Internal controls and risk management

Counterterrorism & risk management frameworks

Internal controls are key elements of risk management frameworks. They include processes to assess, mitigate and monitor risks. Organisations can embed internal controls throughout the programme cycle and as part of their overall governance structures and reporting systems.

Internal control systems can be characterised as follows:

  • Preventive: measures such as anti-diversion policies to ensure aid reaches its intended beneficiaries.  
  • Corrective: measures such as internal checks to establish whether counterterrorism-related risks have arisen during the programme cycle.
  • Directive: measures such as counterterrorism policies that give staff clear guidance and establish red lines in relation to counterterrorism risks.
  • Detective: monitoring measures such as spot checks to review whether staff have complied with counterterrorism requirements.

The following section examines various internal controls and approaches to the management of risks associated with counterterrorism measures. It includes the following components:

Developing a counterterrorism policy

Counterterrorism policies are intended to ensure that staff comply with relevant counterterrorism measures while maintaining adherence to the humanitarian principles. They can articulate an organisation’s mandate, and reiterate its commitment to the humanitarian principles, International Humanitarian Law (IHL) and other laws and measures. They may include an overview of the measures the organisation has put in place to address concerns about the diversion of humanitarian assistance, including to designated terrorist groups (DTGs). See an example counterterrorism policy here.

Developing a counterterrorism policy

Who is responsible for developing a counterterrorism policy?

  • A member of senior management should be the focal point for managing this undertaking
  • Departments at headquarters and the field level should be tasked with providing inputs to the draft policy and reviewing it
  • Inputs from a legal adviser should be sought

What is included in a counterterrorism policy?

  • The principles and mandate to which the organisation is committed
  • An overview of the laws that bind the organisation, which may include IHL, domestic laws in the countries where it is registered and operates, and sanctions
  • The principles and commitments of staff members, such as ethical behaviour and anti-diversion
  • An overview of the measures the organisation has in place to provide principled humanitarian assistance, such as robust project cycle management (PCM), codes of conduct with oversight mechanisms, anti-corruption procedures, financial and procurement controls and procedures for the selection of partners and staff
  • A statement of red lines that if crossed would constitute a breach of the policy

How are counterterrorism policies developed and implemented?

  • The policy should be developed in a consultative, collaborative process to ensure it addresses the main issues that staff confront and guarantees buy-in and acceptance among staff members
  • A robust roll-out plan should be established, which includes awareness raising and staff training on how to adhere to the policy
  • Staff should be provided with written guidance on the policy in an accompanying explanatory note that gives further detail of due diligence procedures, relevant handbooks and SOPs
  • Focal points to whom staff can turn with questions or to seek advice when dilemmas arise should be identified
  • Control and oversight mechanisms, such as a reporting mechanism for violation of the policy, should be developed

How often are counterterrorism policies revised?

  • Authoritative statements of principles and ethics, signed and endorsed by senior management, should generally not be revised
  • Other policy elements may need to be revised as counterterrorism measures evolve and their impact on principled humanitarian action changes

Developing an NSAG engagement policy

Non-state armed groups (NSAGs) are present in most contemporary armed conflicts. In some contexts, NSAGs are designated as terrorist groups by the UN, the EU or by host or donor governments. Humanitarian organisations may engage with NSAGs, regardless of whether they are DTGs, for various purposes, including to negotiate access to populations in need of assistance. 

To manage risks related to engagement with NSAGs who may be designated terrorist groups (DTGs), some humanitarian organisations have developed policies for NSAG engagement that consider counterterrorism measures. These policies can help avoid the transfer of risk onto field-based staff by ensuring that staff have clear organisational guidance and support when engaging with these groups. 

NSAG engagement policies should consider three specific kinds of counterterrorism measures: counterterrorism clauses in grant agreements, the potential criminalisation of humanitarian action, and sanctions. See an example NSAG engagement policy considering counterterrorism risks here.

