NGO Duty of Care 2026: The Legal Checklist Your Board Needs to See

In 2024, an aid worker was killed in South Sudan after her organization failed to brief her on a deteriorating security corridor. The internal review found the threat had appeared in local-language media 72 hours before the incident.

Duty of Care, the legal and ethical obligation to protect employees and contractors from foreseeable harm, is not optional for NGOs operating in challenging environments. Failure exposes organizations to lawsuits, staff attrition, and, worst of all, preventable casualties.

What is Duty of Care?

Duty of Care requires organizations to:

• Assess risks before deploying staff to new locations
• Inform staff about known hazards and security conditions
• Prepare staff with appropriate training and resources
• Monitor conditions during deployments
• Respond effectively to incidents and emergencies
• Support staff during and after challenging assignments

Legal Framework

Duty of Care obligations come from three main sources:

Common Law (UK, US, Commonwealth)

Employers have a common law duty to provide a safe working environment. This extends to overseas assignments and includes the obligation to inform employees of known risks.

Statutory Requirements

• UK: Health and Safety at Work Act 1974
• US: Occupational Safety and Health Act (OSHA)
• EU: Framework Directive 89/391/EEC

Contractual Obligations

Employment contracts and organizational policies may create additional Duty of Care obligations beyond statutory minimums.

Duty of Care in Practice

1. Pre-Deployment Assessment

Before sending staff to any location:

• Review current security conditions and recent incidents
• Assess specific risks based on the role and activities planned
• Evaluate individual staff vulnerabilities (health, nationality, gender)
• Document the assessment and mitigation measures

2. Staff Briefings

All traveling staff should receive:

• Current security situation briefing
• Specific threat information relevant to their assignment
• Emergency procedures and contact information
• Health and medical considerations
• Cultural and legal briefings

3. Ongoing Monitoring

During deployments, organizations must:

• Monitor developing situations in real-time
• Communicate relevant updates to deployed staff
• Maintain regular check-in schedules
• Have protocols for escalating concerns

For a comprehensive framework covering all stages of travel risk management, see our complete Travel Risk Management guide. Organizations should also ensure their programs align with ISO 31030 compliance requirements.

What Are Common Duty of Care Failures?

Five patterns cause most Duty of Care failures:

1. Relying on outdated information: Using travel advisories that haven't been updated in months
2. Ignoring local sources: Missing threats that aren't covered by international media
3. No monitoring during deployment: Staff are briefed before travel but not updated on changing conditions
4. Inadequate documentation: Unable to demonstrate what risk assessments were conducted
5. Language barriers: Missing critical local-language intelligence

Implementing a Duty of Care Program

What Is the Legal Framework for Duty of Care?

Understanding where Duty of Care liability comes from is not academic. It determines what your legal team will need to defend in court if something goes wrong.

Negligence Standard

The core legal test in most jurisdictions is negligence: did the organization fail to take steps that a "reasonable employer" would have taken? This has three components:

1. Foreseeability: Was the risk known or should it have been known? If a threat appeared in local media 48 hours before an incident, a court will ask why the organization did not know about it
2. Proportionality: Were the organization's mitigation measures proportionate to the known risk? Sending staff to a conflict zone with a travel advisory but no daily security briefing fails this test
3. Causation: Did the failure to act cause or contribute to the harm? If the staff member would have been injured regardless of any briefing, the claim weakens. But this is a high bar for the organization to clear

Vicarious Liability

Organizations are liable not just for their own failures but for the failures of their agents. If a country director fails to brief a field team on a known threat, the parent organization is liable. This makes training and oversight of in-country management a critical Duty of Care component.

Contractor and Volunteer Coverage

A common mistake: assuming Duty of Care only applies to employees. In most jurisdictions, organizations owe similar obligations to contractors, consultants, and even volunteers who are under the organization's direction and control. If you send a consultant to a field site and they are injured by a foreseeable threat, you are exposed.

How Does ISO 31030 Alignment -- What It Means for NGOs?

ISO 31030 is the international standard for travel risk management, published in 2021. It is not legally binding on its own, but it establishes the benchmark that courts and insurers use to evaluate whether an organization met its Duty of Care obligations. Here is how it maps to NGO operations.

• Clause 5.2 -- Leadership commitment: Senior management must demonstrate active involvement in travel risk management. A Duty of Care policy that exists on paper but is never referenced by leadership fails this requirement
• Clause 6.1 -- Risk assessment: Organizations must assess travel risks before deployment, considering both the destination and the individual traveler. This includes health conditions, nationality, gender, and role-specific risks
• Clause 7.2 -- Competence: Staff must be trained on the risks they will face and the mitigation measures available. Pre-travel briefings are the minimum; ISO 31030 expects ongoing training for staff in high-risk environments
• Clause 8.3 -- Monitoring: Continuous monitoring of conditions during travel. This is where most NGOs fall short. They brief staff before departure and then have no system for updating them as conditions change
• Clause 9 -- Performance evaluation: Regular review of the travel risk management program's effectiveness. After-action reviews, incident analysis, and program audits

For most NGOs, ISO 31030 alignment does not require a massive overhaul. It requires formalizing and documenting what good organizations are already doing informally -- and adding the monitoring component that most lack.

