Module 24: Creating an Organisational Protection Plan

When planning and facilitating this session, it is important to consistently apply an intersectional lens to each participant's identity and experiences, and their protection needs. Overlapping systems of discrimination and privilege, such as gender, sexual orientation, religion, disability, racial and/or ethnic origin, economic status/class, marital status, citizenship, age and physical appearance, can have a profound impact on human rights defenders' and their communities' perception of and experience with risks and protection.

Facilitator note: this session is designed for HRDs from different organisations in one workshop. If your workshop comprises HRDs from only one organisation, use the formats without any examples for them to work through and increase the time significantly.
 

Introduction: 10 mins

• Most organisations already have a basic protection plan (eg lock the doors of the office, phone a relevant person if there is a problem)
• (Unless all the participants are from one organisation) we will not produce a standard security plan in this session, because every organisation is different and needs a plan for their unique context
  

  Tip

  Create the Organisation Protection Plan with all your relevant colleagues, so it will cover their needs, and they will want to implement it

   

• Your task when you go back to your organisations is to help your colleagues to create a fuller and more relevant version together, based on the risks and threats you face
• All relevant, trusted workers need to be involved in the creation of the plan, otherwise there will be reluctant to implement it, and improve it over time
  

  “If you don’t involve your office cleaner, the cleaner may not know the importance of keeping the emergency escape exit clear of rubbish. If you don’t involve your organisation’s driver, your driver may not realise that you need to be told if a vehicle is following you.”

   

• An external ‘expert’ will not be able to create a plan for you with the same local knowledge you have about risks and threats, and the understanding of how you do your work
• It isn’t difficult to create an Organisation Protection Plan – the tools we already used will be helpful, and the work you put into creating your Personal Protection Plan will be very relevant
• We will use another tool, the SWOT Analysis (Strengths, Weaknesses, Opportunities and Threats Analysis)
• Check which participants already have organisation protection plans, and ask for examples of the good and bad practices associated with them, eg “an expert came and wrote a protection plan for us and it is lying in a drawer and not implemented”

Security plan – the process: 30 minutes

Making a security plan in your organisation – propose the following

1. Discuss: how important is security and why? (You can use the session ‘Understanding security’ to start this discussion)
2. Look at the context in which you receive the threats in your organisation – you can use a SWOT analysis (internal Strengths and Weaknesses, external Opportunities and Threats). Brainstorm the issues, write up the contributions of everyone and then prioritise the most important issues.

   Example:
    

   Strengths in your organisation relating to security	Weaknesses in your organisation relating to security
   Committed staff Senior staff experienced in dealing with threats Existing network of influential contacts, including in government, media, local and international NGOs	Knowledge about dealing with threats not shared in a uniform way No register of security incidents No protection plan
   External Opportunities for protection	External Threats to protection
   Possibility to extend our network to include others: advocacy; legal issues; digital protection and psycho-social support European Union Guidelines on HRDs – possibility to approach Embassies for support	Potential legislation to control funding and activities of NGOs Army and armed opposition groups both issue threats to NGOs working on human rights

3. Agree the three biggest risks and threats, based on the likelihood that they will occur, and the highest impact. You can work more on the other priority risks in the future, but it is best to start with something manageable and not overwhelming.
4. You can use the risk matrix¹, and for each of the risks and threats, invite each worker to identify the probability and impact levels.

   The Risk Matrix

   

   Assessing Impact takes into account physical and psychological harm to members, colleagues and their families, as well as physical loss and damage, to buildings, information and other assets plus damage to reputation.

   Example

   A WHRD working in the Shan State of Myanmar, which was in conflict, explained that her risks were different and higher than those of her male Burmese manager based in an office in the capital. Firstly, as a Shan woman, she could be subject to more harassment by the authorities. Secondly, travelling - by canoe, motorbike and on foot - could take several days and carrying cash for workshops in remote villages was an added risk. Specific security plans involving a cover story, trusted beneficiaries organising the transport, the need to be in a safe place each nightfall, and the distribution of funds in different hiding places were essential.

   This discussion will assist you to see how, depending on intersectionality and situations, risk affects everyone differently. Through discussion you will reach a deeper understanding of situations and perspectives. Work towards mutual agreement of the placing of the risk/threat on the matrix in terms of the organisation, whilst recognising that individual protection plans will need to reflect the higher or lower risks they face in relation to both the risks/threats, and to other colleagues.

5. One by one, go through the highest 3 risks and threats. Consider how you can reduce probability by creating a list of Standard Operating Procedures (SOPs) – what should be done, or what should not be done (see sample protection plan below).
6. Next consider how you can reduce the impact, by creating a Contingency Plan, in case the risk does happen. Some of the elements will also need to go into the SOPs or other organisation plans, eg if a risk/threat is physical attack, it may be the organisation can pay or contribute to health care for staff, and a fund may need to be created, or health insurance purchased in advance.
7. The SOPs and Contingency Plan together are your Protection Plan. This should be shared with new recruits, initially reviewed after 3 months to check compliance, and then reviewed every 6 months or if the context changes.

