Master Thesis
within the Framework of
the postgraduate studies „Geographical Information Science & Systems“
(UNIGIS MSc) at the Centre for GeoInformatics (Z_GIS) at the Paris Lodron_University Salzburg
„ Geographical Information System based Security Information and
Security Risk Management for United Nations field missions”
by
Dipl. Ing. Herbert Wischnitzki
U1208, UNIGIS MSc 2005
To obtain the academic title
„Master of Science (Geographical Information Science & Systems) – MSc(GIS)“
Supervisor:
Ao. Univ. Prof. Josef Strobl
Khartoum, 01 January 2006
Disclaimer / Erklärung
The results presented in this thesis are based on my own research. All assistance received from other individuals and organizations has been acknowledged and full reference is made to all published and unpublished sources used. This thesis has not been submitted previously for a degree at any Institution.
Ich versichere, diese Master Thesis ohne fremde Hilfe und ohne Verwendung anderer als der angeführten Quellen angefertigt zu haben, und dass die Arbeit in gleicher oder ähnlicher Form noch keiner anderen Prüfungsbehörde vorgelegen hat. Alle Ausführungen der Arbeit, die wörtlich oder sinngemäß übernommen wurden, sind entsprechend gekennzeichnet.
Khartoum, 30 July 2007 DI Herbert Wischnitzki
Summary
Summary
Over the past decade, threats against the safety and security of United Nations personnel have escalated. Faced with expanding humanitarian operations, increasing security concerns and rising staff numbers and costs, the United Nations stands on the threshold of change. It is no longer enough to maintain the status quo. The United Nations Management System must develop innovative ideas and technology-driven procedures allowing them to manage security more efficiently and affordably than ever before.
This paper describes a security information management effort for United Nations field missions based on a Geographical Information System. Moreover, it evaluates the proposed system against the current United Nations Security Information and Security Risk Management System. The study focused on the United Nations Security Management System and security aspects of the humanitarian emergency operation in the Darfur region of the Republic of Sudan. The vast geographic area, the volatile and complex security situation and the extensive presence of humanitarian aid workers, who are exposed to a variety of threats and occupational hazards in their work, provide an ideal environment to evaluate the extent to which the current United Nations Security Management System could benefit from a security orientated Geographical Information Management System.
The study combined different opinions derived from professional experience in the security field and included a general threat assessment of the humanitarian emergency operation in Darfur. All available information sources relevant to the security of humanitarian staff and operations were assessed and incorporated into the GIS based Security Information Management effort through processing data and linking relevant databases to the GIS application. Furthermore, the GIS was further utilized for security
risk assessments and management through analyzing datasets and modeling different scenarios by using geo-processing tools.
The study argues that the Geographical Information System provides an excellent environment where security related information with a spatial context can be effectively collected, stored, analyzed, and presented. A Geographical Information System contains a wide variety of tools available to the security professionals, enhancing their understanding of complex situations, performing relevant spatial queries and analysis and visualizing outcomes.
List of Figures
Figure 2.1: Map of the Republic of Sudan ………..5
Figure 2.2: WFP assistance in Darfur 2004 – 2007 ……….8
Figure 4.1: Risk assessment methodology flow chart………14
Figure 4.2: Risk Matrix reflecting four levels of risk ………16
Figure 4.3: The Security Risk Management Model ………..19
Figure 5.1: Homeland security management effort with GIS ………26
Figure 5.2: Hot spot analyses with crime mapping software ……….27
Figure 5.3: Advantages of GIS based security information management in Darfur …….29
Figure 6.1: Sources of insecurity and threat events to humanitarian agencies in Darfur .39 Figure 6.2: Access data base entry from ‘Armed Combatant’...………44
Figure 6.3: Map Security Incidents Chad Dec 2005 – Jan 2007………...52
Figure 6.4: Geographical presentation of landmine / UXO victims August 2006 ………62
Figure 6.5: UNJLC road data entry form ………..64
Figure 7.1: Analysis / Determining threat level for armed faction ………68
Figure 7.2: Migration corridor / nomad population density ……….71
Figure 7.3: Security Levels in West Darfur ……….. 79
List of Tables Table 4.1: Likelihood level of Risk ………..15
Table 4.2: Impact level of Risk ……….16
Table 4.3: Definitions of ‘Level of Risk’ descriptors ………...20
Table 6.1: Sources of Insecurity and related information sources ………40
Acronyms and Abbreviations
AOR Area of Responsibility
AU African Union
CAR Central African Republic DPA Darfur Peace Agreement
DPKO Department of Peacekeeping Operations FAO Food and Agriculture organization GIS Geographic information system HIC Humanitarian Information Center
IASMN UN Inter-Agency Security Management Network IDP Internally displaced person
JEM Justice and Equality Movement NGO Non Governmental organization NRF National Redemption Front
SAST Security Assessment and Support Team - WFP SLA Sudanese Liberation Army
SRM Security Risk Management
UFDR Union des Forces Démocratiques pour le Rassemblement
UN United Nations
UNJLC United Nations Joint Logistics Centre UNMAO United Nations Mine Action Office
UTM Universal Transverse Mercator
UXO Unexploded Ordinances
VAM Vulnerability Assessment Mapping WFP World Food Programme
WGS 84 World Geodetic System 84 WGS 84
Table of Contents
Disclaimer / Erklärung ………..I Executive Summary ………..II List of Figures ………..IV List of Tables ………IV Acronyms and Abbreviations ………...….V Table of Contents………. ………VI
1. Introductions….……….... 1
1.1. Background ………...………... 1
1.2. Scope and purpose of the study……….... 1
1.3. Study methodology ……….. 2
2. Study Area ……….4
2.1 Geographic location……….……... 4
2.2 History of the current conflict……….. .5
2.3 Humanitarian Profile……… .6
3. UN Security Management System….………. ……… 9
3.1 Changing operating environment for the UN and humanitarian agencies………... .9
3.2 United Nations Security Management System and Structure……… …10
4. Risk Assessment and Management ……….. 12
4.1 Quantitative Risk Assessment ……….... 12
4.2 Qualitative Risk Assessment ……….... ..13
4.2.1 Risk Management Process based on Risk Ranking……….. 14
4.2.2 Establish the Context ………....14
4.2.3 Identification of Threats ……… ...15
4.2.4 Assessment of the Likelihood………...…….. …..15
4.2.5 Assessment of Impact……….…. ….17
4.2.6 Determining the Risk Level……….………..16
4.2.7 Management of Risk……….………….………17
4.2.8 Review and Monitor ……….………17
4.3 United Nations approach to Security Risk Assessment and Management………..18
4.4 Security Risk Assessment and Management in Darfur……… ……...22
5. Security Information Management efforts with GIS ……….. 22
5.1 United Nations Security Information Management System ………...22
5.2 Potential of a GIS based Security Information Management System……… 23
5.3 Commercial and Government Security Management efforts with GIS………….. 24
5.4 Potential of a GIS based Security Information Management System for Darfur... 28
5.5 Evaluation of Security Management efforts with GIS ………31
