S1E14 – In the fourteenth episode of ICoCA’s podcast series we talk to Mike Blythe, Chief Operating Officer at Risk and Strategic Management, Corp (RSM). With a background in the military, Mike has decades of experience helping humanitarian actors with their security needs and recently completed a PhD on the topic. We ask him about his research and what his experience working with humanitarian agencies and NGOs has taught him about how the sector approaches risk, resilience and security.
This podcast was originally published September 14, 2021
Welcome to today’s podcast, the 14th episode in the series Future Security Trends Implications for Human Rights. I’m Chris Galvin, and today I’ll be in conversation with Mike Blythe, Chief Operating Officer at Risk and Strategic Management, Corp, otherwise known as RSM. Mike has decades of experience helping humanitarian actors with their security needs, and today I’ll be talking to him about resilience within international aid and development, helping humanitarians realize responsible security. So, Mike, welcome to the podcast, thanks for sparing your time to join us. Could you get us started by first telling us a bit about yourself and about the work of RSM?
I’m delighted to be supporting any efforts in order to develop resiliency within the humanitarian aid and development sector. I’ve literally just completed my doctorates with a focus on organizational resiliency within the humanitarian aid and development space. I’ve been fortunate enough to have a career spanning security and risk management, and in the last decade or so, focusing on the higher level of strategic organizational resilience. Our organization supports about 800 humanitarians around the world. We hold the USAID Party Liaison Security Operations Programs in both Nigeria and South Sudan. The focus of those missions is to support both USAID and other donor-funded activities in addressing complex risks within those environments.
Our organization conducts organizational audits at the higher level to look at all forms of risks and at the local level also looking at activity or locational risks. We’re also a policy writing organization, writing to a range of ISO standards, and then we implement that knowledge through training, whether it’s through instructor-led training, e-learning, exercising, or video games. We hold a range of external accreditations ranging from the Institute of Leadership Management, City and Guilds, ASIS, INSSA, Disaster Ready, and HRCI. And we’re keen to ensure that external parties validate the quality of our content. We also provide consultants embedded or part-time and deployable in order to support the community in addressing complex risks.
Fantastic. Now look, you told us that you’ve just finished a PhD on humanitarian aid and development sector resilience. I want to hear more about that. So, can you define for us what you mean by resilience and tell us what prompted you to focus on this issue, particularly as it relates to humanitarian aid and the development sector?
Absolutely, resilience is a polysemic concept or term that actually doesn’t have a firm meaning within the humanitarian space. That makes structuring an organization resilient approach, both within an organization and more widely within the sector, quite problematic because there’s nothing for security practitioners or risk portfolio owners to hang their hat on. It means different things to different people. Organizational resiliency, from my perspective, is addressing all forms of risk, whether they are security-related safety or whether they span into anti-terrorist financing, child safeguarding, fraud, corruption, reputational risk, crisis, and communications. Fundamentally, it is anything that could harm people’s operations, assets, facilities, information, the business interests of the humanitarian organizations, or more critically, the hard-won reputation. And so, it is basically dealing with the multifaceted threats, the humanitarians may face when seeking to support the beneficiary community.
So, you mentioned the beneficiary community there. Does this extend to them as well?
It does. Interestingly, in my research, and I was fortunate to be supported by many actors within the humanitarian space who brought a wealth of experience. What was transparent within the research was there are significant studies and research on how societies and communities need to be resilient against natural threats, disease, or human-made conflict. And indeed, the donors also have research focusing on how they need to address resiliency from the donor perspective. But, there was a gap in the literature and research on how the implementing partners needed to address complex risks and organization resiliency for themselves. Others have done substantive research and excellent papers on security risk management and touched upon areas such as ISO 31,000 for risk assessments. But no one has yet fully tackled the requirement for bringing risk within a unified structure and addressing all forms of risk to protect the interests of the organization and I feel that is a gap that hopefully I’ve made one small step towards addressing.
Well, we’re working closely with GSIF, they do great work and actually, that’s how we got connected as well. So, good to hear your referencing then. Now you’ve mentioned that the organization, RSM, has helped hundreds of NGOs with operations in hostile and complex environments with their security and resilience needs. What do you think the sector does well at in ensuring responsible security provision that respects human rights and humanitarian law? And where do you see room for improvement?
