Risk Profiling as part of your Duty of Care

Last week Spearfish hosted a Webinar on Risk Profiling as part of your Duty of Care whilst operating in a complex environment.

Last week Spearfish hosted a Webinar on Risk Profiling as part of your Duty of Care whilst operating in a complex environment. As one of the speakers on the panel was I looked at risk profiling from the a security management perspective., i.e. the need to make a judgement on how to keep people safe, typically in medium to high-risk areas. I focused on 3 main areas;

  • Elements to consider. 

  • Factors to apply. 

  • Methods of profiling.  

Elements to consider

There is no strict definition to this, and I would say how we do it might be slightly different to another company.  Quite simply, we are trying to build up a picture of you, and place that into the context of the risk environment you are visiting. What is important to stress is why we are doing this, i.e. this is on the grounds of safety, and the information will only be used for those purposes. That is important to get across, particularly when you are asking for more information that people might be used to giving.  A few elements we consider;

  • Nationality. When we look at individuals, there is an inherent bias in many companies to focus purely on international travellers, as if they have a far higher risk exposure. Why this is can be down to a number of reasons, but a lot is driven by the security industry who have developed products and techniques with this approach baked in.  What we have always seen is that each group may have a different set of risks to manage, but just because you are travelling to a new country, you aren’t necessarily at any more risk that those already there. Quite often it is the reverse.  A Nigerian client driving regularly from Kaduna to Kano may experience a far higher level of risk from kidnap or a road traffic accident than an international consultant spending a week in the Sheraton in Abuja.  But for those measuring the risk outside of the country, this may not be readily apparent. However, CV19 travel restrictions and the increased use of local partners and consultants over the last two years has brought about a conversion of sorts.  We have seen far more clients considering risks to all staff and not just those on the international roster but it remains a work in progress. What we need to ensure that this change becomes permanently locked into our discussions on duty of care, and that common standards apply across your organisation.  

  • Gender. Gender based violence is high on most companies lists of priorities.  Whilst we know its importance, what is less well understood is effective ways to mitigate this when heading into the field. Often, it is not within the company’s ability to completely remove this risk, but it can be avoided by good information and best practice. This is normally based on a contextual understanding of a community and making plans thereof. From a tactical level, we have to understand what we can and can’t change and proceed on that basis. 

  • Experience. The actions you take when working in the field depends hugely on your experience.  It also includes the knowledge of the areas you are operating in. We need to understand this.  Recently Jacob from our team travelled to Jos in Plateau State in Nigeria to visit to two Local Government Areas. What he found out what that there were community tensions and flash points along his route and at each destination.  As a result, he varied his patterns and movements on the ground.  He also timed his visit to coincide with another delegation who were was seen as a force for good. Therefore it is essential to find out a traveller’s understanding of these dynamics, which hugely varies the support they will require. 

  • Religion/ethnicity. Following the above point, it is a simple fact that if I look or behave differently, then I will be noticed.  This might play out in several different ways.  Depending on where you are very much dictates how much this will affect you. If I am in a location where there is a wide variety of different people, e.g. a travel hub such as Nairobi then it won’t be a problem. However, when I transit up to Mogadishu, or perhaps Hargeisa in Somaliland, then I have to understand how my appearance might trigger certain responses from different actors. I also need to understand where there are community tensions.   Sending someone from a particular part of the country or even a different state or region may expose them to risk.  This needs to be understood and managed e.g. by using an acceptance strategy. 

 So, what is the point of profiling? 

Well, it allows you to carry out a more nuanced risk analysis, which makes your work far more effective and credible to the traveller.  It also helps you truly meet your duty of care. It allows you to define your risk scenarios for the mission, adjust your probability and impact scores, and develop robust mitigation plans. If I am assessing the risk of Amit travelling from New Delhi to Lucknow via road, I am looking at factors such as his caste, the areas he is driving through, his experience and timings of the trip. I could extend this to the vehicle he is travelling in, is he self-driving or does he have a driver etc. If I can get to the bottom of all of that, I can then give a really good appreciation of the risk and work out the best plan for him.  

Privacy concerns – individual versus organisation. There are quite legitimate concerns over what a company or consultancy will do with a large amount of personal information.  Whatever you do must be controlled in the right manner, be very clearly understood, and people must know what will happen to the information after the mission. Could other areas of the business access it for purposes that stray outside of Duty of Care?  By having a comprehensive engagement process with those undergoing profiling, you can build trust and then deliver a transparent service. A large element of risk communication is built on trust, i.e. you need to be seen as a credible voice, a reliable partner and that must be maintained at all costs. 

Other factors to consider

Once we have built a profile, we then need to place it into the risk environment. Three things to mention: 

  • Activity. We often talk about ‘doing no harm’ when we describe donor funded activities but what does that really mean. If I visit a community will my presence there create issues for those people after I have gone? How will the permanent team there handle this? Will it create issues for the next traveller in? What if the activity upsets the balance between two communities, or raises the risk for one? These are all questions that need to be answered.  

  • Appetite. Sometimes referred to as tolerance, there is a question of how much risk an organisation is willing to bear.  This must be aligned with the individual as sometimes they can be quite different; it is our job to give a clear-eyed view of what is reasonable to take on. Residual risk will be left after mitigation plans have been developed, and again that needs to fit with expectations, both for the organisation and the individual.  

  • Ability. How to handle the risk, experience versus training. What assumptions are we making about the individual and the organisation’s ability to handle the risk, either due to their training and/or experience. When you dig down into the team composition, are there any weak points, i.e. people who need extra mentoring or support? Is everyone confident and happy, or do they need a little extra time and attention to properly absorb the level of risk they are taking on.  

Methods of profiling

There are two ways to look at this: 

  • Active – gathering on a case-by-case basis. Here at Spearfish we use a Trip Risk Assessment form, which asks for information such as team composition, nationalities, activity to be carried out, mobilisation plan, local contacts, etc. We pull all of this together and score this against risks that we see as relevant to the trip based on our knowledge of the environment. We can build a really good risk assessment but it is time critical and requires local information sources, as well as the required profiling information from the client.  

  • Passive - inference from personal information – photos, passport scans, social media. This we tend to do informally based on the information we have been given as part of the travel approval process but we don’t tend to store or analyse. We don’t look at social media profiles, or try to gather historical information, but there would be merit in developing this line of enquiry, providing it is given freely and for the purposes of keeping people safe.  

Ideally, we want to end up with a blended approach – consensual use of given information purely for the purposes of risk assessment – mixed with open source and company information that we use to validate and expand our understanding of who someone is and how they might fit into a certain set of risk factors.  

In Conclusion

Whatever we do, we need to have a clearly understood framework for the profiling and the purposes behind it. We need output for risk assessment only with the necessary controls in place. There is plenty of more to be done in this area, it is relatively unexploited but has great potential in terms of localisation and providing context specific risk management.