6. Establishing a GIS based Security Information System ……….36
6.1 Threat Environment in Darfur ……….39
6.1.1 Clashes between armed factions ………...41
6.1.2 Tribal conflicts……….. ………45
6.1.3 Militia attacks on civilians……… ………50
6.1.4 Conflicts in Sudan/Chad/CAR border area between rebels/regular forces. ..51
6.1.5 Crime……….55
6.1.6 Terrorism ……….. ………56
6.1.7 Civil disorder……….. ………..59
6.1.8 Political obstruction of humanitarian operations ………..60
6.1.9 Landmines and Unexploded Ordinance ………61
6.1.10 Road conditions……….. ………63
6.1.11 Health and environmental threats………. ..65
6.2 GIS used for Security Incident Management ………. 66
7. Geo-processing for Security Risk Analysis and Security Management……. ……67
7.1 Clashes between armed factions……. ………67
7.2 Tribal conflicts……….………68
7.3 Militia attacks on civilians…... ………70
7.4 Conflicts along Sudan/Chad/CAR border between rebels/regular forces ………...71
7.5 Crime……… …...………72
7.6 Terrorism……… ……….73
7.7 Civil disorder………... ………74
7.8 Political obstruction of humanitarian operations………..…...75
7.9 Landmines and Unexploded Ordinance ………..75
7.10 Road conditions………. ………76
7.11 Health and environmental threat…... ………77
7.12 Establishing Risk Levels…………... ………79
8. Conclusions and Recommendations ……….80
8.1 Conclusions………. ………80
8.2 Constraints of a Security Management effort with GIS ………..82
8.3 Potential for further development………84
9. Bibliography ………87
1. Introduction
1.1. Background
Over the past decade, threats against the safety and security of United Nations personnel have escalated. Until 2002 it was generally perceived that the greatest threat to United Nations operations was to personnel who might be in the wrong place at the wrong time, and security activities were mainly focused on reducing accidental and collateral damage. However, with the 2003 attack on the United Nations head quarters in Baghdad this perception has changed significantly. The symbols of neutrality and impartiality that the United Nations (UN) has depended on throughout the post-war years as the primary mantle of protection and security seem no longer to be respected. Ensuring the safety and security of UN staff and assets in humanitarian operations has emerged as a main challenge. Since 2003 aid agencies’ security management systems have been subjected to unprecedented levels of review and more than $100 million is estimated to have been spent on improving the security arrangements of the UN and other humanitarian organizations. Faced with expanding humanitarian operations, increasing security concerns and rising staff numbers and costs, the UN stands on the threshold of change. It is no longer enough to maintain the status quo. The UN Management System must develop innovative ideas and technology-driven processes that allow them to manage security more efficiently and affordably than ever before. While the United Nations has revised its security management system and structure the question arises, whether the current security information and security risk management system can be further enhanced by implementing Geographical Information Systems (GIS) technology to keep operations and staff safe and secure.
1.2. Scope and purpose of the study
The Evaluation of the current UN Security Information and Security Risk Management System and potential development by utilizing GIS covers the emergency mission in the Darfur region of Sudan. Faced with the escalating humanitarian crisis of 2003, all UN agencies scaled up their humanitarian assistance in Darfur, which resulted
in it becoming the largest emergency operation in history. The vast geographic area, the volatile and complex security situation and the extensive presence of humanitarian aid workers who are exposed to a variety of threats and occupational hazards in their work, provide an ideal environment to evaluate the extent to which the current UN Security Management System could benefit from a security orientated GIS.
The purpose of this study is to explore and determine whether a GIS is a useful tool to support the UN Security Information Management system and whether it can be used for security risk assessments. GIS technology used in similar settings addresses many of these crucial issues by providing a framework for integrated solutions and visualizing geographically analyzed data. A GIS provides a wide range of powerful tools to store and analyze data and has the potential to quickly generate information on patterns, trends and relationships between multiple sets of data which might help in answering complex questions in a volatile environment. The newly created information might be of value to security professionals and security decision makers to better understand factors that can negatively influence operations and outcomes and make informed judgments concerning the extent of actions needed to reduce risk. The intention is to integrate all available and relevant data and utilize a GIS for security risk analyses and queries. The database will be centralized and will incorporate both general topographic vector data and security related information such as, deployment of armed factions, tribal lands, migration corridors, land use / cover derived from satellite images etc. In addition an internal security database, containing all security incidents will be linked to the GIS database and will contribute essential information.
1.3. Study methodology
The methodology adopted in carrying out the study comprised several steps. It commenced with a general threat assessment of the complex humanitarian emergency operation in Darfur and brought together different opinions derived from professional experience in the security field. It continued by summarizing and investigating all available information sources of relevance to security of humanitarian staff and
operations. The following methods in gathering and assessing security related data and sources were employed:
Comprehensive briefings, meetings and discussion with security professionals of different UN entities and security focal points of Humanitarian organizations.
Interviews with security and government officials of the Darfur states.
Study of security aspects of the humanitarian operation and information sources by reviewing all relevant documents made available such as security databases, security assessment report and security trend analyses.
Intensive field visits of humanitarian agencies throughout Darfur.
The next step included establishing a Geographical Information System and incorporating all available security related information by processing and importing data as well as linking relevant databases to the GIS. The GIS was further utilized for security risk assessments and management by processing datasets to meet particular requirements and by modeling different scenarios using geo-processing tools. Tools were employed in accordance with specific methods for analyzing and assessing risk. Maps were generated showing different security risk levels and indicating specific security concerns. For security risk assessments smaller sub study areas were selected allowing for exploring and analyzing security issues in more detail and providing security professionals with valuable information to understand security aspects and evaluate the appropriateness and effectiveness of the mitigating measures. The study was completed by an evaluation of a United Nations Security Management effort with GIS, the suitability of utilizing it for Security Risk Assessment and with a comparison against the current United Nations Security Information Management System.