Well, I think the sector has many positives in that it is filled with people seeking to do good work. They’re highly motivated, they’re energized, and they’re seeking to protect the interests of the beneficiary first and foremost, but also their people. And I think over time, there’s a recognition that duty of care standards need to be more aligned to what is seen within other industries and sectors. So, I feel that the sector is full of highly capable individuals and there are small groupings of professionals who work together collaboratively to deal with such incidents as the Afghan evacuations or the Haitian earthquakes more recently. And so, it is very personality-led, and there are some very strong players within the field of security, risk management, and resiliency.
However, one of the gaps is that it is not a unified profession, there are no standards to which organizations can specifically work towards that are recognized by the majority of the sector. There are no defined competency frameworks to which professionals and practitioners need to align themselves into have made headway in terms of defining a competency framework for security, focal points national managers, and regional managers more recently. And that’s great work, but it’s not being embraced by the wider community and therefore it is very much personality-led. It is very much willpower, power versus necessarily design. And of course, security is still struggling to get budget allocations as implementing partners are fearful that their donors may not fund it, and also that it may detract from their win potential within a proposal. And so, the security profession or community is struggling to form itself to have an identity and to share information in a manner that can professionalize resilience and bring about some level of agreed standards and practices.
Just touching on that point of budgets and donor response, do you think it is the case that donors are reluctant to really kind of see proposals with security well written in? Or do you think there is this may resonate with the donor community, that there is a responsibility as donors, that they have a duty of care through the grants that they’re giving out to those beneficiary communities?
I think donors are increasingly aware of the need for resilience and security risk management. I think that they are not necessarily opposed to it and there’s a greater appetite to fund security. I think sometimes there’s a disconnect between potentially the business units and the security departments in terms of articulating the value of security effectively and overcoming the fear that the donors may look at the final bottom line figure and individuals or organizations would lose their opportunity to win the work because of the security costs that are built in with it. Certainly, from the research findings, it was still a fear that baked-in cost would be the first thing to be chopped by the proposal team in order to get the number to a competitive range.
I think part of the findings of the research was the requirement for greater interaction between donors and implementing partners. So the fear of including security was removed and donors recognised the requirement for security more fully across the various missions. I think DfID is doing a good job in terms of requiring a security solution within many of the bids and I think that that is also being seen within many US aid missions, although it’s not consistent. So, in some countries, there is a requirement to include a security plan and a security budget. In other countries, there is no requirement, and therefore organizations are uncertain of when to include security or when not to include security.
I know that some missions are also seeking to disaggregate the technical and associated financial components away from the security solution. So, there is not a part of the selection criteria, but security is treated as a standalone cost. It will be interrogated separately and then viewed as either accurate or inaccurate, but it would not be part of the actual selection criteria within the bid. And I think that would be a healthy response if it could be incorporated across all missions potentially.
Now, you’ve mentioned that sometimes there can be a bit of a disconnect perhaps between the security team within a humanitarian agency and perhaps the programmatic team. I mean, how well-embedded is security? Do you see across the sector and more broadly than that, kind of what trends are you seeing across the sector when it comes to how humanitarians approach security and who within the organization is responsible for the security?
I think the integration of security is improving, and there was certainly substance within the research findings that security and risk were more effectively being spoken across the boundaries of different functions. And there was a recognition that security was an enabler to success versus a hindrance or a cost. But that is still largely informal and based on personalities and the competency and effectiveness and positioning of the security practitioner within the organization. Do they have direct access to the senior leaders? Do they have to go through multiple filters that could either support or hinder their message, as it were?
So, I think that many organizations are embracing security, they are recognizing its value. But of course, ultimately, it’s the awareness of the executive leadership team across the multiple functional areas of what resiliency means of its value and its importance that really drives the success or failure of the approach and if executive leaders are not well read into how resiliency works and how it benefits the organizations, they’re less likely to positively support the security department. So, I think there needs to be a degree of upskilling and awareness building for the executive leadership teams as well as the security departments in terms of the value of resilience. And I also think that the security profession is often fighting fires and so they don’t have time to kind of kick back and really think about how to best articulate the value of organizational resilience in its many forms in the most effective manner to their executive leadership teams and therefore gain buy-in. So, I think, space time, and bandwidth need to be creative for the security departments to better articulate their needs and to make the executive leadership team and therefore, the donors understand that security is not just about gate guards, guns, and armored vehicles. It’s also about thought processes, cultures, practices, standards, and other softer mechanisms by which to address risk.
