NGO Duty of Care in High-Risk Countries: 2026 Field Guide
Your NGO duty of care program gets tested on ordinary days, not just crisis days.
A field coordinator lands in a capital city where protests were peaceful last week. By nightfall, the airport road is blocked, mobile internet is intermittent, and your local team is making decisions with partial information. Nobody has done anything wrong, but your systems are either ready for this moment or they are not.
That is why NGO duty of care needs to be operational, specific, and rehearsed.
Aid Worker Security Database data shows the scale of exposure. Its published 2024 summary reports 633 major incidents affecting aid workers, with 387 killed, 308 injured, and 138 kidnapped. Those numbers are not abstract. They translate into staffing gaps, suspended programs, legal exposure, and real human trauma.
Why NGO duty of care feels harder in 2026
Corporate travel programs and humanitarian field programs share the same legal principle: if you deploy people, you owe them a reasonable standard of care. The difference is context.
NGOs often operate where:
- Governance is weak or contested
- Medical care is limited outside major cities
- Road travel is the default for last-mile movement
- Security incidents can evolve faster than official advisories
- Teams include staff, contractors, and volunteers with uneven training
Now add funding pressure, donor reporting timelines, and remote-first management structures. You can see why many organizations end up with policy documents that look solid but fail under field stress.
The baseline: ISO 31030 is a useful operating frame
ISO 31030 is not a silver bullet, but it gives NGOs a strong structure for travel risk management: governance, risk assessment, controls, communication, and post-trip review.
If you already have a formal policy, ask a blunt question: Can a country director use it at 10:30 p.m. during a communications blackout?
If the answer is no, you need an operational rewrite.
For a practical baseline, map your field process to your existing duty of care governance and documentation standards, then align your controls with your travel workflow. If you need a starting point, see HAAVYN’s guidance on duty of care.
Three real-world incident patterns that keep repeating
1) Rapid conflict escalation and emergency extraction
Sudan in April 2023 is still one of the clearest examples. Foreign governments and organizations ran emergency evacuations out of Khartoum as fighting intensified. Reuters reporting from that period described large multi-country evacuation operations, including Saudi Arabia evacuating over 5,000 people of around 100 nationalities by late April.
The lesson for NGOs is simple: evacuation capability is a design choice, not a heroic improvisation.
Questions to test now:
- Do you have pre-authorized evacuation triggers by province, not just by country?
- Can you move both international and national staff under the same decision framework?
- Does your comms plan still work when staff lose mobile data?
2) Urban violence and criminality in politically fragile settings
In several high-risk markets, teams are now more exposed during predictable routines than during named crisis events: airport transfers, cash handling days, and movement between guesthouses and project sites.
This is where many NGOs over-focus on strategic risk and under-invest in daily movement controls.
What works better:
- Route discipline with timed check-ins
- Hardened transport vendor standards
- No-exception movement windows after dark in red zones
- Incident logging that captures near-misses, not only major events
3) Road movement as the biggest unglamorous risk
Road crashes remain a leading cause of serious injury globally. WHO’s road traffic fact sheet reports approximately 1.19 million deaths per year, with a disproportionate burden in low- and middle-income countries.
Most NGO programs are road-dependent. If your duty of care model treats road risk as a transport admin task, you are underestimating your highest-frequency hazard.
The practical playbook for NGO duty of care
Build risk tiers that match field reality
Country-level ratings are too blunt. Build at least three layers:
- Country tier - strategic exposure, insurance implications, evacuation posture
- Subnational tier - city, corridor, district, border-crossing conditions
- Task tier - what the person is actually doing: meeting, distribution, inspection, overnight transit
Use those layers to drive controls automatically. Avoid ad hoc exceptions.
Treat national staff protection as a first-class duty of care issue
Many organizations still have stronger process for expatriate travelers than for national teams. That is a legal and ethical blind spot.
