SRMC LEVEL 6 Annex A to ATHE Level 6 Award in Security Risk Management Consultancy Related Units Unit 1 - Security Risk Management Frameworks Unit 2 - Security Consultancy Process Unit 3 - Travel Risk, Journey Management and Evacuation Planning Unit 4 - Organisational Resilience Unit 5 - Information and Cyber Security Unit 6 - Crisis Capability & Response Unit 7 - Organisational Behaviour & Management Scope of Work The Organisation The NGO is an international social business and charity providing safe abortion and contraception services to millions of women every year worldwide. Our goals are to eliminate needless death and disability due to unsafe abortion and to provide access to contraception to the more than 214 million women worldwide who want to use contraception but cannot access it. We have offices in 37 countries and provide services in a diverse range of countries from here in the UK to high threat environments like Afghanistan, Pakistan, Yemen and fragile states across Africa and Asia. Security Risk Requirement We take the security of our 12,000+ employees globally very seriously. Our activities entail risks, and we are seeking a security partner who can support our work with pragmatism and an appreciation of the environments where we work. We wish to award a long-term contract to an established risk and security firm that has significant experience in working in fragile states and working with not-for-profit and local organisations. We would expect these services to adequately address the following critical risk areas as minima: 1. Design, planning, implementation, and support to risk mi ion for staff who travel internationally (either from our London support team or our regional locations) to provide technical assistance to our country programmes or attend international conferences and meetings. This will include: a. Sourcing and providing regular, current, and accurate updates on security situations affecting our country programmes to inform the approval of team member travel and itineraries, and to inform travelers of risks. . The design and delivery of travel safety and security training for all staff with travel responsibility SRMC? LEVEL 6 Annex A to ATHE Level 6 Award in Security Risk Management Consultancy SRMC? LEVEL 6 Annex A to ATHE Level 6 Award in Security Risk Management Consultancy 2. Design, implementation, monitoring, and maintenance of risk mitigation in supporting staff serving on long term assignments in country programmes and our senior national staff (including national Country Directors). Our in-country leadership, both nationals and expatriates, face diverse security risks based on the nature of our work and the wider risks from crime that are prevalent in some locations. They also sometimes receive threats to their security associated with investigations they are pursuing into employee misconduct, fraud, and bribery. The risk mitigation measures would include but not be limited to: a. Briefings for our staff pre-assignment or in-country on personal security and awareness. This will include not only requirements for taskings and work- related activities but also security in domestic and off duty locations and during leisure time. Implementation, management, and response services for 24/7 global emergency contact support system Planning, implementation and management of the provision and support for international medical and travel insurance for travelling staff. Design, implementation, monitoring and maintenance of risk mitigation in supporting all countries to maintain relevant and current security plans for country operations. Mitigations will be focused on planning for and ensuring accountabilities for security protocols and pragmatic action plans to react to security events. These will include but not be limited to: a. Hibernation protocols b. Emergency contact and communication systems, c. Responses to political violence, civil unrest, and terror events shock, such as a political coup or election violence. This provision will be based on the establishment and resourcing of appropriately trained, equipped, and supported response personnel and functions, available on a 24/7 basis to match our global requirements across varied and multiple time zones, Provision of risk mitigation and wider organizational risk advice in relation to these specific security challenges: Information and cyber security Organisational resilience risks including business continuity, incident, and crisis management. Economic, fraud and financial risk Physical and protective security for high-risk senior teams Strategic risk assessments on new country entry (or entry into new regions within a country) Governance, compliance risk implications of CSR and ESG impacting activities. g. Insider and personnel security risks 6. Undertaking a complete review of our current security framework, protocols, and processes to ensure that they are robust, flexible, practical, and appropriate for our working environments and culture of the organization. The review will provide evidenced based recommendations for improvement and a framework for the successful provider to undertake further development of revised strategies, plans and protocols for the NGO's security and risk capability. d. Natural disasters and climate events Risk Compliance NGOs have a number of risk and compliance requirements that we must follow in order to maintain our status as a non-profit organization and comply with legal and regulatory The selected partner wil be reqiredto enstre that Country Directors are kept frameworks. The successful partner will ensure compliance in the following areas: proactively updated about evolving threats and advised on relocation, evacuation or other responses commensurate to risks, threats and impacts. Management information and update activities will also include advice to our in- country security advisors (located in about 40% of our countries) to ensure they are current and activities they undertake. informed, and to improve the quality of their contribution to the country programme. 