And do you see that the security teams themselves are the best messengers for that message? Or perhaps are there other routes, other sources where that message may resonate with senior management?
I think there are other routes and security needs to have advocates within the organization at every level. They all need to understand the value proposition of security and risk management. Of course, the sector is largely unregulated and so there’s no driving requirement, as there would be for, say, health and safety for organizations to aspire to meet a high-reliability status, although that is changing both with scrutiny from donors and society in general and also litigation and reputational harm that’s been seen to impact a number of organizations in the last decade or so. So, I think each executive leader within their respective departments needs to be a positive voice for supporting security, and that can only be gained through understanding what security is seeking to achieve and including it right from the outset, within a proposal process so that security can contribute to the shaping of the approach and therefore an appropriate budget being built in at the same time versus as an afterthought.
What other recommendations do you have for the sector in terms of improving security management and overall resilience? And are there examples, specific examples where you’ve seen this in action and it worked well?
I think the forum groups and associations can play an active part, and they certainly do, and perhaps there are areas for that to be enhanced. I know GISF and INSO collaborating actively and I think that’s a healthy activity to pool knowledge and resources which will exponentially improve the value to both the organizations and those they support. So, I think that is an active process.
I think there should be an effort to standardize what is considered effective resiliency, understanding that there has to be scalability, there has to be a recognition that this is a global community involving millions of organizations from the small NGOs with several staff members up to the mega basic corporations of valued in the multi-billions. There has to be scalability and embracing ISO standards BSI standards or any other standards that people can framework against would be a positive first step. And there has to be a professionalization of the security community. I’m not saying for one instance the individuals are not professional or competent. They certainly are. There is no body of recognized experts currently within the sector that have an authoritative claim over their domain that can then drive standards and enhance practices. There are isolated pockets of professionals who are doing great work, but there is no unified structure that individuals can look for.
In addition, the process of career transitioning is highly disjointed. So, individuals coming from primary career fields, whether they’re military, police, academic or emergency services, or other ill-formed. And so, individuals don’t know what to expect, and don’t know what to aim for. And the employing organizations also don’t necessarily have the metrics to which they can effectively measure and select suitable candidates. And that applies to the onward learning journey as well. There is no defined hierarchy of security professionals that is consistently understood and therefore building a competency framework ensures made headway into this field. But it is ill-formed and therefore individuals don’t know necessarily how to proactively progress within their career and expand and organizations don’t therefore know what to expect from those individuals.
So, I think there’s a lot of work to be done. It’s not insurmountable. It requires coordination between the implementing partner community and the donors because the donors ultimately set the mission and fund it. I think those conversations need to be broadened and deepened. I think forums and associations acting as gravity wells for knowledge and processing that knowledge and articulating it to the community could also potentially add more value than they’re already producing. So, I think, knowledge production and the establishment of effective standards are the underpinning goals that the sector should be aspiring towards.
And just on that knowledge production piece then. So, are you espousing that it would be good to have, say, a professional qualification? I don’t know, an Institute of Chartered Security professionals. I understand that doesn’t exist, would that be a useful thing?
I absolutely think any knowledge is good and not necessarily just within the technical area of expertise, being a kidnap and ransom expert is fantastic, or a security manager or a trainer. These are all good skills to have within your toolkit. But maybe by expanding out the knowledge base, I think security professionals can only be truly effective if they are understanding of the risks and concerns of those they support. So, a security professional should understand anti-terrorist financing. They should understand fraud and corruption or duty of care or family liaison. They should be able to talk with their peers about their risks in order to form a better response. And so, growing out the knowledge base would be particularly useful for the professional. It would make them more credible within their organization. It means that they can speak the language of their peers and they can they can speak across boundaries more effectively and therefore their solutions might be more sophisticated in nature. I think understanding that vocational or skills-based training is very useful. But eventually, they will become a saturation point where the professional will have learned as much as they’re going to learn within the purist field of security. And maybe they want to look beyond security at other areas of competency, whether that’s pursuing an academic career pathway to get some level of degrees or indeed spreading their wings out and getting a degree in something that is not security related but will have some level of benefits such as business management or administration. These are all things that the professional needs to think about rather than being pigeonholed within just the field of security itself.