This content was developed in collaboration with Geneva Call. Geneva Call is a humanitarian organisation working to improve the protection of civilians in armed conflict. Geneva Call engages NSAGs to encourage them to comply with the rules of war. More information about the organisation’s work can be found here.

Developing an NSAG engagement policy that considers counterterrorism issues

Rationale and internal considerations

  • What is the purpose of the organisation’s engagement with NSAGs? For example, an organisation that delivers humanitarian assistance may be concerned about indirect terrorist financing or violation of sanctions regimes, while an organisation working to promote IHL may be more concerned about the impact of material support laws on their work.
  • How does the organisation safeguard the humanitarian principles in its engagement with NSAGs? How might the principles be challenged during engagement with NSAGs? For example, is there a risk to the organisation’s independence through potential interference in beneficiary selection?
  • What are the red lines in the engagement? Under what conditions would the organisation consider discontinuing engagement?
  • What are the possible reputational risks for the organisation engaging with NSAGs? How can these risks be mitigated and managed?
  • Do internal policies and procedures account for risks to staff emanating from national and international legislation? What are the potential consequences if the organisation engages with an NSAG that is designated as terrorist by the host government, on both its operations and its staff? What are the consequences if the organisation does not engage?
  • Does the organisation track which staff members are negotiating with NSAGs? How does the organisation document negotiations processes? How is relevant data and information stored and protected?

Counterterrorism clauses in grant agreements

  • Do the organisation’s grant agreements include clauses that prohibit using funds for NSAG engagement for general or specific purposes? Do relevant donors require due diligence steps during such engagement? If necessary, clarification or guidance should be sought internally. Refer to this document for more guidance on reviewing counterterrorism clauses in grant agreements.


Sanctions

  • Is the NSAG designated as terrorist by the UN Security Council (UNSC), the EU or by individual states, such as the United States, or by the host government? Are high profile members or leaders of the NSAG designated under any of these regimes? It is also worth considering whether the group or its members are sanctioned by regimes that are not necessarily counterterrorism-related, as regardless of their objectives, sanctions can impact the broader legal and policy environment for a humanitarian organisation’s engagement.
  • If the answer to either of the above questions is yes:
    > What is the scope of the sanctions and how may they impact the organisation’s operations? Sanction regimes generally do not prohibit contact with DTGs, but asset freezes may require that organisations ensure that funds or dual-use goods are not made available to these groups.
    > Are there any exemptions in the sanction regime or is there a possibility to apply for a license? Exemptions normally require approval by the authority in charge of implementing the sanctions.
    > What are the consequences for violating sanctions regimes for the organisation and for staff members?
    > If staff members have questions about relevant sanctions regimes, who should they approach internally for support and guidance?

Criminalisation of humanitarian action

  • Has the organisation identified and mapped how the organisation and staff could be impacted by relevant criminal laws related to counterterrorism? Local staff members may be particularly exposed to risks related to host-country counterterrorism legislation. The following elements should be considered in such a mapping:
    > The national legislation of the host state, the state of registration of the organisation, the states of nationality of staff, donor states and third states with broad extraterritorial offences.
    > The jurisdictional links required. For example, is there a requirement for a link of nationality of staff, or of registration of the organisation?
    > The typical offences that could lead to the potential criminal responsibility of staff include the following: prohibition of indirect financing of terrorism, material support laws, designated area offences that prohibit presence in areas of designated terrorist activity and the prohibition of broad forms of association with DTGs.

Due diligence

Due diligence encompasses a range of activities undertaken to ensure that humanitarian assistance reaches affected populations. When entering into an agreement or contract with another party, such as an implementing partner, due diligence includes assessing the robustness of its systems and its ability to carry out the relevant activities within the limits of an organisation’s acceptable level of risk. 

Due diligence can involve both internal and external-facing policies and measures designed to obtain assurance of a potential partner’s capacity and capability to deliver assistance and to comply with donor requirements, including those related to counterterrorism.  Reviewing a potential partner’s policies, systems, processes and past performance can lead to a more informed partnership that identifies, accounts for, and takes the appropriate measures to mitigate risks. A partnership assessment checklist could help guide an organisation’s decision on whether to pursue a potential partnership.  

