CHAPTER 10 SECURITY RISK MANAGEMENT IN HOSTILE ENVIRONMENTS: COMMUNITY-BASED AND SYSTEMS-BASED APPROACHES

In recent years, there has been a growing dialogue around community-based and systems-based approaches to security risk management through the introduction of top-down and bottom-up knowledge acquisition. In essence, this relates to knowledge elicited from academic experts, or security subject-matter experts, practitioner experts, or field workers themselves and how much these disparate sources of knowledge may converge or diverge. In many ways, this represents a classic tension between organisational and procedural perspectives of knowledge management (i.e. top-down) versus more pragmatic and experience focussed perspectives (i.e. bottom-up). This chapter considers these approaches and argues that a more consistent approach needs to address the conflict between procedures and experience, help convert field experience into knowledge, and ultimately provide effective training that is relevant to those heading out into demanding work situations. Ultimately, ethics and method are intricately bound together in whichever approach is taken and the security of both staff and at-risk populations depends upon correctly managing the balance between systems and communities.


INTRODUCTION
The last two decades have seen a rise in security issues around the world. In the wake of growing insecurity, organisations have looked to improve their security risk management frameworks, developing concepts which originated in the health and safety field to deal with more pressing risks such as terrorist acts, abduction, and piracy. Risks that were previously exclusive to the battlefield are now prevalent in situations affecting a range of overseas workers, from frontline humanitarian workers, oil and gas executives, media reporters and journalists, government officials, business travellers, and even regular tourists. For example, research indicates that one in five humanitarian workers experienced intentional violence (Buchanan & Muggah, 2005) and that this high rate supported Claus's (2011Claus's ( , 2015 observations that humanitarian organisations face more risks than other sectors. The literature on security studies has traditionally focussed on states as the main actors (Browning & McDonald, 2011). Security studies as an academic field have neglected the individual as a viewpoint, attempting to understand broader security issues on why states go to war and how military power is projected (Buzan & Hansen, 2009). A shift in this approach occurred at the end of the Cold War in 1991 with the emergence of critical security studies, which shifted the focus to individuals, considering human rights, effects of non-state conflict (such as terrorism), and the effects of criminal activity (Williams, 2013).
Early academic sources in humanitarian security began to appear in the late 1990s when three articles were published in the journal Humanitäres Völkerrecht (International Humanitarian Law), discussing security practices within the United Nations, the International Committee of the Red Cross, and humanitarian nongovernmental organisations in general (Connelly, 1998;Dind, 1998;Van Brabant, 1998a, respectively). The articles addressed the changing nature of what they termed the 'humanitarian space', or the environments in which humanitarian programmes occur, stating that there was an increase in attacks against humanitarian workers.
This prompted the first statistical review into humanitarian worker deaths (Bolton et al., 2000). The study concluded that attacks against humanitarian workers were on the rise caused by an increase in conflicts between non-state actors, such as rival militias, and lawlessness as the main driver (Bolton et al., 2000). However, there was a greater range of risks that workers were exposed to, such as being caught in the crossfire between warring groups, landmines, abduction and kidnapping, and crime related to lawlessness, such as muggings and carjacking (Bolton et al., 2000;Martin, 1999).
An important document was released in 2000 titled Good Practice Review 8: Operational Security in Violent Environments (Van Brabant, 2000). This built on earlier work by Van Brabant (1998a), Martin (1999), and through consultation with a range of humanitarian sector staff, to pose a new model for security management. This document was the first true work to draw together thinking in the sector (Harmer & Schreter, 2013). It emphasised the need for humanitarian organisations to take more responsibility for staff security, provide training to ensure staff are prepared, as well as foster the acceptance of the organisation's presence and work with the communities they help (Van Brabant, 2000). This created the community-based approach as a school of thought within the sector (Brunderlein & Grassmann, 2006).

APPROACHES TO SECURITY RISK MANAGEMENT
The impetus to change security management in the sector led to the development of community-based and systems-based approaches (Brunderlein & Grassmann, 2006). The community-based approach views security from the bottom-up, with the individual humanitarian worker and their unique perspective as the focal point, while the systems-based approach is top-down, which puts security advisors and their procedures at the centre of design and implementation (Schneiker, 2015).

