Regulating Humanitarian Governance: Humanitarianism and the `Risk Society'

This research advances the critical literature of humanitarian governance by demonstrating how ‘risk management’ is reproduced within the governance and regulatory structures of humanitarian institutions and, crucially, how it distorts patterns of emergency assistance coverage. Focusing on the impact of post-disciplinary forms of control, it reveals how humanitarian resources are disciplined by banks’ responses to regulatory changes initiated by the adoption of counterterrorist financing legislation designed to counter flows ofmoney to terrorists. This has resulted in the systematic shedding of NGO customers and the routine blocking of their international transactions—known as derisking. In an effort to limit this, NGOs have adopted a ‘precautionary approach’ to managing risk in their own activities, limiting their ability to reach some of themost vulnerable populations and curtailing innovation. Furthermore, the impact of this on the governance and structure of the humanitarian system has spread beyond contexts of conflict into situations more conventionally labelled as natural disasters such as drought, enabling the exercise of new techniques of power over significant parts of the humanitarian system.


Introduction
Calculations of risk permeate much of what humanitarian agencies routinely do (Mackintosh & Duplat, 2013;Schneiker, 2018) but academic study has neglected its impact on humanitarian institutions and governance. Attention has instead concentrated on the typology of the risks of violence to humanitarian workers (Fox, 1999;Stoddard, Harmer, & Haver, 2006), risk considerations in humanitarianism's defensive procedures and architecture (Bruderlein & Gassmann, 2006;Duffield, 2010;Lacy, 2008;Smirl, 2008;Van Brabant, 1998) and the interaction of beneficiary risk and vulnerability (Daniels, Kettl, & Kunreuther, 2006;Wisner, Blaikie, Cannon, & Davis, 2007). Yet relatively little attention has been paid to how 'risk management' permeates the governance and rationalities of humanitarian institutions and, crucially, how it intrudes on humanitarian programming and the resulting patterns of emergency assistance coverage.
Specifically, the impact of state responses to 9/11 on the global banking system and its relationship to the humanitarian system necessitate precisely such thought. There is already considerable work (Keatinge, 2014;Mackintosh & Duplat, 2013) that details the ways in which banks have responded to the post-9/11 regulatory efforts regarding counter-terrorist financing (CTF) and how states have legislated in ways that co-opt financial institutions into quasi-regulatory roles with regard to the humanitarian community. Profound uncertainty about how these new CTF laws should be interpreted, soaring regulatory fines imposed on banks for breaching the rules, combined with statements and directives from national and international regulatory bodies such as the Financial Action Task Force (FATF) identifying the not-forprofit sector generally as particularly vulnerable to abuse by terrorists, has established within the financial sector a global pattern of risk aversion to this type of business. This is labelled as 'derisking,' the most visible manifestation of this being the 'shuttering' (closing down of) NGO accounts. This has impacted seriously the operations of humanitarian organisations and also brings into question the continuing viability of core humanitarian principles, predicated on access based solely on need.
This article charts three of the main ideas that emerge from the sociology of risk (the 'precautionary principle,' the impossibility of managing risk and the role 'risk' plays in shaping global governance) before mapping these onto the empirical findings of research conducted on humanitarian responses to the Syrian civil war. The findings firstly establish the scale of derisking before evaluating whether bank derisking has led to the adoption of a precautionary approach amongst NGOs and created subjects able to be governed through the manipulation of risk. They also establish the extent to which 'risk' has been 'manageable' in terms of humanitarian and CTF outcomes. This illuminates the ways in which risk management thinking has reshaped humanitarian priorities and governance.

The Sociology of Risk's Big Ideas
The sociology of 'risk' has increasingly become concerned with the consequences for state-society relations of managing risk; illustrated by Michael Power's assertion that not only are we living in a "Risk Society" where we are now concerned with the "risk management of everything" (Power, 2004). This literature emphasises how considerations of risk have reshaped social institutions with a major strand drawing upon Beck's assertion of a 'second modernity' in which we are "increasingly occupied with debating, preventing and managing risks that it itself has produced" (Giddens, 1999). Describing this as "reflexive modernisation," Beck identifies a novel process in which society constantly reflects on a growing tide of feedback information, resulting in compulsive self-monitoring that itself generates both novel surveillance technologies and also manufactures new perceptions of risks. This has reoriented security calculations away from a traditional vocabulary of "deterring foes or defending against identifiable and acute threats" towards an emphasis on "prevention, probabilities, possible future scenarios and managing diffuse risk" (Corry, 2012). Similarly, protracted projects such as the 'War on Terror' have resulted in the far-reaching expansion of the precautionary principle into security matters through the adoption of modes of preventive war and the wholesale diffusion of "risk-management techniques like registration, screening and profiling" in other modes of governance (Beck, 1999).
While the findings across this broad literature are diverse, three ideas have emerged as especially prominent: that there exists a widespread and wary approach towards an uncertain future (often described as the 'precautionary principle'); that this fosters significant change in both organisational behaviour and state society relations; and, finally, the existence of a profound uncertainty as to whether risk can be managed through rational regulatory means. Let's take each of these in turn.