1. Legal compliance: NGOs must comply with all applicable laws and regulations related to their operations, including tax laws, employment laws, and laws governing the Financial management: NGOs must maintain accurate financial records, prepare Provision of direct risk management and resolution actions in situations of acute regular financial statements, and ensure that their funds are used for the intended crisis, including staff kidnapping, medical emergency or terror attack, or external purposes. SRMC? LEVEL 6 Annex A to ATHE Level 6 Award in Security Risk Management Consultancy 3. Anti-fraud measures: NGOs must have internal controls in place to prevent and detect fraud, including policies and procedures for handling cash and financial transactions. . Transparency and accountability: NGOs must be transparent about their activities and finances, and must be accountable to their stakeholders, including donors, beneficiaries, and the general public. Risk management: NGOs must identify and manage risks associated with their activities, including risks related to safety, security, and reputational damage. Data protection: NGOs must comply with data protection laws and regulations, including protecting the personal data of their beneficiaries, staff, and other stakeholders. Ethical conduct: NGOs must maintain high ethical standards and avoid conflicts of interest, including ensuring that their activities do not support terrorism, money laundering, or other illegal activities. These are just some of the risk and compliance requirements that NGOs must adhere to. The specific requirements may vary depending on the country and activities undertaken. Consultancy Attributes To meet the risk mitigation needs we require the selected provider to demonstrate the following attributes: 1 Experience and expertise: The security consultancy firm should have experience in providing security services to NGOs and a proven history of success in implementing security programs in high-risk environments. Multidisciplinary team: The security consultancy firm should have a team of professionals with diverse expertise, including security risk assessment, crisis management, training, and technology. Adaptability and flexibility: The security consultancy firm should be able to adapt its services to the specific needs and context of the NGO, including the type of programmes, the geographical location, and the local culture. Understanding of NGO operations: The security consultancy firm should have a deep understanding of the operational constraints and challenges faced by NGOs and be able to provide tailored security solutions that fit our needs. . Strategic thinking: The security consultancy firm should be able to provide strategic guidance to us on security risk management and develop long-term security plans that align with the organization's objectives. SRMC? LEVEL 6 Annex A to ATHE Level 6 Award in Security Risk Management Consultancy 6. Availability and responsiveness: The security consultancy firm should be available 24/7 to respond to security incidents and provide timely support and advice to us. Accountability and transparency: The security consultancy firm should adhere to high ethical and professional standards and be transparent in its communication with us on all risk and security matters. Training and capacity building: The security consultancy firm should have experience in providing training and capacity building programs to NGO staff on security risk management, crisis management, and emergency response. Technological proficiency: The security consultancy firm should be proficient in the use of technology to support security operations, such as risk management software, crisis management tools, and security monitoring systems. . Cost-effectiveness: The security consultancy firm should provide cost-effective solutions that maximize the NGO's resources while maintaining exacting standards of security. SRMC LEVEL 6 SRMC LEVEL 6 Annex B to ATHE Level 6 Award in Security Risk Annex B to ATHE Level 6 Award in Security Risk Management Consultancy Management Consultancy Related Units This document supports and is part of the Global Security Framework (GSF) that consists of Unit 1 - Security Risk Management Frameworks policies, protocols, an Essential Security Plan (ESP) and a Resource planning section, as illustrated in Figure 1. Unit 2 - Security Consultancy Process Unit 3 - Travel Risk, Journey Management and Evacuation Planning Unit 4 - Organisational Resilience Unit 5 - Information and Cyber Security Policies Protocols ESP Resources Unit 6 - Crisis Capability & Response Unit 7 - Organisational Behaviour & Management Emergency Number Essential Security Security Manager Resources Package Guidance Security Policy Security Crisis Management Policy Minimum Global Security Framework mme Security Standards Evacuation ESP Templates: The NGO, through our advocacy and activities globally, aims to raise awareness about the Welcome Pack Repatriation of Training Importance of women's sexual health, to promote policies that support women's access to Deceased Threat Levels Materials quality healthcare, and to advance the rights and well-being of women worldwide. To achieve Context Analysis our aim and to protect our assets, our actions and plans are based on, and guided by, our Psychosocial & Team Risk Assessment Member Care Standard Operating Security Policy. Job Security Code Procedures Frameworks This security policy document outlines the measures, protocols, and guidelines that the NGO of Conduct security