How Does Intelligence Support Duty of Care?

Intelligence is the operational foundation of Duty of Care. Without it, every other component -- briefings, risk assessments, incident response -- is based on stale or incomplete information.

Pre-Deployment: Threat Assessment

Before sending staff to any location, you need current intelligence on the security environment. Not the State Department advisory from 6 months ago. Not the NGO security handbook from last year. Current intelligence -- what happened in the last 7 days, what is likely to happen in the next 7 days, and what specific risks exist for your staff profile (nationality, gender, role).

During Deployment: Continuous Monitoring

This is where most organizations fail. Staff are deployed with a briefing and then receive no updates unless something dramatic happens. Effective Duty of Care requires daily monitoring of conditions in every location where staff are deployed. Local-language intelligence surfaces threats 12-24 hours before English-language media. That lead time is the difference between a proactive relocation and a reactive evacuation.

Post-Incident: Documentation and Learning

When an incident occurs -- even a near-miss -- the organization must document what happened, what intelligence was available, what actions were taken, and what should change. This documentation serves two purposes: improving future responses and providing legal defense if a claim is filed.

Where Do NGOs Most Commonly Fail?

After working with organizations operating across the Caucasus, Central Asia, and Africa, five failure patterns appear consistently.

1. Monitoring gap between HQ and field: Headquarters conducts a risk assessment before deployment. Field staff operate for weeks without updated intelligence. The gap between HQ's assessment and ground reality widens daily. When an incident occurs, it was foreseeable from local sources but invisible from London or Geneva
2. Over-reliance on government advisories: The US State Department and UK FCDO provide useful baseline assessments. They do not provide operational intelligence. A travel advisory that says "exercise increased caution in the Sahel" tells your security manager nothing about the roadblock that appeared this morning on the N1 highway outside Ouagadougou
3. No system for contractor coverage: NGOs routinely deploy consultants and short-term contractors without including them in security briefings, monitoring systems, or insurance coverage. These individuals face the same risks as employees but receive fewer protections
4. Documentation failures: The risk assessment happened. The briefing was given. But nobody documented it. In a legal proceeding, undocumented actions are treated as actions that did not happen. Invest 5 minutes in recording every briefing, risk assessment, and security decision
5. Reactive instead of proactive culture: Staff are trained to respond to incidents but not to anticipate them. The shift from reactive to proactive requires real-time intelligence feeds, not just an incident response plan

What Role Does Real-Time Intelligence Play?

Duty of Care without real-time intelligence is a liability. Static travel advisories go stale within days. Effective monitoring requires:

• Local sources: International news runs hours or days behind local developments
• Multiple languages: Critical information often appears only in local languages. Pashto, Tigrinya, Bahasa
• Continuous monitoring: Situations shift fast; daily briefings are the minimum standard
• Actionable format: Intelligence should tell staff what to do, not just describe what happened

Frequently Asked Questions

Does Duty of Care apply to local national staff?

Yes. In virtually every jurisdiction, Duty of Care obligations extend to all employees regardless of nationality. Local national staff who are deployed to dangerous areas, relocated, or tasked with field activities are covered. The specific obligations may differ -- a local staff member may not need a cultural briefing on their own country -- but the core requirements of risk assessment, monitoring, and incident response apply equally. Organizations that provide lower security standards for national staff than for international staff are exposed to discrimination claims on top of negligence claims.

How often should risk assessments be updated?

For active field operations in high-risk environments, risk assessments should be reviewed weekly at minimum. For stable operating environments, monthly reviews are acceptable. Any significant security event -- a protest, an armed incident, a regulatory change -- should trigger an immediate reassessment regardless of the schedule. The ISO 31030 standard expects organizations to demonstrate that assessments are current, not just that they exist.

What is the minimum acceptable standard for monitoring during deployment?

Daily security briefings for staff in high-risk environments. This is the floor, not the ceiling. The briefing should cover: current security conditions in the staff member's area of operation, any changes since the last briefing, specific guidance for planned movements that day, and emergency contact procedures. For organizations with staff in multiple high-risk locations, a centralized intelligence feed that distributes daily briefings to each location is the most efficient approach.

What Are the Key Takeaways?

• Duty of Care is both a legal obligation and an ethical imperative
• Key elements: assess, inform, prepare, monitor, respond, support
• Organizations must demonstrate they took reasonable steps to protect staff
• Documentation is critical for demonstrating compliance
• Real-time intelligence is essential - outdated information is a liability
• Invest in local-language monitoring to catch threats early