The precautionary principle idea results from the challenges of managing what Beck characterises as ultimately incalculable but high-consequence threats to life and security and the corresponding framing of governmental responses by what have been variously described as logics of "pre-emption" (e.g., Cooper, 2006;Derrida, 2003) or the 'precautionary principle.' Risk management rationalities are also frequently portrayed as promoting a danger-averse strategy of containment, long-term management and the building of governance-capacity through a "precautionary risk dispositive" (Diprose, Stephenson, Mills, Race, & Hawkins, 2008). Consequently, several writers point to the role of risk in broadening processes of securitisation. Coker (2002), echoed by Rasmussen (2006), for example, both describe the precautionary principle and anticipatory defence not simply as mutual analogies but as a single strategic doctrine. Similarly, de Goede draws attention to the role 'pre-emptive security' in strategic calculations resulting in the invasion of Iraq in 2003 but also highlights how it became apparent much more widely, especially in efforts to curtail terrorist financing (de Goede, 2008).
While these ideas have clearly penetrated the fields of security studies, they transform several conventional notions. 'Threat,' for example, the possibility of direct and immediate harm, is intentionally swollen to encompass the conditions for the possibility for harm. Equally, notions of territorial defence and deterrence also become far broader concerns for the management of increasingly unbounded risks and uncertainty, with profound implications particularly for previously tightly focused collective security organisations such as NATO (Rasmussen, 2001).
Furthermore, risk is imagined as a chronic and permanent condition. This approach is a key feature of a re-imagined modernity that functions through appearing to make a seemingly unpredictable and unruly future calculable. Whereas, theoretically, threats can be countered effectively, risks cannot. They are an imagined and permanent fixture of an uncertain future, leading some to conclude that in a "risk society there is no such thing as perfect security" (Rasmussen, 2006) as even when risks fail to materialise their potential remains. Similarly, if a risk materialises as a 'real' and harmful event it does not dissipate once finished as the memory will continue to shape the imaginary of the future and, if anything, only validate the possibility of future risks. In this way risk always haunts the future in ways that threats do not, leading to the resolute orientation of organisational risk calculations towards curbing future possibilities.
Risk is also inextricably bound up with notions of power and governance by constructing processes, people, or things politically in terms of their potential risks. Giddens explains that the idea of risk "is bound up with the aspiration to control and particularly the idea of controlling the future" (Giddens, 1999). Undoubtedly, both its definitional and conceptual ambiguity (Bhimani, 2009) and the process of defining it create opportunities for elites to establish and exercise power. Drawing on roots in the organisational studies literature, where theorising power has long been a core preoccupation (Alvesson & Deetz, 2006;Clegg, 2006;Knights & Roberts, 1982;Lukes, 2005;Munro, 2000), risk literature consistently identifies sources of power as located in the ways in which risk management is instrumentalised to create or sustain power structures by institutions, professions, or individuals (Miller & Rose, 2010). Equally from a Foucauldian perspective, managing risk is a constitutive practice of neo-liberal governmentality that is able to legitimise and structure the control of institutions and individuals at arm's length. It provides a "way of organizing reality, disciplining the future, taming chance and rationalizing individual conduct" (Aradau & van Munster, 2007). Other writers, especially those inspired by Bourdieu and Foucault, dispense with rationalist risk instrumentalization as a modernist tool for sharing 'risk' and calculating insurance premiums, reconfiguring it instead as a mode of governmentality, a technology through which institutions manufacture and harness unease in order to legitimise their role in the provision of security and protection (Bigo, 2002). For these writers, governing through the articulation and naming of risks results in a mushrooming of populations under the control of governments and subject to disparate forms of surveillance, monitoring and profiling (Aradau & van Munster, 2007). Implicit within this pessimistic vision is the piecemeal, cumulative and excessive growth of governmental power built on a combination of legitimating logics that blend biopolitical modes of control, calculations of risk and security thinking.
Furthermore, risk management is ubiquitous with all social domains imagined as requiring management through analogous techniques and instruments. Ericson, Doyle, and Barry (2003) extend this logic , arguing that risk thinking promotes an economically rational decisionmaking model that leads to neo-liberal notions of rationality colonising increasingly diverse social, economic and political domains and bending the dominant logic of each to an 'economic' rationality. This argument paints risk management as an expansionary and normatively prescriptive rationality.
The complicity of risk management in creating subjects that are capable of being governed is where we can see the greatest crossover with some humanitarian scholarship. Foucauldian ideas have been powerfully resonant within the works of writers including Fassin (2012), Pandolfi (2002), McFalls (2010) and, most prominently, Duffield (2014), who each emphasise how humanitarian technologies and institutions are used by northern states to render populations in the global south as governable. Risk management as a mode of extending the north's capacity to govern is consistent with this. By constructing both the distant and formerly ungovernable 'victim' populations, especially those under the control of proscribed non-state armed groups, and the humanitarian organisations that seek to sustain them as manufacturers of societal risk, it is possible for the global north to render both as real and governable. Constructed in this way, they can be wilfully steered through political and bureaucratic action, making real Foucault's idea of governing populations and economies rather than territories or moral communities (Foucault, 2003).
