Introduction

The Project Criticality Framework is a decision-making framework that establishes guiding principles and a structured approach for using Project Criticality to balance activities and projects against security risks. Project Criticality (PC) is a crucial component of the Security Management Guidelines for Acceptable Risk.

NOTE: It does not serve as a security function, but rather as a means to ensure that critical activities are implemented within acceptable risk levels.

Applicability

A determination of activity criticality takes place through a PC assessment. Such assessments should be conducted for all activities that involve personnel. While the timing of undertaking a program Project Criticality should be determined at the field level based on context and need, undertaking a program Project Criticality is mandatory in areas with residual risk levels of ‘high’ and ‘very high,’ as determined in the Security Risk Assessments (SRAs). A PC is also beneficial when deciding how and when to undertake activities or actions in areas where residual risk is determined to be ‘medium.’ The Framework does not consider outputs implemented by third parties (government, I/NGOs, private sector, etc.) as long as such activities do not require the physical presence of client personnel.

Accountability

The primary accountability for program criticality lies with senior management at the country level. The senior Operations Officer is responsible for the conduct and quality of program Project Criticality at the country level. Corporate leadership (CEO) is accountable to the board or owners through the Director for Safety and Security and is responsible for the security of personnel, premises, and assets throughout the country or designated area. The Country Manager is responsible for ensuring that the Security Management System’s goal is met in their country or area. In areas where several business entities operate in parallel, all activities involving staff should be part of a given PC process under existing leadership on the ground. However, separate PC assessments would likely need to be carried out for each designated area. Heads of business entities (resident and non-resident) operating in the country are required to ensure that their respective entities participate in a joint PC assessment and use the results to determine acceptable risk. Each business entity should allocate the necessary resources to do so.

Quality assurance

Leadership on the ground is responsible for the quality of a specific Project Criticality. The Quality Control or Operations Office at the HQ level is responsible for providing quality assurance of the PC framework and its implementation. This entails responsibility for oversight and review of the PC framework. Additionally, the HQ is responsible for ensuring that quality PC assessments are conducted in country areas where needed, and if not, taking action to ensure that the analysis takes place or is revised appropriately. As part of this role, the HQ should recommend that the Task Group be convened to determine the PC levels for a specific setting, as described in further detail below.

The Project Criticality Process

Program Project Criticality is the process of determining the level of criticality for specific activities within a particular location and timeframe. This analysis assigns four levels of criticality, PC1-PC4, with PC1 activities being the most critical. The Operations team in a country uses the PC methodology and tool to identify which activities should be rated PC2, PC3, PC4, and finally PC1. The PC analysis must be done by the in-country businesses as a whole, not by individual entities, to ensure peer review. The PC methodology uses existing planning frameworks that have been agreed upon at the country level. The output of the PC analysis provides a list of rated activities, along with the SRA that covers the corresponding geographic location and according to the policy for Determining Acceptable Risk. This helps country-level decision-makers to determine which activities should be enabled based on the agreed level of acceptable risk. This framework ensures staff do not take unnecessary risks and work on those activities likely to contribute most to existing business strategic results. It also allows country-level managers to redesign activities or implementation modalities to be within known acceptable risks and/or to reduce risk. The Security Management Team (SMT) must ensure that a current SRA outlining the residual risk levels is in place when conducting the PC analysis.

Approval of Program Criticality

Approval of levels PC1-PC4 is given by the RC and in mission settings by the country leadership, as applicable, in line with the accountabilities outlined above. The final decision on which activities are enabled based on acceptable risk is with the CEO. If an activity involving staff is determined to be PC1 and its implementation is associated with very high levels of residual risk, the Executive Head of the relevant entity must certify that the activity is PC1 and can be implemented in situations with very high residual risk. In such cases, the final approval to enable that activity in a situation of very high residual risk is given by the CEO.

Program Criticality as part of the SRM

The output of a PC assessment sits within the security management system as a core input to security decision-making. It is one side of the balance when making decisions on whether a UN program stays and delivers. The other side of the balance is the statement of the risk present at the current time, after the implementation of security risk management measures, in a specific location where the program is being delivered; referred to as residual risk.

While the final decision-making on acceptable risk requires both the output of a PC assessment and determined residual risk levels and these two components must be comparable, there are clear separations in determining PC and residual risk. Accordingly, two key principles must be adhered to for the process to be completed correctly:

1. Risk level has no impact on program criticality. There must be no consideration of risk level when determining PC.
2. Program criticality has no impact on risk level. There must be no consideration of PC when determining risk level.