2. Study area
The study focused on the United Nations Security Management System and security aspects of the humanitarian emergency operation in the Darfur region of the Republic of Sudan.
2.1. Geographic location
The Republic of Sudan is situated in Northern Africa and is bordered by Egypt to the north, the Red Sea to the northeast, Ethiopia and Eritrea to the east, Kenya, Uganda and the Democratic Republic of the Congo to the south, the Central African Republic and Chad to the west, and Libya to the northwest. Sudan is the largest country in Africa with a total area of 2,505,810 sq km and lies between latitudes 3 ° and 23 ° N and longitude 21° and 39° E. The capital city is Khartoum. Other major urban centers include Port Sudan, Kosti, Kasala and El Obeid. The Republic of Sudan is divided politically into 25 states. Sudan has an estimated population of 39 million people (CIA, 2007), comprising more than 500 tribes. The official language is Arabic, but more than 130 languages and dialects are spoken throughout the country. Islam (70 %) is the predominant religion, particularly in the North, while Christianity is more prevalent in the South.
The Darfur region is located in the west of Sudan and borders Libya, Chad and the Central African Republic to the west. It is divided into three states South, West and North Darfur. The state capitals and main urban centers are Nyala (South), Geneina (West) and El Fasher (North Darfur). Darfur covers one fifth of the area of Sudan comprising 510,888 square kilometers about the same size as France (Figure 2.1). Large areas to the north are part of the Sahara desert. The remaining terrain to the south is generally flat and is made up of plateaus some 700 to 1,000 meters above sea level and contains few mountain ranges. Among them, the largest is the volcanic mountain range of Jebel Marra located in the central part of Darfur rising to between 1,500 and 2,000 meters. The United Nations (UN) generally cites population figures of about 6.5 million for Darfur before the war broke out in 2003 based on the 1993 national census and an estimated yearly population growth of approximately 2.4 per cent. Some 80 different tribes and ethnic groups have been recorded in Darfur.
! !
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
Figure 2.1: Map of the Republic of Sudan
2.2. History of the current conflict
The Darfur region has been torn apart by civil war since early 2003, when two armed opposition groups the Sudan Liberation Army (SLA) and the Justice and Equality Movement (JEM) took up arms against the government. These groups represented agrarian farmers who are mostly non-Arabized black African Muslims. The rebels claimed years of political, economic and social marginalization of the region as reason for the rebellion and accused the government of Sudan of oppressing black Africans in favor of Arabs. The strife has been mainly between agriculturalist non-Arab African and pastoralist Arab tribes and hence the Sudanese government blamed competition over scarce resources for the erupted conflict. While Darfur had long experienced localized
Juba Nyala
Kasala
South Darfur
S u d a n
Nile
Kusti
Rumbek
Torit Yambio
Aweil El Fasher Geneina
El Obeid
Malakal
0 300 Kilometers
Khartoum Port Sudan
Kadugli North
Darfur
West Darfur
Egypt Libya
Eritrea
Ethiopia Central
African Republic Chad
Democratic Republic of
Congo Uganda Kenya
Red Sea
Wadi Halfa
Marawi
White Nile
Blue Nile
violence exacerbated by ethnic tension and competition over scarce resources and had been the scene of sporadic clashes between farming communities and nomadic groups in the past, traditional dispute resolution mechanism broke down and the conflict violently escalated in 2003. The government of Sudan faced with a serious deficit regarding military capabilities in Darfur exploited the existing tension between different tribes and responded to the rebellion by arming and increasing support to local tribal militias, which have come to be known as the "Janjaweed"1. Their members were composed mostly of black African Muslims who herded cattle, camels, and other livestock. Violence and broken ceasefires continued throughout 2004 and 2005 despite intermittent peace talks and the presence of an African Union (AU)2 protection force from August 2004. Peace talks in Abuja (Nigeria) in May 2006 led to a split of the SLA into two factions and to the signing of the Darfur Peace Agreement between the main SLA group and the government of Sudan. Other groups opposed to the peace deal continued the rebellion and the conflict in Darfur intensified shortly after. As a response to the escalating crisis in Darfur, the Security Council, on 31 August 2006 authorized the transition of the AU force to a larger more robust UN peacekeeping force in Darfur consisting of up to 17,300 military personnel and up to 3,300 civilian police by its resolution 1706. The government of Sudan agreed to the UN resolution in November 2006, pending clarification of the size and details of the peacekeeping force. In June 2007 Sudan has approved the deployment of a hybrid, compromise force of African Union and United Nations personnel to Darfur.
The African Union element will be the mainstay of the hybrid operation, command and control structures will be provided by the UN.
2.3. Humanitarian profile
Sudan is considered a developing country and ranks 141 in the 2006 Human Development Index 3 and Sudan remains, in World Bank terms, a highly indebted poor country. The Darfur region has always been a neglected area in terms of government led
1 The Janjaweed is a term that means ‘devil on horseback’. Originally it was a term to define a highway robber, riding a horse or camel, carrying a gun or a rifle.
2 The African Union is an organization consisting of fifty-three African States, established in 2001. A main goal is to bring an end to intra-African conflicts. (Wikipedia, 2007)
3 The Human Development Index compiled by the UNDP is a comparative measure of life expectancy, literacy, education and standard of living for countries worldwide.
development and has the lowest infrastructure regarding schools, health facilities, roads or development projects. In terms of life expectancy, mortality of women and children, nutrition, literacy, access to clean water, Darfur ranks among the least developed regions in any international comparison (UNDP, 2007). Statistical figures concerning Sudan are rough guesses, since statistics are out of date and national institutions have not carried out proper data collection and statistical analyses. Thus, the reality could be worse than international reports portray. Darfur is described as one of the worst humanitarian disasters of our time. The UN estimates that the civil war has led to the death of 400,000 civilians in Darfur since 2003. Almost 2 million people have become displaced, living in Internally Displaced Person (IDP) camps mainly around the larger population centers.