Community-based, Bottom-up Approach
The community-based approach began to gain traction around the turn of the twenty-first century (Martin, 1999;Van Brabant, 1998a, 1998b, 2000. The approach relies on local communities to trust and support the organisation and their work, thus reducing risks to humanitarian workers (Martin, 1999). As it relies on the community to accept the presence of the humanitarian organisation, it is also referred to as the 'acceptance' approach (Van Brabant, 1998a). In this approach, security is effectively cultivated at the field level (Schneiker, 2015), with the organisational level providing support and resources (Van Brabant, 2000). Successful acceptance also required organisations to gain acceptance from potentially aggressive actors (Van Brabant, 1998b), with organisations needing to 'obtain credible security guarantees' (Brunderlein & Grassmann, 2006, p. 71). Where strong acceptance exists, the community is likely to protect humanitarian workers if possible or warn them of potential danger (Van Brabant, 2000).
With this approach it is necessary for workers to meet with local community members, though doing this they are exposed to possible risks (Van Brabant, 2001). The approach emphasises the need for workers' training, such as on mine awareness, communications, and how to survive an abduction (Bollentino, 2006). Brunderlein and Grassmann (2006) identified four weaknesses with the community-based approach: • The approach relies on the community trusting the humanitarian workers. • Communities can be unaccepting of organisations because of their resentment to the country they are from.
• Communities need to provide security for the humanitarian workers, but in some circumstances cannot provide their own security.
• Relies on individuals who have the necessary experience to build relationships with key stakeholders.
The approach is also reliant on humanitarian workers who can develop relationships with others and build trust (Van Brabant, 2001). The approach requires humanitarian workers to have close relationships with the community and face the same risks they face (Martin, 1999;Schneiker, 2015). This promotes 'emotional decision making' where risks may not be assessed realistically (Daudin & Merkelbach, 2011, p. 7), resulting in workers staying with the community when they should leave (Neuman & Weissman, 2016, p. 16). The context of decision making is therefore extremely complex and humanitarian staff represent a large area of risk themselves, who can take a 'negligent attitude towards their own security' (Brunderlein & Grassmann, 2006, p. 67). The wealth of literature in the field of anthropology, ethnography, and indigenous studies points up the diverse ethical and methodological challenges that can arise when taking such an approach (George, MacDonald, & Tauri, 2020;Iphofen, 2011Iphofen, -2013.

Systems-based, Top-down Approach
The systems-based approach emerged from a review of the 2003 attacks in Iraq, which emphasised the need for more organisational oversight of field security (Ahtisaari, 2003). This approach favours 'top-down' management of security (Schneiker, 2015), focussing on enforcing standardised procedures (Brunderlein & Grassmann, 2006), including manuals, guidelines, and rules (Harmer, Haver, & Stoddard, 2010). Danger is seen as a quantitative measure, relying on mathematics to determine risk levels so that it can be avoided altogether (Neuman & Weissman, 2016). In this way, it replaces the subjective nature of awareness with more scientific methods (i.e. based on empirical approaches) to elicit knowledge from security experts who are used to decide and design procedures (Brunderlein & Grassmann, 2006), and attempting to move away from the gut-feeling responses which were often of importance in the communitybased approach (Harmer et al., 2010). Training focusses on following these procedures, rather than helping staff develop risk awareness (Barnett, 2004).
Unlike the community-based approach, the systems-based approach views security as a functional entity that can be modelled, predicted, and controlled (Collinson & Duffield, 2013;Neuman & Weissman, 2016). In this way, the influence of the individual humanitarian worker is minimised or eliminated (Beerli & Weissman, 2016), as individual decision making is seen as too unpredictable to manage effectively (Daudin & Merkelbach, 2011). Brunderlein and Grassmann (2006) identified four weaknesses to the systemsbased approach: • It relies on the quality of risk assessments and therefore the security intelligence. • It is reactive and based on generic risks and responses, which oversimplifies the complex nature of political, social, and economic risks.
• To be effective, it needs an effective response capability, such as that provided by the military.
• It skews the long-term outlook for programmes, instead of putting more emphasis on immediate security. This rigid nature of security systems, where experts are relied on to provide advice and staff are given rules and procedures to follow, can create a false sense of security where individual responsibility for security awareness is removed (Barnett, 2004;Daudin & Merkelbach, 2011). The role of security experts may give other staff a belief that the experts alone are responsible for security, thus 'everybody's business becomes nobody's business' and overall security capability is reduced (Fast, Freeman, O'Neill, & Rowley, 2013, p. 236). Furthermore, quantifying risk can answer where, when, and how questions, but does not provide answers on why risks occur which further reduces general understanding and awareness (Brooks, 2016).