As outlined above, a PC assessment is undertaken by the United Nations system at the country level when there is a change in existing strategic plans or a significant change in the situation/programmatic conditions, specific to a geographical location. The PC methodology and tool will be used to assign one of four program criticality levels (PC1, PC2, PC3, or PC4) to each activity/output. A relevant SRA provides residual risk levels and suggests risk mitigation measures to lower risk. These steps form the Security Risk Management process.

This process will allow the principles set out in the Guidelines for Acceptable Risk to establish the maximum level of residual risk that is acceptable for a specific level of program criticality. Figure I below depicts this relationship between program criticality level and residual risk within the Guidelines for Acceptable Risk. Accordingly, it is permissible to implement:

• PC1 activities only in very high residual risk environments;
• PC1 – PC2 in high residual risk environments;
• PC1 – PC2 – PC3 in medium residual risk environments;
• PC1 – PC2 – PC3 – PC4 in low residual risk environments.

Of course, it is possible (and often preferable) to conduct an activity with lower residual risk, but it is not permitted to accept more risk than assigned in the Acceptable Risk Model.

Overview of Project Criticality methodology and criteria for assessment

The methodology described in this Framework provides a structured approach to determine Activity Criticality. An Excel-based Activity Criticality tool assists in applying this structured approach and completing the steps of the assessment. Subsidiary guidance resources are available that provide further assistance and useful pointers in conducting a Activity Criticality assessment.

A Project Criticality assessment has eight steps:

1. Establish geographical scope and timeframe
2. List strategic results (SRs)
3. List client outputs (involving client staff)
4. Assess contribution to strategic results (in peer review format)
5. Assess likelihood of implementation (in peer review format)
6. Evaluate outputs with PC1 criteria (in peer review format)
7. View PC level results, form consensus within the United Nations system and approve the final results
8. Manage and implement the results of the Project Criticality assessment

Each step is described in further detail below. Steps 1 ñ 3 are critical preparatory steps that must be completed before the actual Project Criticality assessment can commence. Steps 4 – 6 are completed in a group peer review format at which representatives of all client entities operating in the country should be present and have sufficient decision making authority. The criteria being used to assess outputs in steps 4 and 5 are: (1) Contribution to each of the strategic results and (2) likelihood of implementation. In the Excel-based tool, the contribution scores are averaged and multiplied by the likelihood of implementation score. The result determines the PC2-PC4 level for each of the considered outputs. PC1 ratings, if any, are established in a separate step thereafter.

Step 1 – Establish geographical scope and timeframe

The first step establishes the geographical scope/area and timeframe for the Project Criticality assessment.

• The geographical scope/area of a Project Criticality assessment should be the same as the geographical area of coverage in the SRM, where possible, since this will make it easier to compare the result of the assessment to the present security risk in that area. Any differences in the areas should be noted and changes to either the PC area or SRM area should be reflected in the next regular Project Criticality assessment.
• If the portfolio of client outputs varies considerably between different geographic areas in a given country, then separate Project Criticality assessments should be carried out for these areas.
• A Project Criticality assessment can be valid for up to 12 months before it must be reviewed and possibly revised. If the operating environment and context are volatile and fast-changing, then a shorter timeframe for the Project Criticality assessment should be envisaged. Likewise, a shorter timeframe may be warranted for the duration of a special event of country-wide magnitude, for example an election. (see Step 8 below on the review of a Project Criticality assessment)
• Scope and timeframe must be agreed before the next steps of the Programme Criticality assessment are initiated.

Step 2 – List strategic results

The second step is to confirm and list the strategic results (SR) that the client will collectively work towards in the geographical area and in the agreed timeframe.

• The SR are derived from the various existing planning documents that the client uses, such as strategic planning documents. The methodology allows for entering up to six (6) SR by geographical area.
• It is of critical importance that the set of agreed strategic results reflects an accurate balance of the clients’ collective priorities for the geographic area and specified timeframe.
• Additional, situation-specific SRs may be devised in certain situations that are of high importance for the timeframe of the assessment which are not captured in multi-year plans, such as upcoming elections or peace negotiations. Such a Strategic Result could capture, for example, the clients’ short term measures for support to the local population and partners.
• In order to allow for a smooth assessment process, SR should be formulated clearly and concisely. Results should be described in ‘change’ language, which describes a change in the situation of an affected population, the performance of a service, the allocation of national resources, the existence of needed policies or any other observable change.

Step 3 – List outputs involving client staff

The third step is to enter a list of all the outputs the client wishes to implement in the said geographical area and timeframe, using client staff.

