Internal controls and risk management
Counterterrorism & risk management frameworks

Internal controls are key elements of risk management frameworks. They include processes to assess, mitigate and monitor risks. Organisations can embed internal controls throughout the programme cycle and as part of their overall governance structures and reporting systems.
Internal control systems can be characterised as follows:
- Preventive: measures such as anti-diversion policies to ensure aid reaches its intended beneficiaries.
- Corrective: measures such as internal checks to establish whether counterterrorism-related risks have arisen during the programme cycle.
- Directive: measures such as counterterrorism policies that give staff clear guidance and establish red lines in relation to counterterrorism risks.
- Detective: monitoring measures such as spot checks to review whether staff have complied with counterterrorism requirements.
The following section examines various internal controls and approaches to the management of risks associated with counterterrorism measures. It includes the following components:
Developing a counterterrorism policy
Counterterrorism policies are intended to ensure that staff comply with relevant counterterrorism measures while maintaining adherence to the humanitarian principles. They can articulate an organisation’s mandate, and reiterate its commitment to the humanitarian principles, International Humanitarian Law (IHL) and other laws and measures. They may include an overview of the measures the organisation has put in place to address concerns about the diversion of humanitarian assistance, including to designated terrorist groups (DTGs). See an example counterterrorism policy here.

English: Example counterterrorism policy
Arabic: Example counterterrorism policy
French: Example counterterrorism policy
Developing a counterterrorism policy
Who is responsible for developing a counterterrorism policy?
- A member of senior management should be the focal point for managing this undertaking
- Departments at headquarters and the field level should be tasked with providing inputs to the draft policy and reviewing it
- Inputs from a legal adviser should be sought
What is included in a counterterrorism policy?
How are counterterrorism policies developed and implemented?
How often are counterterrorism policies revised?
Developing an NSAG engagement policy
Non-state armed groups (NSAGs) are present in most contemporary armed conflicts. In some contexts, NSAGs are designated as terrorist groups by the UN, the EU or by host or donor governments. Humanitarian organisations may engage with NSAGs, regardless of whether they are DTGs, for various purposes, including to negotiate access to populations in need of assistance.
To manage risks related to engagement with NSAGs who may be designated terrorist groups (DTGs), some humanitarian organisations have developed policies for NSAG engagement that consider counterterrorism measures. These policies can help avoid the transfer of risk onto field-based staff by ensuring that staff have clear organisational guidance and support when engaging with these groups.
NSAG engagement policies should consider three specific kinds of counterterrorism measures: counterterrorism clauses in grant agreements, the potential criminalisation of humanitarian action, and sanctions. See an example NSAG engagement policy considering counterterrorism risks here.
This content was developed in collaboration with Geneva Call. Geneva Call is a humanitarian organization working to improve the protection of civilians in armed conflict. Geneva Call engages NSAGs to encourage them to comply with the rules of war. More information about the organisation’s work can be found here.
Developing an NSAG engagement policy that considers counterterrorism issues
Rationale and internal considerations
- What is the purpose of the organisation’s engagement with NSAGs? For example, an organisation that delivers humanitarian assistance may be concerned about indirect terrorist financing or violation of sanctions regimes, while an organisation working to promote IHL may be more concerned about the impact of material support laws on their work.
- How does the organisation safeguard the humanitarian principles in its engagement with NSAGs? How might the principles be challenged during engagement with NSAGs? For example, is there a risk to the organisation’s independence through potential interference in beneficiary selection?
- What are the red lines in the engagement? Under what conditions would the organisation consider discontinuing engagement?
- What are the possible reputational risks for the organisation engaging with NSAGs? How can these risks be mitigated and managed?
- Do internal policies and procedures account for risks to staff emanating from national and international legislation? What are the potential consequences if the organisation engages with an NSAG that is designated as terrorist by the host government, on both its operations and its staff? What are the consequences if the organisation does not engage?
- Does the organisation track which staff members are negotiating with NSAGs? How does the organisation document negotiation processes? How are relevant data and information stored and protected?