The third powerful idea is that of risk's ultimate ungovernability. This can be traced to Ulrich Beck's identification of risks as being constructed through the interaction of reflexivity and technological change resulting in the cascading identification of multiplying risks in an ever-growing set of social domains. Beck conceives of the rationalist idea of the manageability of risk as a veneer covering the reality of chronic and pervasively uncontrollable risk, ultimately warning us that, in a 'world risk society,' "the very idea of controllability, certainty or security-which is so central to first modernitycollapses" (Beck, 1992). In this sense rationalism's claim to be able to control uncertainty dissolves because of, rather than despite, the pursuit of security.
This idea has been popularised by a growing identification of the global financial crisis's roots in the limits of regulatory ability to manage systemic risk (Millo & MacKenzie, 2009). It taps into wider academic and popular debates that challenge the dominant models of economic risk management developed since the 1980s and engage critically with managerial ideologies (Power, 2009). Hence critiques of risk management blend into broader ideas of the failure of the techniques of managerial rationalities, statistico-probabilistic techniques and science generally-suggesting that these might be ineffective or ultimately may in fact reduce societal security (Bijker, 2006).
The mechanisms for this failure have been explored by a number of authors (Huber & Scheytt, 2013;Power, Scheytt, Soin, & Sahlin, 2009) and have focused on the implications of increasing reliance on systems that correspond to images of manageability, and therefore of transparency, accountability and auditability. But efforts to uphold the myths and discourses of manageability divert attention from the pursuit of functionality. In other words, it becomes more important for organisational legitimacy that activities are rendered visibly auditable and capable of being subjected to managerial intervention-and if they cannot be made to conform, they risk becoming literally unthinkable. Rothstein, Huber, and Gaskell (2006) echo this approach, arguing that risk management is firmly rooted in the pervasive logic of reputation and precautionary risk. Facing heightened oversight and accountability, regulatory bodies are pressured to account for "their constrained ability to manage their regulatory objects." With potential 'failure' being inherent in the logic of risk, constructing the subjects of regulation in terms of risk provides a defensible and legitimate procedural rationality for regulators to manage both their regulatory objects and their own growing reputational risks of regulatory failure. This reflexive aspect of risk governance is used to explain the ways in which risk considerations expand the objects and methods of regulation but also the potential for divergences between regulator's declaratory and underlying purposes. An excessive focus on managing the regulatory bodies' own reputational risk may, they argue, result in dealing less effectively with the management of societal risks or those risks for which the regulator was in fact established.

Methodology
These ideas provide a valuable lens through which to analyse the international response to the Syrian crisis and were examined through research conducted in Turkey, Lebanon, the UK and Northern Syria (facilitated by a major European based NGO that did not want to be named as sponsoring this research). Information was collated from interviews conducted in Arabic or English in each of these countries (n= 73) as well as round tables (n = 11) and a survey (N = 297). The typology of NGO types used was developed from a taxonomy identified by INTRAC (the International NGO Training and Research Centre) and ACAPs (Assessment Capacities Project), two major NGO consortia: • Category 1: Small, new Syrian NGOs often community based.
• Category 3: Syrian international non-governmental organisations (INGOs). Larger, more established Syrian NGOs that had expanded their operational reach to more than one additional state suffering from a humanitarian emergency. • Category 4: Islamic INGOs with offices also in Turkey and/or Lebanon. • Category 5: US or European INGOs with programmes in Syria and operating from Lebanon or Turkey regional hubs.
Those NGOs consulted were largely emergency-based commodity and medical services providers. Another strand of the research programme involved interviewing European banks to determine whether the impact of regulatory changes, the risks of fines and the unprofitability of the NGO sector was a factor or the factor in decisions to de-bank NGO customers. The findings are beyond the scope of this article but the evidence strongly suggests they were in fact the major factor in decision-making.

Overview of Findings
The research identified a sustained process of bank derisking resulting in a widespread reduction in the number of banks willing or able to receive payments for NGOs. During interviews, major European banks themselves recognised the powerful and overwhelming effect that regulatory changes and the possibility of fines/reputational damage had on the balance between risks and profitability and the impact this had on their willingness to debank NGOs. NGOs consistently argued that this posed a severe and, in some cases, existential risk (see Table 1). Syrian NGOs of all sizes, but particularly the smallest, were most affected by Turkish bank shuttering. All were affected to varying degrees on at least one occasion and in ways that were not obviously dependent on the institutional 'quality' of the affected organisation. European and North American NGOs also faced considerable challenges with their own domestic banks, but on a lesser scale (but crucially extending to all humanitarian crises where proscribed organisations existed). Consequently, NGO staff deemed the probability of bank derisking as incalculable yet growing, and increasingly difficult to predict but with the potential for severe consequences. The survey revealed that NGOs working on the Syrian crisis have increasingly encountered difficulties receiving, moving and storing money via the formal banking system and that they perceived the situation to be worsening (Table 1). Banks have demanded increasing amounts of information-leading to delays, blockages and occasionally returns of donations, freezing or blocking of accounts and the declination of requests to open new accounts. There was considerable evidence that both client banks and correspondent banks continued to block NGO financial transactions and that Syrian NGOs of all sizes, but particularly the smallest were most affected by correspondent bank delays and bank shuttering in Turkey.
