Chapter 2: Assessing risk: threats, vulnerabilities and capacities
Purpose:
- Understanding the concepts of threats, vulnerability and capacity in security.
- Learning how to do a risk assessment.
Risk analysis and protection needs
Human rights defenders’ work can have a negative impact on specific actors’ interests, and this can in turn put defenders at risk. It is therefore important to stress that risk is an inherent part of defenders’ lives in certain countries.
The issue of risk can be broken down in the following way:
- Analyse main stakeholders' interests and strategies -> Assess impact of defenders' work on those interests and strategies -> Assess threat against defenders -> Assess vulnerabilities and capacities of defenders -> Establish Risk
In other words, the work you do as a defender may increase the risk you face.
- What you do can lead to threats
- How, where, and when you work raises issues about your vulnerabilities and capacities.
There is no widely accepted definition of risk, but we can say that risk refers to possible events, however uncertain, that result in harm.
In any given situation, everyone working on human rights may face a common level of danger, but not everyone is equally vulnerable to that general risk just by being in the same place. Vulnerability - the possibility that a defender or a group will suffer an attack or harm - varies according to several factors, as we will see now.
An example:
- There may be a country where the Government poses a general threat against all kinds of human rights work. This means that all defenders could be at risk. But we also know that some defenders are more at risk than others; for instance, a large, well established NGO based in the capital will probably not be as vulnerable as a small, local NGO. We might say that this is common sense, but it can be interesting to analyse why this happens in order to better understand and address the security problems of defenders.
The level of risk facing a group of defenders increases in accordance with threats that have been received and their vulnerability to those threats, as presented in this equation:
RISK = THREATS x VULNERABILITIES
Threats represent the possibility that someone will harm somebody else's physical or moral integrity or property through purposeful and often violent action. Making a threat assessment means analysing the likelihood of a threat being put into action.
Defenders can face many different threats in a conflict scenario, including targeting, common crime and indirect threats.
The most common type of threat, targeting, aims to hinder or change a group's work, or to influence the behaviour of the people involved. Targeting is usually closely related to the work done by the defenders in question, as well as to the interests and needs of the people who are opposed to the defenders' work.
Defenders may face the threat of common criminal attacks, especially if their work brings them to risky areas. Many cases of targeting are carried out under the guise of being ‘ordinary’ criminal incidents.
Indirect threats arise from the potential harm caused by fighting in armed conflicts, such as ‘being in the wrong place at the wrong time’. This applies especially to defenders working in areas with armed conflict.
Targeting (targeted threats) can also be seen in a complementary way: Human rights defenders may come across declared threats, for example by receiving a death threat (see Chapter 3 for how to assess declared threats). There are also cases of possible threats, when a defender close to your work is threatened and there are reasons to believe that you might be threatened next.
A summary of kinds of threats:
- Targeting (declared threats, possible threats): threats due to your work.
- Threats of common criminal attacks.
- Indirect threats: threats due to fighting in armed conflicts.
Vulnerabilities
Vulnerability means the degree to which people are susceptible to loss, damage, suffering and death in the event of an attack. This varies for each defender or group, and changes with time. Vulnerability is always relative, because all people and groups are vulnerable to some extent. However, everyone has their own level and type of vulnerability, depending on their circumstances. Let’s see some examples:
- Vulnerability can be about location. For example, a defender is usually more vulnerable when s/he is out on the road during a field visit than when s/he is at a well known office where any attack is likely to be witnessed.
- Vulnerabilities can include lack of access to a phone or to safe ground transportation or to proper locks in the doors of a house. But vulnerabilities are also related to the lack of networks and shared responses among defenders.
- Vulnerabilities may also have to do with team work and fear: A defender who receives a threat may feel fear, and his/her work will be affected by fear. If s/he does not have a proper way to deal with fear (somebody to talk to, a good team of colleagues, etc.), chances are that s/he could make mistakes or take poor decisions that may lead him/her to more security problems.
There is a combined check-list of possible vulnerabilities and capacities at the end of this chapter.
Capacities
Capacities are the strengths and resources a group or defender can access to achieve a reasonable degree of security. Examples of capacities could be training in security or legal issues, a group working together as a team, access to a phone and safe transportation, to good networks of defenders, to a proper way of dealing with fear, etc.
In most cases, vulnerabilities and capacities are two sides of the same coin.
For example:
Not knowing enough about your work environment is a vulnerability, while having this knowledge is a capacity. The same can be said about having or not having access to safe transportation or to good networks of defenders.
(There is a combined check-list of possible vulnerabilities and capacities at the end of this chapter).
The risk created by threats and vulnerabilities can be reduced if defenders have enough capacities (the more capacities, the lesser the risk).
