How an International NGO Achieved Duty of Care Compliance Across 3 Country Offices

An international humanitarian organization operating across three country offices in high-risk regions faced a problem that most NGOs recognize but few have solved: how to meet their duty of care obligations to staff when the security information available to them is consistently 12-24 hours behind ground-level reality. Their staff were making daily movements -- to field sites, partner offices, government meetings, and community locations -- based on threat assessments that reflected yesterday's conditions, not today's.

In 2025, the organization adopted Region Alert's local-language monitoring to supplement their existing security management framework. Within four months, the system proved its value in a specific incident where 14 hours of advance warning prevented staff from traveling into an area that erupted in violent protest. More broadly, it transformed their daily security management workflow from reactive situation reports to proactive, evidence-based movement decisions.

This case study examines the organization's journey from compliance gap to demonstrable ISO 31030 compliance, including the specific incident, the daily workflow, and the lessons for other humanitarian organizations operating in challenging environments. The organization has been anonymized at their request.

The Duty of Care Challenge for International NGOs

Duty of care is not an abstract legal concept for organizations that deploy staff to high-risk environments. It is a concrete obligation, codified in employment law, organizational policy, and international standards, that requires employers to take reasonable steps to protect their people from foreseeable harm. For NGOs operating in conflict zones, fragile states, and regions with elevated security risks, meeting this obligation requires access to timely, accurate, and actionable security information.

ISO 31030, published in 2021, established the first international standard specifically for travel risk management. It requires organizations to maintain "current and relevant threat and hazard information" for all locations where staff operate, to conduct risk assessments before travel, and to have systems in place for monitoring and communicating emerging threats during travel. For NGOs with field offices in multiple high-risk countries, these requirements translate into a demanding operational reality: you need to know what is happening in every location where your staff are present or traveling, and you need to know it in near-real-time.

The organization in this case study had three country offices with a combined 87 staff members -- a mix of international and national personnel -- making regular movements to field sites, partner organizations, government offices, and community locations across regions with active conflict, civil unrest, and criminality. Their existing security management system relied on three information sources:

A global risk consultancy providing weekly situation reports in English, supplemented by ad-hoc alerts for major incidents. These reports were well-researched but typically reflected conditions as of 48-72 hours prior. They covered national-level developments competently but lacked granularity at the sub-national and community level where staff movements actually occurred.

UNDSS advisories and security briefings from the UN Department of Safety and Security, which provided the framework for security phases and travel restrictions. These advisories are valuable but cover broad geographic areas and are not tailored to the specific movement patterns of individual organizations.

Staff self-reporting from national staff with local knowledge and community connections. This was often the most timely source of ground-level intelligence, but it was unsystematic, dependent on individual relationships, and difficult to document for compliance purposes.

The Problem with English-Language-Only Intelligence

The root cause of the organization's intelligence gap was linguistic. All three country offices operated in regions where the dominant languages of daily communication -- on social media, in local news, on community radio, in market discussions -- were not English. The security reports they received were produced by English-speaking analysts who relied on English-language media, translated government statements, and English-language social media. This created a structural delay: events happened and were discussed locally in the local language, then were picked up by regional media, then were reported by international outlets, and finally appeared in the English-language situation reports that reached the organization's security managers.

For many types of security events, this delay is measured in hours. A protest that begins in a provincial city after Friday prayers generates immediate discussion on local-language social media and community Telegram channels. It might be reported by local FM radio within an hour. Regional media might cover it within 2-4 hours. International wire services, if they cover it at all, might file a report 6-12 hours later. The English-language situation report from the consultancy would include it in their next weekly update -- potentially 3-7 days after the event.

For an NGO security manager making movement decisions for staff who travel daily, this timeline is inverted from what they need. They need to know about the protest before their staff drive through the area where it is happening, not days later in a weekly summary. The cost of ignoring local-language signals is not an abstract risk -- it is the specific risk that staff will be in the wrong place at the wrong time because the security information available to them did not include what local communities already knew.

Implementing Local-Language Intelligence Monitoring

The organization began working with Region Alert in mid-2025, configuring monitoring packages for each of their three country offices. The setup followed a structured approach designed specifically for NGO security management requirements:

Geographic coverage mapping. For each country office, Region Alert mapped the organization's operational footprint: office locations, regular field site destinations, travel corridors between locations, and partner organization sites. This produced a set of geographic areas requiring continuous monitoring, typically 8-15 specific locations per country office plus the corridors connecting them.

