1. Risk management is a crucial process for human rights defenders and organizations. But why exactly is it so important?

(Select all that apply)

2. What are assets from the security perspective?

3. Drag and drop the correct definition next to each corresponding term.

4. You are a human rights defender advocating for land rights in your country. Recently, your organization has been vocal about illegal land grabs, and a powerful local business is unhappy with your work, since you have exposed them in your report. You heard rumors that people connected to the local business have intimidated activists in the past. Your team is now trying to assess the probability of a physical attack against you or your colleagues.

Which factors should you consider?

(Select all that apply)

5. What are the four most common types of risk treatment?

6. Please select an example of a ‘good’ implementation plan for a safety measure. Think about the elements discussed in Module 2.

7. When considering security measures, it is important to understand what they can and cannot achieve. What do you think of this statement about using a Virtual Private Network (VPN):

“When connected, a VPN hides your IP address from the website you are visiting.”

8. After conducting a thorough risk assessment for the upcoming training for LGBTQIA+ activists, you identified the potential risk of ‘Fear of harassment at the venue.’ Based on past experiences of the Balronia Center for Human Rights in organizing events, the likelihood of this occurring is rated as low. However, if it were to happen, the impact on participants would be high.

What measure could be implemented to reduce both the likelihood and the impact of this risk?

9. Is the following statement true or false?

“When seeking external assistance, the management should hand over the responsibility for the risk management process to the external consultants.”

10. A staff member at an NGO working on the prevention of torture was assigned to map individual cases of torture in a particular country, which involved gathering testimonies from victims. As a result of being exposed to these traumatic experiences, the staff member began to experience secondary trauma, known as vicarious trauma. In response, the NGO management decided to reassign the staff member to a different role and assigned the task to another colleague.

Would you agree with the following statement?

“The management acted in a good manner and avoided the risk of a staff member continuing to experience trauma, as they may not have been mentally strong enough to tackle torture cases. It is better to relocate such individuals to other tasks that will have less impact on their psychological safety.”

11. The person responsible to check the implementation of the tasks:

(Select all that apply)

12. The last stage of the risk management process is to repeat it all, but how often should an organization repeat all the stages of the risk management process?

(Select all that apply)

13. A human rights organization has been working on implementing a new security strategy aimed at protecting its staff and sensitive data. The management has tasked a team with executing this plan, with a designated person responsible for overseeing the implementation. After several months of monitoring and reviewing the progress, the evaluator discovers that very little has been achieved. The reasons are clear: responsibilities were unclear, no one was accountable for specific tasks, there were insufficient resources allocated, and the person in charge was overwhelmed and burned-out, unable to follow through on their tasks. Based on these findings, the management needs to make important decisions to address the issues and move forward effectively.

What decisions could the management take based on the information gathered and the evaluation results from this process?

14. A consultant – security auditor was hired to assess organization’s safety and security protocol. As per good practice, the consultant is seeking for the organization’s list of risks. Management of the organization explains that no comprehensive list of assets or risks exists yet.

What should the auditor do?

(Select all that apply)

15. Management has decided to collect information in relation to recent data leakage from their organization. The data leaked has caused quite some issues for the organization, as it exposed identities of some individual HRDs in risky environments that they’re working with. This leakage happened despite the organization having robust security measures in place. Now, for the purpose of analysing the incident, management designated a person to collect information from staff members and review it in order to assess their security measures and amend them accordingly. They provided the designated person with a list of information they would want to receive from the staff members. Amongst other things, the list included information regarding their personal security measures (eg. passwords, 2FA, VPN), recent communication with stakeholders, and recent contacts in case it was necessary to investigate whether data leakage was linked to personal relationship. To prevent any further damage, the management decided to make this process as classified as possible; informing staff members about the leakage only after they review the information and assess what went wrong.

Did the management take the right approach?