An analysis of the relationship between security risk management and business continuity management : a case study of the United Nations Funds and Programmes

Abstract

The goal of this research was to investigate the relationship between security risk management and business continuity management and to determine how these two methodologies are applied within United Nations Funds and Programmes. These United Nations (UN) agencies have been established to deliver humanitarian aid, economic and social development and reconstruction activities. The locations where these services are required are typically where security risks are also most prevalent. The staff of the UN, the International Red Cross and other humanitarian and development organisations have traditionally been treated as neutral parties and have not been targeted by belligerent groups. This study revealed that there has been an annual increase in security incidents against aid workers and employees of UN organisations. The changing security landscape worldwide and the increasing demand for aid and development services in especially fragile and post-conflict environments, require organisations working in these areas to maintain a high level of resilience. Their resilience can be strengthened by applying robust security risk and business continuity management methodologies. The study included an examination of the global risk environment as it pertains to UN agencies, as well as key risk management concepts such as risk management, operational risk management, security risk management, business continuity management and organisational resilience. For the purposes of this study, security risk management is defined as the systematic approach to assessing and acting on security risks, while ensuring the safety and security of the organisation's personnel and facilities and ensuring that organisational objectives are achieved. Business continuity is a management process that identifies potential threats to an organisation, it assesses the impact to business operations − should the threats materialise − and it furthermore assists in the development of strategies to continue operations in the event of a disruption. In addition to looking at these concepts individually, the relationship between security risk management and business continuity management was also reviewed. The specific objectives set out to achieve the goal of the study were the following:  Explore the perceptions of UN agencies about the link between security risk management and business continuity management.  Analyse the extent of integration between security risk management and business continuity management processes and oversight.  Make recommendations as to how security risk management and business continuity management can operate in an integrated manner with the goal of increasing the overall resilience of UN agencies. To answer the research questions a qualitative research approach was adopted. This enabled the researcher to collect data through interviewing participants and analysing their feedback. The research focused on UN Funds and Programmes as a sub-set of agencies within the UN family of organisations. Each one of these agencies has a specific mandate, such as providing assistance to refugees, promoting food security, poverty reduction, improving reproductive health and family planning services. They also operate in fragile states as well as in emergency and humanitarian crises situations where the security risks are often higher than in normal developing countries. Eight out of 12 UN Funds and Programmes agreed to participate in the study, including: United Nations Children's Fund; United Nations Relief and Works Agency for Palestine Refugees in the Near East; Office of the United Nations High Commissioner for Refugees; World Food Programme; United Nations Development Programme; United Nations Office on Drugs and Crime; United Nations Human Settlements Programme; and UN Women. Data were collected through conducting semi-structured telephone interviews with the security manager and/or business continuity manager serving in the headquarters of each participating organisation. Findings from the study indicated that security risk management within the UN system has evolved and that security has matured from a purely protective and defensive posture to following a risk management approach. The strength of the UN Security Management System lies in its Security Risk Management Model, which enables a thorough assessment of security risks and the implementation of commensurate mitigating security measures. In contrast to security risk management, the study revealed that business continuity as a management process is a fairly new initiative and has not yet been comprehensively adopted by all UN agencies. When combined, security risk management and business continuity management ensure the safety of staff, maximise the defence of the agencies’ reputation, minimise the impact of events on the agencies as well as their beneficiaries, protect the organisation’s assets, and very importantly, demonstrate effective governance. This can only be done through establishing an organisational risk management model by positioning security risk management and business continuity management within the UN agency’s organisational structure so that they can effectively work together and at the same time allow access to senior management. Good practices and apparent gaps were identified in how these two methodologies are implemented and five specific recommendations were made. The research confirmed the need for both security risk management and business continuity management and the role each function plays to enhance an organisation’s resilience. It also highlighted that while they are two separate management functions, both need to be implemented within a larger risk management framework and need to be closely aligned in order to be effective. The five recommendations are:  Incorporate security risk management and business continuity management functions and responsibilities into the larger agency-wide risk management governance framework.  Expand the scope of business continuity in those UN agencies where it currently sits in the domain of information technology or has not yet been comprehensively implemented across the organisation.  Establish a comprehensive crisis management framework spanning across the whole organisation from their headquarters to country offices.  Develop the capacity to gather risk data across their agency and aggregate the data to view the full spectrum of risks, including security risks and business continuity risks in a holistic manner.  Integrate security risk management and business continuity management processes to enhance their effectiveness. This study contributes to the existing body of knowledge in the field of risk management by gathering relevant information from participating UN Funds and Programmes, comparing the information with other academic sources and drawing conclusions to answer the research questions. While it is expected that each organisation will have its own view on how to implement security risk management and business continuity management, the findings and recommendations as a result of the study present a series of practical recommendations on how the two functions can operate in an integrated manner in order to increase the overall resilience of these UN agencies. Other non-UN organisations working in similar high risk environments could also benefit from the outcomes of the study, as it would allow them to compare their own approaches to security risk management and business continuity management with the information presented in this study.