The issue of whether people and organisations actually follow security procedures and rules is a complex one. It is perfectly possible to have a good security plan, complete with preventive rules and emergency procedures; you can place security high on the agenda at all big meetings, etc, but people may still not follow the organisation’s security rules.
This could seem incredible, given that human rights defenders are constantly under pressure and being threatened. But it happens.
If someone wants to know something about your work, they will not try to find out from the most careful person in the organisation. Rather, they will try to get close to someone who often gets drunk on Saturday nights. Similarly, if someone wants to give your organisation a fright, they probably will not assault a person who has taken all the necessary precautions. Rather, they will probably target someone who is usually quite careless about their own security. Similarly, it could be that a careful person is attacked because the careless person left the door open… The point is also that one person’s carelessness can place everyone at greater risk.
This is why security should be defined as an issue for the whole organisation, in addition to the individuals it involves. If only three out of 12 people follow the security rules, the whole organisation, including those who observe the rules, is put at risk. If the situation improves and nine people start following security procedures, the risk is reduced. But the risk would still be much smaller if all 12 people followed the rules.
Security is an issue
for the whole organisation,
as well as for
the individuals it involves.
Having a good security plan is meaningless unless it is being followed. Let’s be realistic: Many people do not follow the rules or procedures. This lack of compliance amounts to the difference between good intentions and real-life effectiveness. It is nevertheless easier to confront this problem than its possible consequences.
First of all, the word “compliance” carries connotations of submissiveness and docility and should therefore be avoided. People only follow rules which they understand and accept, because they can then make them their own. The key word here is therefore “ownership”.
In order for a security procedure to be followed, everyone in the organisation has to embrace it. This doesn’t happen instantly. In order for staff to embrace a security procedure they must be allowed to participate in drawing it up and implementing it. Training, understanding and acceptance of the procedure are also crucial.
Table 1:
The relationship between individuals and organisations in security terms. KEY
Concept Approach 1: “Everyone must follow the rules!” Approach 2: “The individual and the organisation have agreed on the rules.”
Concept: Approach Approach 1: Rule-focused Approach 2: Based on organisational and personal security needs
Concept: Type of relationship between the individual and the organisation Approach 1: Normative or “paternalistic” Approach 2: Based on dialogue
Concept: Why do we follow the rules? Approach 1: By obligation, to avoid sanction or expulsion Approach 2: To observe an agreement, with room for criticism and improvement (because we agree with the purpose/need, in order to help protect our colleagues and the people we work with/for)
Concept: Responsibility for security Approach: Not shared Approach 2:Shared
Ownership is not just about “following rules”, but about establishing an agreement about the rules that will make individuals follow them because they understand them, see them as appropriate and effective, and feel they have a personal stake in them. For this reason, the rules should also conform to individuals’ moral and ethical criteria and basic needs.
Ownersship is not about simply “following rules”,
but about respecting an agreement between
the organisation and staff regarding security.
In order to maintain the agreement between staff members and the organisation it is important that the individual(s) responsible for security keep others constantly involved through briefings, reminders about aspects of the agreement, and by asking for people’s opinions on how appropriate and effective the rules are in practice.
Such involvement will however be of little value without an organisational culture of security which underpins formal and informal work procedures or programmes.
In summary, the necessary basis for people to observe security rules and procedures can be achieved through the following steps:
There is no prototype of a human rights defender who doesn’t follow security rules. Many people within an organisation often follow some rules but not others, or observe the rules sporadically.
There are many possible reasons why people don’t observe the rules and procedures. To change this and ensure ownership, it is important to establish the causes and find solutions alongside the other people concerned. It will also be useful to distinguish between the different reasons people may have to not follow the rules, because they will vary.
Some possible reasons for not observing security rules and procedures:
Unintentional:
Intentional:
General problems:
Individual problems:
Group problems:
Organisational problems:
Organisational culture is both formal and informal, and must be developed not just in the organisation as a whole, but also in teams. A good organisational culture will show signs such as informal chatting, joking, parties, etc.
Direct monitoring:
Security rules and procedures can be incorporated in general work appraisals and “check-lists”; as well as in meetings before and after field missions, in work reports, on meeting agendas, etc.
Periodical reviews can also be carried out together with the teams in question, of issues such as the safe-keeping of sensitive information, copies and security manuals; of security protocols for visits to the organisation’s headquarters; preparing to go on field missions, and so on.
Indirect monitoring:
Asking people for their views about rules and procedures, whether they are appropriate and easy to follow, etc, can establish whether staff actually know about the rules, whether they have been fully accepted or if there is disagreement which should be dealt with. Staff use of the security manual and any existing protocols and rules can also be reviewed.
It is very worthwhile to compile and analyse along with the people or teams in question, people’s opinions and evaluations of security rules and procedures. This can also be done off the record/anonymously or via a third party.
Retrospective monitoring:
Security can be reviewed by analysing security incidents as they arise. This must be handled especially carefully. Someone who has experienced a security incident might worry that it was their fault and/or that analysis will lead to sanctions against them. S/he might therefore be tempted to conceal it, leaving the incident, or aspects of it, unreported.
Who does the monitoring?
Depending on the way the organisation operates, whoever is responsible for organising security, specific areas of work within security, and managing any security staff, will also be in charge of monitoring security.
1. Establish the causes, find solutions and put them into practice. The list of options in Table 1 above can be used as a guide.
2. If the problem is intentional and only involves one individual, try to...
3. Include a clause about observing security rules and procedures in all work contracts, in order for all staff to be fully aware of how important this is to the organisation.
Some may argue that a discussion of the reasons why people don’t follow security rules is a waste of time, as there are more urgent or important things to be done. Those of that opinion normally think simply that rules are to be followed, full stop. Others are aware that the world doesn’t always work that way.
Whatever your opinion, we now invite you to step back and analyse the degree to which security rules and procedures are being followed in the organisation(s) where you work. The results could be surprising and worth spending time on in order to avoid problems further down the line…