Now that you have drawn the map of stakeholders in protection, determined the field forces, assessed your risk, recognised your strategies already in place, and established your global strategy, it should not be difficult to draft a security plan.

Security is complex and the combination of several factors. Some must always be present. Others can be added when needed. Together they constitute the security plan.

They need to be implemented at an individual, organisational and inter-organisational level.

How to proceed? Here is a process in just a few steps:

1 - Components of the plan. A security plan is aimed at reducing risk. It will therefore have at least three objectives, based on your risk assessment: - Reducing the level of threat you are experiencing; - Reducing your vulnerabilities; - Improving your capacities.

A security plan should include day-to-day policies, measures and protocols for managing specific situations. Day-to-day policy and measures for routine work

- Permanent advocacy, networking, codes of ethics, culture of security, security management, etc. - Permanent measures, to ensure that routine work is done in accordance with security standards

Specific situation protocols:

- Preventive protocols: for example on how to prepare a press conference or a visit to a remote area - Emergency protocols for reacting to specific problems, such as detention or disappearance.

The more day-to-day policies and measures that are implemented, the more the specific situation protocols will work.

Some examples:

- if a permanent set of policies and measures on information manage- ment is implemented, an office raid (emergency) will have less impact than where none existed - if a permanent set of policies and measures on public relations is implemented, an early warning triggered by an attack against a HR defender will be more likely to elicit a reaction from key stakeholders, achieving the objective set by the defender in the event of an attack.

To achieve the latter, the security plan will include permanent advocacy with duty-bearer and key stakeholders. It will need a permanent ethical behaviour policy operating in all aspects of the organisation’s work, as well as the individual/organisational/inter-organisational levels. - in the event of a detention, if a permanent plan is in place including policy on the ethical behaviour of individuals, then personal breaches of common law may reasonably be excluded as a cause and the emergency protocol can be implemented. Of course, common law infraction could be a pretext, but the organisation’s lawyer will know what to do. Furthermore, the detained defender will know that steps are being taken and can recite them to themselves almost to the actual timeline and try and stay calm (psychological impact), knowing that outside action has started. There is no need to challenge the authorities and expose oneself to more risk than what s/he is already undergoing.

• in case of field missions into dangerous areas, relevant key stakehold- ers will have been previously informed and will be on standby until the team comes back safely.

2 - Responsibilities and resources for implementing the plan. To ensure that the plan is implemented, security routines must be integrated into daily work activities: - Include context assessment and security factors routinely into your schedule - Register and analyse security incidents - Allocate responsibilities - Allocate resources, i.e. time and funds, for security.

3 - Drafting the plan - how to begin. If you have done a risk assessment for

a defender or organisation, you might have a long list of vulnerabilities, several

kinds of threats and a number of capacities. You can’t realistically cover every- thing at the same time. So where should you begin? It’s very easy:

• Select a few threats. Prioritise the threats you have listed, be they actual or potential, using one of these criteria: the most serious threat - clear death threats, for example; OR the most probable and serious threat - if organisations similar to yours have been attacked, that is a clear potential threat against you; OR the threat which corresponds most to your vulnerabilities - because you are more at risk due to that specific threat. - List your relevant vulnerabilities. These vulnerabilities should be addressed first, but remember that not all vulnerabilities correspond to all threats (see example below) - List your relevant capacities.

Example

of selection process leading to the drawing up of a security plan:

The leader of a defenders’ organisation (whether rural or urban) has received serious death threats. The organisation carries out the risk assessment of the threat and lists its vulnerabilities and capacities

In conclusion, the organisation decides to implement the following security measures: secure all cupboards, fit iron bars to protect the office windows, pur- chase new cell phones for the members most at risk and publicly decry the death threats.

In general, the point is to ask and demonstrate how each measure is going to contribute to reducing the specific risk (in other words, how it is going to increase the security related to the specific risk)?

So: how are all these measures going to actually reduce the specific death threat against the leader? (Of course, they might address the global security of the organisation but this is not the right time to deal with it).

Ask yourself: What is the likelihood of the death threat being carried out at the office knowing that there are people around? Does the leader need to be at the office to be killed? The threatened leader will not always be at the office. So, there are other many other vulnerabilities, such as leaving the office alone late at night, or travelling to isolated areas, ignoring security measures whilst at home...

Although securing cupboards is important, it will not reduce the threat and vul- nerabilities to the leader. The same goes for the iron bars on the windows. What could they do against a sniper and or a grenade?

How is a cell phone going to reduce that risk? (what can actually be done with a cell phone to prevent someone from killing the leader?)

It may be more useful to reduce the leader’s exposure while commuting from home to the office or at weekends. These are the vulnerabilities that need to be addressed first as they are far more relevant to such a threat.

If the process selection is correct and you are in a position to address the selected threats, vulnerabilities and capacities in your security plan, you can be reasonably be sure that you will be able to reduce your risk from the right starting point.

Please note that this is an ad hoc way of drafting a security plan. There are more “formal” ways to do it, but this method is straightforward and makes sure you take care of the most urgent security issues - provided your risk assessment is correct - and end up with a “live” and “real” plan at the end: that is the impor- tant part of security. (Please see the end of this Chapter for a detailed list of pos- sible security plan components which you can also use when assessing your risks.)