RELATIONSHIP BETWEEN TOP-DOWN AND BOTTOM-UP APPROACHES
The community-based and systems-based approaches should, in theory, be complementary to each other (Brunderlein & Grassmann, 2006): effective riskanalysis can inform when community-based approaches are safe to implement, which allows staff to build acceptance which in turn provides greater access to information to inform risk-analysis (Bollentino, 2008). However, the communitybased approach has not been largely adopted by many organisations (Brunderlein & Grassmann, 2006) and is poorly supported by literature or studies of how it works in practice (Bollentino, 2008;Grassmann, 2005). Not long after it was proposed, the attacks in Iraq occurred, which prompted many organisations to believe that the community-based approach did not work (Grassmann, 2005). The attacks revealed the difficulty in building acceptance, which is critical for the community-based approach, as it is required from all parties, including those who are potential aggressors (Van Brabant, 2001). There are some countries where this is not possible however (Collinson & Duffield, 2013) since in some contexts there are groups that promote anarchy and do not want humanitarian organisations helping the local community (Childs, 2013;Egeland, Harmer, & Stoddard, 2011). As with the ongoing conflict in Syria, extremist groups explicitly seek a lack of stability and promote violence. Such conflicts are likely to continue worldwide, which are typified by guerrilla warfare, terrorism, and a rise in lawlessness, meaning the groups from whom acceptance is needed are likely to be opposed to humanitarian goals (Burkle, 2005;Fast & Wille, 2010;Kaldor, 2012). This presents a considerable challenge to the ethical demands of ethnographic and indigenous research.
Arguably the community-based approach cannot be effective with humanitarian work, which has become increasingly politicised (Bollentino, 2008;Brunderlein & Grassmann, 2006;Duffield, 2014;Fast et al., 2013). Duffield (2014) discusses how many humanitarian organisations have started to move away from impartial approaches, in which assistance is given to all based on their need, even where such groups could be partial to and fuelling conflicts. Organisations instead become peacebuilders, planning programmes to bring about an end to conflict (Duffield, 2014). Programmes with such aims are often better funded by donors, which also include government institutions, which limits what community groups the funding can support and ultimately makes humanitarian aid political in nature (Egeland et al., 2011;Fast et al., 2013), therefore limiting how effective the community-based approach can be.
Considering both the politicisation of aid as well as the perceived need to professionalise security, the sector has largely adopted systems-based approach over a community-based approach (Claus, 2011;Collinson & Duffield, 2013;Daudin & Merkelbach, 2011;Egeland et al., 2011).
The systems-based approach allows investment in a central system which can be implemented in other communities, while the community-based approach means investment is in one local area (Brunderlein & Grassmann, 2006;Childs, 2013). Investment into local acceptance is seen as financially risky as the approach does not always ensure security (Collinson & Duffield, 2013). Furthermore, the systems-based approach also allows an organisation to document how it meets its legal Duty of Care obligations; or their obligations to take necessary measures to protect staff (Kemp & Merkelbach, 2011). Organisations are becoming more aware of their legal obligations in comparison to before the 2003 attacks (Kemp & Merkelbach, 2011;Klamp, 2007) and implement systems to protect their staff and reputation, which in turn allows them to compete for further funding (Bollentino, 2008).
Lastly, the systems-based approach is easier to achieve as a strategy (Neuman & Weissman, 2016), where management can mark progress by identifying what measures have been implemented and how many staff have received training (Barnett, 2004). The measures implemented are also more objective at keeping staff safe (Daudin & Merkelbach, 2011;Schneiker, 2015), whereas communitybased approaches are subjective in their effect on improving security (Brunderlein & Grassmann, 2006). Therefore, the systems-based approach is preferred to the community-based approach in terms of finance, documenting legal obligations as well as management oversight.
Another explanation is that a disparity exists between what field workers and security experts believe is necessary to ensure operational security (Adams, 2003;Barnett, 2004;Brunderlein & Grassmann, 2006;Collinson & Duffield, 2013;Daudin & Merkelbach, 2011). Where this conflict in knowledge management exists, staff are likely to follow their own understandings and beliefs over the instruction of security experts, either passed through training or through procedures (Brunderlein & Grassmann, 2006;Daudin & Merkelbach, 2011). Issues in knowledge mismanagement can mean that systems implemented to keep staff safe are not followed, staff are ill-prepared for the environments they deploy to and the organisation is unable to achieve its goal. This conflict highlights an area of significance not yet fully explored in the literature.