Set explicit parity rules:
- Same incident reporting channels for all staff categories
- Same medical escalation thresholds
- Same crisis communication cadences
- Same post-incident support access
When constraints force different controls, document why and what compensating measures are in place.
Put decision triggers in writing before the incident
Good teams do not debate first principles during a fast-moving event.
Define triggers in advance, such as:
- Curfew declared in city of operation
- Airport access roads blocked for a defined period
- Confirmed targeted violence within a defined radius
- Communications outage beyond a set duration
For each trigger, tie a default action: shelter-in-place, route change, task suspension, relocation, or extraction initiation.
Fix your communication architecture
During incidents, communication fails in predictable ways. Plans often assume stable internet and immediate management availability.
Minimum standard for high-risk operations:
- Primary channel (secure messaging)
- Secondary channel (SMS/voice fallback)
- Tertiary channel (satellite or radio protocol where needed)
- Pre-assigned communication ownership by shift
If you cannot run this architecture with current tools, you need a mobility platform upgrade. HAAVYN’s secure mobility workflow is one model to benchmark against.
Run after-action reviews that actually change behavior
Most post-incident reviews become narrative reports. Useful, but insufficient.
Your review should produce:
- One process change
- One training change
- One technology or data change
- One owner and deadline per change
No owner means no improvement.
A 30-day upgrade plan for risk and operations leaders
If your program is mature, this is a tuning exercise. If it is not, this is where to start.
Week 1: Diagnostic
- Map current travel and movement workflows against ISO 31030 controls
- Identify where approvals, tracking, and incident response break in practice
- Pull 12 months of near-miss and incident data
Week 2: Control redesign
- Create subnational and task-based risk tiers
- Define trigger-action matrix for top 10 operational scenarios
- Set minimum transport and accommodation standards by risk tier
Week 3: Rehearsal
- Run a two-hour tabletop on sudden urban unrest
- Run a communications blackout drill
- Validate welfare check timings and escalation routes
Week 4: Governance and reporting
- Assign control owners across security, HR, operations, and country leadership
- Add duty of care KPIs to monthly executive reporting
- Confirm insurance assumptions against real operating patterns
Then repeat the cycle quarterly.
The board-level question you should be ready for
When an incident happens, leadership will ask one question in different words: Were we reasonably prepared?
A strong answer is never “we had a policy.” A strong answer is:
- We assessed this risk at country and subnational level
- We implemented proportional controls
- We trained people on those controls
- We monitored compliance and corrected gaps
- We can evidence every step
That is what defensible duty of care looks like.
Final thought
NGO work will always involve uncertainty. Duty of care is not about removing all risk. It is about proving your organization can make disciplined, humane decisions under pressure while protecting the people who deliver your mission.
If you are rebuilding your travel and field safety model this quarter, start with the controls that influence daily movement and incident decision speed. Those are the ones that save lives and protect your organization when the pressure hits.
FAQ: NGO duty of care in high-risk countries
What is NGO duty of care in practical terms?
It is the organization’s responsibility to identify foreseeable risks, implement reasonable protective controls, train people, and respond effectively when incidents occur. In practice, that means risk-tiered planning, communication protocols, movement controls, and documented decision-making.
Is ISO 31030 mandatory for NGOs?
ISO 31030 is guidance, not a binding law in most jurisdictions. Still, it is widely used as a benchmark for what “reasonable” travel risk management looks like. Using it helps demonstrate a structured, defensible approach.
Should NGOs use the same standards for national and international staff?
Core duty of care principles should apply to everyone. Controls may differ by context, but organizations should be explicit about parity, rationale, and compensating measures to avoid ethical and legal blind spots.
What is the most overlooked duty of care risk for field teams?
Road movement is often under-managed relative to its frequency and severity. Organizations that tighten driver standards, route controls, and check-in discipline usually reduce exposure quickly.
How often should NGOs test incident response plans?
At minimum, quarterly for high-risk operations, plus immediate testing after major changes in threat profile, staffing, or operating geography.
