Operating with Uncertainty - Contingency Planning and Security Risk Mitigation

Published on: Sun Jun 01 2025 by Ivar Strand

Operating with Uncertainty: Integrating Contingency Planning and Security Risk Mitigation

Introduction

In fragile and conflict-affected states, security is not a static condition but a primary operational variable. For organisations engaged in monitoring, evaluation, or program implementation, any plan that treats the security environment as a fixed constant is designed for failure. The Duty of Care owed to staff, partners, and communities requires a more robust approach.

The central challenge is to move beyond static security protocols and embed a dynamic process of risk mitigation and contingency planning into the core of operational design. The objective is not merely to create a plan for evacuations, but to establish a system that allows operations to adapt, scale down, or pause safely and predictably as the threat landscape evolves. This paper outlines a framework for achieving this integration.

The Flaw in Static Security Models

The conventional approach to security planning in many organisations suffers from several structural flaws. It often separates security from programming and treats risk as a simple binary, leading to operational rigidity.

• The “Go/No-Go” Fallacy. Many operational plans are built around a binary “go/no-go” decision. This fails to reflect the reality on the ground, which is almost always a spectrum of varying risk levels. The operative question is rarely “Can we go?” but rather “Under what specific conditions and with what mitigating measures can we operate effectively and safely?”.
• The Siloed Function. Security is frequently handled as a function separate from programme design and implementation. This is a fundamental error. A security incident—such as the closing of a key transport route or an outbreak of violence—is a programmatic incident. It directly impacts data collection, stakeholder engagement, and the achievement of objectives. Security risk is, therefore, an integral subset of programmatic risk. For us, it is a core management function.
• The Plan as a Static Document. A detailed security plan, printed and placed in a binder, can become obsolete within weeks of its writing. The value lies not in the document itself, but in the living process of continuous risk assessment, scenario planning, and adaptation.

A Framework for Adaptive Operations

A more resilient approach builds contingency planning into the operational architecture from the outset. It treats security as a managed variable rather than an uncontrollable external factor. At Abyrint, we advocate for a system built on a clear, logical progression.

1. Continuous Threat Analysis. A one-time risk assessment is insufficient. The foundation of this framework is a continuous, structured process of monitoring specific, pre-defined indicators. These can range from political developments and social media sentiment to commodity prices and the movement patterns of armed groups. This provides a live, evolving picture of the threat landscape.

2. Pre-Defined Operational Modalities. Rather than a single operational plan, the team designs a spectrum of operational “modalities” or “postures,” each corresponding to a different level of threat. This allows for a predictable, graduated response. A typical set of modalities might include:

   • Modality 1: Permissive. Standard operations with full movement as planned.
   • Modality 2: Constrained. Operations continue but are restricted to secure locations or specific travel corridors, potentially with a reduced team footprint.
   • Modality 3: Remote. Field movement is suspended. All monitoring and engagement shift to remote methods, such as secure phone calls with a network of trusted key informants.
   • Modality 4: Hibernation. All programmatic activity is paused. The focus shifts entirely to the safety of staff and the security of assets, pending an improvement in the environment.

3. Establishing Clear Triggers. The power of the modality system lies in its triggers. Each shift from one modality to another must be prompted by a pre-agreed, observable event. For example, “A credible report of inter-communal violence in a target district will trigger an immediate shift to Modality 3 for that area.” This removes ambiguity and reduces the burden of subjective decision-making during a crisis. The relationship between threats, triggers, and modalities can be codified in a simple matrix.

   This is best visualized in an Exhibit A: The Modality and Trigger Matrix.

4. Advance Logistical and Communications Planning. For each modality to be viable, its logistical and communications requirements must be planned in advance. This includes ensuring access to appropriate vehicles, pre-positioning supplies, and establishing redundant communication systems (e.g., satellite phones) that are tested regularly. This preparation is what enables a swift and orderly transition between modalities.

From Risk Aversion to Risk Management

Integrating contingency planning directly into operational design fundamentally changes an organisation’s posture. It facilitates a shift from simple risk aversion—which often leads to a full stop of activities at the first sign of trouble—to active risk management. This approach allows an organisation to continue its vital work in challenging environments, not by ignoring the risks, but by understanding, anticipating, and mitigating them in a structured manner.

This system is the practical application of the Duty of Care. It provides teams with clarity, reduces anxiety, and builds the institutional resilience needed to operate effectively and responsibly where it matters most. It transforms security from a barrier to entry into a managed function that enables operational continuity.