Information Security – Responsibility and Accountability

By | Training, Updates from the Field | No Comments

On behalf of all those involved in security generally, and information security in particular, may I be the first to say, ‘thankyou very much’ to those Members of the British Parliament who insist on using weak passwords contrary to best practice. If true, you provide yet another example for us to use in our presentations and training on the topic. But if these initial indications are correct, and British MPs have compromised their own and their Nation’s security by not following simple instructions, will they be sacked? Where will the buck stop?

Photo courtesy of The Guardian

[British MPs have also given Western citizens another reason to doubt their governments when in the context of debates on data retention these governments seek to reassure their citizens their information is safe with the government. But this is the subject of a different post.]

Who Did It?

Of course everyone is pointing their fingers at the Russians and North Koreans. I have my money on a spotted youth operating out of Dad’s shed taking a break from trading Bitcoins to have a crack at the Houses of Parliament – just because he can. I amuse myself by believing British Members of Parliament exercise more discipline when using public WiFi after reading my post on the topic here, and let their guard down in the office. They probably think someone else is looking after their security for them.

This would be a distraction. Even if it was a foreign government, it is their role to spy on the UK government, as it is Britain’s to spy on others. Accordingly it is the role of British MPs to both do their bit for collective security and set an example for others by not getting caught with their pants down.

Your Emails are More Interesting Than You Think

More seriously, for those in the Humanitarian and Development sectors delivering essential programming support in areas riven with conflict; Somalia, the cholera response in Yemen, the vast numbers of displaced across West Africa (Boko Haram being just one of many causes), Afghanistan, and any kind of humanitarian programming in Syria or Iraq there is a lot of interest in your email accounts and servers to parties to the conflict.

How much money are you spending? Where does it come from? If doing remote programming in Syria, who are the local staff you are employing? How and how much are you paying them? What information are they providing? All of this information and more is contained in the email traffic of Country Directors, Heads of Programming, Heads of Finance, Security Focal Points and others.

We are reminded that security is everyone’s business, and this is especially the case for information security. The days of believing you can just ‘do your job’ and leave safety to the driver, security stuff to the security bloke and IT stuff to the IT guy are long gone. We all must work together.

Responsibility and Accountability

It is early days in this British investigation. Let us assume the smoking gun is pointing in the right direction and the accountability for this vulnerability remains with MPs failing to follow simple procedures. Will the British Prime Minister do us all a favour and immediately sack or severely sanction those MPs who have put their own and their nation’s security at risk by being lazy?

What a great example that would be!

(Main photo courtesy of MapAction operating in Tacloban after the 2013 hurricane.)

If there are any questions arising from this post, please do not hesitate to do so in the comments section below. You are also invited to sign up for email notifications of future posts on this site.

RM4HD Email Subscription Form

Please enter details below.

Minimising Public WiFi Risk

By | Book/Literature Reviews and Standards, Travel Safety and Duty of Care | No Comments

For those of us living itinerant lives, constant connectivity while moving within and in-between countries is a necessity. We love our Free WiFi. Among friends and colleagues we discuss and recommend the relative merits of cafes and restaurants partially according to how reliable is their free WiFi. Whether adding the finishing touches to the final written pieces of the contract just completed, transferring funds in between accounts to pay bills or onward flight tickets, emailing back and forth on a piece of work or a contact yet to be gained, or simply remaining in touch with family and friends, near constant email connectivity is essential to the modern professional within the Humanitarian and Development sectors.

But another truism is that most of this work is rarely conducted at ‘home’. Indeed, for those of us who base in places like Bali and Thailand, our office while ‘in between contracts’ is an obliging café where we do our work. These home base locations, or temporary ports of call may have poor 4G or 3G connectivity. While in transit in hotels and airports we are grateful to find a free WiFi connection somewhere. It may not be fast, but it is enough to get stuff done.

But it is safe?

The Harvard Business Review have been the most recent in a long line of articles advising us against the use of public WiFi. I have summarised and expanded on their points below. They are right to warn us. They quote a Verizon cyber security report describing how ‘Man in the Middle’ and ‘Evil Twin’ attacks have been identified in an increasing number of hotels and public places, especially in Asia. These are useful to extract login and password data, steal information from laptops and other devices, and/or lay the ground work for a far more elaborate and costly identity theft.

What Can We Do About It?

Because I live in Indonesia where there is relatively cheap internet packages available on pre-paid phones, I minimise the risk of public WiFi access by not using it and tethering my phone instead. And when I must connect to a public WiFi connection, I do so via a VPN. I would recommend a paid one. I use Zen, but there are many more on the market, Please see here a recent review of Zen that compares it to others currently on the market. Please note I am not endorsing this product. But if it is simple enough for me to use then anyone can.

