Module 8.1 – Criticality Assessment

Criticality assessment considers the importance or urgency of a planned activity, and weighs this against the risks to staff in carrying out the activity. It can be thought of as a kind of cost-benefit criticallity risk ass modelanalysis. It starts by looking at the dangers faced by the beneficiaries and the consequences for them of either doing or not doing the envisioned program. Is the program urgent, important, and life-saving, or simply desirable? This assessment is then weighed against the risks to your own staff, as assessed previously through your SRA process. Consider the statements below made by those who have been directly involved in such decisions.

The first quote is from an evaluation of an incident in which a staff member was killed—raising the concern that criticality assessment was not done.

“…the security of staff cannot be divorced from that of refugees and from the provision of assistance. When programme activities have already been seriously decreased by a reduction of funds and insecurity, the situation must be closely monitored in order to ensure that staff are not left in situations of potential danger where the risks outweigh the benefits to refugees.” – Summary Report of the Inquiry into the Death of One UNHCR Staff Member and the Abduction of Another in Macenta, Guinea on 17 September, 2000

The next quote is from the UNHCR High Commissioner, explaining his removal of international staff from the field in a different instance, in essence, by citing a criticality assessment.

2nd quote

 

 

 

 

 

 

 

As seen in these examples, criticality can involve life or death questions—for both staff and the people you are helping. Careful and dispassionate consideration of all the facts and good judgment are especially important at this stage of your SRA.

Broadly speaking, your criticality assessment can yield three possible outcomes:

  1. Benefits clearly outweigh the risks; undertaking the program/project falls in the category of reasonable risk.
  2. Risks clearly outweigh the benefits; the activity entails unacceptable risk.
  3. The risk may be acceptable, but only with additional mitigating measures. In this case the manager must select and implement appropriate measures designed to eliminate unnecessary risk and manage any residual risk.

For an example of the first outcome (benefits clearly outweigh risks), consider crossing the street for a cup of coffee in a normal, well policed city. It really doesn’t matter that a hot beverage is a non-essential luxury (for most at least), there is simply no (security) reason preventing you from undertaking the activity. This is clearly a “go” scenario, as are most activities in peaceful countries with sufficient law and order.

For an example of the reverse (risks clearly outweigh benefits), consider the case of walking into a live minefield. There is simply no job or project that justifies taking this risk. Even in the extreme instance where another person is trapped in the minefield, possibly even injured, mine experts counsel that the only way to help is to call for assistance and wait for trained experts to clear a path to the victim. To cite an axiom used by firefighters, “don’t bring more victims to the fire.”

If the world only consisted of scenarios like the ones above, the security risk management responsibility would be relatively simple and clear cut. Unfortunately, cases also occur where risk and program benefits must be more carefully weighed against one another.

Consider the following example: it is dark, stormy and foggy outside; roads are covered with ice and visibility is close to zero. You have a sore throat and would like to go to the pharmacy to buy cough drops. Should you go? You might reasonably determine that weather conditions make the roads too dangerous, and cough drops are not absolutely essential—the criticality of your proposed activity does not outweigh the risks. You decide to stay home and drink some tea with honey and lemon instead.

Now, imagine that the weather conditions are exactly as in the situation above, but this time you have a colleague whose appendix has ruptured. If she does not receive immediate medical attention she may die. What will you decide in this case? Perhaps in this instance you will determine that the urgency of the situation now justifies the risk, and drive your friend to the hospital; however, in doing so, you also determine that you will not make a side-trip along the way to the pharmacy for cough drops (eliminate unnecessary risk), and will use only major, well-lit roads, wear seatbelts and drive not faster than 30 miles per hour (manage residual risk).

It must be underscored here that criticality assessment is not a license to justify actions that clearly entail unacceptable risk; as with the examples of minefields and combat zones above, there are cases where no degree of urgency can justify the program. In these cases the security risk management approach urges managers to take the steps that are necessary to ensure the safety of their staff, including stopping the work/project and evacuating to a safer area if needed.

How to do your criticality assessment

Criticality assessment encourages managers to ask the following questions:

  • How great is the risk to staff? What conclusions do you draw from your threat and vulnerability assessments? What is the likelihood and probable impact of an unwanted event occurring? The key to answering these questions, of course, is your risk analysis and risk matrix.
  • How urgent are the activities envisioned? Here, you will be considering the nature of your work/project, which you have most likely considered in detail in non-security contexts. Are they life-saving, very important, or only desirable? If you have not thought of this question before now, you may want to consider using the tools you have learned to conduct a risk assessment from the beneficiaries’ points of view. This can help clarify the urgency of the needs and criticality of projects designed to address those dangers.

scales imageWhat are the short, medium and long-term consequences of work/project suspension?

Remember that one of the results may be increased risk to staff upon eventual return if the local community members feel they were abandoned. A huge loss of potential earnings for the company also.

What are the programmatic consequences of a security incident occurring?

Often an incident will cause the area to be declared “off limits” indefinitely, or until further detailed assessments and/ or assurances from the host government are forthcoming.

In summary, criticality analysis is a process of weighing the benefits of projects against their risks. It does not produce absolute, right-or-wrong answers, and it cannot be used to provide justification where risk is clearly unacceptable; however, it can help clarify thinking, expose strengths and weaknesses in an argument, and provide support for a decision entailing reasonable risk once it is taken. Criticality analysis is an important step in the due diligence of a Security Risk manager.