Incident Contingency Plan Reporting will undertake to ensure the safety and security of its assets, employees, and stakeholders. Crisis Management The document is designed to provide the basis for a comprehensive and effective framework Plan Guidance Abduction Protocol Documents for managing security risks and threats, and to ensure that the organization is prepared to respond to any security incidents that may occur. The security policy document provides guidance on a range of security issues. It outlines the roles and responsibilities of different stakeholders, including security personnel, employees, and third-party partners, and specifies the procedures and protocols that they are expected Figure 1 - The Global Security Framework (GSF) to follow. The GSF is our basis and framework for our security management approach to a complex and This security policy document is a critical component of our security strategy, as it provides a challenging risk landscape, and the essential foundation component of our overall strategic, clear and consistent framework for managing security risks and threats. By implementing the tactical, and operational planning. The security policy, GSF, ESP, and associated plans, measures and protocols outlined in the document, we can ensure that assets, employees, and protocols and procedures are to be followed by all NGO staff, employees, venture, and stakeholders are protected from harm and that we can respond effectively to any security contractor partners, and are subject to regulatory management for compliance and audit by incidents that may occur. the NGO Compliance Team. B-1 B-2SRMC? LEVEL 6 Annex B to ATHE Level 6 Award in Security Risk Management Consultancy Introduction and Policy Purpose NGOs have to work in risk locations for a variety of reasons. Firstly, NGOs often operate in areas where there is a high level of need for humanitarian or development assistance, such as in conflict zones or in areas affected by natural disasters. These locations may be inherently dangerous due to ongoing violence, instability, or lack of basic infrastructure and services, which can pose significant risks to the safety and security of our staff. We need to plan for operating in challenging locations because we believe in having a positive impact on the global female community. We want to support marginalized or vulnerable populations who are particularly affected by conflict, natural disasters, or poverty. In these cases, we need to consider additional risks to ensure that we can provide critical support and assistance to those who need it most. We have a moral obligation to support women's sexual health and wellbeing and to advocate for human rights and social justice in areas where these are under threat. In such cases, we may need to face additional risks to ensure that we can fulfil our mission and contribute to positive social change. The NGO is a member of Accountable Now and as such has signed up to that organization's 12 Commitments which encompass our core behaviours and expectations. Y PR & ) e SRMC? LEVEL 6 Annex B to ATHE Level 6 Award in Security Risk Management Consultancy Figure 2: The 12 Commitments (https://accountablenow.org/) Because we work in countries with differing security environments, we have a duty of care to keep our team members safe and secure. Effective security and safety management plans, policies and processes, effectively managed and implemented, allow us to deliver our services in benign and hostile environments. The purpose of the Policy is to support our team members to deliver sexual and reproductive health services across the world, while minimising the risks to individuals and the organisation. Scope The Security Policy laid out in this document applies globally to all team members, country programmes and dependents of international assignees. Our Risk Tolerance The NGO is not risk-averse; because of the nature of our business we must be prepared and capable in managing risk and its consequences rather than allowing those risks to halt our activities. Risk tolerance does not mean that we accept all risks and dangers, but that we recognise that these are inevitably linked to our work; and that where possible our work must continue in areas and times of need. Our mission, services and operating locations inherently involve risk exposure and threats of various types and at different levels. When risk exposure is extreme, the physical impact on our team members may be significant and potentially fatal. Naturally, this does not mean that we tolerate such risks as a routine approach; and our risk decisions will always take account of our mission and programme objectives, as well as the impact of other strategic factors (e.g. impact of key relationships, donor interests). Most importantly we must consider the safety and security of our people and of those that we seek to help and support. When Sexual and Reproductive Health unmet needs are high, we may accept a higher level of risk; with additional and commensurate risk mitigations in place before committing assets 'on the ground'. However, when working in situations that are difficult to interpret, unpredictable and highly volatile, we may not accept a higher level of risk. Our risk owners, the Executive Team, will decide on a case-by-case basis whether the specific programme objectives and intended outcomes justify accepting the assessed level of risk. Such decisions will consider all of the general mission requirements and aims of the NGO as well as the general, specific and current intelligence and risk information from verified and reliable sources that will allow them to take and direct informed actions. It should be clearly understood, therefore, that we are neither uniformly risk tolerant or risk- averse, but rather we take an informed and dynamic approach to risk management based on multiple, sometimes competing and challenging influencing factors. Our focus will always be to protect our people primarily, and our assets, through risk mitigation, keeping our risks as B-4 SRMC? LEVEL 6 Annex B to ATHE Level 6 Award in Security Risk Management Consultancy low as reasonably practicable. 