Security Policy

Global Security Framework

The NGO, through our advocacy and activities globally, aims to raise awareness about the importance of women's sexual health, to promote policies that support women's access to quality healthcare, and to advance the rights and well-being of women worldwide. To achieve our aim and to protect our assets, our actions and plans are based on, and guided by, our Security Policy.

This security policy documentoutlinesthe measures, protocols, and guidelines that the NGO will undertake to ensure the safety and security of its assets, employees, and stakeholders. The document is designed to provide the basis for a comprehensive and effective framework for managing security risks and threats, and to ensure that the organization is prepared to respond to any security incidents that may occur.

The security policy document providesguidanceon a range of security issues. Itoutlinesthe roles and responsibilities of different stakeholders, including security personnel, employees, and third-party partners, and specifies the procedures and protocols that they are expected to follow.

This security policy document is a critical component of our security strategy, as it provides a clear and consistent framework for managing security risks and threats. By implementing the measures and protocols outlined in the document, we can ensure that assets, employees, and stakeholders are protected from harm and that we can respond effectively to any security incidents that may occur.

B-1

Annex B

This document supports and is part of theGlobal Security Framework(GSF) that consists of policies, protocols, an Essential Security Plan (ESP) and a Resource planning section, as illustrated in Figure 1.

Figure 1 - The Global Security Framework (GSF)

The GSF is our basis and framework for our security management approach to a complex and challenging risk landscape, and the essential foundation component of our overall strategic, tactical, and operational planning. The security policy, GSF, ESP, and associated plans, protocols and procedures are to be followed by all NGO staff, employees, venture, and contractor partners, and are subject to regulatory management for compliance and audit by the NGO Compliance Team.

B-2

Annex B

Introduction and Policy Purpose

NGOs have to work in risk locations for a variety of reasons. Firstly, NGOs often operate in areas where there is a high level of need for humanitarian or development assistance, such as in conflict zones or in areas affected by natural disasters. These locations may be inherently dangerous due to ongoing violence, instability, or lack of basic infrastructure and services, which can pose significant risks to the safety and security of our staff. We need to plan for operating in challenging locations because we believe in having a positive impact on the global female community. We want to support marginalized or vulnerable populations who are particularly affected by conflict, natural disasters, or poverty. In these cases, we need to consider additional risks to ensure that we can provide critical support and assistance to thosewho need it most. We have a moral obligation to support women's sexual health andwellbeing and to advocate for human rights and social justice in areas where these are under threat. In such cases, we may need to face additional risks to ensure that we can fulfil our mission and contribute to positive social change.

The NGO is a member of Accountable Nowand as such has signed up to that organization's12 Commitmentswhich encompass our core behaviours and expectations.

B-3

Annex B

Figure 2: The 12 Commitments (https://accountablenow.org/)

Because we work in countries with differing security environments, we have a duty of care to keep our team members safe and secure. Effective security and safety management plans, policies and processes, effectively managed and implemented, allow us to deliver our services in benign and hostile environments. The purpose of the Policy is to support our team members to deliver sexual and reproductive health services across the world, while minimising the risks to individuals and the organisation.

Scope

The Security Policy laid out in this document applies globally to all team members, country programmes and dependents of international assignees.

Our Risk Tolerance

The NGO is not risk-averse; because of the nature of our business we must be prepared and capable in managing risk and its consequences rather than allowing those risks to halt our activities. Risk tolerance does not mean that we accept all risks and dangers, but that we recognise that these are inevitably linked to our work; and that where possible our work must continue in areas and times of need.

Our mission, services and operating locations inherently involve risk exposure and threats of various types and at different levels. When risk exposure is extreme, the physical impact on our team members may be significant and potentially fatal. Naturally, this does not mean that we tolerate such risks as a routine approach; and our risk decisions will always take account of our mission and programme objectives, as well as the impact of other strategic factors (e.g. impact of key relationships, donor interests). Most importantly we must consider the safety and security of our people and of those that we seek to help and support.

When Sexual and Reproductive Health unmet needs are high, we may accept a higher level of risk; with additional and commensurate risk mitigations in place before committing assets'on the ground'. However, when working in situations that are difficult to interpret, unpredictable and highly volatile, we may not accept a higher level of risk. Our risk owners, the Executive Team, will decide on a case-by-case basis whether the specific programme objectives and intended outcomes justify accepting the assessed level of risk. Such decisions will consider all of the general mission requirements and aims of the NGO as well as the general, specific and current intelligence and risk information from verified and reliable sources that will allow them to take and direct informed actions.