CONFLICT OF KNOWLEDGE BETWEEN TOP-DOWN AND BOTTOM-UP APPROACHES
The top-down systems-based approach emphasises the role of the security expert as the knowledge creator, responsible for designing the system and the supporting material for its implementation (Barnett, 2004;Brunderlein & Grassmann, 2006;Burns, Burnham, & Rowley, 2013). In doing so, the knowledge and experience of field workers is neglected (Bollentino, 2008;Buchanan & Muggah, 2005;Neuman & Weissman, 2016). There are three areas where the literature outlines how this conflict in knowledge has a negative impact: a conflict between procedures and what field workers know to be true, the inability to convert experience into knowledge to improve security systems and training being ineffective at improving staff security.

Conflict between Procedures and Experience
Multiple authors note the disregard many field workers have for the security procedures imposed on them to keep them safe (Ahtisaari, 2003;Collinson & Duffield, 2013;Daudin & Merkelbach, 2011;Neuman & Weissman, 2016;Van Brabant, 2000). Daudin and Merkelbach (2011) state that there is a tendency for field staff to only follow rules that reflect their own beliefs and experience. Adams (2003) makes the point that this is a natural behaviour of people, using the everyday example of crossing the road to frame the issue: though the experts designed the system so that people wait until the red light shows before crossing, many people will use their own judgement to see if it is clear and cross even when the light is not red. Adams (2003) used this example to frame his discussion on how people ignore systems where they believe they have a better understanding of the solution 'in context'. Security procedures lose even more buy-in from staff when they do not directly reflect the situation field workers find themselves in (Barnett, 2004;Collinson & Duffield, 2013). One example of this is a rule commonly imposed that prevents those with weapons using organisation vehicles (e.g. People in Aid, 2008, p. 17), so the organisation remains neutral. In reality, if an armed person wants to get into the vehicle the humanitarian workers have no way of refusing them carriage. Though such a rule ignores the local context (Barnett, 2004;Collinson & Duffield, 2013), Beerli and Weissman (2016) state that humanitarian workers are likely to face disciplinary action if rules are broken, rather than be commended for their individual judgement. In one study, such an approach was documented to reduce the reporting of incidents by field staff for fear of losing their jobs (Donnelly & Mazurana, 2017). This reduces the ground-truth-reality of how many incidents occur, weakening a systems approach which is reliant on statistics for risk assessments (Bollentino, 2008).

