Risk Management in Humanitarian International Organisations

Written by Sukru Kagan Surucu

 January 3, 2025

EJIL

The Office of the United Nations High Commissioner for Refugees (UNHCR) held its 75th Executive Committee session from 14 October to 18 October 2024. Among many items on the agenda, the increasing commitment to risk management strategies adopted by the organisation was highlighted both in the opening statements by the High Commissioner and remarks by the Deputy High Commissioner for Protection. These references reiterated the ongoing commitment of the UNHCR to transforming its structure and conduct to have a stronger focus on region-specific, field-dominated concerns and managing risks on the ground more effectively. Reference to risk management by international organisations is not rare in the form of adoption of “enterprise risk management” strategies. Enterprise risk management (ERM) is a holistic risk management agenda that systematically analyses risks that could arise in the operations of international organisations, identifies potential damage and harms that might be faced by the organisation as a result, and creates a particular “risk appetite” which creates a space of operation whereby it is strategically advantageous or tolerable for the organisation to operate. While ERM is a holistic concept, encompassing multiple forms of risk, the international organisations’ literature mainly emphasises financial, operational, or political risks and demonstrates how the introduction of risk management strategies could potentially reshape organisational decision-making, where international organisations are moving away from operating with the clear boundaries set by the legal mandate of the organisation, to adopt more flexible, and potentially expansive operational spaces that are dynamically set by the potential risk appetite, and risk calculation for a particular domain. Hence, the proliferation of risk management strategies could potentially replace the delimitation of the international organisation’s functions by its legal mandate with risk calculations and make the organisation more prone to taking risks potentially engaging in conduct that is conventionally beyond its mandate.

However, the recent statements by the UNHCR demonstrate another facet of ERM beyond organisations being more proactive to engage in financial and operational risks. This aspect, which more strongly exists for humanitarian international organisations, could be identified as “security risk management” (SRM). SRM refers to the management of physical and security risks faced by especially humanitarian international organisations and the determination of the tolerable governance space for these organisations to operate in in the face of these risks and resulting harms. This blog will attempt to focus on this relatively under-researched aspect of ERM and to demonstrate how the dominance of security risk management in decision-making leads to the opposite result, whereby the organisation is more risk avoidant and restrictive, and the mandate is “contracted” in practice, as organisations would inherently operate within a more limited space of governance than that is set by their legal mandate, given the contrastingly limiting nature of SRM within ERM.

International Organisations and Risk Management

ERM has emerged as a significant mechanism in the determination of organisational conduct and decision-making in many international organisations such as WTO and ICANN,  or more comprehensively, with the increasing inclusion of ERM across the UN network since 2006. This raises significant questions for international institutional law scholarship. Most significantly, the centralised position of ERM frameworks in decision-making could potentially denote a move of international institutional law beyond the mainstream functionalism and constitutionalism oriented way of determining the legal order and functions of international organisation, instead underlying how risk management frameworks and relying upon these frameworks by internal actors could constitute an alternative form of lawmaking and lawyering.

This impact was most clearly demonstrated by Van Den Meerssche in the context of the World Bank and the emergence of the risk framework, under the reforms initiated by General Counsel Leroy. There, the ERM framework and the overall adoption of the risk language were used as a means to make the organisation more agile, flexible, and less reliant on rigid legal mandates, creating, justifying and sustaining the legal order and governance space of the World Bank through this more operationally driven risk framework and not on the basis of the legal mandate of the organisation. Van Den Meerssche demonstrates how this paved the way for the World Bank to act in a more expansionist way, making its legal mandate and its limits secondary, as projects were assessed, authorised, legitimised and implemented through the risk framework and the organisation was prone to take more risks, and hence expand its area of operation. It could be suggested that a similar narrative might exist for other international organisations; risk frameworks, dominated by financial and operational risk appetites, could encourage international organisations to take more risks and act more expansively. This could then weaken the primacy of legal mandates, organisational conduct, and legal order as sustained and demarcated by the mandate.

However, beyond the financial and operational risk framework, the security risk management aspect of ERM, which is particularly relevant for humanitarian international organisations, could produce the opposite effect of inherently constraining and limiting the functions and governance space of the organisation. In the remainder of this blog entry, I aim to compare the emergence and primacy of security risk management and other aspects of ERM, and how it could potentially lead to “mandate contraction” as opposed to “mandate expansion.”

Security Risk Management and Discourse of Risk in Humanitarian International Organisations

Humanitarian international organisations often refer to themselves as facing extensive risks as they operate in challenging environments with precarious domestic and regional political situations. Personnel from organisations such as the UNHCR, IOM and ICRC have often referred to working in field operations where they have to balance risks; for example, risk of harm to the staff members of the organisations during operations, risks due to operating in conflict-like situations, risk of political backlash from host countries in the context of operations, and risks faced in the frontlines working with specifically vulnerable communities. This paved the way for the ERM frameworks in such humanitarian organisations to focus more strongly on “security risk management”. This is apparent, for example, in the ERM framework of the UNHCR, where security risk management plays a great role in the categories of risk the organisation will manage. It was also practically visible in the 2020 risk review of the UNHCR, where security-related risks made up the majority of risk categories reported by the organisation. An overview of activities of humanitarian international organisations by Humanitarian Outcomes and the Global Interagency Security Forum (GISF) demonstrates that SRM frameworks in humanitarian organisations are highly prolific, systematised and dominant in the decision-making process. Organisations employ senior risk management directors and personnel and release various guidelines, policies, and handbooks for staff to follow and reshape their conduct. Especially in the UN agencies, such policies have become highly entrenched, with the systematisation of security risk management for humanitarian international organisations under the UN framework in 2003.

It could, therefore, be argued that, as the increased salience of financial and operational risk has been seen to prompt the World Bank to take action beyond its legal mandate, the developing centrality of SRM (and the proliferation of SRM-related tools and actors as detailed above) may also weaken the primacy of humanitarian organisations’ legal mandates in determining their functions and legal order. This could be seen in practice, such as in the UNHCR. One of the main categories of risk that is determined by the UNHCR in its ERM framework is “government relations”. Managing this risk has become a central point in the organisational decision-making, which could be observed in UNHCR’s operation in Egypt, where staff members were only able to process asylum seekers with guarantees to prevent deportation and detention if they had identity cards due to the necessity to balance risks of damaging their relations with the Egyptian government. Similarly, in Mauritania, the UNHCR office excluded certain asylum seekers from the national protection procedure to protect the relationship of the regional bureau with Mauritanian authorities, guided by the necessity of balancing the risk regarding government relations.

Both examples demonstrate that the UNHCR actors were guided by the framework of risk management while exercising their functions, and acting restrictively, even though UNHCR’s mandate offers a broader scope of activities. While the problem of humanitarian organisations limiting their conduct to balance difficult situations on the ground is not new, the systematisation of these approaches under SRM  demonstrates that it could entrench its own organisational culture, similar to the risk management framework in the World Bank. However, these prior examples suggest that this emerging culture would instead revolve around risk aversion, ultimately construing, understanding and implementing the mandate and functions of the organisation more restrictively. While this post does not adopt a particular normative stance towards this, it aims to highlight the necessity for a detailed socio-legal research into humanitarian international organisations with a focus on security risk management frameworks. This could deepen our understanding of potential new modes of constituting the legal order and lawmaking structures of humanitarian international organisations beyond insights provided by mainstream constitutionalist and functionalist approaches.