234,000 Sudanese refugees are estimated to be living in camps in neighboring Chad. The civil war resulted in villages and infrastructure being destroyed and in a massive depletion in the environmental resources upon which Darfur’s livelihoods depend. In 2003 the UN addressed the humanitarian crisis in Darfur, launched a humanitarian appeal and established together with a collection of non-governmental organizations (NGO) the largest humanitarian mission in the world. The emergency operation has been constantly expanded until 2005 to respond to the needs of IDPs and the local population affected by violence. Beside the United Mission in Sudan (UNMIS) all major UN agencies have established and increased their presence in Darfur to get adequate capacity on the ground.
Major and minor international NGOs have also deployed staff and resources to support the humanitarian emergency operation. There are over 13,000 international and national staff members in Darfur, employed by some 80 NGOs and the 12 United Nations Agencies (UNMIS, 2007).
Remarkable is the humanitarian assistance provided by the United Nations World Food Programme (WFP)4 as the largest humanitarian organization on the ground delivering food to about 2.7 million people a month in some of the most remote and difficult areas in 2007. WFP responded to the emergency by utilizing assets of the already existing emergency operation in South Sudan and by launching a specific Darfur
4 WFP is the largest international food aid organization in the world and the United Nations frontline agency in the fight against global hunger. WFP operations aim to save lives in refugee crises and other emergencies; improve nutrition and quality of life of the world’s most vulnerable people at critical times.
emergency mission in 2004. Further population displacement due to increased insecurity coupled with a poor 2004/2005 harvest resulted in increased beneficiary numbers to a total of 3.25 million people in 2005. WFP and its partners assisted an average 2 million people a month in 2005 and an average of 2.5 million in 2006. Since the onset of the Darfur emergency operation in April 2004, more than one million metric tones of food have been distributed (Figure 2.2). Due to food assistance provided by WFP malnutrition has been cut in half since its height in mid-2004 and mortality rates have fallen to well below emergency levels (WFP, 2007).
Figure 2.2: WFP assistance in Darfur 2004 - 2007 (Source: WFP, 2007)
3. UN Security Management System
3.1. Changing operating environment for the UN and humanitarian agencies Following the significant increase in global insecurity over the past years and its impact on staff and assets of the United Nations the UN Security Management System was revised in 2003 to meet the changing operational requirements. In the past the UN security arrangements were designed to deal mainly with criminal threats and random or accidental acts of violence. In recent years conflict situations have become much more violent and staff members of the United Nations and international agencies have become more exposed to security risks. This increased exposure to risks can be explained by the changing operational objectives and methods of humanitarian organizations. Increased competition among UN agencies for operational outreach in areas of high insecurity and the blurring of mandates requires the UN to send staff to provide assistance in situations of open warfare and hostility. Although the overall number of traditional international conflicts has decreased since the early 1990s, the remaining and emerging conflicts often take place within failing or collapsed states (UN NEWS CENTER,2007). The fragmentation of states, with its various manifestations such as warlordism and ineffective government control over territory and people contributes to the complexity of conflicts. Furthermore increased and easy access to small arms has had a significant impact on both the political and security environments of ongoing conflicts and resulted in the creation of armed militias and criminal gangs engaging in warfare with other groups and government forces or committing banditry. The globalization of terror movements and the spread of religious and fundamentalist ideologies targeting western governments and institutions have also largely contributed to increased insecurity of humanitarian staff. The United Nations as well as many international agencies are closely linked to and depend on large donors, such as the United States and the European Union, who themselves pursue political agendas and thus relying on the principle of independence has been increasingly problematic. The deliberate bomb attack on the UN headquarters in Baghdad in 20035 showed that the UN has become a target of choice and that security measures had to be
5 The Canal Hotel Bombing in Baghdad, Iraq occurred on August 19, 2003 resulting in 22 people being killed and over 100 being wounded. The blast targeted the UN headquarters in Iraq.
radically altered to meet the new challenges. The UN had to cope with these emerging threats and new uncertainties by reforming the UN Security Management System and by developing strategies to preserve the integrity of their programs and remain impartial and amenable to all parties to the conflict. The reform of the UN Security Management System was initiated in 2004 by the establishment of the Department of Safety and Security (UNDSS) led by an Under Secretary General to enhance the security of all UN civilian personnel. It combined three previously separate UN entities responsible for security and safety of staff, the Office of the Security Coordinator, UN Security and Safety Services, and the civilian security component of the Department of Peacekeeping Operations. Additional amendments included a significant increase in the number of security officers both at head quarters and in the field, enhanced procedures for and increased capabilities in threat and risk assessment, operational support, upgrading of operating security standards as well as training on safety and security for UN staff.
3.2. United Nations Security Management System and Structure
The current structure of the UN Security Management System, stipulated in the UNFIELD SECURITY HANDBOOK (2006) was designed to plan and manage security issues and to ensure that there is a coordinated approach for the protection of UN staff. It comprises various actors and can be divided into a security management system at UN head quarters level and at country levels. At the head quarters level the Under Secretary General for Safety and Security is accountable for overseeing the United Nations Security Management System. He is responsible for all UN security policy and procedural matters and ensures a coherent response by the United Nations system to any emergency situation. He is assisted by the Department of Safety and Security (UNDSS) comprising dozens of security professionals. Tasks of the department include reviewing of duty station security plans, reviewing and approving all Minimum Operating Security Standards (MOSS)6 established by the duty stations, compiling monthly travel advisories and providing security and crisis management training to UN security officials. At country level a Designated Official (DO), appointed by the Secretary-General, is
6 UN duty stations are required to establish and implement a set of minimum-security standards comprising security planning, training of staff, communications and security equipment.
accountable for the security and safety of all UN staff members and the property of the organizations at the respective duty station. The DO has to constitute a Security Management Team (SMT), comprising all heads of UN agencies and funds to ensure that security is managed and coordinated in an integrated manner on an inter-agency basis. A senior UNDSS official at the duty station is appointed the Chief Security Advisor. This position is directly accountable to the Under Secretary General for Safety and Security and is the principal advisor to the DO and the SMT on security related issues. UN agencies might employ security professionals to advise country representatives regarding issues specific to the operations of that agency and at the same time also support the DO and the UN Security Management System. Wardens appointed by the DO, complete the UN Security Management Structure and facilitate the coordination of security arrangements and ensure a proper implementation of the security plan in a predetermined zone. Non-governmental organizations, implementing partners of United Nations agencies operate in the same environment. They are exposed to the same threats and subjected to the same treatment in complex emergencies. Thus, the UN Security Management System was expanded to NGOs on condition that a memorandum of understanding with the UN is signed. NGO representatives have been included in the SMTs at duty stations and as such as have full access to security related information.