Risk = threats x vulnerability / capacities
Summary:
In order to reduce risk to acceptable levels - namely, to protect - you must:
- Reduce threats;
- Reduce vulnerability factors;
- Increase protection capacities.
Risk is a dynamic concept that changes with time and with variations in the nature of threats, vulnerabilities and capacities. This means risk must be assessed periodically, especially if your working environment, threats or vulnerabilities change. For instance, vulnerabilities can also increase if a change of leadership leaves a group of defenders in a weaker position than before. Risk increases dramatically with a clear and present threat. In such cases, it is not safe to try to reduce risk by increasing capacities, because that takes time.
Security measures, such as legal training or protective barriers, could reduce risk by reducing vulnerability factors. However, such measures do not confront the main source of risk, i.e. the threats, nor the will to carry them out, especially in situations where perpetrators know they are likely to go unpunished. All major interventions in protection should therefore aim to reduce threats, in addition to reducing vulnerability and enhancing capacity.
An example:
- A small group of defenders are working on land property issues in a town. When their work starts affecting the local landowner’s interests they receive a clear death threat. If you apply the risk equation to their security situation, you’ll see that the risk these defenders face is very high, above all due to the death threat. If you want to reduce that risk it is probably not the moment to start changing the locks on the door of their office (because the risk is not related to a break-in at the office), nor the moment to buy a cell phone for each defender (even if communication might be important to security, it is unlikely to be enough if there is someone coming to kill you). In this case, a more relevant strategy would be to work on networking and generating political responses to directly confront the threat (and if that is unlikely to be effective quickly, the only way to reduce the risk significantly might be to reduce the defenders' exposure, perhaps by moving away for a while – being able to relocate to a safe place is also a capacity).
Vulnerabilities and capacities, as well as some threats, may vary according to gender and age. You therefore need to break down your findings accordingly.
Vulnerabilities and capacities assessment
Designing a vulnerability and capacities assessment for a given group (or person) involves defining the group itself (a community, collective, NGO, individuals, etc.), the physical area where it is located and the time line (your vulnerability profile will change and evolve over time). Then you can proceed to assess vulnerabilities and capacities, using Chart 3 at the end of this chapter as guidance.
Please note: The vulnerabilities and capacities assessment must be seen as an open-ended activity aimed at building on existing information to maintain an accurate picture of a constantly evolving situation. When assessing capacities, it is important to establish what the actual current capacities are instead of listing potential, desirable ones.
Coping and response strategies
Defenders and groups under threat use different coping strategies to deal with the risks they perceive that they face. These strategies will vary a lot depending on their environment (rural, urban), the type of threat, the social, financial and legal resources available, etc.
Most coping strategies can be implemented immediately and in response to short term objectives. They will therefore function more like tactics than as detailed response strategies. Most strategies also respond to individual people’s subjective perceptions of risk, and could at times cause the group some level of harm, especially if the strategies used cannot be reversed.
Coping strategies are closely related to the type and severity of threat and to the group’s capacities and vulnerabilities.
When thinking about security and protection you must take into account both your own and other people’s coping strategies. Reinforce the effective ones, try to limit harmful ones and try to respect the remaining ones (especially coping strategies linked to cultural or religious beliefs). Some coping strategies:
- Reinforcing protective barriers, hiding valuables.
- Avoiding behaviour which could be questioned by another actor, especially if control of the territory where you are working is under military dispute.
- Going into hiding during high risk situations, including in places that are difficult to access, like mountains or jungle, changing houses, etc. Sometimes whole families go into hiding, and sometimes just defenders. Hiding could take place at night or go on for several weeks, and might involve no outside contact.
- Looking for armed or political protection from one of the armed actors.
- Suspending activities, closing down the office, evacuating. Forced migration (internal displacement or as refugees) or going into exile.
- Relying on “good luck” or resorting to “magic” beliefs.
- Becoming more secretive, including with colleagues; going into denial by refusing to discuss threats; excessive drinking, overwork, erratic behaviour.
Defenders also have access to response strategies. These can include issuing reports to publicise a specific issue, making allegations, staging demonstrations, etc. In many cases these strategies do not amount to a long term strategy, but respond to short term needs. In some cases the response strategies might even create more security problems than those they were intended to address.
When analysing coping and response strategies, take the following into account:
- Sensitivity: Can your strategies respond quickly to individual or group security needs?
- Adaptability: Can your strategies be quickly adapted to new circumstances, once the risk of attack is over? A defender may have several options available, for example to either hide or to live at other people’s houses for a while. Such strategies may seem weak or unstable, but often have great endurance.
- Sustainability: Can your strategies endure over time, despite threats or non-lethal attacks?