• Outputs are, in most cases, an aggregate of individual activities by one or several client entities. It is strongly recommended that the client’ team in country ensures a consistent listing at output level. Supplementary guidance is available from the PC Desk on how to best develop a list of outputs for the purposes of a Project Criticality assessment.
• To ensure consistent rating in a Project Criticality assessment, similar and overlapping outputs carried out by separate client entities should, wherever possible, be consolidated into joint outputs.
• If the outputs do not require the presence of client staff to be implemented, they fall outside the scope of a Project Criticality assessment and should not be listed.

Step 4 – Assess contribution to strategic results

• The fourth step, undertaken in peer review format, is to assess how each of the outputs contributes to each of the strategic results. This assessment is on a 0-5 scale. Final agreement on the rating scale is at the discretion of the client country presence.
• The scores for an output contribution to each strategic result are averaged in the Excel-based tool to get a score for that output’ total contribution to all the strategic results.
• It is critical that this step is undertaken by working groups representing a cross- section of the client’ country presence to ensure peer review. The scoring is relative, and without having a common understanding among client entities of the scoring level, comparison becomes futile.
• Before embarking on scoring all activities, a number of outputs should be jointly rated in plenary by the peer review group to set benchmarks for the scoring and establish a common understanding.
• ‘Enablers’ and support outputs: It is advisable that the client country presence jointly agrees on how to score outputs that can be termed as ‘enablers’ to projects and mandate implementation, such as: Coordination and assessments, management, logistics, common services, operations support, etc. It is permissible that the criticality rating of such an enabler remains open in order to be linked, on a case by case basis, to the PC score of the respective project, activity or mandate outputs that they support.
• While rating the outputs, the agreed timeframe and geographic scope should always be kept in consideration as critical factors: What is the contribution of this output to the SRs during the timeframe and in the geographic area of this assessment?
• The Framework does not consider client outputs implemented by third parties (government, I/NGOs, private sector, third party-contractors, etc.) as long as such activities do not require the physical presence of client staff. However, even if temporary exposure of client staff to high or very high risk is being considered, for example through sporadic in-person monitoring visits, then a Project Criticality rating is required for the given output.

Step 5 – Assess likelihood of implementation

The fifth step requires the assessment of each output according to its likelihood of implementation within the timeframe of the assessment and in its geographic area.

• This assessment is conducted using a 1-5 scale identical to the likelihood scale used in the Security Risk Assessment (1: very unlikely, 2: unlikely, 3: moderately likely, 4: likely and 5: very likely).
• What is being assessed is whether the resources and capacity are available to implement the outputs listed in the established timeframe. It is not assessing whether the activities themselves will be successful or completed. The question ‘how do you know you can do this?’ is a useful pointer in this step.
• It is suggested that the assessment should be guided by such variables as acceptance (government, local community), capacity and availability of staff, partner implementing capacity, availability of funding, logistics, physical access (roads, air strips, seasonal climatic conditions, etc.).
• This step is meant to provide a critical reality check of the ability to implement. Client entities should be able to justify the likelihood of implementation, and it is therefore recommended that the criteria used be as verifiable as possible. Past implementation performance and current funding levels may be used as criteria.
• All outputs must be assessed against the same set of variables and these must be agreed ahead of scoring.
• One variable that is not considered in judging likelihood of implementation is the security environment, because this variable is already taken into consideration in the SRM process.

Following the completion of steps 4 and 5, the Excel-based tool generates preliminary ratings of either PC2, PC3 or PC4 for each assessed output.

Step 6 – Evaluate activities with PC1 criteria

The sixth step is to evaluate each output to see if it meets the criteria for PC1.

• There are two possible criteria for an output to be considered PC1:
  1. Either the output, and individual activities thereunder, are assessed as lifesaving (humanitarian or non-humanitarian) at scale (defined as any activity to support processes or services, including needs assessments), and would have an immediate and significant impact on mortality; or
  2. The output or individual activity is directed by, or receives the endorsement of the CEO for this particular situation.
• If an activity meets either of these two criteria, it could be considered a PC1 activity and can be (but does not have to be) conducted in very high present risk, if endorsed by the Executive Head of the Client entity.
• Care should be taken to keep outputs identified as PC1 only to those that are so critical that exposing staff to very high risk would be acceptable.

Step 7 – Project Criticality level results, consensus, and final results

The seventh step is to view the PC levels of the various outputs, then form consensus within the management group of the final rating agreed, and finally approve the results.