The primary responsibility for the protection of United Nations personnel lies with host Governments (UN FIELD SECURITY HANDBOOK, 2006). Taking into consideration the volatile environment the UN is operating in; host governments have not always been able to fulfill their responsibility. Therefore the UN Security Management System is challenged to plan for and take necessary action for the protection and security of their staff members. Security professionals internationally recruited by UNDSS and UN agencies play an important role in the UN Security Management System. The SMT is a decision making body but professional expertise is provided by those security professionals. Security professionals prepare Security plans, conduct Security risk assessments, and liaise with host government security authorities. Further responsibilities include advising the SMT with regard to the safety and security of staff members, all aspects of security management, and crisis readiness and preparedness at their respective duty stations.
4. Risk Assessment and Management
Risk management is defined as the process of identifying and assessing risk and developing strategies to reduce risk to an acceptable level. It is a systematic, analytical process to consider the likelihood that a threat will harm an asset or operation and to identify actions that reduce the risk and mitigate the consequences of such events.
(STONEBURNER ET AL., 2002). Risk management provides decision makers with information needed to understand factors that can negatively influence assets and operations and make informed judgments concerning the extent of actions needed to reduce risk. It provides a basis for establishing appropriate policies and selecting cost- effective techniques to implement these policies. (GAO,1998).
The goal of risk management is to reduce the impact of risk to an acceptable level and to make contingency arrangements. A zero risk level is not attainable and risk management does not imply that risks are prevented or avoided completely. Risk management rather aims at achieving an acceptable level of risk within the constraints of feasibility, practicality and cost. (BRUCE , 2005). The risk management methodology comprises three main phases: risk identification, risk assessment (analyses) and risk management. (STONEBURNER ET AL., 2002). Many different approaches to risk assessment as the analytical part of the risk management process have been developed but these can be basically broken down in two main types: a quantitative and qualitative risk assessment.
4.1. Quantitative Risk Assessment
In quantitative risk analysis real numbers are assigned to all elements of the risk analysis process. These elements include monetary costs such as asset values, safeguarding costs, or business impact damage. It also employs precise probability percentages for quantifying the likelihood of threats.
A variety of formulas have been designed to calculate the monetary cost of risk and risk reduction techniques. The most commonly known and understood formulas are
the Single Loss Expectancy (SLE) and the Annual Loss Expectancy (ALE) methods.
They are mathematically expressed as:
Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF) Annual Loss Expectancy (ALE) = SLE x Annualized Rate of Occurrence (ARO) The Single Loss Expectancy (SLE) is defined as the expected monetary loss from the occurrence of a risk on an asset. In this formula the monetary assigned asset value will be multiplied by the amount of damage that would most likely be endured if a specific threat became realized. This value will then be multiplied by the annualized rate of occurrence (ARO), which is the number of times this threat would most likely be realized in a 12-month period. The quantitative risk method is rarely used due to the unreliability and inaccuracy of data. In most cases it is difficult to assign correct quantitative values to the elements. For instance is the expected loss is hard to establish.
There are also hardly accurate probability databases available and thus probability can not be precisely calculated.
4.2. Qualitative Risk Assessment
The qualitative assessment approach is by far the most widely used method for analyzing risk. It is used when reliable data on likelihood and costs are not available and the potential loss has to be estimated. PELTIER (2005) stated that the quantitative risk analysis has two key advantages over using other methodologies:
• It differentiates relative risks to facilitate decision-making.
• And improves the consistency and basis of decision.
Risk Ranking is the most common qualitative methodology to identify, prioritize and manage key risks on operations or assets. Risk is reflected in a Risk matrix and is defined in more subjective and general terms such as high, medium, and low. The Risk Matrix comprises impact / consequence and likelihood axis. The combination of an impact / consequence and likelihood range provides an estimate of risk or a risk ranking.
(GAO, 1998).
4.2.1 Risk Management Process based on Risk Ranking
There are a number of different risk management methods based on risk ranking, however the fundamentals are common and the risk management process can be broken down into the following phases, illustrated in the figure below.
Figure 4.1: Risk assessment methodology flow chart
4.2.2 Establish the Context
The risk management process begins by defining the key objectives and scope of the risk Management Process. It is important to set goals and identifying any potential barriers or impediments to the implementation of the process.
4.2.3 Identification of Threats
The primary focus of this phase is collecting and analyzing data on threats and potential vulnerabilities. All threats arising from the environment have to be included and evaluated. Different methods are used and different sources of information are accessed to identify potential sources of threat against a given asset or activity. Information that has to be collected includes the source of each risk, when, where, why and how it is likely to occur, who might be involved and what the consequences might be, etc.
4.2.4 Assessment of the Likelihood
There are many complicated and complex ways of trying to assess the probability of risk occurrences depending on specifics of assets and operations assessed and based upon various factors. Determining the probability requires a thorough knowledge of the business activities, taking into account the employees or mission exposure to accidents and incidents. Moreover location specific threat information from different sources and historical data such as frequency of past occurrences have to be considered.
The likelihood will be expressed in likelihood levels. Each level is assigned a numerical value ranging from lowest probability to highest probability. The below categories and definitions based on a four scale rating for likelihood are widely used:
L
Liikkeelliihhoooodd LLeevveell ((LL)) LiLikkeelliihhoooodd DDeeffininiittioionn VVaalluuee Low / Improbable May occur only in exceptional circumstances. The threat
source lacks motivation or capability. (0.0 < P ≤ 0.25) 1
Moderate May occur occasionally, possibility of isolated incidents.
The threat source is capable but mitigating controls are highly effective. (0.25 < P ≤ 0.50)
2
High / Probable Is likely to occur, will probably occur in most circumstances The threat source is capable. (0.50 < P ≤ 0.75) 3
LLii
kkee
llii
hhoo
oodd
Very High / Frequent Expected to occur in most circumstances, possibility of repeated incidents. The threat source is sufficiently capable, and mitigating controls are ineffective. (0.75 < P ≤ 1.0)
4
Table 4.1: Likelihood level of Risk
4.2.5 Assessment of the Impact
The impact is assessed by estimating the potential losses or damage including recovery costs that could occur if a threat materializes. The value, sensitivity, and criticality7 of the operations and assets that could be affected have to be identified.
