Proprietary Framework · MNS Consulting · NGO Security

QA-CSRF™
Conflict Systems
Research Framework

Quanta Analytica Conflict Systems Research Framework™ · Registered Methodology

An operational framework purpose-built for conflict systems research and NGO security risk management in volatile, fragile, and high-risk environments. QA-CSRF™ integrates ISO 31000:2018 risk principles, INSSA SRMP-C competencies, and a structured toolkit — PESTELS, CAF 2.0, and CARVER — to produce decision-ready outputs: risk registers, contingency plans, security protocols, and field-level SitReps.

ISO 31000:2018 aligned INSSA SRMP-C compliant NGO security risk management Fragile & conflict-affected environments Do No Harm · CHS · ISO 27001
Explore the Framework Integrated Tools Sudan Case Study
00
Overview
ISO 31000:2018
Risk Management Principles
INSSA SRMP-C
NGO Safety & Security Competencies
CHS
Core Humanitarian Standard
Do No Harm
Conflict-Sensitive Programming
ISO 27001
Information Security & Data Protection

From Conflict Theory
to Operational Risk

QA-CSRF™ was developed through MNS Consulting's partnership work with Lladner Business Systems' Global Development & Risk Management Division and first presented through ARAC International Inc. It originated as an academic Conflict Systems Research framework — drawing from sociology, psychology, economics, and systems analysis — and was systematically upgraded into a field-operational risk management tool.

The upgrade replaced conceptual typologies with quantified scoring, narrative analysis with structured analytic tools, and generic resolution strategies with ISO-aligned risk treatment plans carrying defined controls, monitoring cycles, and escalation thresholds. The result is a framework that retains the theoretical depth of conflict systems analysis while producing the practical outputs that NGO field teams, security managers, and programme donors actually need.

Who It Serves

International and national NGOs, humanitarian operators, INGOs, donors, and implementing partners operating in fragile states, active conflict zones, post-conflict transition environments, and any context where security risk management and conflict analysis must be integrated — not siloed.

What It Produces

  • Risk registers with likelihood × impact scoring
  • CARVER asset criticality assessments
  • Contingency and evacuation plans
  • SitReps with indicators and escalation thresholds
  • Conflict actor and stakeholder maps (CAF 2.0)
  • Macro context scans (PESTELS)
  • Ethics and data protection compliance records

The Core Distinction

The academic Conflict Systems Research framework teaches what conflict is. QA-CSRF™ structures how to manage it in practice. The former is the foundation; the latter is the operational system built on it. Both are embedded within QA-CSRF™ — theoretical rigour and field-level practicality are not traded off against each other.

01
Framework Phases

Six Operational Phases

ISO 31000 cycle · iterative by design

QA-CSRF™ is organized as a six-phase iterative cycle aligned to ISO 31000:2018. Each phase has defined inputs, methods, and outputs. The cycle does not terminate — it repeats as the conflict environment evolves, with monitoring data from Phase 6 feeding back into Phase 1 context establishment.

