Internal controls and risk management

Developing a counterterrorism policy

Who is responsible for developing a counterterrorism policy?

• A member of senior management should be the focal point for managing this undertaking
• Departments at headquarters and the field level should be tasked with providing inputs to the draft policy and reviewing it
• Inputs from a legal adviser should be sought

What is included in a counterterrorism policy?

• The principles and mandate to which the organisation is committed
• An overview of the laws that bind the organisation, which may include IHL, domestic laws in the countries where it is registered and operates, and sanctions
• The principles and commitments of staff members, such as ethical behaviour and anti-diversion
• An overview of the measures the organisation has in place to provide principled humanitarian assistance, such as robust project cycle managemet (PCM), codes of conduct with oversight mechanisms, anti-corruption procedures, financial and procurement controls and procedures for the selection of partners and staff
• A statement of red lines that if crossed would constitute a breach of the policy
  

How are counterterrorism policies developed and implemented?

• The policy should be developed in a consultative, collaborative process to ensure it addresses the main issues that staff confront and guarantees buy in and acceptance among staff members
• A robust roll-out plan should be established, which includes awareness raising and staff training on how to adhere to the policy
• Staff should be provided with written guidance on the policy in an accompanying explanatory note that gives further detail of due diligence procedures, relevant handbooks and SOPs
• Focal points to whom staff can turn with questions or to seek advice when dilemmas arise should be identified
• Control and oversight mechanisms, such as a reporting mechanism for violation of the policy, should be developed

How often are counterterrorism policies revised?

• Authoritative statements of principles and ethics, signed and endorsed by senior management, should generally not be revised
• Other policy elements may need to be revised as counterterrorism measures evolve and their impact on principled humanitarian action changes
  

Developing an NSAG engagement policy that considers counterterrorism issues

Rationale and internal considerations

• What is the purpose of the organisation’s engagement with NSAGs? For example, an organisation that delivers humanitarian assistance may be concerned about indirect terrorist financing or violation of sanctions regimes, while an organisation working to promote IHL may be more concerned about the impact of material support laws on their work.
• How does the organisation safeguard the humanitarian principles in its engagement with NSAGs? How might the principles be challenged during engagement with NSAGs? For example, is there a risk to the organisation’s independence through potential interference in beneficiary selection?
• What are the red lines in the engagement? Under what conditions would the organisation consider discontinuing engagement?
• What are the possible reputational risks for the organisation engaging with NSAGs? How can these risks be mitigated and managed?
• Do internal policies and procedures account for risks to staff emanating from national and international legislation? What are the potential consequences if the organisation engages with an NSAG that is designated as terrorist by the host government, on both its operations and its staff? What are the consequences if the organisation does not engage?
• Does the organisation track which staff members are negotiating with NSAGs? How does the organisation document negotiations processes? How is relevant data and information stored and protected?

Counterterrorism clauses in grant agreements

• Do the organisation’s grant agreements include clauses that prohibit using funds for NSAG engagement for general or specific purposes? Do relevant donors require due diligence steps during such engagement? If necessary, clarification or guidance should be sought internally. Refer to this document for more guidance on reviewing counterterrorism clauses in grant agreements.

Sanctions

• Is the NSAG designated as terrorist by the UN Security Council (UNSC), the EU or by individual states, such as the United States or by the host government? Are high profile members or leaders of the NSAG designated under any of these regimes? It is also worth considering whether the group or its members are sanctioned by regimes that are not necessarily counterterrorism-related, as regardless of their objectives, sanctions can impact the broader legal and policy environment for a humanitarian organisation’s engagement.
• If the answer to either of the above questions is yes:
  > What is the scope of the sanctions and how may they impact the organisation’s operations? Sanction regimes generally do not prohibit contact with DTGs, but asset freezes may require that organisations ensure that funds or dual-use goods are not made available to these groups.
  > Are there any exemptions in the sanction regime or is there a possibility to apply for a license? Exemptions normally require approval by the authority in charge of implementing the sanctions.
  > What are the consequences for violating sanctions regimes for the organisation and for staff members?
  > If staff members have questions about relevant sanctions regimes, who should they approach internally for support and guidance?