Conducting due diligence with prospective partners

What is the purpose of conducting partner due diligence?

  • Explore opportunities for working together and identify areas for cooperation in the delivery of humanitarian programmes
  • Ensure a possible partner organisation has effective systems and operational procedures in place
  • Understand the acceptability and reputation of the partner with communities and local authorities
  • Assess whether a potential partner poses a financial, reputational or programmatic risk to an organisation’s operations and/or a protection risk for beneficiaries
  • Confirm that the partner is not listed in any excluded party list due to linkages with criminal or political activity, terrorism or diversion of funds
  • Confirm that the partner has the internal capacity to comply with all clauses influencing and included in any possible agreement, including those related to counterterrorism

What areas could a partner due diligence assessment cover?

  • Areas covered in a due diligence assessment will vary based on the specific situation, needs and context. Some of the domains to consider reviewing in a partnership due diligence assessment include:
    > Basic background and history
    > Mission and values
    > Governance
    > External engagement, influence, and reputation
    > Organisational capacity
    > Operational capacity
    > Financial capacity
    > Logistical capacity

What can an organisation examine to determine if a prospective partner’s values are in line with its own?

  • Human resources policies and codes of conduct
  • Preventing Sexual Exploitation and Abuse (PSEA), criminal, and unethical activity policies
  • Corruption and conflict of interest policies
  • Counterterrorism policies and procedures
  • Stated commitments to the humanitarian principles and a do-no-harm approach

How can an organisation implement due diligence policies and practices?

  • Organisations can conduct due diligence assessments with the prospective partner by collecting information directly
  • Organisations can collect information from other sources (e.g. other organisations that work with the prospective partner)
  • Organisations can request that a prospective partner complete a self-assessment; this should be used in tandem with the organisation’s own due diligence assessment

Human resources policies

Humanitarian organisations should ensure they institute human resources policies, including transparent and fair recruitment protocols, and communicate these clearly to staff. Human resources policies are a key part of organisation-wide risk management approaches and, as such, can help mitigate counterterrorism-related risks and reassure donors. Human resources policies include rules for recruiting, training, appraising, remunerating, disciplining and dismissing staff. Humanitarian organisations frequently include them in staff contracts as a legally binding set of obligations that both parties are expected to observe.  

Codes of conduct are another important element of human resources policies. Codes of conduct establish standards of behaviour for an organisation and its staff. They commonly reflect a commitment to the humanitarian principles, mitigating the likelihood of compromising them.

Codes of conduct are non-binding, but they are often included in staff contracts, in which case they become a set of obligations that must be observed. Some organisations provide training and written guidance to staff on how to put their codes of conduct into practice. Codes of conduct may also include control and oversight mechanisms, such as disciplinary proceedings and whistle-blowing facilities.

Reviewing and developing human resources policies

What should be considered when reviewing or developing human resources policies?

  • Recruitment: Do the human resources policy and the recruitment procedures it governs ensure the most suitable and best-qualified candidates are selected, having undergone reference and employment verification and other checks?
  • Staff development: Does the human resources policy stipulate a plan to develop staff members’ skills and improve the knowledge they require to do their job and progress in the organisation?
  • Discipline: Does the policy establish clear procedures and rules for censuring staff members who violate the organisation’s rules and regulations?
  • Appraisals: Does the policy detail how and how often such assessments take place?
  • Duty of care: What steps does the organisation take to ensure the health, safety and wellbeing of staff?

Who is responsible for human resources policies?

  • Senior management, in consultation with the human resources department, is responsible for developing, reviewing and ensuring implementation of human resources policies
  • The legal department should also be consulted during their development

What should an organisation consider when implementing human resources policies?