'Practicable' is not interchangeable with 'possible'; which means that although in some situations reducing risk to the lowest possible level may be an option, it may affect our practicable ability to complete the mission. In such cases, the decision-making process based on effective information flow and communication are essential for success. Our detailed consultation and communication plans are designed to ensure that decision processes are timely and as fully informed as they can be. Our Security Strategies in the Humanitarian Settings Protection is our primary security strategy. We will put in place protective physical, personal, information and governance measures when required to ensure that risks are mitigated to the lowest practicable level. The risks to our personnel are not confined to 'in-country' activity, although that is the main focus of our overall security strategy. Therefore, we take a holistic view with the understanding that risks can be physical or virtual and that security breaches that do not directly involve deployed and in-country personnel can have significant damaging impacts. Therefore 'protection' can involve risks from cyber and information management issues to those from violence or natural disasters. We seek to maximise acceptance from the communities in the areas of our programme operations by maintaining transparent, dignified and respectful relations with them. As such our secondary security strategy is to gain Acceptance from not only the communities that we support but also their local, regional and national governments, agencies, businesses and influencing actors. However, this acceptance can rarely be gained or guaranteed from all of the stakeholders mentioned or at all levels, which requires us to adopt other, additional and supplementary security strategies. These may be used in isolation but in most cases will be part of a multi-level approach to meet the risk and dynamic and local, current challenges. Low-profile activity is our tertiary security strategy. In general, we will only conduct high profile operations when Acceptance and Protection are in place and guaranteed to acceptable risk levels. The maintenance of low-profile approaches can avoid drawing unwanted attention from armed groups, criminals, or other actors who may perceive us as a threat or target. By not taking a high-profile approach, we can avoid being perceived as taking sides in a conflict or being aligned with a particular political agenda. This can help to build trust with all parties involved and complement the Acceptance strategy. A low-profile approach can also help us to gain access to hard-to-reach areas or communities that may be sceptical about external aid. Our fourth and final level of approach is Deterrence, used when we cannot gain acceptance, cannot protect ourselves and are actively targeted. We will always seek non-armed deterrence options first. When working in conflict locations, we seek to obtain negotiated access from key actors in a conflict. However, this is not always possible, and we may choose to work in areas where that access and acceptance is not guaranteed. Because of this there may be a need to ensure that potential adversaries will perceive the risk of targeting us to B-5 SRMC? LEVEL 6 Annex B to ATHE Level 6 Award in Security Risk Management Consultancy outweigh the potential rewards. Deterrence is our final layer of strategy as it does acknowledge that our people will be operating in potentially dangerous situations. Decisions on taking the Deterrence approach will be heavily dependent on thorough risk assessment and careful consideration, as it raises our profile and therefore has the potential in itself to draw attention to our activities. Armed Security Where we are explicitly targeted or threatened, programme activities and presence in the area may be reduced or ceased. Only where the Deterrence strategy level is in place would we be seeking to use high profile protection, including armed security. In order not to associate ourselves with any armed group or with the use of violence we do not normally use armed guards, armed escorts and armed protection of transport, residences or other premises. We will not participate in armed or military convoys or use the services of any armed forces including government or non-government armies, UN bodies, militias or armed private security services. Also, we will not accept the integration of military personnel on humanitarian mission into our programmes or the transportation of military personnel (armed or unarmed) in our vehicles or premises, unless injured and thus non- combatants. Although this is our policy approach and preference not to operate in armed, military or similar support contexts we recognise that in exceptional circumstances there will be some compromise necessary in order to meet our primary Protection strategy or Deterrence profile. The decisions to use such armed support will only be approved by the Executive Team based on advice and requests from country teams and careful consideration of the risk impacts. Threat Levels We use a threat level system to fully identify the threats in each country programme. This allows our people in all areas of the NGO to have a clear indication of the risk type and the assessed reason for the allocation to a particular level. The allocation of a level is used to inform our planning and implementation of safe and security activity. There