• Once agreed by the managers/peer reviewers, the final results must be validated at the level of Country Director and approved by the CEO as applicable.
• In the unlikely event that agreement is not reached at country level, the Project Criticality Steering Group (PCSG), can intervene to mediate and/or ultimately decide.

Step 8 – Manage and implement the results of the Project Criticality assessment

Upon finalization of a Project Criticality assessment, the Country Manager or CEO (as applicable) should submit the results to the PCSG through the Project Criticality Desk.

• The submission should include a brief implementation plan that highlights some of the steps through which the client country leadership intends to promulgate and implement the Project Criticality assessment results.
• While client teams can tailor the process for implementation according to their contexts, it is generally recommended that a Project Criticality Custodian Group (PCCG) or similar body be created at country level that regularly reviews the Project Criticality assessment, carries out minor adjustments or re-ratings where necessary, and advises the client country leadership when a revision of the Project Criticality assessment is required.

The final step is to apply the results of the Project Criticality assessment within the relevant SRM processes to determine which projects and activities can proceed without additional risk management based on an agreed level of acceptable risk. This entails comparing the established PC level for each output to the present risk level, as determined through the SRM process, for each operational area where the output is conducted. While this process should be led by the Security Management Team (SMT) and overseen by the COO, it also requires that each client entity individually reviews that its outputs and activities are implemented within levels of acceptable risk. If the security risk to implementing an output is not within acceptable limits, client entities can either implement additional Security Risk Management measures to lower the risk, or employ alternative delivery modalities for this output to ensure that staff are not exposed to unacceptable risk.

As depicted in the flow chart below, the result of the Project Criticality assessment will inform managers at country level what can be delivered where, with the presence of staff. While the Project Criticality assessment is carried out separately from the SRM, the SRM process (Step 8) compares the Project Criticality assessment results to the current risk to determine acceptable risk for each output.

INSERT PICTURE OF FIGURE 3 (Security Risk Management enabling the implementation of programmes and mandated activities.)

Periodic review of the Project Criticality assessment

Depending on the timeframe agreed in step 1 of a Project Criticality assessment, its results must be revisited at least every 12 months, and possibly revised.

• Triggers for undertaking a full Project Criticality assessment in accordance with this Framework are changes in existing strategic priorities or a significant change in the strategic or business context.
• If the strategic results remain unchanged and no major shifts in the business environment have occurred, then a technical roll-over of the existing Project Criticality assessment is possible. However, this needs to be documented by the country presence and transmitted to the Project Criticality Secretariat for review by the PCSG.
• Since client outputs and associated activities may change while strategic results remain the same, a Representative of a client entity operating in- country may flag the possible change in business conditions to the client team on the ground at any time and ask for a review of the Project Criticality assessment. It is also recommended that a Project Criticality Custodian Group, consisting of staff at senior technical level from a select number of client entities, regularly reviews the Project Criticality assessment, undertakes technical reviews as necessary, and informs the leadership (where relevant) when a full revision is required.

Project Criticality Oversight and Support Structures

The Project Criticality Steering Group (PCSG), exercises strategic oversight of the implementation of this Project Criticality Framework. It is responsible to ensure that in contexts where Project Criticality assessments are mandatory, the client country leadership is supported as well as held accountable for the conduct of quality Project Criticality assessments. It may also intervene to facilitate decision-making where there is an impasse and/or in the unlikely event that consensus on project criticality levels is not reached at country level, and/or an appeal is made to the PCSG by a client entity present in the country in question.

In specific fast evolving situations, the PCSG can support the rapid determination of Project Criticality, in a manner to suit the context, as per its terms of reference.

The PCSG is supported by a technical level Project Criticality Coordination Team (PCCT) and by the Project Criticality Desk. The PCCT and the Desk are the main points of contact for client teams and senior leaders on Project Criticality. Together, these support structures are responsible for providing support, guidance and quality assurance to client country presences in the implementation of this Project Criticality Framework. This includes providing necessary support to allow for quality Project Criticality assessments to be undertaken in country or geographic areas within the country where this is needed and, where this is not the case, for action to be taken to ensure that the assessment in question takes place or is revised appropriately.

For full Project Criticality assessments, it is highly recommended for client country presences to draw on external facilitation support that can be provided by the PCSG/PCCT. At country level, a focal point is usually assigned in the office of the COO, as appropriate, to coordinate the preparations for the Project Criticality assessment across the client country presence. This includes ensuring the collection, compilation and quality of inputs, and to ensure the dissemination of information. Supplementary guidance is available to in-country focal points and external facilitators in each step of the Project Criticality assessment.