  • How to recruit, dismiss, remunerate, train and appraise staff
  • How to develop a staff member’s skills for their role
  • How to discipline staff members for violations of the organisation’s policies

How can an organisation implement human resources policies?

  • Human resources policies should be clearly communicated to all staff
  • Relevant training should be available to staff
  • A confidential complaints or feedback mechanism should be put in place

How often are human resources policies revised?

  • There is no set schedule for doing so, but many organisations revise their human resources policies periodically or during a change in the organisation’s circumstances

Anti-diversion policies

Humanitarian organisations have anti-diversion policies to mitigate the likelihood of assistance being diverted from affected populations. They may include:

  • Measures to limit the likelihood of fraud and corruption
  • Procedures to regulate financial management
  • Guidance on access negotiations
  • Measures to reinforce an organisation’s policies in areas such as training, information sharing, disciplinary investigations and monitoring

Reviewing and developing anti-diversion policies and practices

What should a review include?

  • There are no standardised anti-diversion policies, but they tend to address:
    > Fraud: Deception, for example by falsifying records to exaggerate the number of staff employed or beneficiaries covered by a project, to result in financial or personal gain
    > Embezzlement: The misappropriation of goods or funds for financial or personal gain
    > Corruption: Dishonest or fraudulent conduct by those in power, typically involving bribery; the aim of anti-corruption policies, including those on whistleblowers, is to ensure staff act ethically
    > Money laundering: The concealment of the origin of money obtained from criminal, terrorist or other illegal activities
    > Access: The methods by which an organisation engages with armed groups and negotiates humanitarian access

Who is responsible for developing and reviewing anti-diversion policies and practices?

  • Overall responsibility lies with senior management, which should assign responsibility to the relevant departments for implementing practices related to staff training, producing written guidance and carrying out control mechanisms such as audits
  • Field staff have a key role to play in the development of anti-diversion policies and practices, and should be consulted to ensure they are relevant and realistic
  • The legal department should also be consulted

What content should an anti-diversion policy include?

  • A statement of principles and definition of terms
  • Procedures for preventing diversion: standardising and maintaining bank records; standardising accounting practices, such as account codes and donor codes; classifying costs, for example as direct or indirect; ensuring internal controls, including the segregation of duties between staff responsible for procurement, finance, disbursing cash, payroll and liquidations; and financial reporting requirements

How are anti-diversion policies and practices implemented?

  • All staff should receive training on the organisation’s anti-diversion policies
  • All staff should receive written guidance on implementation
  • Control and oversight mechanisms, such as audits, spot checks and regular reports, should be put into place

How often are anti-diversion policies and practices revised?

  • There is no set schedule for doing so, but many organisations revise their anti-diversion policies every few years or if they are found to no longer be fit for purpose

M&E frameworks

Counterterrorism and M&E

Monitoring and evaluation (M&E) serves two purposes for humanitarian organisations. It provides the basis for learning and programme improvement, and it establishes evidence to meet internal and donor-related documentation and reporting requirements. 

Humanitarian organisations should pursue three M&E strategies to mitigate counterterrorism-related risks:

Counterterrorism risks often arise in situations where humanitarian access is already constrained because of the presence of NSAGs who are DTGs. In situations of constrained access, M&E processes may be imperfect and there is a risk that some data may not be accurate. An accurate assessment of the quality of M&E processes helps to determine how successful an organisation has been in using them to mitigate the risk that resources are diverted to DTGs.

A tool such as the M&E minimum standards can help measure the quality of M&E processes objectively. The minimum standards also provide a concrete way of communicating M&E risks to donors to ensure that all parties are aware of them before a project is implemented.

M&E quality is an important consideration during programme criticality decision making. If the M&E minimum standards indicate that M&E processes will be weak, management should take a programme criticality decision to weigh the potential humanitarian results of the intervention against the associated obstacles and risks, in this case to decide whether it is worth implementing the project if little or no data on its outcomes will be available.

Developing and implementing M&E systems

Do all projects have the following elements of an M&E system?

