SRA Instructions

Step-by-step instructions to help you conduct a Security Risk Assessment (SRA).


Overview

The steps of the SRA process are:

  1. Context Assessment (i.e., understand the big picture).

  2. Identify and list the specific threats in the operational area.

  3. Describe each threat.

  4. For each threat, list the vulnerabilities and existing mitigation measures.

  5. Assess the likelihood and impact of each threat to the organisation (based on the above).

  6. Plot the threats according to their risk level (likelihood x impact) in the risk matrix.

  7. Identify (additional) mitigation measures that are needed (to reduce the risk if necessary).

  8. Complete the Security Risk Register (SRR).

The steps are explained in more detail below.


 
 

STEP 1: Context Assessment

This step (also known as the Situational Assessment) involves doing some research to understand the general context and threats before getting into the specifics.

This step is especially important when you are assessing a new area. If you are already very familiar with the area, you can go directly to step 2.

We recommend noting down the threats as you go (with pen and paper or on a computer). We also recommend that you do your research in three parts to make sure you cover all the basics:

  1. External Factors: Start by learning as much as you can about the country and area. Read up on its people, politics, geography, criminality, disasters, infrastructure, health facilities, etc. This information is usually easy to find in travel books and online.

  2. Internal Factors: Find out as much as you can about your organisation’s activities, operations and teams. You need a good understanding of who is doing what, where and why before moving on to step 2. This information is normally available on request from your colleagues and organisation.

  3. Actors and Relationships: The activities and actions of other actors often impact our safety and security, so it is important to find out who they are, what they are doing and why. Other actors may include national government agencies, security forces, armed groups, U.N. agencies, NGOs and other Red Cross Red Crescent Societies working in the area. Some of this information can usually be found in previous versions of the security plan and on-arrival briefings, but can also be researched online.

By the end of this step…

You should have a good understanding of the context and have made a preliminary list of threats that could impact the organisation and its operations and staff.


 
 

STEP 2: Identify and List the Specific Threats

Work as a group to identify all the threats in your operational area. The threats should be noted in column 1 of the security risk register.

Tips:

  1. Identify threats as specifically as possible rather than in general terms. For example, “crime” is too general, while carjackings and pickpockets are specific. Specific risks are usually easy to plot on a map. Risks that apply to the whole area, such as recurring earthquakes or political unrest, should be listed at the top of the map.

  2. Consider using a big map. In our experience, one of the easiest and fastest ways to identify all the threats in a given area is to put a big map on a table and highlight all the locations and routes you might use. Then list the threats at each location and along each route. Make sure to include security threats (e.g., carjackers at site 1) and safety/weather threats (e.g., icy mountain roads on route 2 from Nov-April).

  3. Remember road, weather, disease and terrain-related threats. In insecure areas, we have a tendency to focus on security threats and can easily forget important safety and health threats.

  4. Once you are done, compare your list to a standard threat list, to see if you missed anything.

By the end of this step...

You should have a complete list of the threats and have entered them into column 1 of the security risk register (if you’re not familiar with security risk registers, take a look at an example in step 7 below).

 

 

STEP 3: Describe the Threats

Starting at the top of your threat list, describe each threat (using the 5Ws). This information goes in column 2 of the security risk register.

This step is important because it helps the group develop a shared understanding of each threat.

The 5Ws and Vulnerability:

  • Where is the threat? For example, is it along a certain road, in a specific area or does it affect the whole area? This is when a map is useful.

  • What/Who is the source of the threat? For example, is it caused by a specific group(s), by some geographic features (e.g., landslides), or by physical objects (e.g., electrical wiring)?

  • When does it occur? Is it more frequent or severe at a certain time of the day (e.g., crime at night), year (e.g., flooding in winter), or around a certain event (e.g., elections)?

  • Why does it occur? For example, why do abductions occur? Is it because they are looking to sell kidnapped individuals on the illegal market? Because they are planning to demand a ransom? Is it politically motivated? Usually, there is more than one motive.

In many cases, you will not know the answers to all of these questions at first. That is okay! Identifying gaps in our “security awareness” is valuable information. Just make sure to note down information gaps and update the SRA once you have the answers.

By the end of this step...

You should have a short paragraph describing each threat (using the 5Ws).

 

 

STEP 4: Describe Vulnerabilities and Mitigation Measures

Starting at the top of your threat list, discuss “how vulnerable are we to this threat and why?” For example, are we more vulnerable to this risk in a certain location or at certain times? Are some personnel more vulnerable due to aspects of their identity? Or due to a lack of proper equipment, training or information? (This goes in column 3 of the security risk register).

Then list the mitigation measures you already have in place. Our vulnerability is often tied to the mitigation measures we may or may not have in place. (This goes in column 4 of the security risk register).

By the end of this step...

You should have a short paragraph describing our vulnerabilities to each threat, and a short description of the mitigation measures that are already in place for each threat. This information goes in columns 3 and 4 of the security risk register.

 

 

STEP 5: Assess Impact and Likelihood

Use the definitions below to determine the likelihood and impact of each risk on your list. The definitions help define security risk more consistently across IFRC operations.

Important! Assess the risk (likelihood and impact) in relation to our personnel, assets and operations, not the general risk to the overall public.

 

Impact Definitions

  • Critical: Death, severe injury, loss of vital equipment, cancellation of activities

  • Severe: Severe injury, possible death, loss of important equipment, major disruption to activities

  • Moderate: Injury, loss of equipment, delay in activities

  • Minor: Possible injury, possible equipment loss, limited delay in activities

  • Negligible: Minor disruption to activities

Likelihood Definitions

  • Certain or imminent: Will occur or is actively occurring

  • Highly likely: Has a very high probability of occurring

  • Likely: Has a high probability of occurring

  • Possible: Has a reasonable probability of occurring

  • Unlikely: Is unlikely to occur to Red Cross Red Crescent staff members or volunteers

By the end of this step...