It should be clearly understood, therefore, that we are neither uniformly risk tolerant or risk- averse, but rather we take an informed and dynamic approach to risk management based on multiple, sometimes competing and challenging influencing factors. Our focus will always be to protect our people primarily, and our assets, through risk mitigation, keeping our risks as

B-4

Annex B

low as reasonably practicable. 'Practicable' is not interchangeable with 'possible'; whichmeans that although in some situations reducing risk to the lowest possible level may be an option, it may affect our practicable ability to complete the mission. In such cases, the decision-making process based on effective information flow and communication are essential for success. Our detailed consultation and communication plans are designed to ensure that decision processes are timely and as fully informed as they can be.

Our Security Strategies in the Humanitarian Settings

Protectionis our primary security strategy. We will put in place protective physical, personal, information and governance measures when required to ensure that risks are mitigated tothe lowest practicable level. The risks to our personnel are not confined to 'in-country'activity, although that is the main focus of our overall security strategy. Therefore, we take a holistic view with the understanding that risks can be physical or virtual and that security breaches that do not directly involve deployed and in-country personnel can have significantdamaging impacts. Therefore 'protection' can involve risks from cyber and informationmanagement issues to those from violence or natural disasters.

We seek to maximise acceptance from the communities in the areas of our programme operations by maintaining transparent, dignified and respectful relations with them. As such our secondary security strategy is to gainAcceptancefrom not only the communities that we support but also their local, regional and national governments, agencies, businesses and influencing actors. However, this acceptance can rarely be gained or guaranteed from all of the stakeholders mentioned or at all levels, which requires us to adopt other, additional and supplementary security strategies. These may be used in isolation but in most cases will be part of a multi-level approach to meet the risk and dynamic and local, current challenges.

Low-profileactivity is our tertiary security strategy. In general, we will only conduct high profile operations when Acceptance and Protection are in place and guaranteed to acceptable risk levels. The maintenance of low-profile approaches can avoid drawing unwanted attention from armed groups, criminals, or other actors who may perceive us as a threat or target. By not taking a high-profile approach, we can avoid being perceived as taking sides in a conflict or being aligned with a particular political agenda. This can help to build trust with all parties involved and complement the Acceptance strategy. A low-profile approach can also help us to gain access to hard-to-reach areas or communities that may be sceptical about external aid.

Our fourth and final level of approach isDeterrence, used when we cannot gain acceptance, cannot protect ourselves and are actively targeted. We will always seek non-armed deterrence options first. When working in conflict locations, we seek to obtain negotiated access from key actors in a conflict. However, this is not always possible, and we may choose to work in areas where that access and acceptance is not guaranteed. Because of this there may be a need to ensure that potential adversaries will perceive the risk of targeting us to

B-5

Annex B

outweigh the potential rewards. Deterrence is our final layer of strategy as it does acknowledge that our people will be operating in potentially dangerous situations. Decisions on taking the Deterrence approach will be heavily dependent on thorough risk assessment and careful consideration, as it raises our profile and therefore has the potential in itself to draw attention to our activities.

Armed Security

Where we are explicitly targeted or threatened, programme activities and presence in the area may be reduced or ceased. Only where the Deterrence strategy level is in place would we be seeking to use high profile protection, including armed security. In order not to associate ourselves with any armed group or with the use of violence we do not normally use armed guards, armed escorts and armed protection of transport, residences or other premises. We will not participate in armed or military convoys or use the services of any armed forces-including government or non-government armies, UN bodies, militias or armed private security services. Also, we will not accept the integration of military personnel on humanitarian mission into our programmes or the transportation of military personnel (armed or unarmed) in our vehicles or premises, unless injured and thus non- combatants.

Although this is our policy approach and preference not to operate in armed, military or similar support contexts we recognise that in exceptional circumstances there will be some compromise necessary in order to meet our primary Protection strategy or Deterrence profile. The decisions to use such armed support will only be approved by the Executive Team based on advice and requests from country teams and careful consideration of the risk impacts.

Threat Levels

We use a threat level system to fully identify the threats in each country programme. This allows our people in all areas of the NGO to have a clear indication of the risk type and the assessed reason for the allocation to a particular level. The allocation of a level is used to inform our planning and implementation of safe and security activity.