Another must is an easy to use Password Manager. Personally I use KeepAss (think, ‘Keep your arse safe’) and the password hygiene greatly reduces the risk of Man in the Middle and Evil Twin attacks. But there are many others on the market. Do your research to ensure the database is encrypted and it can be easily backed up to a USB and printed hardcopy (for secure storage elsewhere). Remember, in a man in the middle attack the thief is logging your key strokes to get your login and password details. If the password is an easy to remember one you use everywhere, like the name of your first pet, with Upper and Lower, numbers (eg, ‘Blacky123’) and the username is your email address you can be guaranteed that this combo will be tested on banks, Facebook, LinkedIn and other places where your identity and personal information can be hijacked. But if your password is Pj67$tHyfg&90dessTmb* it is clear in the mind of the thief that this is not a password you use for every site you access; you are using a password manager and there is no point attempting to apply that username/password combo on other sites.

How do these tools manage Risk? The VPN or WiFi avoidance method (ie, by tethering to your phone’s internet connection) greatly reduces the likelihood of being compromised by a thief. However, if compromised, the password manager will ensure that whatever Username/Password combo you use for the compromised site is not repeated for other sites thus containing the breach.

Other basic and easy to implement precautions include switching off your Bluetooth and WiFi when not in use so they do not randomly connect to a network without you noticing, and using two-factor identification for sensitive sites like email and banking sites.

To summarise the tips given by the Harvard Business Review to both reduce both the likelihood and impact of this threat:

  • Avoidance. Don’t use public Wi-Fi to shop online, log in to your financial institution, or access other sensitive sites.
  • Mask. Use a Virtual Private Network, or VPN, to create a network-within-a-network, keeping everything you do encrypted
  • Complicate. Implement two-factor authentication when logging into sensitive sites, so even if malicious individuals have the passwords to your bank, social media, or email, they won’t be able to log in
  • Verify. Only visit websites with HTTPS encryption when in public places, as opposed to lesser-protected HTTP addresses
  • Switch Off. Turn off the automatic Wi-Fi connectivity feature on your phone, so it won’t automatically seek out hotspots
  • Pay Attention. Monitor your Bluetooth connection when in public places to ensure others are not intercepting your transfer of data
  • Avoid. Buy an unlimited data plan for your device and stop using public Wi-Fi altogether
  • Obscure. Use a password manager, and get into the habit of changing passwords regularly

This is not rocket science. Merely the 21st century version of locking valuables away in the hotel safe, not carrying all your cash and cards in the one place, not visibly flaunting wealth, and not changing cash on the black market.

If there are any questions arising from this post, please do not hesitate to do so in the comments section below. You are also invited to sign up for email notifications of future posts on this site.

RM4HD Email Subscription Form

Please enter details below.

Trading Development for Security: A Faustian Pact

By | Travel Safety and Duty of Care, Updates from the Field | No Comments

The author did three contracts in Afghanistan in Security Risk Management roles. One for the UN, one for a Faith Based INGO and the other for a government owned development organisation. Opinions expressed below are his alone and do not derive from official policy of his former organisations.

Weaponising Development Assistance

The situation is not close to normalising in Syria. Well in advance of whatever tenuous peace will be agreed upon eventually, we can be nearly certain there will be ongoing state and non-state interference. It will remain a hazardous place for INGO staff, and will continue to be viewed as a source of potential extremists keen to inflict damage in European, American, Australian etc cities. In a triumph of hope over experience, it can be reasonably predicted that the usual suspects (USAID, DFID, EU, DFAT, CIDA) will be throwing vast sums at development organisations to ‘do stuff’ in Syria with a view to reducing the security threat back home and perhaps even encouraging refugees to return to their homes.

The ultimate strategic risk management failure of the last two decades within the Humanitarian and Development sectors is the mis-allocation of aid spending towards security objectives, with the willing participation of INGOs, the UN and for-profits. The evidence is clear from Iraq and Afghanistan (and other smaller, lower profile examples) that when one funds development projects for security objectives, one achieves neither development nor security. Are we going to learn the lessons from the past, or enter into Faustian Pacts all over again in Syria?

A Pact with the Devil (a deal with the Devil or a Faustian bargain), is an agreement with Evil, in the form of the Devil, often (as in the story of Faust) with the paradoxical intention of achieving a higher Good that is otherwise obstructed. The nature of an agreement is a risky accommodation, so at the crux of objections to such a thing are questions–what has the person making the agreement traded to the Devil; can the person avoid being trapped or corrupted; does the agreement strengthen the Devil; is the greater Good compromised, and still unachievable?

Faust’s pact with Mephisto (about 1840), by Julius Nisle.

These failures are expensive. As this report from 2013 describes, the situation was no better in Iraq (noting this was written before the advent of ISIL/ISIS) and evaluates the wastage at US$60b. When wastage is rounded off to the nearest billion, AND there is barely any improvement in development AND the security situation is demonstratively worse, tax-payers would be forgiven for succumbing to populist appeals to slash aid budgets. And it is now 2017 – those numbers would be much higher by now.

Implementing for the government donors were UN/INGO/for-profit/faith-based and government owned development organisations implementing the ‘Build’ phase of now discredited COIN (Counter-Insurgency) strategy; namely Shape, Clear, Hold, Build. Organisations were achieving multiples of their usual global turn-over in Afghanistan alone. Hundreds of smaller organisations were created to hastily implement projects for USAID, DFID, AUSAID, CIDA etc etc. The sector professionalised and grew, careers were made, and organisations greatly expanded. While the money flowed Iraq and Afghanistan were becoming more secure and developed. The Faustian Pact held.