   PROTECTION PLAN – date and version number
   * Name of organisation:
   * Goal/s of organisation:
   * Key responsibilities with contact details: Security Focal Point, lawyer, doctor etc
   * Purpose of the Protection Plan: eg to ensure all our workers are aware of risks and threats and the measures which must be taken to protect ourselves, our beneficiaries and our work
   * Context of threats and risks:
   * Examples of physical and digital threats and attacks previously experienced by the organisation if appropriate:
   * Specific plans for specific risks for example as below:

   Example	Probability	Probability mitigation measures	impact	impact mitigation measures / Sops
   Arrest	Medium for directors Low for others	Session with lawyer to discuss rights and risk mitigation measures Reduce public activity at sensitive times	Very high or high for women and generally medium for others	Learn lawyer’s number Call lawyer immediately Know your rights
   Burnout	High for Rapid Response Team and Safe House staff, medium for others	Working hours and days reviewed and staff actively encouraged to stop overtime and take leave Regular meetings with managers to discuss work and impact Well-being sessions to discuss coping tools	Medium to high, depending on identity, situation and capacities	Option to take a break Offer support of therapist or support sessions preferred by staff Support to the staff as requested and appropriate
   Hacking	Medium	Install safer software and apps Organise digital protection training for all	High for the organisation if sensitive data revealed	Create information management and storage policy eg: green info is public; amber is internal and red is private and categorise all information types Train all staff on new policy

   1. During discussion, add an Action Plan to your Protection Plan - a list of actions and capacities which are needed, allocating responsibilities, budget and actions as appropriate.

      PROTECTION ACTION PLAN - date
       

      Example	Person Responsible	Budget Allocation	Deadline
      Briefing from lawyer	Director	Pro Bono	End of next week
      Access to a therapist	Human resources manager	Request to donor for next year’s budget	4 months
      Digital protection training	IT Officer	Check if we have contact who can provide free, or cost other options, or devote time in our organisation to go chapter by chapter to Security-in-a-Box	3 months

      An Appendix to your plan, listing the Security Incidents you have experienced and actions taken, will be insightful. Ensure you consider the confidentiality as appropriate of the people concerned, and also whether this section should be widely available or not.

      Finally, your protection plan needs a Security Incident Report Form

      There is an alternative example of an Organisation Protection Plan format here and here

“Yes, but…”: 15 mins

“Now that we have virtually concluded the workshop, this is the time to share any concerns. For example some of you may be thinking, “yes, but this won't work in my organisation because..."

Let's share those.

Facilitator note: If there are just one or two items (an example could be “our director is brave and has a high risk tolerance and doesn't like to follow protection procedures”) these can be discussed in the whole group. If a variety of issues are identified, the trainer can split the participants into groups so more issues are covered, with a report back.

Embedding Protection Planning in Organisations: 15 mins

The creation of the protection plan is only the beginning of protection planning. In some organisations the biggest challenge is ensuring it is implemented.

Ask participants what would help to ensure implementation of the plan and discuss the responses. Also, discussing what would lead to it being ignored ca be insightful.

Some good practices identified by trainers:

• Begin with a general conversation with all staff/volunteers
• Open up the topic of protection so it becomes part of everyone’s work planning and every relevant discussion
• Discuss protection as a journey which develops as you go
• Emphasise that we all make mistakes and create a culture so people can share what they did without recriminations. The opposite – being secretive about risks taken – makes everyone’s risk higher
• Speak individually with some key people who can share diverse experiences at staff meetings (not just you telling people protection planning needs to happen)
• Decide who needs to be part of the protection plan creation (ideally all staff, at the beginning, but if trust is an issue, you will have to consider excluding those who are not working in key positions or whose loyalty may be in doubt)
• Consider a role play, eg of a police raid on the office (ensure that no-one is traumatised by considering personal needs and experiences and forewarning everyone)
• Play a game, with staff/volunteers divided into groups. Each group produces a likely scenario (eg an informer tries to join you; someone’s phone is hacked; your office is attacked by local thugs). Put all the scenarios in a hat and ask each group to pick one and produce a protection plan with mitigation measures. Take feedback and use this as the basis for your plan.
• Appoint a small group (reflecting the diversity of your organisation) to oversee protection issues, with one person as the focal point
• Have a written plan so you can give it to new staff/members
• Update it every 6 months or when the context changes, and refer to it and amend it often, so it is a living document

Resources:

Workbook on Security: Practical Steps for Human Rights Defenders at Risk, Chapter 5

Concluding remarks:

We have now come to the end of the workshop. We hope that everyone has built confidence about producing protection plans and has gained rich insights from the process and from each others’ experiences.

A reminder of some key points:

1. The best protection plans are created by the people who are affected by the threats
2. The risk analysis process should be holistic and identify physical, digital and psycho-social risks and threats plus mitigation measures.
3. There needs to be someone responsible to oversee the implementation of the plans
4. The plans need to be reviewed periodically a) to check their effectiveness and b) when circumstances change
5. Protection planning is essential for defenders to continue their work more safely, and continue to help their communities access their rights.

We will follow up with you in 6 weeks time to offer support and get valuable feedback from you to inform our workshops with HRDs in future.

Closings:

See Openings, Closings and Energisers for some options

¹ Facilitator note: See a fuller description of the Risk Matrix session here: Module 12: Analysing Risk - The Risk Matrix for an Organisation Protection Plan