You should end up with a combination of values for likelihood and impact for each threat. For example:

  • petty theft: likelihood = likely, impact = minor

  • road accident: likelihood = likely, impact = moderate

  • flooding: likelihood = highly likely, impact = severe

This information will be used in the next step (see below).


 
 

STEP 6: Plot the risks in the matrix

Use the impact and likelihood values from step 4 to plot the risks in the IFRC security risk matrix, as shown below.

[Figure: IFRC security risk matrix (SRA2.png)]

Why do we do this? Using a matrix helps us visualise and prioritise the risks within a given operational area. It also helps us identify risks that exceed the IFRC security threshold (those in orange and red) and that will require additional mitigation (see step 6).

Note! Other organisations may use different matrices with different colours and numbers of boxes, but this one must be used for IFRC assessments.

 

By the end of this step...

All the threats should be plotted in the risk matrix, as shown above, and ranked as follows:

  • Threats in the red area = Extreme Risk

  • Threats in the orange area = High Risk

  • Threats in the yellow area = Moderate Risk

  • Threats in the green area = Low Risk

For example, road accident in the example above is in the orange area of the matrix; therefore road accidents = High Risk.


 
 

STEP 7: Identify (Additional) Mitigation Measures

For each risk, identify the existing and additional measures required to mitigate the risk to an acceptable level (green or yellow).

The mitigation measures should serve to reduce both the likelihood and impact whenever possible.

Threats that fall into the orange and red areas of the matrix (high-extreme risk) are usually deemed above the IFRC risk threshold and require urgent treatment (mitigation measures to reduce the risk to yellow).

It is important that you inform the Senior Field Manager (e.g., country director) and your security advisor if you identify high-extreme level risks through this process (if they are not participating in the SRA workshop).


 
 

STEP 8: Fill Out the Security Risk Register (SRR)

The SRR is the output of the SRA process and contains the key information from steps 1-6 above. It should look like this:

  • Column 1: Threat Name (from step 2)

  • Column 2: Threat Description (from step 3)

  • Column 3: Vulnerability Description (from step 3)

  • Column 4: Existing Mitigation Measure (from step 6)

  • Column 5: Risk Rating (from the matrix in step 5)

  • Column 6: Additional Mitigation Required (from step 6)

Fill out the other parts of the SRR such as the date and names of persons who conducted the assessment. Then, submit it to your management and security for review and follow-up.

At the IFRC, the SRR must be submitted to the Senior Manager (i.e., Head of Country Office) and the Global Security Unit for review and approval.

 

What happens next?

The final step is taken by management and is often referred to as the “risk evaluation” step (according to ISO standards). In brief, the management team will use the information derived from the SRA (and contained in the SRR) to evaluate the risks and decide which risks need to be “treated” (reduced to an acceptable level). Decisions may include:

  • Whether a risk needs treatment;

  • Priorities for treatment;

  • Whether an activity should be undertaken.

In terms of treatment, the IFRC Global Security Unit usually requires that measures be taken to reduce all high or extreme security risks to medium.

Risk treatment measures may include writing new (or updating) procedures and plans, investing in training and equipment, or restricting/avoiding activities or travel in some areas.

These “additional” measures are also captured in the SRR and usually assigned to a manager for implementation within a given deadline (to be recorded in columns 5-9 of the SRR).

 

That’s it!

 
 

We hope you found these instructions useful. We recognise that there are many good ways to conduct SRAs, but we have found that this approach works well - including in emergencies, and at the area, country and regional level.


 

FAQ - FREQUENTLY ASKED QUESTIONS ABOUT SRA

 

What is an SRA?

The Security Risk Assessment (SRA) is the formal process we use to identify and assess the security and safety risks in our working environment as well as the mitigation measures needed to protect our personnel, assets and operations from those risks.

What are the benefits of doing an SRA?

  1. It identifies more risks. Doing a formal SRA usually identifies more risks and better mitigation measures. This helps avoid important gaps in our security management system.

  2. It produces a more realistic risk assessment. A formal SRA usually generates more realistic values (predictions) for likelihood, impact and risk level than informal risk assessments do. This helps us prioritize investments in safety and security.

  3. It helps raise awareness and buy-in among managers, staff and volunteers. The SRA is a group process that helps participants gain a more in-depth understanding of the threats that can affect them, and how they can work together to protect themselves. In our experience, staff and volunteers involved in the SRA process tend to be much more involved in and supportive of security training and measures.

Why are SRAs obligatory?

SRAs are mandatory for all IFRC offices and operations (as defined in the IFRC Minimum Security Requirements) because they underpin most of our security plans, rules and mitigation measures. Plans and mitigation measures implemented without an SRA tend to have gaps and can result in avoidable incidents.

What are the steps of the SRA process?

The steps of the SRA process are:

  1. Do a context analysis (i.e., understand the big picture).

  2. Identify and list the specific risks in the operational area.

  3. Describe each risk (using the 5Ws) and vulnerabilities.

  4. Assess the likelihood and impact of each risk.

  5. Plot the risks in the matrix.

  6. Identify mitigation measures for each risk.

  7. Complete the Security Risk Register (SRR).

Where are the findings of the SRA captured?

The deliverable of the SRA process is the Security Risk Register (SRR), and it must be updated yearly at a minimum. All SRRs are reviewed annually by the IFRC Global Security Unit as part of the security compliance process.