But it did not last, and look at where Syria and Iraq are now. How are INGOs perceived now compared to before 2003? To paraphase Sarah Palin, ‘How’s that impartiality and neutrality stuff going?

With the benefit of hindsight it is easy to criticise the organisations responsible for taking the money and tipping so much fuel onto the fires of Afghanistan and Iraq. But now we know better. As a result of poor risk assessments, poor planning and greed, the sector has a serious credibility crisis. Concepts of neutrality and impartiality are almost gone and now we must think ahead to how donors will understand the problem in Syria. What will belligerent donor governments do next? How much will they spend?

Why do major donor governments do this, and what does this mean for the rest of us?

Governments – or at least the well-intentioned apparatchiks working within them – are not malicious. They honestly believe a ‘Whole of Government’ or ‘Comprehensive Approach’ to complex problems  will reduce duplication, provide clearer policy formation and result in a higher impact. Better ‘bang for the buck’. And because fewer and fewer OECD governments actually do anything, much of the implementation for the aid component is outsourced to for-profit or not-for-profit humanitarian and development organisations. In their minds it is a clear win-win. So we can’t always just blame the bureaucrats and let off the hook the seasoned veterans in the humanitarian and development sectors who willingly went along with it.

The result is a dramatic contraction of humanitarian space. As Laurent Saillard argues well;

Most NGOs and UN agencies forgot or refused to even consider that they were in fact actively participating in the implementation of the Counter-Insurgency Strategy supported by the coalition, and that this could be the main cause of the increasing challenges their were facing. It was easier to blame armed actors for their involvement in activities traditionally implemented by aid agencies than to look critically at what the aid community had become in the Afghan context. The underlying issue had in fact little to do with the involvement of armed actors in aid delivery. On the contrary, it was the new role of the aid community and its ambiguous – not to say schizophrenic – behaviour that were responsible for how humanitarian actors in the country were now being perceived.

Don’t misunderstand me – not every donor inspired project in a complex environment is necessarily a [very] slow motion train wreck waiting to happen. There is wheat among the chaff and it is here and at this point that INGO/UN/Development organisation staff, staff families, the general public, private donors and above all beneficiaries need to retain their faith in the senior leadership group of their organisation to approach the ‘funding opportunity’ carefully.

Before committing the organisation to its next extended period of safe rooms, HEAT trainings, car-bombs, burn-out and organisational reputation shredding, the board and senior management must ask themselves a few questions. Among many others:

  • What is the Humanitarian or Development (not security/political) problem for which the proposed intervention is a solution?
  • Is the proposed Project SMART*?
  • Are we good at operating in complex emergencies?
  • Let’s pause to remind ourselves of our Mission, Mandate and Values, and ask: do the proposed project delivery methodology and outcomes conform?
  • Who has an interest in project success, and who has an interest in project failure?
  • Is the proposed donor a belligerent in any conflict, and does this project support their security objectives?

*Specific – target a specific area for improvement.
Measurable – quantify or at least suggest an indicator of progress.
Achievable – state what results can realistically be achieved, given available resources.
Responsible – specify who will do it.
Time-related – specify when the result(s) can be achieved.

Two Challenges: Rising Aid Skepticism and Rebuilding Syria

With aid budgets everywhere under ever more scrutiny, and the politics within donor nations moving towards populism, the ‘Aid Industry’, or the ‘Aid-Industrial Complex’ must look deep within itself to maintain its popular legitimacy and viability. Humanitarian and development professionals can no longer rely upon a steady stream of funding for a sector that is supposed to be working towards its own redundancy. It clearly isn’t.

Secondly, it is a matter of time that the situation will evolve in Syria so that it will be considered safe enough for the larger INGOs and UN Agencies to set up offices, locate expat staff there full time, and throw themselves into the humanitarian, development, economic, cultural and environmental catastrophe that is Syria. We all wish them and the Syrian people well in what will be a long and challenging task. The bulk of the millions they will be receiving will be donor funds from the usual donor nations and multi-lateral organisations with an eye to political outcomes associated with mass migration and terrorism. We know this.

This is not necessarily a bad thing. Organisations need to start preparing for the inevitable Faustian Pact now in order to be ready for the quick risk assessments that must be conducted prior to accepting donor funds from belligerent nations in Syria. SMART, once again:

  • Specific – Not a generally worded motherhood statement describing all and nailing down nothing. What exactly must the project achieve?
  • Measurable – Would a terror incident back in the home country reflect poorly on project outcomes? If local projects are successfully implemented, and refugees keep moving, is the project a failure?
  • Achievable – Are the time, scope and costs allocated for this project realistic
  • Responsible – Do we have the skills, and are we shouldering responsibility for outcomes for political and security outcomes?
  • Time-related – When will the project be finished, and what does ‘finished’ look like?