Source identification. For each geographic area, Region Alert identified the local-language information sources where security-relevant information would first appear: community Telegram channels, local FM radio stations, vernacular social media accounts, local news portals, and community leader networks. The source list for each country office typically included 40-80 individual sources across 2-4 local languages.

Alert classification. Alerts were configured at three levels aligned with the organization's existing security management framework: FLASH (immediate threat to staff safety, requires immediate action), WATCH (emerging situation that may affect operations within 24 hours), and ADVISORY (development requiring awareness but not immediate action). Each alert level triggered a defined response protocol within the organization's security management plan.

Daily briefing workflow. Each country office receives a structured daily briefing at 06:00 local time, covering overnight developments, current threat landscape, and a 24-hour forward look across all monitored locations. Security managers review the briefing before the day's movement decisions are finalized. This daily briefing became the documented evidence base for ISO 31030 compliance -- a daily record of threat assessment informing operational decisions.

The Incident: 14 Hours of Advance Warning

Four months after implementation, the system proved its value in a specific incident that the organization's security director later described as "the moment that justified the entire investment."

On a Thursday evening, Region Alert's monitoring flagged a cluster of signals from local-language Telegram channels and social media in a provincial city where the organization had a partner office. Community leaders and local activists were discussing plans for a major protest the following day, triggered by a local government decision that had generated significant anger in the community. The posts included specific details: the gathering point, the planned march route, the organizations involved, and -- critically -- rhetoric suggesting that the protest had a high probability of turning violent, with references to previous confrontations with security forces at the same location.

At 19:00 Thursday evening, Region Alert issued a WATCH alert to the country security manager, with translated excerpts, geographic mapping showing the planned protest route in relation to the organization's partner office and the road corridor that staff used to reach it, and an assessment that the protest had a HIGH probability of turning violent based on the rhetoric in local-language channels and the historical pattern of security force responses at that location.

At 06:00 Friday morning, the daily briefing elevated the situation to FLASH status based on overnight developments: additional Telegram posts confirmed large-scale mobilization, a local FM radio station had broadcast a call to action, and several posts referenced weapons and confrontation with police. The briefing recommended that no staff travel to or through the affected area.

The country security manager cancelled all staff movements to the partner office and the surrounding area for the day. Two international staff members who had been scheduled to travel to the partner office for a meeting were redirected to alternative activities at the country office. Three national staff members who lived near the protest route were advised to work from home.

By mid-morning Friday, the protest had turned violent. Security forces used tear gas and live ammunition. Several buildings in the commercial district near the partner office were damaged. The road that staff would have used to reach the office was blocked by burning barricades. The first English-language media report appeared at 14:00 -- approximately 19 hours after the initial local-language signals were detected, and 8 hours after the daily briefing that informed the movement cancellation decision.

The Daily Briefing Workflow: From Intelligence to Decisions

Beyond single incidents, the more significant impact of local-language monitoring was the transformation of the organization's daily security management workflow. Before Region Alert, the security manager's morning routine consisted of checking email for UNDSS advisories, scanning international news headlines, and calling national staff for informal situation updates. It was ad hoc, undocumented, and dependent on individual initiative.

After implementation, the workflow became structured and auditable:

06:00 -- Daily briefing delivered. The Region Alert daily briefing arrives in the security manager's inbox covering all monitored locations. It includes: overnight incidents (if any), current threat levels by location, emerging situations requiring monitoring, and a 24-hour forward assessment. Each section includes source citations and confidence levels.

06:30 -- Security manager review. The security manager reviews the briefing and cross-references with any UNDSS advisories, staff reports, or other intelligence received overnight. Decision points are identified: are there locations where planned staff movements should be modified, delayed, or cancelled?

07:00 -- Movement decisions communicated. The security manager communicates any movement restrictions or modifications to relevant staff, with brief rationale. For routine days with no elevated threats, the communication confirms that planned movements are cleared based on the morning assessment.

Throughout the day -- Flash alerts. If a security event develops during the day, Region Alert delivers flash alerts directly to the security manager. These trigger the organization's existing crisis management protocols for staff check-in, movement freeze, or evacuation as appropriate.

End of week -- Documentation. The accumulated daily briefings, flash alerts, and movement decisions form a documented record of the organization's security management activities. This record directly addresses ISO 31030's requirement for documented threat monitoring and risk-informed decision-making.