Syrian NGOs of all sizes, but particularly the smallest, were most affected by Turkish bank shuttering, with all of them affected to varying degrees on at least one occasion (Table 2). However, European and North American NGOs also faced considerable challenges with domestic debanking but on a reduced scale.
The probabilities of correspondent banking delays were highest amongst type 1 and 2 NGO categories, usually the smaller Syrian NGOs with the greatest access to Syrian communities in the more difficult areas-and heavily relied upon by the INGO community to reach Syrian communities (see Table 3).
Delays and challenges with correspondent banking were felt to be increasing faster than the NGO sector's capacity to manage bank behaviour (Table 4, serials 1.1 to 1.4 and 2.5) While the surveys revealed the increasing scale of derisking behaviour the interviews revealed the unpredictable and inconsistent ways in which bank derisking occurred. Even NGOs with well-developed and sophisticated compliance processes argued that they faced a high degree of risk when it came to international financial transactions supporting their Syrian operations. As one NGO Finance director, after having taken me on a laborious tour of the NGO's compliance department, record keeping and forensic accounting processes, explained: We do not understand why transactions are stopped. One week a payment will get through and the next month another identical payment will be stopped. There is the same money-amount, currency, donor  We found examples from all of the interviewees in category 3 (Syrian NGOs with offices in Turkey plus one other state) who made repeated (five or more) and almost identical financial transactions (same donor, same respondent banks, same humanitarian programmes, dollar denominations of approximately $150,000 each) that were treated differently (some rejected, some delayed and some passed immediately)-suggesting a considerable element of randomness in the process. In each case the affected NGO was not informed of the name of the correspondent bank used in the transaction or the grounds upon which the transaction was terminated or delayed nor were they given the opportunity to provide additional documentation or explain their caseeffectively stymieing any redress or enabling adaptations to facilitate future transactions. The unpredictable nature of bank derisking rendered the probabilistic risk to NGOs as incalculable.
Despite considerable efforts to make money transfers auditable, due to the absence of any functioning banks in rebel-held areas of Syria, all NGOs systematically reported that they used the hawala system (Table 5) to transmit larger sums of money for staff wages and items purchased in Syria.
Hawala is a traditional trust-based system of transferring money used in Arab countries and South Asia, in which money is paid to an agent who then instructs an associate in the relevant country or area to pay the final recipient. Hawala is frequently viewed as an informal method of transferring money without physical money actually moving and exists largely outside of traditional banking systems. It is illegal in several jurisdictions. In Syria, several major hawala networks have been coopted by armed actors but elsewhere they serve a vital function in granting access to the unbanked and underbanked populations of the world.
Hence, regardless of the increasing auditability of the formal NGO management processes, all money used in Syria passed through unregulated and largely unauditable channels.
Empirically, therefore, this demonstrates both the scale and perceived incalculability of the bank derisking risk.

Evidence of a Precautionary Approach
But what impact does this enhanced 'risk' of bank derisking has on humanitarian NGOs and, specifically, does decision-making increasingly revolve around the precautionary principle: a danger averse strategy in the face of incalculable but imminent and potentially catastrophic threats?
Many NGOs struggled to disentangle the effects of factors that already restricted programming choices and agency presence in conflict settings: high levels of insecurity, incomplete/inaccurate/missing baseline or current needs assessment information, agency programme preferences, differential links to particular communities, donor preferences, manipulation by armed actors, accessibility of community interlocutors, etc. Interviewees also described institutional incentives that encouraged the clustering of humanitarian agencies in the more accessible and often government-controlled areas, irrespective of underlying patterns of need. Historically, humanitarian programming at a macro or country level tends to follow the coincidence of population concentrations and logistical access, whereas, understandably, the least densely populated and most challenging to reach areas tend to attract fewer programmes. This frequently results in some populations receiving higher per capita levels of assistance than more dispersed groups, even with the same levels of underlying need. Similarly, donors and NGOs often prefer to fund programmes with fewer risks and the potential to reach more recipients, leading to an innate bias towards the more populous and accessible areas. However, interviewees suggested that derisking added an additional factor that amplified this pre-existing bias. They painted a vivid picture of humanitarian organisations in Turkey increasingly anticipating the possibility of bank derisking in their programming decisions and reacting to this with more conservative activities, especially reducing cash elements in programming and activities in areas controlled by proscribed organisations. Syrian NGOs, those with the greatest overall levels of access, were consistently able to identify areas, almost invariably overlapping with areas under the control of (or accessed through areas controlled by) proscribed organisations, that were impossible to reach in ways that conformed to their banks' risk appetites (see Table 6).
Furthermore, (compared with the period until 2014) there was evidence of substantial modification or curtailment of humanitarian activities in these areas (see Table 7).