Field Experience is Not Converted into Knowledge
Underlying the disparity between procedures and experience is the inability for organisations to utilise staff experience effectively (Bollentino, 2008;Buchanan & Muggah, 2005). The systems-based approach downplays the role of individual knowledge, which is seen as too diverse and incoherent to be of use (Daudin & Merkelbach, 2011). However, those workers who have amassed experience of working in high-risk environments are likely to be able to rectify procedural and training issues and help review the security systems in use (Barnett, 2004;Bollentino, 2008;Buchanan & Muggah, 2005;Collinson & Duffield, 2013;Darby & Williamson, 2012).
Nonetheless, there is an 'inability to institutionalise staff experience' (Bollentino, 2008, p. 265) and a largely ad hoc approach to its use (Burns et al., 2013;Persaud, 2014). Where staff experience has been utilised to improve security, it has been at the expense of formal training: a study conducted on security issues in Darfur found that new workers had not been given basic training and experienced staff had been expected to guide and look after novice workers, even though their experience was from other countries and not necessarily appropriate (Eckroth, 2010).
The need to capture this knowledge is important for humanitarian organisations, which suffer a high staff turnover compared to other lines of work (Richardson, 2006). This has been identified as a general weakness in knowledge sharing across multiple areas in the sector, including security (Darby & Williamson, 2012;Emmens, Hammersley, & Loquercio, 2006;Richardson, 2006). In a study conducted on reasons staff leave, one of the reasons highlighted was not the risk itself but the lack of training and inappropriate preparations to face such dangers (Emmens et al., 2006). Therefore, if experience is not effectively converted into knowledge it cannot be used by humanitarian organisations to improve security training and preparations, which will itself continue causing a high staff turnover and loss of knowledge.

Training is Ineffective at Improving Staff Security
The systems-based approach has reduced training so that it focusses more on how to follow the procedures, rather than how staff can effectively assess and respond to risks themselves (Barnett, 2004;Burns et al., 2013;Persaud, 2014). As such, field-based training is largely replaced with classroom activities (Barnett, 2004;Persaud, 2014) and many staff deploy into the field unprepared (Barnett, 2004), with many not receiving any training at all (Egeland et al., 2011). Furthermore, training has generally become focussed on hard measures, such as how to respond to gunfire, grenades, or minefields (Bollentino, 2006;Daudin & Merkelbach, 2011) at the expense of 'soft' measures, such as communication skills, situation awareness, and leadership which are likely to be more effective in some settings (George et al., 2020;Persaud, 2014). This results in staff being unable to assess the likelihood and risk of harm themselves, nor elicit information from local communities, therefore becoming reliant on their organisation's security experts (Barnett, 2004). This further reduces the ability of those in the field to be able to think dynamically about risk themselves, instead being reliant on the system to protect or guide them (Bollentino, 2008;Daudin & Merkelbach, 2011). In this sense, security becomes seen as a technical problem which can only be solved with technical expertise (Daudin & Merkelbach, 2011) and training becomes introductory in nature (Bollentino, 2006;Brunderlein & Grassmann, 2006).
The difference in view is often made worse when organisations use external suppliers for training, which is increasingly common (Burns et al., 2013;Collinson & Duffield, 2013;Persaud, 2014). These external providers are only able to give generic training which does not draw upon and incorporate staff experience (Barnett, 2004;Persaud, 2014), and the training often excludes any focus on the specific risks workers may face (Brunderlein & Grassmann, 2006;Eastman, Evert, & Mishori, 2016). There has also been a critique of how effective such training is, with security experts varying in experience level, many of whom have experience from military or police roles that do not necessarily translate into the humanitarian context (Persaud, 2014).