Many projects will be well designed and employ donor funds to unambiguously work with host communities to rebuild shattered lives. The Projects will be SMART, be preceded by comprehensive Risk Assessments with Mission, Mandate and Values at the core, and have a defined end-point. Others will not.

We hope the senior management of government donor organisations learn from recent history and resist the clarion call for ‘Whole of Government’ responses this time around. And if they fail we entrust the senior leadership of the larger humanitarian and development organisations to approach ‘opportunities’ to ‘fill the pipeline’ in Syria with a Risk Management approach. Millions depend on you to get it right.


If there are any questions arising from this post, please do not hesitate to do so in the comments section below. You are also invited to sign up for email notifications of future posts on this site.

RM4HD Email Subscription Form

Please enter details below.

Jakarta Election: Inequality Strikes Again

By | Indonesia and SE Asia | No Comments

“A Muslim may be the Mayor of London, but a Christian cannot be the Governor of Jakarta.” Popular belief

But is it that simple?

The result of the Gubernatorial election in Jakarta, 19 Apr 17 saw former Education Minister Anies Baswedan soundly defeat the sitting and highly regarded Governor Basuki Tjahaja Purnama, aka ‘Ahok’ to be the new Governor of Jakarta. There has been much attribution of this result to ungrateful, majority Muslim Jakartans foolishly falling in behind the dog whistling of the Islamists against the ethnically Chinese, Christian incumbent. This would be a false or at best incomplete attribution of responsibility for the result.

Jakartans are not dumb. Although the Islamic Defenders Front (FPI) can draw crowds and seemingly had their way in the election, to attribute the electoral thrashing of Ahok to creeping Islamism is like adding 1 and 1 and getting eleven. There is creeping Islamism, and there is lingering anti-‘Chinese’ sentiment and these no doubt played a part. However perhaps we may see these problems of Islamic conservatism and racism as symptoms of a more enduring problem. Inequality.

The World is becoming increasingly unequal, and people everywhere are angry

Pulling the lens back a bit, lets look at populist backlashes that have occurred recently in UK (Brexit), the US (Trump), the possible election of Le Pen as the French President, Australia, the popularity of Putin in Russia, and the list goes on. From the perspective of the comfortable middle class and social/cultural elite, poor people everywhere are seemingly voting against their own interests; voting for fundamentalists and crony capitalists, getting all patriotic and expressing fear and loathing of foreigners. The Jakarta election result fits this global pattern. The reason why a successful, hard working, uncorruptable, ‘doer’ like Ahok received his electoral thrashing is only tangentially relevant to his religion and ethnicity. Many Muslims voted for him, after all. But which ones?

He was over-whelmingly popular with the moneyed classes living in gated communities. Including Muslims and non-Chinese Indonesians. Under his stewardship, and his predecessor Jokowi they had witnessed a discernible improvement in air quality in Jakarta. They were excited at the prospect of proper, modern urban infrastructure; were delighted in the management of drainage that solved the cities annual flooding; and applauded the removal of unsightly and dangerous informal settlements to make way for better planned urban infrastructure. They were especially happy that he was seemingly uncorruptable. And among upper middle class and pluralist cultural elite of all races and religions, he was a vision of the increasingly bright, pluralist and progressive future awaiting Indonesia.

But the poor had other ideas. As did the remnants of the old New Order cadres, business elites and para-military thugs who stand to lose out if Indonesia finally began ascending the Transparency International league table. Oxfam summarises (in Feb 2017) the scale of the inequality challenge well:

The gap between the richest and the rest in Indonesia has grown faster in the past two decades than in any other country in South-East Asia. The four richest men in Indonesia now have more wealth than the poorest 100 million people. Inequality is slowing down poverty reduction, dampening economic growth and threatening social cohesion.

President Jokowi has made fighting inequality his administration’s top priority for 2017. This report shows how he could achieve this by enforcing a living wage for all workers, increasing spending on public services, and making big corporations and rich individuals pay their fair share of tax.

In an excellent article by Ian Wilson posted by New Mandala, the case is made that the recent Gubernatorial election in Jakarta was an opportunity for the poor to express their frustration. And they did, even if it meant a vote against Indonesia’s famous pluralism, and against a sitting Governor widely regarded as hard working, uncorruptible and effective in cleaning up one of the dirtiest cities in the world.

As the dust settles from this result, we wait and see if Jokowi can live up to his promise of being a reformist leader and bridging the inequality gap. But will he be allowed sufficient time and space by his political opposition to bring enough people onside before he is due for re-election in 2019?

Time will tell.

If there are any questions arising from this post, please do not hesitate to do so in the comments section below. You are also invited to sign up for email notifications of future posts on this site.

RM4HD Email Subscription Form

Please enter details below.

Risk Management and Staff Safety: Similar But Different

By | Book/Literature Reviews and Standards | No Comments

Risk Management versus Staff Safety

It is still common practice within the Humanitarian and Development sectors to misunderstand ‘Staff Safety and Security’ with ‘Risk Management’. This is understandable for a number of reasons. The field of Risk Management is still evolving. Also, the relatively high exposure to safety and security challenges faced by many organisations in the sector, combined with institutional inertia, mean that Staff Safety understandably has a higher profile and urgency than the adoption of modern Risk Management practice.