And just to go a little deeper on this, because you do talk about this in your thesis, just looking at the kind of profiles of security professionals, certainly in the humanitarian sector, But I’m sure this applies across other sectors as well. I mean, people come into this from different routes, whether through uniformed military police or just organically within an organization, they land in security roles. Do you see that as a positive or a negative? Is there value in having diversity?
I think there’s absolute value in diversity. In fact, I was surprised not by the findings of the research per se, because I already believed it myself, but by how many individuals from a military background were skeptical about militaries joining the sector? They felt that often, and I’ll coin other people’s terms, that they were knuckle draggers, that they had the wrong characteristics and personality and behaviours, and that they came from an autocratic background. So, there was a recognition of some of the shortfalls of people coming in from the career field that I joined from.
There was also a recognition, however, that those individuals brought significant technical knowledge within the field of security, that they had formalized training, and that they had been crisis tested through either simulations or real-life experiences through what was potentially decades of technical training conducted by the military or police or intelligence services. And these are all good things that were particularly useful during crisis situations where fast autonomous decision-making needed to be made, and where individuals need to be calm and collected under stress and crisis situations. But the military also recognized that academic skills were also important, and those coming from a non-military background brought many benefits and that they had more effective communication skills in some respects, they were better researchers, they were better writers. And I’m not talking about 100%, but by and large, those individuals brought different skills that were beneficial.
And so, part of the research findings was the concept of convergence, where a military primary career point brought certain values that their civilian counterparts or their academic counterparts might want to embrace over time through structured or opportunistic learning. But also, the military needed to kind of shake off the mantle of the uniform and then understand that there were other skills that they were lacking and experiences that they needed to draw upon as well, whether that was an academic pursuit or a softer management approach, or greater IT literacy. And so I think both fields bring value and both have gaps that need to be addressed as well, and it’s only by recognizing that the security professional is going to be able to advance and progress within their field.
I just want to turn finally to the point on standards. This is interesting because ICoCA has its own certification scheme, which is linked to a number of ISO standards and we work with certification bodies, etcetera. But how do you think an organization like ICoCA should be engaging with humanitarian agencies to help them ensure that their own private security providers are responsible companies that respect human rights and international humanitarian law?
Respecting human rights and international law is critical and I know within the extractive industry, for example, they developed voluntary principles that look at protecting individuals from contracted security, whether that was private security or government-hired. Think the community does need to recognize the importance of managing their security subcontractors. They are often the short window to the organization. They represent the organization even if they are vendors or suppliers of a service and the humanitarians cannot escape the damage that will occur if the individuals they hire are inappropriate and behave in a manner that is harmful. There has to be a recognition of scalability, a recognition that within some programs there are no security professionals. There are focal points who may be doing security as a part-time job. They may be a human resource expert or an administrator, and they’re asked to spend one hour a month or an allotted amount of time per month or year looking at security and therefore guard force management all the way up to organizations that may have a highly professional 30-year veteran looking after security who’s going to be more competent and capable in understanding the nuances of guard force management and security requirements.
I think there needs to be a recognition that the vast majority of those practicing security are not necessarily security professionals. And I’m speaking about the focal point community, and thus education needs to be part of the solution as well. And then understanding as well that standards are great, but they don’t always apply as you go through a multinational community. Holding an individual to certain standards in the UK or Europe is an awful lot easier than perhaps holding the same standards to a group working in a less developed nation where education, literacy, and resources may be weak or absent.
That is certainly one of the challenges that we work with our member companies range from large multinationals to small indigenous companies. And yes, international standards – the whole lexicon may be a first foreign, but the challenge is raising standards across the board and so that’s what we work to. But look, Mike, I should say, Dr. Blythe, newly minted PhD, thank you so much for sparing your time with us today and we look forward to keeping connected with you now that we are connected and working with the likes of GISF as well and raising standards across the sector today. Thanks.
The views and opinions presented in this article belong solely to the author(s) and do not necessarily represent the stance of the International Code of Conduct Association (ICoCA).