Counterterrorism clauses in grant agreements
Sanctions
Criminalisation of humanitarian action
Due diligence
Due diligence encompasses a range of activities undertaken to ensure that humanitarian assistance reaches affected populations. When entering into an agreement or contract with another party, such as an implementing partner, due diligence includes assessing the robustness of its systems and its ability to carry out the relevant activities within the limits of an organisation’s acceptable level of risk.
Due diligence can involve both internal and external-facing policies and measures designed to obtain assurance of a potential partner’s capacity and capability to deliver assistance and to comply with donor requirements, including those related to counterterrorism. Reviewing a potential partner’s policies, systems, processes and past performance can lead to a more informed partnership that identifies, accounts for, and takes the appropriate measures to mitigate risks. A partnership assessment checklist could help guide an organisation’s decision on whether to pursue a potential partnership.
Conducting due diligence with prospective partners
What is the purpose of conducting partner due diligence?
- Explore opportunities for working together and identify areas for cooperation in the delivery of humanitarian programs
- Ensure a possible partner organisation has effective systems and operational procedures in place
- Understand the acceptability and reputation of the partner with communities and local authorities
- Assess whether a potential partner poses a financial, reputational or programmatic risk to an organisation’s operations and/or a protection risk for beneficiaries
- Confirm that the partner is not listed in any excluded party list due to linkages with criminal or political activity, terrorism or diversion of funds
- Confirm that the partner has the internal capacity to comply with all clauses influencing and included in any possible agreement, including those related to counterterrorism
What areas could a partner due diligence assessment cover?
What can an organisation examine to determine if a prospective partner’s values are in line with its own?
How can an organisation implement due diligence policies and practices?
Human resources policies
Humanitarian organisations should ensure they institute human resources policies, including transparent and fair recruitment protocols, and communicate these clearly to staff. Human resources policies are a key part of organisation-wide risk management approaches and, as such, can help mitigate counterterrorism-related risks and reassure donors. Human resources policies include rules for recruiting, training, appraising, remunerating, disciplining and dismissing staff. Humanitarian organisations frequently include them in staff contracts as a legally binding set of obligations that both parties are expected to observe.
Codes of conduct are another important element of human resources policies. Codes of conduct establish standards of behaviour for an organisation and its staff. They commonly reflect a commitment to the humanitarian principles, mitigating the likelihood of compromising them.
Codes of conduct are non-binding, but they are often included in staff contracts, in which case they become a set of obligations that must be observed. Some organisations provide training and written guidance to staff on how to put their codes of conduct into practice. Codes of conduct may also include control and oversight mechanisms, such as disciplinary proceedings and whistle-blowing facilities.
Reviewing and developing human resources policies
What should be considered when reviewing or developing human resources policies?
- Recruitment: Do the human resources policy and the recruitment procedures it governs ensure the most suitable and best-qualified candidates are selected, having undergone reference and employment verification and other checks?
- Staff development: Does the human resources policy stipulate a plan to develop staff members’ skills and improve the knowledge they require to do their job and progress in the organisation?
- Discipline: Does the policy establish clear procedures and rules for censuring staff members who violate the organisation’s rules and regulations?
- Appraisals: Does the policy detail how and how often such assessments take place?
- Duty of care: What steps does the organisation take to ensure the health, safety and wellbeing of staff?
Who is responsible for human resources policies?
What should an organisation consider when implementing human resources policies?
How can an organisation implement human resources policies?
How often are human resources policies revised?
Anti-diversion policies
Humanitarian organisations have anti-diversion policies to mitigate the likelihood of assistance being diverted from affected populations. They may include:
- Measures to limit the likelihood of fraud and corruption
- Procedures to regulate financial management
- Guidance on access negotiations
- Measures to reinforce an organisation’s policies in areas such as training, information sharing, disciplinary investigations and monitoring
Reviewing and developing anti-diversion policies and practices
What should a review include?