ISO 31030 Compliance: Closing the Audit Gap

Six months after implementing the local-language monitoring system, the organization underwent an external audit of their travel risk management program against ISO 31030 requirements. The audit covered all three country offices and examined the organization's ability to demonstrate compliance across the standard's key provisions.

The results represented a significant improvement over the pre-implementation audit:

Clause 6.4 -- Threat and hazard identification. The organization could demonstrate continuous monitoring of threats and hazards across all operational locations, with documented evidence of daily threat assessments incorporating local-language sources. The previous audit had flagged this clause as a gap due to reliance on weekly English-language reports.

Clause 6.5 -- Risk assessment. Daily briefings with location-specific threat levels provided the basis for documented risk assessments prior to staff movements. The incident where staff movements were cancelled based on the protest warning served as a specific case example of risk assessment informing operational decisions.

Clause 7.3 -- Monitoring during travel. Flash alerts demonstrated the capability to monitor and communicate emerging threats during the period when staff are in transit or at field locations. The system's ability to deliver alerts in near-real-time, rather than in periodic reports, directly addressed the standard's requirement for ongoing monitoring.

Clause 8 -- Communication. The structured daily briefing workflow, with documented communication of movement decisions to staff, demonstrated a systematic approach to security communication. The audit noted this as a particular strength compared to the ad hoc communication approach identified in the previous assessment.

Lessons for Humanitarian Organizations

Duty of care compliance requires real-time intelligence, not periodic reports. ISO 31030 and broader duty of care obligations require organizations to make decisions based on current threat information. Weekly situation reports, however well-researched, cannot satisfy this requirement for organizations whose staff make daily movements in dynamic security environments. The transition from periodic to continuous monitoring is the single most impactful step an NGO can take toward demonstrable compliance.

Local-language monitoring fills a specific gap that no other source can. UNDSS, consultancy reports, and staff self-reporting each serve important functions. None of them provide the granular, real-time, location-specific intelligence that comes from monitoring the channels where local communities actually share information. For NGOs operating in environments where the dominant languages are not English, this gap is structural and cannot be closed by adding more English-language sources.

Daily briefings transform security management from reactive to proactive. The shift from "checking news headlines and calling staff" to "reviewing a structured threat assessment at 06:00" changed the entire character of the organization's security management. Decisions that were previously made on incomplete information or gut feeling are now made on documented evidence. This protects staff, and it protects the organization from the legal and reputational consequences of failing to demonstrate reasonable care.

Documentation is compliance. An ISO 31030 audit does not ask whether you knew about a threat. It asks whether you can demonstrate that you had systems in place to know, that you documented what you knew, and that you made decisions based on that knowledge. The daily briefing workflow produces this documentation automatically. Every daily briefing, every flash alert, every movement decision informed by intelligence becomes part of the auditable record.

The cost is proportionate to the risk. For an organization with 87 staff across three high-risk country offices, the cost of local-language monitoring is a fraction of the cost of a single security incident involving staff injury, kidnapping, or worse. It is also a fraction of the cost of the legal liability that arises from failing to meet duty of care obligations. The return on investment is not speculative -- it is demonstrated every time a movement decision is informed by intelligence that would not have been available through English-language sources alone.

Frequently Asked Questions

Does Region Alert work with organizations that have their own security management frameworks?

Yes. Region Alert's monitoring is designed to integrate with existing security management systems, not replace them. Alert classifications can be aligned with the organization's existing framework (whether that is the UN Security Management System, the CHS Alliance framework, or a bespoke internal system). Daily briefings are configured to match the organization's decision-making cycle and distribution requirements.

How does this approach handle multiple languages across different country offices?

Each country office's monitoring package is configured for the specific linguistic landscape of its operational area. Region Alert monitors sources in the local languages relevant to each location -- whether that is Arabic, Hausa, Swahili, French, Dari, or any combination. All alerts and briefings are delivered in English with translated excerpts from source material, so security managers do not need to speak the monitored languages.

Can smaller NGOs with limited security budgets use this approach?

Region Alert offers monitoring packages scaled to organizational size and operational footprint. A single-country office with a defined operational area can be monitored at a cost that is accessible to mid-sized NGOs. The pricing model is based on geographic coverage and source volume, not organizational revenue, so smaller organizations pay proportionally less. The duty of care obligation applies regardless of organizational size -- and so does the value of intelligence that protects staff.