Although this trend was less pronounced amongst INGOs, many of these worked through local NGOs (who were impacted and sometimes obscured the ways in which they continued to work in these areas). An NGO's financial controller told me that "we know our bank will  Perception of organisation self-limiting in hard-to-reach and besieged areas 20% 15% 57% 20% 11% (% answering 'yes') not let us move money for these areas so we do not." A senior staff member from one Syrian INGO reported that "our organisation has never worked in those areas. There is too much risk. As we became bigger, we talked [about it]. We know it would be a problem with banks and donors. We still do not work in these places." I identified 11 organisations of all sizes (from categories 1 and 2) that privately admitted to making these sorts of strategic choices and a further 6 who variously obfuscated records or substituted in-kind deliveries for cash elements. Of the five category 2 NGOs interviewed, all claimed to work mainly or significantly outside of these areas but admitted to obfuscating reporting for donors by stressing work outside of the difficult areas but diverting some of the resources to help in the most desperate of besieged communities. "This is a big risk for us. We are not allowed. But what do [should] we do? There is no choice." In effect their own version of the humanitarian imperative compelled them in the most severe situations into a twilight zone of illegality.
Managing reputational risk was also a major factor in decision-making. Significant numbers of INGO and Syrian NGO interviewees confirmed their unwillingness to work directly or transparently in areas under the control of proscribed organisations specifically because of concerns that this would damage their reputation through listing on commercial risk management databases used by banks to calculate risk exposure, such as Thomson Reuters World Check (TRWC) or its equivalent. There was significant concern amongst NGOs that such blockages arose from appearing on consolidated watchlists of the type maintained by TRWC (there are others including RiskScreen KYC Global but only TRWC was specifically mentioned in interviews) and routinely used by bank compliance departments. The TRWC database maintains records containing details on 2,2 million persons who have in common that they are considered Politically Exposed Persons or 'heightened risk individuals' and organisations to help to identify and manage financial, regulatory and reputational risk. Despite its widespread usage the database has not been without controversy.
The BBC Radio 4 programme HSBC, Moslems and Me reported finding information in World-Check based on Wikipedia entries, biased blogs and state-backed news agencies. There have also been a number of cases of benign organisations being wrongly listed.
One senior NGO staff member privately told us that "we cannot work there [the areas under proscribed organisation control]. We will be listed and not able to work in Turkey or Syria." Another indicated that they feared even being mentioned on these lists-they "can mean the death of a humanitarian organisation working in Syria", he claimed (referring to derisking).
The numbers affected by these choices were considerable. According to UN estimates in mid-2016 the Assad government forces besieged 200,000 people in Eastern Ghouta, Daraya, Zabadani and Madaya; ISIS 200,000 people in Deir ez-Zour; and diverse ranges of militia, including the former al-Nusra Front, had a further 12,500 in Fu'a, Kefraya and Idlib. Interviewees reported that the southern suburb enclave outside of Damascus was especially problematic. These had been surrounded by Syrian military forces and sectarian progovernment militias and the besieged neighbourhoods (including Yelda, Babbila, Beit Sahm, al-Qadam Yarmouk and Hajar al-Aswad) were also controlled by a patchwork of armed groups including ISIS, the former al-Qaeda affiliate Jabhat al-Nusra (now Hay'at Tahrir al-Sham), as well as various other armed opposition groups. Areas under the control of Hezbollah were reported as difficult but not impossible to reach from Lebanon, but again respondents argued that the imposition of anti-money laundering and CTFs legislation's 'strict liability' approach had created a further 'chilling effect'causing their organisations to resist supporting these communities in all but the most compelling of circumstances. The 'risk' of goods or funding being diverted to proscribed organisations, causing reputational damage to the NGO and triggering catastrophic bouts of bank derisking clearly reinforced conservatism in humanitarian programming. The precautionary approach arose from the incalculability and imminence of derisking plus its potentially catastrophic impact on access to financial institutions.

Creating Subjects Capable of Being Governed through Risk
9/11 created new opportunities for states to define threats and their attendant risks. The FATF, the central institution of the global financial regulatory regime, clearly identified the NGO community as 'particularly vulnerable' to manipulation by terrorist entities. One of its influential recommendations (Recommendation 8) identified NGOs collectively as possessing "characteristics that make them particularly attractive to terrorists or vulnerable to misuse for terrorist financing" (FATF, 2008). This conclusion was driven by concerns that NGOs would divert funds, affiliate with proscribed organisations, contribute to recruitment, be manipulated by terrorists or established as fund raising sham organisations. Hence, humanitarian NGOs were clearly designated as providers of risk and subject to risk management.
Some states exploited this. Turkey, host to the main humanitarian effort into Syria, opportunistically utilised risk management to manage the humanitarian system's priorities and align them with its own strategic interests. Turkey, overwhelmed by the scale of the humanitarian crisis, initially embraced the international aid effort despite a tradition of distrust for both civil society and outsiders operating in the country. It provided the largely autonomous humanitarian system with considerable latitude, relaxing numerous bureaucratic requirements and turning a blind eye to many NGO practices (Heller, 2017). This began to change as Syria's emergency transformed into what appeared to be an indefinite commitment and Turkey's own domestic security became far more uncertain. Conflict reignited with Kurdish insurgents and jihadists became more active on both sides of the Turkish-Syrian border. At the same time the NGO community grew, with both new Syrian NGOs and INGOs expanding their presence in, and operations from, Turkish border towns.
