MSR Part 1: Risk Identification and Assessment
IFRC’s first Duty-of-Care obligation is to identify and assess the security risks to its personnel, assets and to the overall organisation. This requires that managers have access to the information and analysis they need to make informed security risk management decisions. This section outlines the minimum requirements for the identification, assessment and registering of security risks.
Security Risk Assessments (SRA) and Register (SRR)
Description: A security risk assessment is the structured process of assessing security-related risks, from internal and external threats to personnel, assets and the organisation.
Minimum Requirements: Senior Managers must ensure that Security Risk Assessments (SRA), are conducted for all offices and field operations under their responsibility within two weeks of opening an office or start of an operation, unless an exemption (or an exceptional extension) is provided by the Global Security Unit (GSU). SRA must be conducted according to the IFRC SRA process and the outcomes must be reported in the Security Risk Register (SRR). The Senior Manager is responsible for updating the SRR minimum every six months or when the security situation changes, or operations expand into new areas or there are changes in staffing numbers. The GSU reviews and approves the SRR on an annual basis during the GSU MSR compliance process.
Security Phase System
White Phase: Low Overall Risk to IFRC Personnel
Yellow Phase: Medium Overall Risk to IFRC Personnel
Orange Phase: High Overall Risk to IFRC Personnel
Red Phase: Extreme Overall Risk to IFRC Personnel
Description: The IFRC uses a four-phase security phase system across all offices and field operations, as shown on the right. This system serves two main purposes: to quickly communicate overall risk levels to personnel, and to guide managers by specifying the additional security requirements they must implement at each phase. The “Stay Safe” Manager’s manual describes the phases and the requirements and guidelines for each phase. Different operational areas within the same country may have different security phases (and thus different security requirements) if the security situation varies across the country.
Minimum Requirements: Senior Managers must communicate phase changes to personnel immediately and implement the phase-specific security measures, as defined in the Stay Safe Manager’s manual..
Declaration of Phases
The security phases may be implemented in sequential order or as the situation dictates. It is recommended that all changes to phases be made in consultation with the Regional Security Coordinator (RSC).
White Phase & Yellow Phase will be declared by Senior Manager, at his/her discretion. The Regional Security Coordinator (RSC) and the GSU must be notified of this designation.
Orange Phase will be declared by the Senior Manager, in consultation with the Regional Director (via the RSC) and approved by the Head of GSU.
Red Phase will be declared by the Senior Manager, following authorisation from the Regional Director (via the RSC), and approval by the Head of GSU.
A return to lower phase may be implemented by the Senior Manager with respect to Yellow Phase. If Orange and Red Phases have been declared, the request from a Senior Manager to return to a lower phase needs to be approved by the Regional Director and the Head of GSU, in consultation with the Regional Security Coordinator and the Senior Manager.