There are 5 threat levels:

Very Low

Low

Medium

High

Very High

Each characterises the level of threat in a country or in parts of a country based on the following key factors:

1. Crime risk (physical harm, assault, robbery, rape, murder, burglary, theft,B-6

Annex B

vandalism, fraud, embezzlement, information, scams, and identity theft)

Terrorism risk

Travel risk (travelling to, from and within countries)

Conflict risk (collateral damage, war crimes, targeting vulnerable groups and

civilians)

Political and ideology risk (regime change, opposition, or hostility towards our

mission or those we support)

Abduction risk

Natural disaster risk

Health and disease risk

Threat local and contract information and intelligence analysis, and approved by the Country Director, Global Security, and the Regional Director. Countries will be assessed for their threat level and those that are assessed to be at High or Very High threat level must complete threat level exercises for their geographic operational locations. This means that the full and detailed assessments for the impact of threats on our people and assets are to be conducted by Global Security, who are to recommend action to the Executive Team and prepare deploying and deployed personnel for operations in the affected environments. Our threat levels are used for internal communication and understanding. Whilst they are validated against UN, government and private intelligence organisations, they are not linked to them and neither support nor endorse the policies or methods of those entities This is to ensure independence and to reflect our specific concerns rather than wider national and generic threats.

Duty of Care

For us, Duty of Care refers to the legal obligation of an individual or organization to take reasonable measures to prevent harm or injury to others. It is a common law concept that is based on the principle that everyone has a responsibility to ensure that their actions, or lack of action, do not cause harm to others. In order to meet their duty of care, individuals and organisations must take reasonable steps to identify and address any potential risks or hazards that may cause harm to others. This includes providing appropriate training and supervision, maintaining safe and secure activities, and ensuring that products and services are safe and fit for purpose. To ensure that we fully achieve our legal duty of care across our range of activities, we are committed to providing differing levels of safety and security management for different duty bearers.

The Executive Teamsets the duty of care policy through the Global Security Framework, all branches, subsidiaries and affiliates are required to provide the duty of care as described below:

International and national team members

B-7

levels are determined through a threat level template which is completed based on

Annex B

As an organisation we commit to inform team members of threats and measures to prevent and mitigate risks. We will inform team members of their safety and security responsibilities and obligations.

We will manage the safety and security of team members working in their home environments during working hours.

We will manage the safety and security of team members working internationally during and outside of working hours.

We will provide robust security measures and where appropriate and possible, insurance.

We will provide International Assignee team members with pre- and post- deployment medicals (physical, resilience and travel health consultations).

We will provide all team members with access to psychosocial support following traumatic incidents.

We will provide access to threat level appropriate safety, security and first aid training.

We will ensure that all team members are able to freely decline the risk entailed in a country programme, when they feel that the work poses an unreasonable level of risk, by asking to not travel to a country programme, not travel to areas within the programme, or be withdrawn from an area or a country programme. However, if the risks are constant, or personal withdrawal is likely to be frequent or long- term, we will undertake a review between the team member and their line manager to determine an appropriate course of action which could include assessment as to whether employment in that position should continue, in line with organisational procedures.

The use of armed guards, armed escorts and armed protection may be considered in certain exceptional situations and in line with our Protection and Deterrence risk strategy options. These exceptions must be approved by the Director International Operations and only on the authority of the Executive Team. Country Directors may authorise the short-term use of armed protection without Director International Operations approval ONLY in situations where there is an immediate threat to the safety of team members and where armed protection is necessary to avoid violence or physical harm to team members and where prior approval not possible due to the nature of the circumstances.

Consultants and Individual Contractors(CIC)B-8

Annex B

As an organisation we commit to assessing the safety and security management capabilities of CIC; and where capacity or capability is low, provide appropriate travel briefings, guidance and support. We will provide a Welcome Pack to all CIC travelling to our programmes and inform them of recommended and required safety and security training.

Sub-awardees

As an organisation we commit to conducting a rapid due diligence review of safety and security policies, protocols and practices of potential sub-awardees prior to contractual agreement ensuring that contracts with sub-awardees clearly explain the necessity for appropriate safety and security policies, protocols and practices.