The main reason however is the evolution of organisations’ perception of the problem. Formerly, humanitarian operations conducted in areas of conflict could reasonably be understood to be impartial and neutral, demanding and achieving humanitarian space within which to serve the victims of the conflict. Having an ex-military Security Officer made perfect sense, as they could quite readily establish a rapport with armed groups in the area and assist in managing access. They could yell at people in emergencies and ‘get stuff done’. The ‘Security bloke’ profile was a good solution to that problem.

Late for Curfew? Drop and give me 20!

However, since the weaponization of development and humanitarian assistance from 2002 INGOs have been challenged mightily to create and maintain humanitarian space. Often they were working in the same village as the militaries of their donors who were conducting activities similar to those of NGOs for counter-insurgency reasons. There was a need to create and maintain space from all things militaristic. Hence we noticed over the years a move away from ‘Security Officers’ to ‘Safety Officers’, and from there to ‘Risk Manager’. However, it was usually the same guy; lots of pockets in his hard-wearing pants, dark sunglasses, a never-say-die demeanour, an ill-kept beard and tonnes of gadgets. He may indeed have been an excellent Risk Manager, if asked to perform in that role; but it hardly ever happened because all parties misunderstood the term.

After all, what everyone wanted was a MacGyver who was calm in an emergency, could communicate security concepts easily and did not fall asleep in long meetings. “But now we will call him a ‘Risk Manager’ and thus get our much needed security support while not alienating people inside and outside the organisation with a Security Officer”. Meanwhile, genuine risk management challenges remain unaddressed.

Safety, Security and Risk Management Officers are not the same person, and here is why.

Safety Officers – Assists management in the identification and remediation of non-man made hazards in the workplace. Sometimes also known as Occupational Health and Safety Officers, such a focal point will usually have under taken basic training in first aid and fire extinguishers, the need to place signs in hazardous areas, reporting of incidents, the conduct of evacuation drills, and the management of any other sector specific hazard. They are often dual hatted, with their safety role a secondary task.

Security Officers – Assists management in the identification and remediation of man-made threats to operations, from either outside or inside the organisation. Usually focussing on threats associated with, ‘men with guns and bombs’, ‘crime’, ‘KFR’ and ‘mobs’. They will usually bring their qualifications and experience with them from the military or police, ideally in the same context within which the country is operating. They will often assume the ‘Safety’ role described above.

Risk Managers – Assists management in the identification and remediation of ALL obstacles to project success, as well as identifying and exploiting any opportunities. A Risk Manager needs to be across all the organisational objectives and be able to think at least ‘one level up’. That is, if they are a Country Risk Management Officer they need to know and understand the operational and strategic imperatives at the Global or Regional level. The Risk Manager usually has come from within the organisation, and is sufficiently experienced to know and understand those parts of the organisation not his/her specialty. It is this experience that allows the Risk Manager to advise the Senior Management Team on the relative risk presenting itself to different parts of the organisation.

A Not Unprecedented Hypothetical Scenario

In the Office of the Country Director: The Safety Officer recommends that what remains of the budget should be spent on improved lighting for certain areas, a first aid course, and upgraded fire extinguishers. The need, he says, is urgent. Meanwhile the Security Officer (both of whom report to the Head of Admin who has a different barrow to push) argues the money should be spent on enhanced screening of visitors in the office, implementation of a CCTV network, and an extra staff member to watch the screen. The Finance manager intervenes with a plea for a proper safe, as the lockable cabinet is clearly insufficient (and he has not been able to maintain the attention and support of the Security or the Safety Officer). Meanwhile the Programme Manager insists that if she cannot get an extra staff member in to write new proposals there will be no new work in the pipeline and we can all get ready to pack up and go home. And so it goes. We’ve all been there before.

So how does our Country Director reconcile these competing demands? How does she compare apples with oranges in order to allocate scarce resources where they can have the greatest impact? She turns to her Risk Management Officer, asks for a copy of the [recently reviewed] Risk Assessment, passes her eye over the Risk Treatment Plan and allocates the remaining resources to the highest ranked risk mediation measures; instead of to the loudest and most persuasive voice in the room at that time.

This plan was not conjured out of thin air. The Risk Manager has spent his or her time consulting across, and up and down the organisation, conducting information gathering sessions (internally), and benchmarked across similar organisations doing similar things and facing similar challenges in the same place. All to produce a holistic risk assessment particular to that organisation, with those objectives in that place at that time. There is consensus across all units (Programme, Logistics, Admin, Finance, Security etc), everyone accepts their role in the plan and the Risk Manager follows up on behalf of the Country Director.

The profile of such a person? Young or old. Male or female. Probably university educated but not necessarily with sectoral experience (although it helps). Sufficient soft skills to manage emotionally charged meetings attended by stressed managers and practitioners. Process focussed yet with an eye for outcomes. Discretion and a sense of humour. It is possible to find all three roles in the same person, but not necessarily. And merely changing the title of your Security Officer does not make him/her a Risk Manager. And vice versa.