From 2014, Turkish authorities placed pressure on NGOs to formally register with the state. However, the humanitarian community faced byzantine bureaucratic processes: confusing procedures, long administrative delays and what were felt to be arbitrary and inconsistent decisions. One NGO director stated that: Some Syrian NGOs were rejected and were not told why, others had to wait months for their permits and couldn't register for bank accounts in the meantime. Others were given six-month, one year, 18-month, two year or five-year permits. We could not understand what was going on.
One senior UN official, interviewed on condition of anonymity for both himself and his agency, suggested that this: Was seen by some as Turkey returning to its old ways of doing bureaucratic business but there was a new suspicion that this was also a restoration of its traditional distrust of foreigners and a political effort to gain control of the aid flowing into Syria.
An INGO country director concluded that the ambiguity and absence of transparency of the process as a whole was also viewed as a way of maintaining pressure on the NGO community to acquiesce. A Syrian NGO Director based in Istanbul argued that "they don't want us to speak out about them. If we are not registered, they can close us down whenever they want…and we cannot complain about them and what they do." The growth in the formal regulation of NGOs was accompanied by increasing controls on the movement of NGO staff across the Turkish-Syrian border. From the middle of 2015, Turkey imposed increasing restrictions on NGO cross-border activities, initially limiting the number of staff able to cross into or out of Syria to seven and subsequently reducing this further to five and restricting the site of their crossing to the checkpoints at Bab al-Hawa and Kobane. Turkish officials interviewed for this project indicated that these measures were intended to prevent the flow of foreign fighters into Syria rather than shape the humanitarian effort. But it adversely impacted both the effectiveness of the aid effort and also the auditability and transparency of humanitarian programmes in Syria.
The gradual imposition of such restrictions compounded the already limited access due to high levels of insecurity (especially in ISIS-controlled areas) and forced even Syrian NGOs to rely increasingly on remote management. This itself had consequences both for accountability relationships and the transparency of aid flows. One NGO director complained that "how am I able to monitor my projects if I cannot see them? I have to be transparent but I cannot even see. How can this work?" Several NGO directors complained "you cannot have [both] transparency and big restrictions on crossborder staff movement" while one especially vexed NGO director argued that this "makes it more difficult to talk to banks and let them know we are able to manage where the money gets to in Syria." This was felt to restrict their ability to limit aid diversion, navigate the politics of the numerous political groups and competing armed actors or being manipulated by claimants to leadership positions-further encouraging a precautionary approach to programming risk.
The Turkish authorities maintained a regime of NGO regulation that manufactured incalculable bureaucratic risks, encouraging forms of self-regulatory (or precautionary) behaviour on the part of NGOs in order to avoid antagonising the Turkish authorities. By effectively entrenching NGO vulnerability it created an imminent risk to NGOs that the Turkish authorities could close down any NGO that transgressed the political appetites of the Erdogan administration.
Syrian NGOs based in Turkey also faced widespread debanking by Turkish banks as well as problems accessing money already transferred from abroad, particularly when the Syrian organisation used 'Syria' or 'Sham' (referencing 'Damascus' and its environs) in the title. One Turkish-registered, Syrian-staffed NGO, reported how they were debanked and were then unsuccessful in gaining access to banking services for several months until they changed their name and logo, ensured that their trustees were known as secular rather than religious personalities and changed their organisational logo to one that did not provide any form of indication that this was an Islamic or Syrian NGO. At least seven Turkish-registered, Syrian-staffed NGOs, with offices in Istanbul reported that even after changes to organisational names, logos, a secularisation of trustees and senior officials as well as Turkish registration they were unable to predictably access money already in their Turkish accounts.
The exercise of power through risk management was also manifest less obviously. Syrian NGOs with the least problems in terms of bank derisking were a group of six who enjoyed strong sub-contracting relationships with major European NGOs themselves funded by European states. This category emerged during the Syrian crisis and increasingly adopted western and largely secular governance models and western modes of transparency and managerial control. All had made very visible and significant changes to their financial accountability and governance arrangements in response both to advice from the donor NGO and in anticipation of future problems with their banks. The donor INGO invariably held the smaller organisation to the same transparency and governance standards as they too were held by their state donors and regulatory bodies, suggesting a cascade of common professional standards of accountability and transparency. In effect, considerations of risk rendered the Syrian NGOs as subjects of managerial and auditing logics and reduced the ability of several to provide assistance in areas where programme auditability was not possiblecritically the areas under the control of proscribed organisations. Despite the legitimising role played by these processes in upholding the myth of manageability, within Syria all of this category of NGOs utilised precisely the same informal and opaque money transfer systems used by the smaller and less process-driven organisations and therefore shared many of the same underlying risks of financial diversion and manipulation (see Table 5). In effect, the myths of transparency and accountability, and the creation of subjects capable of being audited, failed to address the real underlying risks of financial diversion once money passed into Syria.