During this phase existing and proposed facilities and missions are evaluated to determine vulnerability to specific risks. Consequences can include personnel or public
7 The impact of a loss event, calculated as the net cost of that event. Impact can range from fatal, resulting in a total recapitalization, abandonment to long-term discontinuance of the enterprise (ASIS, 2003).
safety impact, environmental impact, property damage, business interruption, loss of revenue or legal implications. (MATULUCCI &BIRINGER,2007).
The impacts are ranked according to the severity of adverse affects, or the magnitude of a loss if the risk comes to pass. Each level is assigned a numerical value ranging from lowest impact to highest impact. The following categories and definitions and are commonly used a have been described by GOA (1998).
ImImppaacctt LLeevveell ((I)I) ImImppaacctt DDeeffiinniittiioonn (( SSeevveerriittyy ooff CCoonnsseeqquueenncceess)) VVaalluuee
Low Minor or negligible impact, no injury or illness, 1
Medium Notable impact on time, cost or quality, minor injury/ies or illness
2
High Substantial impact on time, cost or quality, severe injury or illness, major system or environmental damage
3
IImm
ppaa
cctt
Severe Threatens the success the projects, fatality, disabling injury/illness, severe environmental damage
4
Table 4.2: Impact level of Risk
4.2.6 Determining the Risk Level
The final step in developing the risk matrix is to translate the tolerability criteria onto matrix. The risk characterization is based on the product of the likelihood of occurrence and the impact severity to create an overall summary and presentation of risk.
4 4 4 8 12 16 3 3 3 6 9 12 2 2 2 4 6 8
LLiikkeelliihhoooodd
1
1 1 2 3 4
11 22 33 44 IImmppaacctt
Figure 4.2: Risk Matrix reflecting four levels of risks
Using numerical values for the likelihood and impact severity of each hazard a matrix (Figure 4.2) can be produced making it more transparent. The different regions of the Matrix are color coded to indicate Minor, Acceptable, Significant and Extreme Risk.
The following definitions have been widely used to describe the risk to operations and assets. The following definitions have been widely used to describe the risk to operations and assets.
Minor Risk: These risks are considered acceptable. No further mitigating actions are required.
Acceptable Risk: No additional controls are required unless they can be implemented at very low cost. Actions to further reduce these risks are assigned low priority.
Significant Risk: Risks have to be lowered to an acceptable level. Risk reduction measures have to be developed and implemented.
Extreme Risk: Risks are unacceptable. Substantial improvements in risk control measures are necessary so that the risk is reduced to a tolerable or acceptable level.
4.2.7 Management of Risk
For each scenario that requires risk reduction, cost-effective options to mitigate or reduce the risk are being developed. According to DORFMAN (2006) there are four basic methods of mitigating risks:
Risk Acceptance by accepting the risk based on a decision that the risk is at a tolerable level and continually monitoring to ensure that any escalation is captured and appropriate strategies are then implemented.
Risk Avoidance by eliminating the cause of uncertainty that first introduced the risk.
Risk Reduction by implementing risk mitigating measures to reduce a risk to an acceptable level by either reducing probability or impact.
Risk Transfer by transferring liability on a third party should the risk occur.
4.2.8 Review and Monitor
The whole risk management process is usually repeated taking into consideration any implemented controls which may detect or prevent potential or undesirable risks and
to reassess the residual risk8. Effective risk management also requires assessing risk continuously and conducting the risk management process periodically to monitor the effectiveness of the risk mitigating measures. The frequency of this review process depends on the specifics or the dynamic of the business activity.
4.3. United Nations approach to Security Risk Assessment and Management After the attack on the UN headquarters in Baghdad in 2003, the UN Secretary- General commissioned an initial investigation into the incident carried out by UN security experts. The investigation was followed by an independent panel on the safety and security of United Nations personnel in Iraq, led by Martti Ahtisaari9. Both investigations arrived at a consistent set of findings and recommendations with respect to UN security arrangements and trigged a major reform of the UN Security Management System. The panel report concluded that the UN Security Management Systems were dysfunctional and provided little guarantee for personnel safety identified a number of constraints and advised on actions to strengthen the UN Security System. Among the measures recommended was the development of an enhanced procedure for security risk assessment and management to mitigate the effects of possible events. Since 2003 the United Nations have made significant progress in strengthening the security of UN personnel in all duty stations.
The UN Inter-Agency Security Management Network (IASMN) decided in 2004 on the adoption of a Security Risk Management (SRM) model developed by UNDSS.
The intention was to enable security officials to identify security risks at a specific duty station and to develop mitigating strategies in accordance with the program needs of the organization to reduce risk to an acceptable level. The focus of UN interest in security risk assessment has been largely on humanitarian loss. The model describes an analytical procedure to security risk assessment and management bearing in mind the specifics of UN field operations. The Security Risk Assessment process comprises eight steps, illustrated in Figure 4.3. During the first three assessment steps relevant information is
8 The level of risk faced by an organization after internal controls have been applied is known as the net or residual risk. It is also known as the organization’s "exposure to risk".
9 Martti Ahtisaari is a former President of Finland and UN diplomat and mediator.
being collected, which is required to analyze and determine the risk. The Program Assessment is an evaluation of the relevance, urgency, needs and implementation methodology of the UN activities in a given environment. The Threat Assessment provides both a general and specific view of the operating environment, together with the identification of those threats that may impact on the UN and its operations.
Figure 4.3: The Security Risk Management Model (Source: Russler, 2004)
The Vulnerability Assessment identifies the strengths and weaknesses of the security arrangements in the environment in which the UN conducts its activities. During the Risk Analyses phase the possible impact on the organization is being determined based on factors and assumptions from previously conducted assessments and combined with the likelihood that particular adverse events will occur. For both analyses the impact and the likelihood of occurrences analyses a five scale rating is suggested and definitions of the descriptors are provided. The final four stages ‘Select Options, Make Decisions, Implement and Review and Monitor` deal with risk management and risk treatment. The steps describe the selection of available options, decision making, implementation of selected options and the review and monitoring of changes to the threats and vulnerabilities.