are 5 threat levels: Very Low Low Medium High Very High Each characterises the level of threat in a country or in parts of a country based on the following key factors: 1. Crime risk (physical harm, assault, robbery, rape, murder, burglary, theft, B-6 SRMC? LEVEL 6 Annex B to ATHE Level 6 Award in Security Risk Management Consultancy vandalism, fraud, embezzlement, information, scams, and identity theft) . Terrorism risk . Travel risk (travelling to, from and within countries) Conflict risk (collateral damage, war crimes, targeting vulnerable groups and civilians) Political and ideology risk (regime change, opposition, or hostility towards our mission or those we support) . Abduction risk Natural disaster risk Health and disease risk Threat levels are determined through a threat level template which is completed based on local and contract information and intelligence analysis, and approved by the Country Director, Global Security, and the Regional Director. Countries will be assessed for their threat level and those that are assessed to be at High or Very High threat level must complete threat level exercises for their geographic operational locations. This means that the full and detailed assessments for the impact of threats on our people and assets are to be conducted by Global Security, who are to recommend action to the Executive Team and prepare deploying and deployed personnel for operations in the affected environments. Our threat levels are used for internal communication and understanding. Whilst they are validated against UN, government and private intelligence organisations, they are not linked to them and neither support nor endorse the policies or methods of those entities This is to ensure independence and to reflect our specific concerns rather than wider national and generic threats. Duty of Care For us, Duty of Care refers to the legal obligation of an individual or organization to take reasonable measures to prevent harm or injury to others. It is a common law concept that is based on the principle that everyone has a responsibility to ensure that their actions, or lack of action, do not cause harm to others. In order to meet their duty of care, individuals and organisations must take reasonable steps to identify and address any potential risks or hazards that may cause harm to others. This includes providing appropriate training and supervision, maintaining safe and secure activities, and ensuring that products and services are safe and fit for purpose. To ensure that we fully achieve our legal duty of care across our range of activities, we are committed to providing differing levels of safety and security management for different duty bearers. The Executive Team sets the duty of care policy through the Global Security Framework, all branches, subsidiaries and affiliates are required to provide the duty of care as described below: International and national team members SRMC? LEVEL 6 Annex B to ATHE Level 6 Award in Security Risk Management Consultancy As an organisation we commit to inform team members of threats and measures to prevent and mitigate risks. We will inform team members of their safety and security responsibilities and obligations. We will manage the safety and security of team members working in their home environments during working hours. We will manage the safety and security of team members working internationally during and outside of working hours. We will provide robust security measures and where appropriate and possible, insurance. We will provide International Assignee team members with pre- and post- deployment medicals (physical, resilience and travel health consultations). We will provide all team members with access to psychosocial support following traumatic incidents. We will provide access to threat level appropriate safety, security and first aid training. We will ensure that all team members are able to freely decline the risk entailed in a country programme, when they feel that the work poses an unreasonable level of risk, by asking to not travel to a country programme, not travel to areas within the programme, or be withdrawn from an area or a country programme. However, if the risks are constant, or personal withdrawal is likely to be frequent or long- term, we will undertake a review between the team member and their line manager to determine an appropriate course of action which could include assessment as to whether employment in that position should continue, in line with organisational procedures. The use of armed guards, armed escorts and armed protection may be considered in certain exceptional situations and in line with our Protection and Deterrence risk strategy options. These exceptions must be approved by the Director International Operations and only on the authority of the Executive Team. Country Directors may authorise the short-term use of armed protection without Director International Operations approval ONLY in situations where there is an immediate threat to the safety of team members and where armed protection is necessary to avoid violence or physical harm to team members and where prior approval not possible due to the nature of the circumstances. Consultants and Individual Contractors (CIC) SRMC? LEVEL 6 Annex B to ATHE Level 6 Award in Security Risk Management Consultancy As an organisation we commit to assessing the safety and security management capabilities of CIC; and where capacity or capability is low, provide appropriate travel briefings, guidance and support. We will provide a Welcome Pack to all CIC travelling to our programmes and inform them of recommended and required safety and security training. Sub-awardees As an organisation we commit to conducting a rapid due diligence review of safety and security policies, protocols and