
Security management and duty of care audits


“We have greatly appreciated the way that Open Briefing has taken the time to really understand us and our needs. They are always very responsive to all our questions and inquiries, and provide above and beyond what we have contracted them to do.”
Judy McCallum, Executive Director, Life & Peace Institute

An evidence-based security management and duty of care audit from Open Briefing will:

  • Map your current security management system
  • Identify the gaps in your system in documentation and delivery
  • Develop an action plan to address weaknesses in the system
  • Help you meet your duty of care obligations

Open Briefing uses an adapted version of the Security Audit process developed by the European Interagency Security Forum (EISF) and extended with additional duty of care modules based on community best practice. We deliver a flexible and tailored approach to audits underpinned by our deep understanding of risk and international experience in NGOs large and small. The four stages of a security audit from Open Briefing are:

The audit process

Stage 1: Initiate

We will work with you to understand your needs and agree the most appropriate elements of security management and duty of care to audit your organisation against. From this we develop a system map consisting of the core modules, several optional modules and any custom-built modules across four themes: governance and accountability, resourcing, policies and procedures, and response and learning. Audits usually include the eight core modules and four optional modules (though further modules can be included at additional cost).

Note that the safeguarding and do no harm, wellbeing and resilience, and information security modules are high-level, security management related assessments, which will identify and trigger recommendations for dedicated audits in those areas if required.

System map

Within each of these modules sit between two and four components, each of which consists of a standard and several indicators of that standard being achieved. We have developed these standards and indicators from legal precedents and community good practice. These become the agreed building blocks for the audit of your organisation.

Stage 2: Assess

We will gather evidence for the audit from several sources, including:

  • Document review (policies, handbooks, etc.)
  • Workshops with risk owners and risk managers
  • Interviews with key stakeholders, including those who are risk exposed as well as partners, funders and other relevant parties
  • Online survey of all staff

Using a RAG traffic light system (see audit dashboard below), we will record whether you are meeting each indicator and each standard. We will do this for both intent and implementation, i.e. we will assess what is written down in policies and handbooks and assess what staff are actually doing.

Stage 3: Report

We will provide you with a detailed findings report and gap analysis, including summary audit dashboards for intent and implementation based on the agreed system reference map.

Example audit dashboard

We will clearly explain in non-technical language the changes that your organisation should make in order to meet the standards that we are auditing you against. This will include recommendations for policies and procedures, further audits, and staff training. We will also include a summary of the key threats and opportunities that your organisation faces with regard to security management and duty of care, and recognise those areas where your organisation is doing well.

Stage 4: Next steps

We will work with you to map out the next stages of developing a revised security risk management framework for your organisation and embedding it within your working practices and staff team. We can also provide additional support, such as a crisis management simulation, a retained security risk management consultant or ongoing training to ensure that your organisation stays secure and continues to meet its duty of care obligations.

A security audit will usually take several weeks to complete, but it varies depending on the size and complexity of the organisation being audited. Please contact us to discuss your needs.

“Yes, they are skilled, competent and help you think in new ways; but expertise alone isn’t what creates change. Open Briefing built positive and engaging relationships between our staff, our leadership and themselves. We felt comfortable in engaging, asking questions, making mistakes and figuring things out together. I want this experience for every organisation. Thank you Open Briefing.”
Gus Hosein, Executive Director, Privacy International


Open Briefing is a certified social enterprise and a member of the International NGO Safety and Security Association and CIVICUS