KNOWLEDGE MANAGEMENT IN SECURITY
The triad of conflict areas highlight fundamental aspects surrounding the mismanagement in knowledge within the two approaches. The shift to the top-down approach has minimised the role of the individual (Beerli & Weissman, 2016) and has made field workers dependent on the security systems, rather than able to think flexibly and independently (Barnett, 2004;Bollentino, 2008;Daudin & Merkelbach, 2011). However, a lack of focus on the knowledge of humanitarian workers has had three marked impacts: • There is a conflict between what workers know to be effective and the procedures in place (Adams, 2003;Collinson & Duffield, 2013;Daudin & Merkelbach, 2011). • Field experience is not converted into knowledge for use within the organisation (Bollentino, 2008;Buchanan & Muggah, 2005;Darby & Williamson, 2012).
When top-down and bottom-up knowledge does not align, the systems in place to support users are weakened (Wilson, 2005). Daudin and Merkelbach (2011) stated that this is the case in the humanitarian sector where there is little input from the field level. They discussed issues around security procedures, stating that there was little input from those on the ground, and therefore the content of the procedures diverges. However, from recent research (Paul, 2018) there is evidence that knowledge, in the form of requirements, converges more than it diverges. This seems to contradict what has been observed in previous research, in which several authors found a misalignment between the organisational and field levels in terms of security thinking (Barnett, 2004;Brunderlein & Grassmann, 2006;Egeland et al., 2011;Martin, 1999;Persaud, 2014;Van Brabant, 2001). Field workers classed as practitioner experts (Burton & Shadbolt, 1995) will have had the opportunity to internalise knowledge, through repeated exposure and experience of utilising security in practical situations (Nonaka & Takeuchi, 1995).
The argument posed in the literature that top-down and bottom-up knowledge does not align may be more relevant for less experienced workers. This is potentially supported through studies on humanitarian worker deaths that show inexperienced workers are more at risk (Bolton et al., 2000;Buchanan & Muggah, 2005;Burnham & Rowley, 2005). Bolton et al.'s (2000) study, which is the only one accounting for length of service, concluded that out of the 382 deaths studied, 31% occurred within the first three months of service, with 17% occurring within the first month, with a median of eight months. This is also backed up by observations and reflections of experienced field workers (Paul, 2018). Further study is needed to identify at what stage field workers adopt and demonstrate more expert skill levels and stop showing qualities identified as those demonstrated by novice workers.
Further research using simulated training scenarios has demonstrated that training in itself was not effective in ensuring novice workers are able to effectively operate in high-risk environments (Paul, 2018). Those who were classed as inexperienced (i.e. less than five years' experience) were not able to effectively apply the explicit knowledge learnt on the day to the scenarios encountered. This largely reflects what is stated in the literature, that training is only introductory, generic, and cannot fully prepare staff for high-risk environments (Brunderlein & Grassmann, 2006;Darby & Williamson, 2012;Egeland et al., 2011;Persaud, 2014).
Organisations sometimes view training as a means of meeting their 'Duty of Care' requirements (Barnett, 2004;Daudin & Merkelbach, 2011;Kemp & Merkelbach, 2011). However, training itself cannot be the end state. This is supported by Claus (2015), an expert on Duty of Care and legal obligations of organisations, who states that organisations are responsible to ensure not only the systems in place but also that staff are effectively trained for the environments they deploy into. Addressing these concerns will allow a better understanding of where knowledge diverges, which in turn would allow organisations to ensure that staff receive the right training to ensure they are prepared for high-risk environments (Claus, 2015). Furthermore, this would allow organisations' Human Resources departments to ensure that only those who are able to demonstrate the required skills are selected for projects in high-risk environments (Darby & Williamson, 2012).
The lack of engaging field workers in developing solutions (Barnett, 2004;Collinson & Duffield, 2013) means that 'bottom-up' community-based knowledge is rarely elicited. Organisations that fail to do this lose knowledge which could improve systems and give them a competitive advantage, either over others or more pertinently for this domain over the problem (Nonaka, 1991;Nonaka & Takeuchi, 1995). This mission-critical information is lost over time in many sectors due to an ageing workforce (Dzekashu & McCollum, 2014). This is even more prevalent in the humanitarian sector due to an above average rate of staff turnover (Balbo, Heyse, Korff, & Wittek, 2015;Darby & Williamson, 2012;Emmens et al., 2006;Richardson, 2006). There is a need to continually capture this knowledge so that it can be passed on through explicit means to other, less experienced workers, who in turn are able to internalise the knowledge and refine it in relation to the problems they might face.

CONCLUSION
This chapter has presented a discussion and critical comparison of communitybased and systems-based approaches to security risk management through the introduction of top-down and bottom-up knowledge acquisition. There is still some debate about how much knowledge elicited from academic experts, or security subject-matter experts, and practitioner experts, or the field workers themselves may converge or diverge. However, it is apparent that a more consistent approach needs to address the conflict between procedures and experience, help convert field experience into knowledge, and ultimately provide effective training that is relevant to those heading out into demanding work situations. Evidently it is not enough to argue for the 'ethical' strength of community-based approaches as promoted by ethnographers and indigenous researchers -ethics and method are intricately bound together in such an approach. It is equally unethical to neglect the organisational responsibilities and the duties of care organisations hold towards staff being placed in critical and risky situations. The security of both staff and at-risk populations depends upon correctly managing the balance between systems and communities.