practices of potential sub-awardees prior to contractual agreement ensuring that contracts with sub-awardees clearly explain the necessity for appropriate safety and security policies, protocols and practices. Donors As an organisation we commit to understanding donor duty of care requirements and implementing the necessary procedures and mitigations to achieve the requirements Roles and Responsibility To ensure that this Policy is effectively implemented and that we are compliant with all legislative and duty of care requirements and obligations the responsibilities for security and risk management within the organisation follow. Country Directors are responsible for: * Ensuring that the programme fully meets duty of care requirements and operates in accordance with the Global Security Framework Maintaining an up-to-date Essential Security Plan (ESP) Meeting the minimum security standards specified in their country and as detailed in their ESP. Resourcing safety and security activities, including personnel and equipment through appropriate identification of need and ing organisational funding applications. Ensuring all team members and visitors are briefed on context, threats, and security rules within 24 hours of arrival or employment. Ensuring all team members in Very High threat level countries are briefed on and complete proof of life forms. Reporting all security incidents and 'near-miss' incidents in accordance with the Security Incident Reporting Protocol (SIRP) Regional Directors are responsible for ensuring the region fully meets duty of care requirements and operates within the Global Security Framework Global Security are responsible for: * Maintaining and updating the Global Security Framework SRMC? LEVEL 6 Annex B to ATHE Level 6 Award in Security Risk Management Consultancy Disseminating the Global Security Framework to all support offices and country programmes Providing security technical assistance to country programmes Ensuring all team members and visitors to High and Very High threat level countries are briefed on security risks pre and post travel. Ensuring all team members visiting Very High threat level countries (and where the abduction threat is considered highly elevated) are briefed on and complete proof of life forms. Setting and assessing minimum security standards International Programmes Support Director is responsible for: Ensuring that the Global Crisis Management Team is convened as necessary. Reducing, suspending, or terminating programme activities when safety and security risks are considered too high or if risk minimising measures are considered unacceptable. Director International Operations is responsible for deciding when team members can return after an international evacuation based on intelligence, advice and guidance from Global Security Evacuation All team members that are not in their country of origin or at their normal duty station are entitled to evacuation and support for that evacuation until returned to a place of safety. The decision to evacuate is binding for all team members entitled to evacuation. If any of these team members refuse to evacuate, they do so on the understanding that their employment contract is immediately terminated, and the organisation no longer has a duty of care to that team member. The decision to evacuate can be made by a Line Manager in that location, the Country Director, the Regional Director, Director International Programme Support Director or the Director International Operations The decision to evacuate cannot be overruled by line management, except where the more senior line manager determines that the evacuation would expose the team to greater danger than remaining in the current location. The evacuation of team members at their normal duty station will only be considered in cases where their work has placed them in danger and is at the discretion of the Country Director. Where an evacuation is deemed necessary but there is no possibility of evacuating all team members, those who are deemed to be at the highest risk will be given priority, based on a recorded risk assessment by the Country Director. Team members may only return to an area post-evacuation following a full security risk assessment and on receipt of an updated Essential Security Plan. The decision to return after B-10 SRMC LEVEL 6 Annex B to ATHE Level 6 Award in Security Risk Management Consultancy a domestic relocation is made by the Country Director. The decision to return after an international evacuation is made by the Director International Operations Abduction The Global Crisis Management Team provides advice and expertise in the handling of abduction guided by the primary objectives of ensuring the safety of the individual abductees and their release. Global Security promotes preventive measures and means in high threat areas. We will not pay ransoms or concede to other demands from groups that threaten employees in order to obtain the release of abducted team members. We will not facilitate ransom payments on behalf of others, including family members. Policy Statement The following statement affirms that this Policy applies to the NGO and is applicable throughout, and that detailed plans are the responsibilities of the nominated levels and roles throughout the organisation: "This Policy applies to the NGO and is applicable throughout. It is the responsibility of all employees, volunteers, and stakeholders to adhere to the principles and guidelines outlined in this Policy. Detailed plans for the implementation of this Policy, including specific responsibilities and timelines, will be developed by the nominated levels and roles throughout the organisation. Each level and role has a duty to ensure that their specific responsibilities are met in accordance with this Policy."