Criminalisation of humanitarian action

• Has the organisation identified and mapped how the organisation and staff could be impacted by relevant criminal laws related to counterterrorism? Local staff members may be particularly exposed to risks related to host-country counterterrorism legislation. The following elements should be considered in such a mapping:
  > The national legislation of the host state, the state of registration of the organisation, the states of nationality of staff, donor states and third states with broad extraterritorial offences.
  > The jurisdictional links required. For example, is there a requirement for a link of nationality of staff, or of registration of the organisation?
  > The typical offences that could lead to the potential criminal responsibility of staff, include the following: prohibition of indirect financing of terrorism, material support laws, designated area offences that prohibit presence in areas of designated terrorist activity and the prohibition of broad forms of association with DTGs.

Conducting due diligence with prospective partners

What is the purpose of conducting partner due diligence?

• Explore opportunities for working together and identify areas for cooperation in the delivery humanitarian programs
• Ensure a possible partner organisation has effective systems and operational procedures in place
• Understand the acceptability and reputation of partner with communities and local authorities
• Assess whether a potential partner poses a financial, reputational or programmatic risk to an organisation’s operations and/or a protection risk for beneficiaries
• Confirm that the partner is not listed in any excluded party list due to linkages with criminal or political activity, terrorism or diversion of funds
• Confirm that the partner has the internal capacity to comply with all clauses influencing and included in any possible agreement, including those related to counterterrorism

What areas could a partner due diligence assessment cover?

• Areas covered in a due diligence assessment will vary based on the specific situation, needs and context. Some of the domains to consider reviewing in a partnership due diligence assessment include:
  > Basic background and history
  > Mission and values
  > Governance
  > External engagement, influence, and reputation
  > Organisational capacity
  > Operational capacity
  > Financial capacity
  > Logistical capacity

What can an organisation examine to determine if a prospective partner’s values are in line with its own?

• Human resources policies and codes of conduct
• Preventing Sexual Exploitation and Abuse (PSEA) , criminal, and unethical activity policies
• Corruption and conflict of interest policies
• Counterterrorism policies and procedures
• Stated commitments to the humanitarian principles and a do-no-harm approach

How can an organisation implement due diligence policies and practices?

• Organisations can conduct due diligence assessments with the prospective partner by collecting information directly
• Organisations can collect information from other sources (e.g. other organisations that work with the prospective partner)
• Organisations can request a prospective partner complete a self-assessment; this should be used in tandem with the organisation’s own due diligence assessment
  

Reviewing and developing human resources policies

What should be considered when reviewing or developing human resources policies?

• Recruitment: Does the human resources policy and the recruitment procedures it governs ensure the most suitable and best-qualified candidates are selected, having undergone reference and employment verification and other checks?
• Staff development: Does the human resources policy stipulate a plan to develop staff members’ skills and improve the knowledge they require to do their job and progress in the organisation?
• Discipline: Does the policy establish clear procedures and rules for censuring staff members who violate the organisation’s rules and regulations?
• Appraisals: Does the policy detail how and how often such assessments take place?
• Duty of care: what steps does the organisation take to ensure the health, safety and wellbeing of staff.

Who is responsible for human resources policies?

• Senior management, in consultation with the human resources department, is responsible for developing, reviewing and ensuring implementation of human resources policies
• The legal department should also be consulted during their development

What should an organisation consider when implementing human resources policies?

• How to recruit, dismiss, remunerate, train and appraise staff
• How to develop a staff member’s skills for their role
• How to discipline staff members for violations of the organisation’s policies

How can an organisation implement human resources policies?

• Human resources policies should be clearly communicated to all staff
• Relevant training should be available to staff
• A confidential complaints or feedback mechanism should be put in place

How often are human resources policies revised?

• There is no set schedule for doing so, but many organisations revise their human resources policies periodically or during a change in the organisation’s circumstances
  

Reviewing and developing anti-diversion policies and practices

What should a review include?

• There are no standardised anti-diversion policies, but they tend to address:
  > Fraud: Deception, for example by falsifying records to exaggerate the number of staff employed or beneficiaries covered by a project, to result in financial or personal gain
  > Embezzlement: The misappropriation of goods or funds for financial or personal gain
  > Corruption: Dishonest or fraudulent conduct by those in power, typically involving bribery; the aim of anti-corruption policies, including those on whistleblowers, is to ensure staff act ethically
  > Money laundering: The concealment of the origin of money obtained from criminal, terrorist or other illegal activities
  > Access: The methods by which an organisation engages with armed groups and negotiates humanitarian access

Who is responsible for developing and reviewing anti-diversion policies and practices?