In addition the IASMN agreed on a general risk rating implemented by the UN Security Management System which should proved guidance to mission leaders involved
in security decision making. It uses one-word descriptors to describe levels of risk.
Definitions of these descriptors are provided in the table below.
Table 4.3: Definitions of ‘Level of Risk’ descriptors (Source: Russler, 2004)
The approach suggested by the UN is very detailed and similar to the general Risk Assessment method described under Section 4.2.1 (Risk Management Process based on Risk Ranking). The methodology is robust and effective and has been used for Security Risk Assessments at head quarters and country level. However the UN Security Management System still lacks a comprehensive implementation of the SRM model at field level. BRUDERLEIN & GASSMANN (2006) state that although the UN and other international agencies have undertaken major efforts to improve the safety and security awareness of their personnel they remain poorly prepared to adequately assess and manage risks in highly insecure environments. There is an apparent incongruity between the operational experience accumulated within each agency and the lack of standardized approaches to security management. Similar concerns were expressed in a press statement in 2007 by the Group of 7710 and China stating that there is still a need for setting clear criteria for determining security needs and clear standards for threat and risk assessment on a world wide basis, which can justify the additional requirements of the Department to ensure that it is able to respond to any emergency.
10 The Group of 77 was established 1964 by seventy-seven developing countries. It is the largest intergovernmental organization of developing states in the United Nations, to articulate and promote their collective economic interests within the United Nations system.
4.4. Security Risk Assessment and Management in Darfur
At Darfur State levels UN Security Policies and practices are reviewed every four to six months by the Security Management Team implementing largely the SRM model guidelines. It is a general security risk assessment identifying wide ranging threats, vulnerabilities based on UN activities and reflecting a broad security trend for each Darfur state. Due to the large size of the Darfurs and the complex political and socio- economical situation the security environment changes frequently and rapidly. Security incidents or emerging threats generally don’t impact on the whole Darfur region and the level of risk and threats vary from one place to the other. Thus, the humanitarian operation in Darfur requires Security Risk Assessments of smaller areas but more frequently. Primary responsibility for Security Risk Assessments rests with UNDSS and UN Agency Security Professionals. A survey conducted by the author showed that UNDSS Professionals in Darfur don’t apply the methodology suggested by IASMN and use a rather simple approach to Security Risk Assessments. While information on prevailing security threats is gathered on the ground by UNDSS teams, a systematically approach to Security Risk Analyses is missing. The final risk assessment report is similar to an essay including mainly observations made during the assessment process. The report lacks a comprehensive risk analyses and detailed actions recommended to manage and treat the risk. Faced with enormous difficulties in reaching the huge number of beneficiaries and the lack of UNDSS personnel in Darfur resulting in insufficient security risk assessment capacities on the ground, the WFP established a Security Assessment and Support Team (SAST), comprising security professionals in 2005. A Security Risk Assessment Methodology similar to the SRM model was developed and implemented throughout the Darfur region. Relevant security related information is gathered and security risks at a specific location are identified and communicated, along with appropriate solutions. WFP Security has developed tools to facilitate conducting their Security Risk Assessments, such as questionnaires and standard report formats. These tools help ensure a consistent and standardized approach throughout the WFP/UN Security Management system. The final Security Risk Assessment report is presented to the SMT and used as decision support tool.
5. Security Information Management efforts with GIS
5.1. United Nations Security Information Management System
Security incidents suffered by humanitarian organizations are often due to faulty appraisals of local security conditions. Most agencies admit that they have insufficient knowledge of the contexts in which they operate and that they lack local networks and information sources. The UN Security Management System stipulates that a UNDSS Professional is the principal advisor to the SMT and as such is accountable for the security information management at the respective duty station. Responsibilities include liaising with security officials of the host government, collecting security related information, logging incidents, conducting analyses and producing summary reports on the main security incidents occurring in the duty station on a monthly basis for UNDSS New York and the SMT. In addition the UNDSS Officer has to produce a report reviewing the major security trends in the country containing also indications of likely security trends at the end of each year. The UN Security Policy Guidelines require that Security Risk Assessments be performed prior to any significant change in a facility or operation, after a serious security incident, or whenever a new significant risk factor is identified. Such Security Risk Assessments constitute an essential element of the work of UNDSS Professionals. The Security Management Team (SMT) determines when conditions are appropriate, approves and appoints a security risk assessment mission consisting at a minimum two professional security officers led by a UNDSS Officer.
Security Risk Assessments include collecting, interpreting and analyzing security information from various sources. The assessment mission has to identify and advise the SMT on areas off limits or where there are security restrictions in place. Based on the assessment conclusions and recommendations the SMT decides on the Security category of the specific area (UN SECURITY OPERATIONAL MANUAL, 1996). The current UN Security Management System lacks funding resulting in not having sufficient UNDSS Professionals in the field to cover effectively all volatile areas where UN operates. The existing challenges for the UN such as inter-agency competition for and overlapping mandates requires it to get engaged in breaking emergencies before the risks have been assessed properly. Few UN agencies and most NGOs don’t have the resources to employ
security professionals or develop a sufficient depth of security expertise among their staff. Field staff is supposed to take snap decisions daily, for example whether to send a truck convoy or send a humanitarian evaluation mission into an unknown or barely assessed area.
It appears that there is a requirement for an enhanced security information management system that would facilitate easy access and would allow security analyses and risk assessments to be conducted efficiently and effectively. Much of the data required for daily operations, security risk assessments or security emergencies is already available but stored on isolated drives and thus is useless unless it can be accessed.
Having security related information up to date and available immediately is crucial when conducting security risk assessments or dealing with emergencies and would allow a quick and efficient response to emergency calls in stressful situations / circumstances.
The current practice in the field is that UNDSS and UN Agency Security Professionals are maintaining incident logs. The format varies from Microsoft Excel spread sheets, Microsoft Access databases to Lotus Notes based solutions. Incidents are stored without being geo-referenced. Security Analyses and Security Risk Assessments are conducted by UN Security Professionals and reports are prepared and shared among UN, UN Agencies and NGOs. Information is stored in a report format (Microsoft Word), without being integrated into a proper database management system and without being linked to a digital map. Often relevant information might be available but stored on different share drives, by different units and agencies, and thus can not be found swiftly or can not be accessed by all relevant key players. Having the capability to integrate information from various sources and areas where humanitarian organizations operate geo-referenced on top of digital maps would be of great importance and would enhance operational capabilities and readiness.
