit-Cost-Analysis-Toolkit-Complete.pdf

Five Winds Cost-Benefit Analysis Toolhttp://www.dep.state.pa.us/dep/deputate/pollprev/Iso14001/Tools/Facility%20Environmental%20Issues%20Toolbox/WW%20Wastewater/WW7%20Simple%20Benefit-Cost%20Analysis%20Tool.pdf

Project Cycle Management Handbook, 2002, European Commissionhttp://www.sle-berlin.de/files/sletraining/PCM_Train_Handbook_EN-March2002.pdf

AusAID Aid Management Cycle (2012). Australian Governmenthttp://www.ausaid.gov.au/about/pages/transparency-subpage.aspx

References andrecommended reading

EISF Report33

Briefing PapersSecurity Management and Capacity Development: International agencies working with local partnersDecember 2012EISF Secretariat, Iesha Singh

Gender and Security: Guidelines for MainstreamingGender in Security Risk ManagementSeptember 2012Christine Persaud (author), Hye Jin Zumkehr (ed.)

Engaging Private Security Providers: A Guideline for Non-Governmental OrganisationsDecember 2011Max Glaser (author), supported by the EISF Secretariat (eds.)

Abduction ManagementMay 2010Pete Buth (author), supportedby the EISF Secretariat (eds.)

Crisis Management of Critical IncidentsApril 2010Pete Buth (author), supported by the EISF Secretariat (eds.)

The Information Management ChallengeMarch 2010Robert Ayre (author), supported by the EISF Secretariat (eds.)

ReportsRisk Thresholds in Humanitarian AssistanceOctober 2010Madeleine Kingston and Oliver Behn (EISF)

Joint NGO Safety and Security TrainingJanuary 2010Madeleine Kingston (author), supportedby the EISF Training Working Group

Humanitarian Risk Initiatives: 2009 Index ReportDecember 2009Christopher Finucane (author), Madeleine Kingston (editor)

ArticlesIncident Statistics in Aid Worker Safety and SecurityManagement: Using and Producing themMarch 2012Koenraad van Brabant (author)

Managing Aid Agency Security in an Evolving World:The Larger ChallengeDecember 2010Koenraad Van Brabant (author)

Whose risk is it anyway? Linking Operational RiskThresholds and Organisational Risk Management(in Humanitarian Exchange 47)June 2010Oliver Behn and Madeleine Kingston (authors)

Risk Transfer through Hardening Mentalities?November 2009Oliver Behn and Madeleine Kingston (authors)Also available as a blog atwww.odihpn.org/report.asp?id=3067

GuidesFamily First: Liaison and support during a crisisFebruary 2013Sara Davidson (author), Ellie French, EISF Secretariat (eds.)

Forthcoming publicationsGuide on Office Closure

Religion and Security

Other EISF Publications

If you are interested in contributing to upcoming research projects or want to suggest topicsfor future research please contact [email protected].

Available atwww.eisf.eu

First published February 2013

European Interagency Security Forum

EISF Coordinator+44 (0)203 195 [email protected]

EISF Researcher+44 (0)203 195 [email protected]

www.eisf.eu

design and artwork: www.wave.coop