- Effectiveness: Can your strategies adequately protect the people or groups in question?
- Reversibility: If your strategies don’t work or the situation changes, can your strategies be reversed or changed?
Dealing with risk after doing a risk assessment
Once your risk assessment has been done, you need to look at the results. As it is impossible to measure the “amount” of risk you are facing, you need to establish an understanding of what the level of risk is.
Different defenders and organisations may estimate different levels of risk. What is unacceptable for some defenders can be acceptable for others, and the same can be said for people within the same organisation. Rather than discussing what “must” be done or whether you are prepared for going ahead with it, people’s different thresholds of risk must be addressed: You must find a commonly acceptable threshold for all members of the group.
That said, there are different ways of dealing with risk:
- You can accept the risk as it stands, because you feel able to live with it;
- You can reduce the risk, by working on threats, vulnerabilities and capacities;
- You can share the risk, by undertaking joint actions with other defenders to make potential threats to one defender or organisation less effective;
- You can choose to avoid the risk, by changing or stopping your activities or changing approach to reduce potential threats;
- You can ignore the risk, by looking the other way. Needless to say, this is not the best option.
Bear in mind that the levels of risk are usually different for each of the organizations and individuals involved in a human rights case, and that attackers usually tend to hit the weakest parts, so you have to pay attention to these different levels of risk and take specific measures. For example, let’s look at a case of a peasant killed by a landowner's private army. There may be several organizations and individuals involved in it, such as a group of lawyers from the close-by capital city, a local peasant union and three witnesses (peasants who live in a nearby village). It is key to assess the different levels of risk of each of these stakeholders in order to plan properly for the security of each of them.
Chart 3: Information needed to assess a group's vulnerabilities and capacities
---
Geographical, physical and technical components
COMPONENTS OF VULNERABILITIES AND CAPACITIES
- INFORMATION NEEDED TO ASSESS THE VULNERABILITIES OR CAPACITIES OF THOSE COMPONENTS
NOTE: Generally speaking, the information from the heading may show that a given component -explanation underneath- is either a vulnerability or a capacity of a given defender or group of defenders
Exposure
- The need to be in, or to pass through, dangerous areas to carry out normal daily or occasional activities. Threatening actors in those areas.
Physical structures
- The characteristics of housing (offices, homes, shelters); building materials, doors, windows, cupboards. Protective barriers. Night lights.
Offices and places open to public
- Are your offices open to visitors from the general public? Are there areas reserved only for personnel? Do you have to deal with unknown people that come to your place?
Hiding places, escape routes
- Are there any hiding places? How accessible are they (physical distance) and to whom (for specific individuals or the whole group)? Can you leave the area for a while if necessary?
Access to the area
- How difficult is it for outside visitors (government officials, NGOs, etc,) to access the area, for example in a dangerous neighbourhood? How difficult is access for threatening actors?
Transport and accommodation
- Do defenders have access to safe transportation (public or private)? Do these have particular advantages or disadvantages? Do defenders have access to safe accommodation when travelling?
Communication
- Are telecommunications systems in place (radio, telephone)? Do defenders have easy access to them? Do they work properly at all times? Can they be cut by threatening actors before an attack?
Components linked to conflict
Links to conflict parties
- Do defenders have links with conflict parties (relatives, from the same area, same interests) that could be unfairly used against the defenders?
Defenders’ activities affecting a conflict party
- Does defenders' work directly affect an actor’s interests? (For example, when protecting valuable natural resources, the right to land, or similar potential targets for powerful actors.) Do you work on an especially sensitive issue for powerful actors (such as land ownership, for example)?
Transportation of items and goods and written information
- Do defenders have items or goods that could be valuable to armed groups, and therefore increase the risk of targeting? (Petrol, humanitarian aid, batteries, human rights manuals, health manuals, etc.)
Knowledge about fighting and mined areas
- Do you have information about the fighting areas that could put you at risk? And about safe areas to help your security? Do you have reliable information about mined areas?
Components linked to the legal and political system
Access to authorities and to a legal system to claim your rights
- Can defenders start legal processes to claim their rights? (Access to legal representation, physical presence at trials or meetings, etc.) Can defenders gain appropriate assistance from relevant authorities towards their work and protection needs?
Ability to get results from the legal system and from authorities
- Are defenders legally entitled to claim their rights? Or are they subject to repressive internal laws? Can they gain enough clout to make authorities take note of their claims?
Registration, capacity to keep accounts and legal standards
- Are defenders denied legal registration or subjected to long delays? Is their organisation able to keep proper accounts and meet national legal standards? Do you use pirated computer software?