1 Phase I
Context Establishment
PESTELS macro scan · CAF 2.0 actor mapping
Every risk assessment begins with a thorough understanding of the environment in which the organization operates. Phase 1 deploys PESTELS to scan the macro context — Political, Economic, Social, Technological, Environmental, Legal, and Security dimensions — and CAF 2.0 to map the full actor and stakeholder landscape including armed groups, state actors, civil society, community leaders, and international entities. The output is a structured context picture that gives all subsequent analysis a grounded, sourced baseline. Without this foundation, risk identification in Phase 2 operates on assumptions rather than evidence.
PESTELS CAF 2.0 Stakeholder mapping Environmental scan
2 Phase II
Risk Identification
Threats to people · systems · data · operations
Using the context established in Phase 1, Phase 2 systematically identifies the risks facing the organization, its personnel, its implementing partners, and the communities it serves. Risk categories include physical security threats to staff and assets, operational disruption risks, partner compliance and reliability risks, information and data security risks, and reputational risks arising from association with conflict parties. Identification is structured — not a brainstorm — using conflict mapping and the actor profiles built in CAF 2.0 to ensure that every credible threat source is traced to a corresponding organizational exposure.
Conflict mapping Threat identification Exposure analysis Partner risk profiling
3 Phase III
Risk Analysis
Likelihood × Impact scoring · CARVER assessment
Phase 3 quantifies the risks identified in Phase 2. Each risk is scored on a calibrated Likelihood × Impact matrix to produce a risk level that can be compared, prioritized, and communicated consistently across the organization. Simultaneously, CARVER scoring is applied to critical assets and operational systems — evaluating Criticality, Accessibility, Recuperability, Vulnerability, Effect, and Recognizability. CARVER scoring translates qualitative threat assessments into prioritized protection plans grounded in the actual operational profile of the organization, not generic threat typologies. The combination of risk matrix scoring and CARVER assessment gives field security managers and programme leadership a unified, quantified picture of the organization's risk exposure.
Likelihood × Impact matrix CARVER scoring Asset criticality Vulnerability mapping
4 Phase IV
Risk Evaluation
Risk ranking · ethical risk filters · decision thresholds
The quantified risk scores from Phase 3 are evaluated against the organization's risk appetite, programme priorities, and ethical obligations. This phase does not operate on risk scores alone — it applies ethical risk filters drawn from Do No Harm principles, the Core Humanitarian Standard, and conflict-sensitive programming frameworks. A risk that scores low on a standard likelihood × impact matrix may still require immediate treatment if it carries significant harm potential for conflict-affected communities. Evaluation also sets the decision thresholds: the risk levels at which specific responses are triggered, including escalation to leadership, programme redesign, or operations suspension.
Risk ranking Do No Harm filters CHS compliance Decision thresholds
5 Phase V
Risk Treatment
Mitigation · contingency · evacuation · deterrence
For each evaluated risk, Phase 5 produces a treatment plan specifying the chosen response — mitigation, transfer, acceptance, or avoidance — along with the specific controls, responsible parties, timelines, and resource requirements. For high-severity risks, treatment plans include contingency protocols and, where necessary, evacuation and hibernation procedures. Deterrence measures are specified for threat sources that are influenced by organizational posture, visibility, and acceptance strategies. All treatment plans are documented in the risk register with sufficient detail for handover, audit, and donor reporting. Phase 5 is where analysis becomes action.
Risk register Contingency protocols Evacuation planning Acceptance strategies Controls documentation
6 Phase VI
Monitoring & Review
Iterative updates · trend analysis · ethics checks · SitRep cadence
QA-CSRF™ does not produce static documents. Phase 6 establishes the monitoring architecture that keeps risk assessments current as the conflict environment evolves. This includes the SitRep cadence — the frequency and format of situational reporting — and the indicator and escalation threshold system that tells field teams and leadership when a risk profile has changed materially. Trend analysis tracks whether the risk environment is stabilizing or deteriorating. Ethics checks ensure that treatment plans remain compliant with Do No Harm and CHS obligations as circumstances change. Data protection reviews under ISO 27001 principles ensure that sensitive information remains secure throughout the programme lifecycle. Phase 6 feeds its outputs back into Phase 1, completing the iterative cycle.
SitRep cadence Indicators & thresholds Trend analysis Ethics compliance review ISO 27001 data review
02
Integrated Tools

The Analytical Toolkit

Four instruments · one integrated system

QA-CSRF™ integrates four purpose-selected analytic tools, each covering a distinct analytical requirement. Together they give the framework its quantitative backbone and ensure that every phase is grounded in structured, reproducible analysis rather than narrative judgement alone.