Donors

As an organisation we commit to understanding donor duty of care requirements and implementing the necessary procedures and mitigations to achieve the requirements

Roles and Responsibility

To ensure that this Policy is effectively implemented and that we are compliant with all legislative and duty of care requirements and obligations the responsibilities for security and risk management within the organisation follow.

Country Directorsare responsible for:

Ensuring that the programme fully meets duty of care requirements and operates in accordance with the Global Security Framework

Maintaining an up-to-date Essential Security Plan (ESP)

Meeting the minimum security standards specified in their country and as detailed

in their ESP.

Resourcing safety and security activities, including personnel and equipment

through appropriate identification of need and utilizing organisational funding

applications.

Ensuring all team members and visitors are briefed on context, threats, and security

rules within 24 hours of arrival or employment.

Ensuring all team members in Very High threat level countries are briefed on and

complete proof of life forms.

Reporting all security incidents and 'near-miss' incidents in accordance with the

Security Incident Reporting Protocol (SIRP)

Regional Directorsare responsible for ensuring the region fully meets duty of care requirements and operates within the Global Security Framework

Global Securityare responsible for:

Maintaining and updating the Global Security Framework

B-9

Annex B

Disseminating the Global Security Framework to all support offices and country programmes

Providing security technical assistance to country programmes

Ensuring all team members and visitors to High and Very High threat level countries

are briefed on security risks pre and post travel.

Ensuring all team members visiting Very High threat level countries (and where the

abduction threat is considered highly elevated) are briefed on and complete proof

of life forms.

Setting and assessing minimum security standards

International Programmes Support Directoris responsible for:

Ensuring that the Global Crisis Management Team is convened as necessary.

Reducing, suspending, or terminating programme activities when safety and security risks are considered too high or if risk minimising measures are considered

unacceptable.

Director International Operationsis responsible for deciding when team members can return after an international evacuation based on intelligence, advice and guidance from Global Security

Evacuation

All team members that are not in their country of origin or at their normal duty station are entitled to evacuation and support for that evacuation until returned to a place of safety. The decision to evacuate is binding for all team members entitled to evacuation. If any of these team members refuse to evacuate, they do so on the understanding that their employment contract is immediately terminated, and the organisation no longer has a duty of care to that team member.

The decision to evacuate can be made by a Line Manager in that location, the Country Director, the Regional Director, Director International Programme Support Director or the Director International Operations The decision to evacuate cannot be overruled by line management, except where the more senior line manager determines that the evacuation would expose the team to greater danger than remaining in the current location.

The evacuation of team members at their normal duty station will only be considered in cases where their work has placed them in danger and is at the discretion of the Country Director.

Where an evacuation is deemed necessary but there is no possibility of evacuating all team members, those who are deemed to be at the highest risk will be given priority, based on a recorded risk assessment by the Country Director.

Team members may only return to an area post-evacuation following a full security risk assessment and on receipt of an updated Essential Security Plan. The decision to return after

B-10

Annex B

a domestic relocation is made by the Country Director. The decision to return after an international evacuation is made by the Director International Operations

Abduction

The Global Crisis Management Team provides advice and expertise in the handling of abduction guided by the primary objectives of ensuring the safety of the individual abductees and their release.

Global Security promotes preventive measures and means in high threat areas.

We will not pay ransoms or concede to other demands from groups that threaten employees in order to obtain the release of abducted team members.

We will not facilitate ransom payments on behalf of others, including family members.

Policy Statement

The following statement affirms that this Policy applies to the NGO and is applicable throughout, and that detailed plans are the responsibilities of the nominated levels and roles throughout the organisation:

"This Policy applies to the NGO and is applicable throughout. It is the responsibility of all employees, volunteers, and stakeholders to adhere to the principles and guidelines outlined in this Policy.

Detailed plans for the implementation of this Policy, including specific responsibilities and timelines, will be developed by the nominated levels and roles throughout the organisation. Each level and role has a duty to ensure that their specific responsibilities are met in accordance with this Policy."

B-11

Using the above annex information regarding an NGO can you carryout a compare and contrast exercise against the ISO31000:2018 and COSO risk management framework.

please include the following:

question: Demonstrate the use of ISO 31000 risk management principles in a Security Risk Management context within an organisation (NGO above)

should contain the following importance of a risk management structure, strategy and process is well expressed with the effectiveness and reasons for its use given with working examples. An effective evaluation of the links between the ISO framework and security risk management needs for the NGO has been conducted