If there are any questions arising from this, please do not hesitate to do so in the comments section below. You are also invited to sign up for email notifications of future posts on this site.

RM4HD Email Subscription Form

Please enter details below.

Risk Management, Standards and Risk – A German Approach

By | Book/Literature Reviews and Standards | No Comments




At a time when submissions are being called for the update of global risk management standards (ISO 31000, globally adopted in 2009) it helps to ask, ‘how global was it, really? Where was it not adopted? Why not?’

Surprisingly, at least initially, one stand out was Germany. We ask ourselves three questions:

  1.  Why did the German Standards authority (DIN) decline to adopt the standard?
  2.  What can we learn from this to apply to the new Global Standards moving forward? and
  3.  Is there anything of relevance to the Humanitarian and Development sectors?

The German perspective is surprisingly relevant to the Humanitarian and Development sectors. As Prof. Dr. Udo Weis, Chairman of DIN (Deutsches Institut für Normung e.V) NA 175-00-04 AA elegantly argues in the interview conducted with TC262, there were two main objections within Germany to adoption of the global standard. The first from Industry and Labour groups, and the second from environmentalists.

But first a side note. In Germany, according to the Professor, the adoption of standards is a form of self-regulation by industry groups. But the stakeholders are much broader and all have a veto. Explicit consensus is a must and was not achieved for ISO31000; hence its non-adoption. Decision making is distributed and consensus based. Sound familiar? If there is anything that defines the internal management and external project work of Humanitarian and Development organisations is that leadership and management is diffuse, there is a strong emphasis on stakeholder engagement, and EVERYONE must be on board before a decision can be implemented.

Back to Germany. The framers of ISO 31000 ‘meant no harm’ when they argued that all aspects impacting on the organisational objectives must be considered, and relative merits balanced in order to achieve the ‘optimal’ result. But it raised more red cards in Germany than a rugby team attempting to play soccer. Staff safety and the environment are never compromised, therefore there can be no ‘balancing’. It is against the law, and in the opinion of RM4HD – rightly so. [Once again, sound familiar? How many times have we heard that ‘staff safety is paramount’ in Humanitarian and Development organisations?] Hence in Germany, the Labour and Industry groups vetoed adoption due to a concern that implementation would undermine the existing regime, enshrined in legislation of self-regulation of Occupational Health and Safety. Prof. Dr. Udo Weis’ summary of the objection by environmentalists speaks for itself, so I am just going to cut it out and paste it right here:

Also, the environmentalists vetoed. They feared that the wording “Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social protection and the protection of the natural Environment” would allow balancing to take place. It should be borne in mind that there are clear limits in the German environmental legislation. There was fear of opening the gates for subordination of environmental protection under financial conditions.

In short, one does not subordinate occupational health and safety and the environment to profit. The interview continues, and it is a good one. It is worth the time to read it.

A number of key points for consideration by risk management professionals in the Humanitarian and Development sectors, partly addressing the questions given above.

Firstly, the humanitarian and development sector professionals interested in Risk Management must move quickly to ensure that the ethics, ethos and values of Humanitarian and Development organisations are explicitly referred to and protected. A litmus test for success would be the adoption of the revised standard by the German mirror organisation, DIN. Last date for submissions is 25 Apr 17.

Secondly, the criticisms often made of management and decision making processes within Humanitarian and Development organisations may not be entirely fair. Or perhaps culturally blinded. Distributed stakeholders, cross-sectoral engagement, adherence to rules and process, protection of key values and consensus across disparate groups and interests can work. Last time I checked Germany was doing OK.

Thirdly, the good Professor’s wonderful quote at the bottom of the interview. “Bad managers manage problems; good managers manage risk.” It just may become my new motto.

In summary, there is a lot we in the Risk Management sector can learn from the German approach, particularly when it comes to the frameworks within which the environment is a stakeholder, flexibility is maintained, decisions are consensus based, ethos and values are protected, the job gets done and no-one gets killed.


Please visit the TC262 website to see what they are up to, and for more information on how to contribute to the global standard review process. Please see the link to the original article here. The text has been cut out and pasted below.

The work of the German organisation DIN may be visited here. We are grateful for the English language option, danke very much. Germans may also contribute to the evolution of Risk management standards in Germany – especially factoring in the needs of development work – by approaching DIN directly.

RM4HD Email Subscription Form

Please enter details below.

Risk Management and ISO 31000 in Germany

Interview conducted for isotc262.  with Prof. Dr. Udo Weis, Chairman of DIN NA 175-00-04 AA, the German mirror committee to ISO/TC 262

Prof. Dr. Udo Weis was trained as a chemist and later earned a MBA in international business. After working for over 15 years in industry, mostly for the electro technical company ABB as vice president for HSE and sustainability, he joined SRH University Heidelberg Heidelberg as a professor for business engineering. He is currently director of the Steinbeis Institute International business and Risk Management in Heidelberg, Germany and CEO of IFNEK GmbH. Prof. Weis has worked for over 25 years in several national and international standardization committees. Prof. Weis you are the chairman of DIN NA 175-00-04 AA, the German mirror committee to TC 262. Can you briefly introduce DIN, Deutsches Institut für Normung e.V., your national standardization organization in Germany, please?