  • Results framework: This is a cause-and-effect explanation of a project that predicts how activities and inputs will contribute to the objectives of the intervention. It should include indicators the project will measure to test key assumptions.
  • Indicator matrix and monitoring tools:  The former defines each indicator and stipulates how and when it will be measured.  The latter are the questionnaires or other tools used to collect monitoring data.
  • Monitoring: The use of the tools and methods described in the indicator matrix to collect and analyse data and determine performance.
  • M&E information management: A system to ensure M&E data is maintained and accessible. Such a system may include a results database where indicator performance is tracked; a filing system for reports, distribution lists, photographs and other documents; and a case management database to track beneficiary engagement.  An information management system can support an organisation’s assertion that it knows who received assistance.
  • Evaluation plan: Evaluations look at a programme’s longer-term outcomes and impact. All programmes should have an evaluation plan, including a timeframe for evaluations, and their scope, purpose and funding sources.
  • Staff: M&E requires enumerators to conduct interviews and collect data among the targeted communities; analysts to convert the raw monitoring data into indicator results and set them in a meaningful context; and management to be accountable for reporting requirements and use of the indicator results to improve programme design. Enumerators and analysts may be dedicated M&E staff or drawn from programme teams.  

What strategies exist to mitigate concerns about M&E quality in areas where counterterrorism risks are a concern?

  • Contribution analysis: If it is not possible to measure certain high-level indicators directly, a set of testable logical statements could be developed that demonstrate the programme’s contribution to them. If, for example, an organisation purchases tents and distributes them to people who do not have shelter, and those people use the tents, it can reasonably conclude that the tents have made a positive contribution to protecting the recipients from the elements. Contribution analysis requires a carefully thought-out results framework. Read more about contribution analysis here.
  • Triangulation: Using various sources of data about the same indicator reduces the risk of poor quality and potentially misleading data. Photographs of aid distributions help to triangulate beneficiary lists, for example, and focus groups can be used to triangulate outcome indicator surveys. 
  • Sample size and randomisation: The careful selection of respondents can produce data and analysis that can be extrapolated to apply to all beneficiaries. Samples need to be sufficiently large, and all beneficiaries must have an equal chance of being included in them. Investing in rigorous and robust sampling methods will greatly increase the quality of M&E data. Read more about sampling here.
  • Mobile data capture: If enumerators capture data on a mobile device rather than on paper, records can be time, date and location stamped. This information allows supervisors to confirm that sampling methods were properly implemented and identify other data quality issues. There is also less risk of transcription errors or manipulation because the data-entry step from paper to digital is eliminated. KoBoToolbox is a mobile data capture platform in use among some humanitarian organisations and offers many data capture tutorials.
  • Supervision: Remotely managed programmes require more supervision, particularly to ensure M&E quality. Supervisors are needed to oversee data collection, clean data and ensure reporting and results make sense. This means investing in more staff hours and more dedicated staff to review reports and data from the field.
  • Feedback mechanism: This provides a way for beneficiaries to submit independent comments on programme performance. Feedback mechanisms are difficult to put in place in areas where access is constrained, but when they can be implemented, they are a powerful way of learning about programme quality and triangulating M&E results. Read more about this in this paper from ALNAP.
  • “Independent” monitoring: Bias is always a concern, and a genuinely objective assessment of project performance can be useful. True independence, however, can be difficult to achieve, particularly in areas where access is constrained. Focusing on independence or engaging independent monitors may simply exchange one set of biases that are easier to anticipate for another that is harder to quantify.

PCM and counterterrorism risks

PCM guidelines can form one component of a risk management framework for addressing counterterrorism issues, helping organisations to identify, evaluate and mitigate potential risks effectively throughout the different PCM phases. 

This practical guide to PCM and counterterrorism risks draws on content from this toolkit. It outlines the origin and impact of counterterrorism measures and proposes actions for humanitarian organisations to consider throughout the programme cycle to help identify, manage and mitigate counterterrorism-related risks.