Management of information
Sources and accuracy of information
- Do defenders have reliable sources of information to base accusations on? Do defenders publicise information with the necessary accuracy and method?
Keeping, sending and receiving information
- Can defenders keep information in a safe and reliable place? Could it get stolen? Can it be protected from viruses and hackers? Can you send and receive information safely?
Being witnesses or having key information
- Are defenders key witnesses to raise charges against a powerful actor? Do defenders have relevant and unique information for a given case or process?
Having coherent and acceptable explanation about your work and aims
- Do the defenders have a clear, sustainable and coherent explanation of their work and objectives? Is this explanation acceptable, or at least tolerated, by most/all stakeholders (especially armed ones)? Are all members of the group able to provide this explanation when requested?
Social and organisational components
Existence of a group structure
- Is the group structured or organised in any way? Does this structure provide an acceptable level of cohesiveness to the group?
Ability to make joint decisions
- Does the group’s structure reflect particular interests or represent the whole group (extent of membership)? Are the main responsibilities carried out and decision-making done by only one or a few people? Are back-up systems in place for decision-making and responsibilities? To what degree is decision-making participatory? Does the group’s structure allow for: a) joint decision making and implementation, b) discussing issues together, c) sporadic, ineffective meetings, d) none of the above?
Security plans and procedures
- Are security rules and procedures in place? Is there a broad understanding and ownership of security procedures? Do people follow the security rules?
Security management outside of work (family and free time)
- How do defenders manage their time outside of work (family and free time)? Alcohol and drug use represent great vulnerabilities. Relationships can also result in vulnerabilities (as well as strengths).
Working conditions
- Are there proper work contracts for everyone? Is there access to emergency funds? Insurances?
Recruiting people
- Do you have proper procedures for recruiting personnel or collaborators or members? Do you have a specific security approach for your occasional volunteers (such as students, for example) or visitors to your organization?
Working with people or with interface organizations
- Is your work done directly with people? Do you know these people well? Do you work with an organization as an interface for your work with people?
Taking care of witnesses or victims we work with
- Do we assess the risk of victims and witnesses, etc, when we are working on specific cases? Do we have specific security measures when we meet them or when they come to our office? If they receive threats, how do we react?
Neighbourhood and social surroundings
- Are defenders well integrated socially in the local area? Do some social groups see defenders' work as good or harmful? Are defenders surrounded by potentially hostile people (neighbours as informers, for example)?
Mobilization capacity
- Are defenders able to mobilize people for public activities?
Psychological Components (Group/Individuals)
Ability to manage stress and fear
- Do key individuals, or the group as a whole, feel confident about their work? Do people clearly express feelings of unity and joint purpose (in both words and action)? Are stress levels undermining good communications and interpersonal relationships?
Deep feelings of pessimism or persecution
- Are feelings of depression and loss of hope being clearly expressed (in both words and action)?
Work resources
Ability to understand work context and risk
- Do defenders have access to accurate information about their working environment, other stakeholders and their interests? Are defenders able to process that information and get an understanding of threats, vulnerabilities and capacities?
Ability to define action plans
- Can defenders define and, in particular, implement action plans? Are there previous examples of this?
Ability to obtain advice from well informed sources
- Can the group obtain reliable advice? From the right sources? Can the group make independent choices about which sources to use? Do you have access to particular organisations or membership status that enhances your protection capacities?
People and amount of work
- Do the people or personnel available match the amount of work needed? Can you plan field visits in teams (at least two people)?
Financial resources
- Do you have enough financial resources for your security? Can you manage cash in a safe way?
Knowledge about languages and areas
- Do you know the languages needed for the work in this area? Do you know the area properly (roads, villages, public phones, health centres, etc.)?
Access to national and international contacts and media
Access to national and international networks
- Do defenders have national and international contacts? To visiting delegations, embassies, other governments, etc? To community leaders, religious leaders, other people of influence? Can you issue urgent actions via other groups?
Access to media and ability to obtain results from them
- Do defenders have access to media (national, international)? To other media (independent media)? Do defenders know how to manage media relations properly?
A risk scale: Another way to understand risk
Fig. 1:

A scale provides another way to understand this concept of risk. This is something we might call a "risk-meter". If we put two boxes with our threats and vulnerabilities on one of the plates of the scales, and another box with our capacities on the other plate, we will see how our risk gets increased or reduced.
Fig. 2:

The more threats and vulnerabilities we have, the more risk we face.
Fig. 3:

The more capacities we have, the less risk we face. And for reducing the risk, we can reduce our threats and our vulnerabilities, as well as increase our capacities.
Fig. 4:

But look at what happens if we have some big threats: no matter how much we try to increase our capacities at that very moment, the scales will show a high level of risk anyway!