Prof. Weis: DIN is a privately organized non-profit provider of standardization services with nearly 100 years’ experience. More than 32,000 external experts from industry, research, consumer protection and the public sector come together at DIN to develop market-oriented standards and specifications that promote global trade and innovations, assure efficiency and quality, and help protect the environment and society as a whole. More than 70 % of its financing comes from the sales of standards and other technical publications and services offered by Beuth Verlag who is responsible to publish DIN and ISO standards in Germany. Other sources include project funds from industry, public funding and membership fees. In Germany standardization is a form of self-regulation by industry. DIN did not adopt ISO 31000 as a national standard – what were the reasons and what does this mean for German organizations operating nationally and for those operating globally?

Prof. Weis: DIN´s nearly 100 years’ experience is based on several principles. For example, DIN tries to integrate all stakeholders into a consensual consensus in the decisions. On the other hand, DIN’s work also means that no decision can be taken against the explicit will of a stakeholder. Thus, each stakeholder has a veto right.
When the decision was taken whether to adopt ISO 31000 as a German standard, two stakeholder groups raised concerns.
One group objecting was the group were the occupational safety represenatives. One must be aware that occupational health and safety regulations in Germany have a tradition of more than 130 yearswith a system of self-administration of the enterprises, thus independent from government or other norms. There was concern that ISO 31000 might adversely affect the self-administration.
Also, the environmentalists vetoed. They feared that the wording “Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social protection and the protection of the natural Environment” would allow balancing to take place. It should be borne in mind that there are clear limits in the German environmental legislation. There was fear of opening the gates for subordination of environmental protection under financial conditions.
A similar discussion had already taken place when considering the adoption of the ISO 14000 series. In that case the industry saw advantages and a consensus formed for adoption. There was no comparable lobby for the risk management standard and therefore is was not adopted. What is the basis for risk management in Germany and what is its impact?

Prof. Weis: Risk management really has a broad basis in Germany. In particular, in the KonTraG, a framework law is in force, which obliges companies to assess, record, report, monitor and treat risks. In addition, the annual report of financial statements is a requirement by the tax and financial legislation. Accounting rules and other statutory regulations oblige almost every company to manage risk. Who are the key stakeholders of risk management in Germany?

Prof. Weis: That is a difficult question. As already indicated, risk management is everywhere – and nowhere.
Traditionally, and especially through the revisions of the management system standards, the protective functions in companies such as environmental protection, occupational health and safety, quality, data protection, etc. are the most active stakeholders of risk management. Risk management has also established itself in individual sectors for example in health and safety, health care and the financial sector. The different sectors often have their own models and rules. Unfortunately, these are specific solutions and lack a more comprehensive or company level approach. What are the biggest obstacles for integrating risk management in all organizational activities for managers in Germany?

Prof. Weis: There is a lack of a superordinated understanding of managing risks with specific and partial solutions instead. The nomenclature also plays a role. Contrary to the English-speaking countries, risk is negatively interpreted in the German language and German managers are afraid to deal with the dark side of the business – the risks. It would be easier to overcome these hurdles with formulations such as “positive risk” or “risk and opportunity”. An example is given here. For a long time, risk management in the hospital sector was an unloved child. Since it was renamed “patient safety”, a noticeable progress is apparent. ISO 31000 globally quickly became one of the bestselling and most well recognized standards in ISO. What do you think about the future of the standard – particularly in Germany – and how will it change to adapt to new challenges?

Prof. Weis: I see that the concerns raised by the environmentalists have given way to a more open understanding. One has learned that proactive handling and struggle for the best solution require compromises. The ISO 14000 series is established and environmentalists see the benefits. I expect to see the same with the progress of ISO 45000 for occupational health and safety. However, it should be noted that there is still concern that Germany’s strict national limits and established principles should not be softened by ISO 31000. All members in our national mirror committee  understand that risk has to be managed within legal and other requirements and want this clarified for all stakeholders.
Another point for me is the realization that the uncertainty continues to rise. Through the Internet of Things (IoT) and the increasing digitalization, we need a new approach to manage the challenges of the future and the associated risks. The ISO 31000 family provides the right solutions. What advice can you give to interested parties in Germany who want to offer their input to the work of ISO/TC 262 and DIN NA-175-00-04 AA and who should they address?

Prof. Weis: We are very happy to welcome further members to our mirror committee. In particular, insurance companies, the financial sector, internationally operating companies as well as experts from practice are very welcome. In particular, feedback on drafts are necessary support for the working group. Interested persons are invited to contact me directly or via DIN to indicate their desire to cooperate. Thank you very much!

Prof. Weis: I hope that in the future a saying will be more widely known: Bad managers manage problems; good managers manage risk.

We do not post blogs every day, or even every week. So if you are interested in semi-regular emails from this site as blogs are updated, please feel free to sign up below.

RM4HD Email Subscription Form

Please enter details below.