5.2. Potential of a GIS based Security Information Management System
Considering the current constraints within the UN Security Information Management system a logical step forward would be to establish a GIS based Security Information Management System. It would provide easy and immediate access to
relevant data and would strengthen as well as improve operational and strategic decision making related to security. For security emergency managers, a GIS can facilitate critical decision-making by providing required information, quickly and in easy-to-understand formats linked to maps. Recent trends show that UN and humanitarian organizations expand their use of information management technologies in particular of GIS. The Cartographic Section of the Department of Peace Keeping Operations (DPKO) has established GIS units in major United Nations Peacekeeping Missions and GIS has become an increasingly integral part of the organizations’ functioning. The GIS units have established country level GIS working groups among UN agencies, NGOs and host countries to improve the sharing of geospatial data and to enhance operational capabilities (UNNEWS, 2007). A GIS provides an excellent environment where security related information with a spatial context can be collected, stored, analyzed, and presented. It contains a set of tools available to the Security Professionals, enhancing their understanding of complex situations, performing relevant spatial queries and analysis and providing visualization of the results of Security Risk Assessments. A GIS based Security Risk Assessment / Management would consist of repeated querying and cartographic display of results, or it can involve a more formal process called multiple criteria evaluation. In a GIS, numerous relevant data layers can be spatially overlaid and compared. For instance, layers of the political, social, ethnic, land use, crime factors that may impact on the security situation of a certain area can be spatially overlaid and security maps, showing areas ranging from least secure to most secure, indicating recent incidents, emerging conflicts, hot spots, etc. can be generated.
5.3. Commercial and Government Security Management efforts with GIS
Commercial Security Management Systems have experienced some fundamental changes during recent years and emphasize the new approach to information management and the potential of modern information technologies. The availability of powerful, low cost, and quite easy-to-use GIS software and hardware led to the creation of more extensive spatially referenced datasets, resulting in utilizing GIS as an essential tool for vehicle tracking, traffic safety, community policing, threat monitoring and as an easy to use mapping solution. Although GIS software has become more versatile and user
friendly the effective application of GIS varies based on user’s capabilities, availability of current and accurate data and the uniformity of mapping. It is also recognized that working in GIS has become a profession in itself and only GIS-experts that work full time in those products can utilize the full capability and keep up with the complexities of GIS software.
The United States Homeland Security Management Effort with GIS is an excellent example of a GIS application attempted to be utilized for Security Management.
On November 25th, 2002, President George W. Bush signed into law legislation that created a new Homeland Security Department. ‘The mission of the Office shall be to develop and coordinate the implementation of a comprehensive national strategy to secure the United States from terrorist threats or attacks." (Executive Order 13228, October 2001).The intention is to mitigate threats, vulnerabilities, and consequences resulting from acts of terrorism and natural disasters. This effort has involved major new information technologies programs and GIS has contributed significantly to integrating information, organizations, and people. GIS is crucial to Homeland Security as it maintains an extensive collection of relevant data sets and allows integration of all essential information. Respective government authorities such as law enforcement agencies, armed forces, fire brigades, health services, etc provide necessary information.
This type of data sharing, analysis, and graphic representation speeds understanding of an event and improves the decision making process at all levels of response. GIS provides the tools for secure access to these data sets in the event of a local, regional, or national emergency. Homeland Security has three main objectives: protecting life, property, and critical infrastructure. The Homeland security GIS application as the core information system consists of six elements: Risk Assessment, short and long-range Planning, Mitigation, Preparedness, Response, and Recovery (Figure 5.1). In the Planning and Assessment Phase GIS is used to manage a large volume of data needed to identify and locate areas of potential hazards and assess impacts of attacks, emergencies, or disasters.
During the Mitigation Phase measures are determined that reduce the consequences of emergencies on human life, property, infrastructure and the environment. The Preparedness Phase includes activities such as contingency planning, model building, and training to prepare for actual emergencies.
Figure 5.1: Homeland security management effort with GIS (Source: ESRI, 2007)
The Response Phase deals with activities necessary immediately after the catastrophic event such as search and rescue operations, management of life threatening situations or preventing crime and looting within areas that have been devastated. Those measures are planned and realized by various organizations such as fire and rescue services, emergency medical services, police, or local authorities. The application provides emergency responders with critical information upon dispatch or while en route to the incident scene and assists in tactical planning and response. In the Recover Phase GIS is used to organize the information and services with respect to damage and evaluation of sites for reconstruction (ESRI, 2007)
The primary mission of managing Homeland Security with GIS remains the timely dissemination of relevant information to managers during disaster operations and emergencies as well as the enhancement of information services. During emergency situations managers need the right information at the right time to deploy resources, implement evacuation plans, establish medical aid, and manage events as they unfold.
The GIS application can provide that information by producing maps about damage assessments, hazard and risk layers, tables and analyses during disasters and emergencies and can support planning exercises (ESRI, 2007).
Utilizing GIS for crime mapping and analyses is another example for security information management systems based on GIS. Having access to accurate, reliable, comprehensive and pertinent information is crucial for successful crime fighting. Often a variety of data from multiple agencies and sources has to be accessed and processed quickly to determine an effective response (JOHNSON,2005). Dozens of GIS based crime analyses and mapping applications such as Crime Stat (by Ned Levine & Associates), Comstat (by CLEMIS), Crime Analysis Unit Developer Kit (by NLECTC), CASE (Crime Analysis Spatial Extension for ArcGIS 8/9 by NLECTC), Griffin (by Raptor) or GST CrimeMap (by GeoSpatial Technology Inc.) have been developed and implemented by law enforcement agencies worldwide in recent years. Applications include standalone open source software and extensions for professional GIS software. While some years ago paper maps had been used for crime mapping, modern and easy to use GIS software with its improved functionality allows generating and displaying digital maps immediately (Figure 5.2). GIS technology improved the efficiency and speed of analyses by storing, accessing and combining a vast amount of complex location based data. GIS applications provide a growing selection of tools to explore complex apparently unrelated data from multiple sources.
Figure 5.2: Hot spot analyses with crime mapping software (Source: Providence Police Department Olneyville & Hartford, 2007)