• Overall responsibility lies with senior management, which should assign responsibility to the relevant departments for implementing practices related to staff training, producing written guidance and carrying out control mechanisms such as audits
• Field staff have a key role to play in the development of anti-diversion policies and practices, and should be consulted to ensure they are relevant and realistic
• The legal department should also be consulted

What content should an anti-diversion policy include?

• A statement of principles and definition of terms
• Procedures for preventing diversion: standardising and maintaining bank records; standardising accounting practices, such as account codes and donor codes; classifying costs, for example as direct or indirect; ensuring internal controls, including the segregation of duties between staff responsible for procurement, finance, disbursing cash, payroll and liquidations; and financial reporting requirements

How are anti-diversion policies and practices implemented?

• All staff should receive training on the organisation’s anti-diversion policies
• All staff should receive written guidance on implementation
• Control and oversight mechanisms, such as audits, spot checks and regular reports, should be put into place

How often are anti-diversion policies and practices revised?

• There is no set schedule for doing so, but many organisations revise their anti-diversion policies every few years or if they are found to no longer be fit for purpose
  

Developing and implementing M&E systems

Do all projects have the following elements of an M&E system?

• Results framework: This is a cause-and-effect explanation of a project that predicts how activities and inputs will contribute to the objectives of the intervention. It should include indicators the project will measure to test key assumptions.
• Indicator matrix and monitoring tools:  The former defines each indicator and stipulates how and when it will be measured.  The latter are the questionnaires or other tools used to collect monitoring data.
• Monitoring: The use of the tools and methods described in the indicator matrix to collect and analyse data and determine performance.
• M&E information management: A system to ensure M&E data is maintained and accessible. Such a system may include a results database where indicator performance is tracked; a filing system for reports, distribution lists, photographs and other documents; and a case management database to track beneficiary engagement.  An information management system can support an organisation’s assertion that it knows who received assistance.
• Evaluation plan: Evaluations look at a programme’s longer-term outcomes and impact. All programmes should have an evaluation plan, including a timeframe for evaluations, and their scope, purpose and funding sources.
• Staff: M&E requires enumerators to conduct interviews and collect data among the targeted communities; analysts to convert the raw monitoring data into indicator results and set them in a meaningful context; and management to be accountable for reporting requirements and use of the indicator results to improve programme design. Enumerators and analysts may be dedicated M&E staff or drawn from programme teams.  

What strategies exist to mitigate concerns about M&E quality in areas where counterterrorism risks are a concern?

• Contribution analysis: If it is not possible to measure certain high-level indicators directly, a set of testable logical statements could be developed that demonstrate the programme’s contribution to them. If, for example, an organisation purchases tents and distributes them to people who do not have shelter, and those people use the tents, it can reasonably conclude that the tents have made a positive contribution to protecting the recipients from the elements. Contribution analysis requires a carefully thought-out results framework. Read more about contribution analysis here.
• Triangulation: Using various sources of data about the same indicator reduces the risk of poor quality and potentially misleading data. Photographs of aid distributions help to triangulate beneficiary lists, for example, and focus groups can be used to triangulate outcome indicator surveys. 
• Sample size and randomisation: The careful selection of respondents can produce data and analysis that can be extrapolated to apply to all beneficiaries. Samples need to be sufficiently large, and all beneficiaries must have an equal chance of being included in them. Investing in rigorous and robust sampling methods will greatly increase the quality of M&E data. Read more about sampling here.
• Mobile data capture: If enumerators capture data on a mobile device rather than on paper, records can be time, date and location stamped. This information allows supervisors to confirm that sampling methods were properly implemented and identify other data quality issues. There is also less risk of transcription errors or manipulation because the data-entry step from paper to digital is eliminated. KoBoToolbox is a mobile data capture platform in use among some humanitarian organisations and offers many data capture tutorials.
• Supervision: Remotely managed programmes require more supervision, particularly to ensure M&E quality. Supervisors are needed to oversee data collection, clean data and ensure reporting and results make sense. This means investing in more staff hours and more dedicated staff to review reports and data from the field.
• Feedback mechanism: This provides a way for beneficiaries to submit independent comments on programme performance. Feedback mechanisms are difficult to put in place in areas where access is constrained, but when they can be implemented, they are a powerful way of learning about programme quality and triangulating M&E results. Read more about this in this paper from ALNAP.
• “Independent” monitoring: Bias is always a concern, and a genuinely objective assessment of project performance can be useful. True independence, however, can be difficult to achieve, particularly in areas where access is constrained. Focusing on independence or engaging independent monitors may simply exchange one set of biases that are easier to anticipate for another that is harder to quantify.