War on Drugs Indonesia Nigeria

By | Indonesia and SE Asia | No Comments

Proof, as if any more were needed, that no nation has ever or will ever solve its drug problem by shooting its most maligned and exploited victims – the mules. Luckily this time the mule was arrested before his flight to Indonesia where he almost certainly would have earned a death penalty had he been caught there instead.

How desperately poor do you have to be to swallow 1.2kg of hard drugs, only to excrete it at the end of a series of long distance flights? Why are these people executed or given lengthy sentences instead of supported in some way?

In his statement, according to the NDLEA, the suspect said he was offered the sum of $5,000 to smuggle drugs to Indonesia. “I am the only son of my parents. I wanted to invest the money in my clothes business and also commence preparation for my marriage in a bid to settle down,” Mr. Umeme said.

A 33-year-old Nigerian travelling to Soekarno-Hatta International Airport Jakarta, Indonesia, with narcotics has been arrested at the Murtala Mohammed International Airport, Lagos.

After he tested positive for narcotic ingestion, 89 wraps of narcotics found to be methamphetamine weighing 1.205 kilogrammes were recovered from him, the National Drug Law Enforcement Agency said in a statement on Saturday.

Read the complete, original article here.


ISO 31000 Revision for Humanitarian and Development

By | Book/Literature Reviews and Standards, Travel Safety and Duty of Care | No Comments

Since 2009 ISO 31000:2009 has been the defacto global standard for the majority of professional Risk Management practitioners, across all sectors, worldwide. In the humanitarian and development sectors, uptake of and adherence to industry standard Risk Management theory and practice has been held back by two issues:

  • Resistance to change. Not an uncommon phenomena in publicly funded, or not for profit outfits, and
  • A perception the standard only applies to ‘professional’, for profit businesses and not for NGOs and development organisations in complex environments.
[Nothing could be further from the truth, but we will get to that later.] There is not much we can do about the former. However the time is right for those interested in impacting on the perception of risk management internal to the sector, and the framing of the standard to include the demands of Humanitarian and Development organisations. So, here is a shout-out to all the typists out there willing and able to kick in and advocate for the sector via contributing the update of the standard.

The original call for public submissions went out a while ago, and we still have until late April to get our suggestions in. You can see the original post [courtesy of Alex Dali] and call for submissions on LinkedIn here.

RM4HD will be making its own submission and posting it in due course.

To contribute, here is the link

The draft guidelines can be found here.

Please do click on the link, add your comments, and for those in the sector now is our chance to include Risk Management for organisations:

  • Usually Headquartered in ‘safe’ countries,
  • Spend donor money, and do not make a profit,
  • Are staffed largely by idealists, and
  • Operate in areas where their home countries say people should not go, and hence invalidate the standard travel and work insurances, hazards are high, response capacity is low, and the pressure to perform is extreme.

The last chance to influence global Risk Management standards was over 8 years ago. Do not wait till next time.

We do not post blogs every day, or even every week. So if you are interested in semi-regular emails from this site as blogs are updated, please feel free to sign up below.

RM4HD Email Subscription Form

Please enter details below.


Managing Indonesian Climate Risk

By | Indonesia and SE Asia | No Comments

Some exciting potential developments in one of the most under reported of Indonesia’s renewable energy resources.

Indonesia could be home to new tidal energy projects under plans unveiled today by DCNS Energies and PT AIR.

During a visit to Indonesia by the French President, François Hollande, the firms signed a Letter of Intent that will see them combine their complementary skills and capabilities to analyze and assess the commercial and economic conditions required to build a tidal energy industry. This will allow the two partners to develop a roadmap to ensure the creation of a sustainable Indonesian tidal industry.

DCNS Energies said it will bring its expertise in the development of marine renewable energy projects along with the experience of its subsidiary OpenHydro, the tidal technology company, in designing, manufacturing and installing tidal turbines in various maritime environments. PT AIR will bring its knowledge of the Indonesian tidal environment and of local development process and stakeholders.

“Over the last two years, we have been working closely with PT AIR to assess the most suitable sites for the development of tidal energy projects in Indonesia,” explained Hervé Guillou, CEO of DCNS group. “Today’s signing of the Letter of Intent, is a further step in our cooperation that will allow us to structure our organizations and industrial plans for the creation of a tidal industry in the country, with a high level of local manufacturing content”.

Panji Adhikumuro Soeharto, President Director at PT AIR, added: “Our ambition is to build a local tidal industry with economic and social benefits for Indonesia. In that purpose, our cooperation with DCNS Energies will be a serious asset to convince Indonesian authorities that thanks to its regularity and predictability, tidal energy is an investment that will contribute to fulfill Indonesia’s renewable energy targets as a maritime country”.


Original article: Water Power Magazine

Duty of Care

By | Travel Safety and Duty of Care, Updates from the Field | No Comments

Update March 28, 2017: The United Nations peacekeeping mission in the Democratic Republic of Congo, MONUSCO, confirmed on March 28, 2017, that the bodies of Zaida Catalán, a Swede, and Michael Sharp, an American, were found by UN peacekeepers near Bunkonde in Kasai Central province on March 27.