Nevertheless, the combination of the Turkish authorities' and European NGOs' use of risk management clearly rendered Syrian humanitarian organisations as both real and governable: That is to say, as meaningful entities that could be wilfully steered and subjected to non-disciplinary forms of self-regulation. Equally, con-structing the larger Syrian NGOs as auditable and reflective of myths of manageability enhanced their legitimacy in the eyes of donor states and banks, although it ultimately failed to address the risks of aid diversion once money and commodities had crossed the Turkish border into Syria.

Effectiveness of Humanitarian and Regulatory Outcomes
The declaratory aim of FATF's global financial regulatory framework established post-9/11 was both to make NGO financial transactions more transparent and accountable but also not to "disrupt or discourage legitimate charitable activities." (Statewatch, 2015). Both were explicit objectives. Yet this research indicates that the former objective undermined the latter, resulting from the precautionary approach adopted to mitigate derisking limiting access to the most vulnerable communities and hindering timely and relevant forms of assistance.
A particular challenge was maintaining the relevance of needs assessments conducted (in fluid situations) when money could be unpredictably delayed in the banking system by an average of four to six months. All of the Syrian NGOs in categories 1 and 2 and a quarter of INGOs in category 5 faced significant problems in maintaining the timeliness or relevance of responses in situations of rapid onset need or change in these circumstances (Table 8).
Seasonal projects, particularly those in the context of fluid population movements, appeared to be particularly vulnerable to delays in transfers, e.g., agricultural projects or winterisation kits, as were programmes for very vulnerable communities in besieged or hard-toreach areas. Five category 2 NGOs described at length the impact of these delays on their ability to purchase tools, seeds and agricultural inputs in Syria in time for the planting seasons and during lulls in the fighting. Most of these NGOs sought to adapt to the chronic reduction in liquidity, using combinations of their own resources, engaging in money and commodity swaps with other NGOs and also, in extremis, simply not telling the entire truth on how the assistance actually reaches the populations. However, in the absence of sufficient financial liquidity, most ruthlessly prioritised projects, focusing on the larger population groups in the more stable areas and not responding in others. Whilst in some ways this prioritisation was inevitable, the reality was in fact one of a creeping and ruthless triage.
NGOs also routinely privileged existing partnerships and suppliers, resulting in assistance strategies ossifying along the lines of greatest transparency in delivery chains. In effect, acceptable partnerships and 'legitimate' receipts-rather than the most pressing needsshaped programming decisions. Given the humanitarian systems' reliance on the smaller and most agile organisations' ability to respond to rapid onset needs and fill gaps left by the larger, more unwieldy actors, increasing rigidi- Table 8. Over two years has your concern for bank derisking impacted on your ability to respond to rapid changes in humanitarian need? ties in programming was problematic for the system as a whole. The systematic blockage of aid convoys by belligerent groups also left programme managers with a devil's bargain: Cash was often easier to move into the most difficult areas through the twilight world of hawala banking but was almost impossible to justify to banks (even if donors were largely aware of what was happening). Some accepted the risk of debanking and maintained programming while others switched from cash programming to the provision of food baskets because of the relative ease of accounting. However, because of the impact of checkpoints blocking the passage of commodities, these programmes were often refocussed to areas where needs were less pressing but there was a greater possibility of reaching beneficiaries.
Some of the more established and 'professionalised' Syrian NGOs pursued a different strategy, identifying the hawala operators and supplier companies and partner groups in Syria. The finance director for one confirmed that they maintained lists of and receipts in the hope that this would be sufficient to keep the bank happy. But this approach worked predominantly with larger well-established NGOs who made the geographically most conservative programming choices, and invariably had strong sub-contracting relationships with (particularly) major European NGOs. But even in these cases there were numerous examples of delays and blockages in bank transactions.
The requirement for visibility in the logistics and hawala chains made impossible the rapid adaptation to the humanitarian consequences of tactical changes on the battlefield. For example, the sudden movement of populations brought on by unexpected political accommodations such as the four-cities deal in 2017, the military fall of formerly besieged areas (such as Deir Az Zor in 2017) or the use of chemical weapons precipitating population displacement. These were cited as events that led to turbulence in the hawala and supplier markets and overstretched the Turkish-based NGO community. One programme manager explained: When there is a big change brought about by the war, a community is displaced, we find new money networks or our [suppliers] partners change. We sometimes do not know who we are working with. But the population is desperate. What do we do?
These circumstances required challenging choices between adhering to due diligence procedures (background and identity checks on suppliers and beneficiaries) and responding to sudden onset need.
NGOs, fearing derisking, reduced the cash elements (see Table 9) in programmes, especially in besieged or hard-to-reach areas, resulting in their inability to pay wages for teachers, buy fuel or support microfinance programming. One of the more established and larger Syrian NGOs explained how one of their larger education programmes had been forced to cut the teacher salary component in half and they were considering further cuts. Others, discouraged by the threat of derisking and routine delays/obstructions, shifted away from supporting teachers' salaries to in-kind support such as whiteboards, markers and textbooks. Seven NGO interviewees told us how they had ceased 'orphan sponsorship' in three separate hard-to-reach areas, because of The preferred and first choice in most cases. An opportunity 9% 9% 14% 24% 9% in which the risks can be largely ameliorated problems making regular payments to orphans and vulnerable female-headed families. In one of the hard-toreach areas, the majority of the beneficiaries had moved out of Syria largely due to the inability of NGOs to prevent further and catastrophic impoverishment.