- There are no standardised anti-diversion policies, but they tend to address:
> Fraud: Deception, for example by falsifying records to exaggerate the number of staff employed or beneficiaries covered by a project, to result in financial or personal gain
> Embezzlement: The misappropriation of goods or funds for financial or personal gain
> Corruption: Dishonest or fraudulent conduct by those in power, typically involving bribery; the aim of anti-corruption policies, including those on whistleblowers, is to ensure staff act ethically
> Money laundering: The concealment of the origin of money obtained from criminal, terrorist or other illegal activities
> Access: The methods by which an organisation engages with armed groups and negotiates humanitarian access
Who is responsible for developing and reviewing anti-diversion policies and practices?
What content should an anti-diversion policy include?
How are anti-diversion policies and practices implemented?
How often are anti-diversion policies and practices revised?
M&E frameworks
Counterterrorism and M&E
Monitoring and evaluation (M&E) serves two purposes for humanitarian organisations. It provides the basis for learning and programme improvement, and it establishes evidence to meet internal and donor-related documentation and reporting requirements.
Humanitarian organisations should pursue three M&E strategies to mitigate counterterrorism-related risks:
- Implement the best M&E system possible in the given context
- Ensure transparency regarding the quality of M&E that is feasible
- Take considered programme criticality decisions where M&E evidence is absent or weak
Counterterrorism risks often arise in situations where humanitarian access is already constrained because of the presence of NSAGs who are DTGs. In situations of constrained access, M&E processes may be imperfect and there is a risk that some data may not be accurate. An accurate assessment of the quality of M&E processes helps to determine how successful an organisation has been in using them to mitigate the risk that resources are diverted to DTGs.
A tool such as the M&E minimum standards can help measure the quality of M&E processes objectively. The minimum standards also provide a concrete way of communicating M&E risks to donors to ensure that all parties are aware of them before a project is implemented.

M&E quality is an important consideration during programme criticality decision making. If the M&E minimum standards indicate that M&E processes will be weak, management should take a programme criticality decision to weigh the potential humanitarian results of the intervention against the associated obstacles and risks, in this case to decide whether it is worth implementing the project if little or no data on its outcomes will be available.
Developing and implementing M&E systems
Do all projects have the following elements of an M&E system?
- Results framework: This is a cause-and-effect explanation of a project that predicts how activities and inputs will contribute to the objectives of the intervention. It should include indicators the project will measure to test key assumptions.
- Indicator matrix and monitoring tools: The former defines each indicator and stipulates how and when it will be measured. The latter are the questionnaires or other tools used to collect monitoring data.
- Monitoring: The use of the tools and methods described in the indicator matrix to collect and analyse data and determine performance.
- M&E information management: A system to ensure M&E data is maintained and accessible. Such a system may include a results database where indicator performance is tracked; a filing system for reports, distribution lists, photographs and other documents; and a case management database to track beneficiary engagement. An information management system can support an organisation’s assertion that it knows who received assistance.
- Evaluation plan: Evaluations look at a programme’s longer-term outcomes and impact. All programmes should have an evaluation plan, including a timeframe for evaluations, and their scope, purpose and funding sources.
- Staff: M&E requires enumerators to conduct interviews and collect data among the targeted communities; analysts to convert the raw monitoring data into indicator results and set them in a meaningful context; and management to be accountable for reporting requirements and use of the indicator results to improve programme design. Enumerators and analysts may be dedicated M&E staff or drawn from programme teams.
What strategies exist to mitigate concerns about M&E quality in areas where counterterrorism risks are a concern?
PCM and counterterrorism risks
PCM guidelines can form one component of a risk management framework for addressing counterterrorism issues, helping organisations to identify, evaluate and mitigate potential risks effectively throughout the different PCM phases.
This practical guide to PCM and counterterrorism risks draws on content from this toolkit. It outlines the origin and impact of counterterrorism measures and proposes actions for humanitarian organisations to consider throughout the programme cycle to help identify, manage and mitigate counterterrorism-related risks.