It is June 2012. Steve Dennis, an aid worker for the Norwegian Refugee Council (NRC) is part of the convoy that is escorting the organization’s secretary general through a refugee camp in Dadaab, Kenya, with the purpose to raise awareness on humanitarian operations. While the area has had a difficult history with kidnappings, in the months leading up to the visit waters have been relatively calm. Therefore, management have made the decision not to hire an armed security escort, as this might attract unwanted attention and possibly make the convoy an even more visible target.
Dennis is part of the first car of the convoy, with a local driver that has been hired on that day. They have the task of scouting for suspicious activity and report to the others, so that they can take an alternative route or pull back in the case of an unexpected aggression. However, Dennis and the driver never explicitly agreed to this, nor have they been informed that the United Nations has increased its security risk indicators in the area from 3 to 4, with 5 being the maximum level.
By the time they realize the danger is real, it’s too late. A group of armed kidnappers attacks the convoy, killing the driver of the first car on the spot and severely injuring others, including Dennis who is shot in one of his legs. He is then made hostage, along with three others, and moved towards the border between Kenya and Somalia. Eventually, after four days, he is rescued through an armed operation by the Kenyan government and a Somali militia.
The story of Steve Dennis has become known around the world, especially in the humanitarian sector, because after the tragic incident, he successfully sued the NRC for negligence and won the case, setting an unexpected precedent for aid workers. Dennis received an overall compensation of 465,000 euros, which is still short of the initial claim made by his lawyer. There were dire consequences after the incident that pushed the former employee to take the NRC to court, such as being diagnosed with PTSD and depression, on top of the physical injuries he sustained.
The Oslo District Court, which issued the final ruling, based its conclusions on different points. The way the NRC addressed security risk management, duty of care, and mitigation measures is one of the most relevant. According to the findings of the court, the threat of kidnappings in the area remained high, as it emerges from the United Nations security risk level indicators. Furthermore, internal NRC reports showed that previous risk analyses did in fact acknowledge the threat of kidnappings, to the point that an armed escort was initially hired, only to be cancelled shortly before the visit.
While the NRC claimed that there had been a decrease of kidnappings over time, the court stated that this was not due to a lack of willingness to carry out these actions, but rather to a lack of opportunity. Specifically, the fact that more and more humanitarian organizations had been hiring armed security teams had worked as a disincentive for criminal groups to attempt this type of operations. For similar reasons, VIP visits – such as the one of the NRC secretary general – should have been reduced to a minimum, since high-profile targets are likely to attract attention.
The outcome of risk assessments did not lead to the adoption of coherent measures, revealing a lack of coordination. One further issue was information security. While the visit of a VIP figure should be sensitive information that is shared on a need-to-know basis, the court found that several members of staff and even third parties knew about the operation.
Crisis management also turned to be a problem. One of the most common mantras is that senior leaders should be part of the crisis team, but what happens when the crisis team is affected by the crisis? This was exactly the case with the NRC, where the secretary general, the area manager, the country director and regional director were all part of the convoy. These four key decision makers could not join the crisis team immediately and as a result the NRC had to fly the global security advisor to Nairobi the next day. The court does not mention specific consequences as the result of this delay, but it is possible to comment from a technical point of view that this scenario was far from ideal. It also poses the interesting question (to any organization) of whether key roles and responsibilities are backed up in the crisis team. Who’s going to take the lead if the CEO is unable to operate? How about the security manager or the CIO? In other words, what are organizations doing to grant continuity in crisis management?
It is also worth noting that internal decision making was not subject to challenge, due to a lack of communication. As a general principle, it is important that security and risk experts – this also applies to other resilience roles – are able to maintain their independence from “office politics”. In other words, these technical figures should not have a more or less conscious bias to please executives and reinforce a false sense of security that often leads to bad decisions.
Finally, according to a series of post-crisis reviews, lessons from the event were not embedded or learned. Employees asking for clarification were regarded as troublemakers and provided with incomplete information about the events.
The Dennis case remains an example of negligence in the humanitarian field, but it also has a lot to teach to several organizations across geographical areas and industries. Below are a few discussion points that are worth exploring in industry discussions:
- What is the information-sharing process on the outcome of risk assessments? Is the intelligence reaching decision makers?
- Who is part of the crisis management team? Are the roles and responsibilities transferable or do some members represent a single point of failure?
- Are there internal biases that prevent honest internal dialogue?
- Are lessons being learned from crisis or is a won’t-happen-to-us mindset persistent?
Author: Gianluca Riglietti
If you liked this article, you might enjoy reading this one.