Twenty-three interviewees argued that this trend discouraged innovation and more appropriate forms of programming while re-incentivising a return to commoditybased interventions when more differentiated, sophisticated and targeted humanitarian instruments were required. One NGO director lamented that "it is not sensible to provide only food. Communities need more. Relief has to be bigger. It has to do more. We need cash not just food." The irony of this trend was not lost on several interviewees who cited pledges made by humanitarian organisations and donors at the World Humanitarian Summit to increase the proportion of assistance made in cash.

Conclusions
Clearly, risk management has colonised new social relationships in the humanitarian sector and the precautionary principle itself has emerged as a central organising principle of programming. In the name of terrorism's generalized danger, humanitarianism has increasingly been commandeered by more authoritarian and totalizing rationalities. The 'manufactured' risk of bank derisking reflects Beck's original idea that late-modern society manufactures and is preoccupied by new forms of risk and governs these through institutions that struggle to be effective and, perversely, contribute to the propagation of more risk. Most obviously, this has reduced the capacity of NGOs to conduct financial transactions, weakened programming, stifled innovation and counterproductively (from a regulatory perspective) encouraged the use of informal, more opaque and risky money transfer systems such as the Syrian hawala system (which has itself been penetrated by groups with black-market and armed-actor affiliations). These mechanisms are more vulnerable to abuse by terrorists and put staff and volunteers of charities at greater personal risk. The tyranny of risk thinking has also resulted in a dramatic reduction in the willingness and ability of NGOs to provide assistance to communities under the control of proscribed organisations. This echoes the recurring theme of counterproductive outcomes of managing risk found in the risk literature.
Risk logic is not characterised by an existential threat to a valued referent object leading to exceptional measures against external and ungovernable threatening others. Rather, it posits risks (understood as conditions of possibility for harm) to a referent object leading to permanent changes aimed at reducing perceived vulnerability and boosting governance-capacity of the valued referent object itself. It also leads to a logic of overcompensation and the creation of buffers against risk. The focus on the possibility of harm rather than the immediacy of a more quantifiable threat creates a momentum towards a "rationality of zero-risk" (Aradau & van Munster, 2007).
Identifying NGOs as providers of, and subject to, risk has also made them governable in several ways. Firstly, states, particularly Turkey, have been able to manage the risk exposure of NGOs in ways that render them more vulnerable to instrumental and opportunistic control. In terms of systemic and non-disciplinary forms of governance, Syrian NGOs have also been co-opted into subordinate positions in the global humanitarian system via the adoption of modes of professionalism and managerialism that are intended to manage programmatic and fiduciary risk as well as alignment with global financial regulatory policies. These processes legitimise some NGOs (and exclude others) behind myths of managerial competency but potentially render them less able to manage the humanitarian risks to besieged populations.
Empirically, this research identified that patterns of access to life-saving resources are increasingly disciplined both by banks' risk-based responses to CTF regulatory mechanisms and, crucially, the humanitarian communities' own precautionary approach to the risks that these generate. There is a clear pattern of both international and Turkish-based banks retreating from engagement with NGOs functioning in Syria. These effects are concentrated amongst (but not exclusive to) Islamic NGOs working on conflict areas in sanctioned states or where proscribed organisations function. There is also clear evidence of a precautionary risk dispositif arising from bank derisking and permeating humanitarian decision-making. Interviews revealed that the threat of bank account closures had become a major factor in programming decisions-generating a reflex of risk aversion and containment rather than proportionate responses to risks.
The exclusion of particularly the smaller NGOs from financial access also appears to have a disproportionate influence on the risks faced by isolated beneficiary communities. The majority of INGOs subcontract their work to the smaller NGOs. Hence a more cautious approach to their risk tolerance amplifies the effects of derisking on the most vulnerable beneficiary communities. It is ironic that whilst non-Muslim and secular agencies have been forced to rely increasingly on Muslim charities to deliver assistance in places such as Afghanistan, Somalia, Syria and Yemen, it is precisely these organisations that have faced the greatest obstacles to accessing the financial services that make this arrangement possible.
The differential impact on besieged areas also reflects Foucault's (1980) notion that modernity is characterized by a bio-politics of regulatory controls and complexes that express the "power to foster life or disallow it." In this sense, populations under the control of proscribed organisations are governed through the denial of their rescue through humanitarian assistance, a very liberal tyranny. This also parallels Beck's predictions that in a 'risk society' the accumulation of danger-averse strategies in response to incalculable but imminent institution-al and reputational risks necessarily entails an inevitable emergence of a collective risk identity and the formation of communities united by their increasing vulnerability to risk.
In conclusion, risk management itself can therefore lead to the 'risk' that we exclude all that does not conform to a narrow and myopic logic of managerial intervention, thereby undermining the morally universal ethic of humanitarianism.