TNI regularly assesses legal; security; financial; reputational; and operational risks. Overall risks are assessed annually in terms of probability and severity of impact and improved mitigation measures put in place where necessary. An inventory is under development, which will provide the organisation with a comprehensive matrix for monitoring purposes.
Below the key risks addressed in 2019, and identified for 2020 are discussed.
An important risk identified for 2020 is the outbreak of the Covid-19 pandemic. Measures taken to ensure the safety of staff include the closing of the office, allowing staff to work from home, and arranging regular online team and staff meetings until it is officially deemed safe to reopen the office. There are also risks associated with lock-downs during the Corona crisis, whereby most people work from home and often outside of secured computer network systems. Efforts to ensure cyber security awareness continued to mitigate breaches (see more on cyber security below).
In preparation for the reopening of the office, plans have been made to minimize contact risk. These include allowing those who need to travel by public transport or who feel particularly vulnerable or who suspect they may be infected to continue working from home until it is safe to return; arranging shifts to ensure not too many people are in the office at the same time; the provision of appropriate equipment, such as shields between desks, the availability of sanitisers, gloves and masks; and agreement on safety protocols.
No travel or physical events are foreseen for 2020, with most activities going online where possible, or otherwise postponed. All programmes will revise plans and budgets accordingly, in discussion with partners and funders as required. Every effort will be made to minimize the financial impact on TNI, its staff including freelancers, and its partners.
There is some anticipation that the subsequent economic crisis may impact on funders, particularly private foundations that rely on invested capital. Mitigation strategies include diversifying the funding base.
Security and safety
Security and safety remains a key risk to monitor in 2020. There is acute awareness of the growing climate of repression against progressive activists discernible across the world, including against partner organizations. Key risk mitigation measures put in place in this regard in 2019 are elaborated below.
Our Myanmar programme involves people from conflict zones in a deteriorating political context. In 2019, a thorough matrix of risks was developed, which is assessed and updated annually for probability and severity, and includes considered mitigation strategies. Mitigation strategies followed in 2019, for example, included moving meetings to neighbouring countries for the safety of participants. In 2020, local staff will be required to fill in risk assessments for each activity organized.
Data security and safe comunications
A comprehensive Information & Communication Technology (ICT) policy, including data protection, data security and data breach policies and procedures, was adopted in 2019, codifying many pre-existing practices. This was developed with external expert support, and workshopped with staff before being finally approved by the Supervisory Board. Staff are well educated about the need to be compliant with the General Data Protection Regulation (GDPR). This is regularly checked under the responsibility of management staff.
TNI’s Computer Support team regularly educates staff on safe communications, raising awareness of the pitfalls of certain applications and platforms and the merits of others. The team has created a TNI ‘next cloud’ held on a number of servers in The Netherlands which gives remote access shared directories for authorized staff. It has also created a second cloud where documentation may be shared with authorized external parties. The computer support team has also worked with Dutch counterparts in the Fair, Green and Global Alliance to the same end, running workshops with staff to raise awareness, and developing recommendations for changes that should be made in the way data is shared and stored, and communications are conducted.
TNI’s website is hosted on very secure servers with regular back-ups. In consultation with our security conscious web developers, we have worked hard to ensure tni.org is a closed loop site with few easy points of intrusion. Access to the website is limited to a handful of individual staff and administrative access is limited to just two individuals. Nevertheless, TNI’s website came under protracted DDoS attack in 2019, one of many NGO sites targeted around the same time. Our site was down for nearly a month though we were able to run a mirror site within a few days while measures were put in place to put up a permanent shield to fend off the attack and prevent any future such attacks.