PESTELS Political · Economic · Social · Technological · Environmental · Legal · Security
PESTELS is the macro-environment scanning tool deployed in Phase 1. It structures the systematic review of seven contextual dimensions that shape the operating environment: Political stability and governance dynamics; Economic conditions including sanctions, resource flows, and livelihood impacts; Social cohesion, community tensions, and demographic pressures; Technological factors including communications infrastructure and cyber risks; Environmental pressures such as climate shocks and resource scarcity; Legal frameworks governing NGO operations, access, and liability; and Security conditions at national, regional, and local levels. PESTELS ensures that the risk identification in Phase 2 is anchored to a comprehensive, structured picture of the environment — not just the security dimension in isolation.
CAF 2.0 Conflict Actor Framework 2.0 — Stakeholder & Actor Mapping
CAF 2.0 is the actor and stakeholder mapping instrument used in Phase 1 and continuously updated through Phase 6. It maps the full landscape of actors in the operating environment — armed groups, state security forces, political entities, community leaders, civil society organizations, international actors, and the communities the organization serves. For each actor, CAF 2.0 captures their interests, objectives, capabilities, relationships to the organization, and potential to generate risk or serve as a protection resource. The 2.0 designation reflects the updated integration of influence and information environment actors — including disinformation sources and narrative actors — alongside traditional conflict parties.
CARVER Criticality · Accessibility · Recuperability · Vulnerability · Effect · Recognizability
Originally developed for military target analysis, CARVER has been adapted within QA-CSRF™ as a defensive asset prioritization tool for NGO security planning. Applied in Phase 3, it scores the organization's critical assets and systems — including personnel, vehicles, communications, data systems, offices, warehouses, and partner relationships — across six dimensions. Criticality assesses how essential the asset is to operations; Accessibility evaluates how easy it is for a threat actor to reach it; Recuperability estimates how long it would take to restore if compromised; Vulnerability identifies specific weaknesses; Effect measures operational impact if lost; and Recognizability gauges how identifiable the asset is to potential threat actors. CARVER scores guide protection prioritization and mitigation investment decisions.
ISO 31000 Cycle Risk Management Principles & Guidelines
ISO 31000:2018 provides the governance architecture for the entire QA-CSRF™ framework. It ensures that risk management is iterative, structured, and aligned to internationally recognised principles: integration with the organization's broader governance; structured and comprehensive coverage; customization to the specific context; inclusive engagement of stakeholders; human and cultural sensitivity; dynamic response to change; best available information; and continual improvement. ISO 31000 alignment is not simply a credential — it shapes the architecture of the six-phase cycle, the documentation requirements, and the review cadence. It also ensures that QA-CSRF™ outputs are credible to institutional donors and governance bodies that require evidence of structured risk management practice.
03
Framework Comparison

Academic Foundation vs.
Operational System

Complementary · not competing

QA-CSRF™ was built on the academic Conflict Systems Research framework — not as a replacement, but as an operational transformation of it. Understanding the relationship between the two is essential to understanding why QA-CSRF™ is structured as it is. The academic framework teaches what conflict is. QA-CSRF™ structures how to manage it under operational conditions.

Dimension Academic CSR Framework QA-CSRF™ (Operational)
Purpose Conceptual understanding of conflict types and dynamics Structured operational risk management for NGO field use
Primary tools Conflict mapping, tree diagrams, typologies PESTELS, CAF 2.0, CARVER, ISO 31000 cycle
Output type Conceptual analysis, academic reports Risk registers, contingency plans, SitReps, security protocols
Quantification Minimal — qualitative and descriptive Likelihood × Impact scoring + CARVER numerical assessment
Ethics framework Implied through empathy and values language Formalized — Do No Harm, CHS, ISO 27001, conflict-sensitive programming
Primary audience Students, researchers, conflict studies programmes Field security managers, NGO leadership, programme donors
Operating environment Controlled academic or training contexts Fragile states, conflict zones, humanitarian operations
Donor reporting Not designed for it Outputs directly applicable to institutional donor risk reporting requirements
Iterative cycle Sequential, not explicitly iterative ISO 31000 iterative cycle with monitoring feedback loop

Together: CSR Framework = "the theory and typologies." QA-CSRF™ = "the applied risk management system." One teaches what conflict is; the other structures how to manage it in practice.

04
Applied Case Study

QA-CSRF™ Applied:
Sudan, September 2025

Live framework application

The following demonstrates QA-CSRF™ applied to a live conflict environment. Sudan in September 2025 represents one of the most complex active humanitarian crises globally — combining active armed conflict, mass displacement, ethnic violence, famine risk, and contested international mediation. This case study walks through the framework's seven analytical steps as applied to that environment.

Sudan — North Darfur / El Fasher
Reference date: September 2025
Active conflict environment

Situation Snapshot

The war between the Sudanese Armed Forces (SAF) and the Rapid Support Forces (RSF) continues with El Fasher under prolonged siege and catastrophic civilian impact, including acute child malnutrition and mass displacement.
Financial Times · UNICEF
Humanitarian needs remain extreme: 20.9 million people targeted for aid in 2025, displacement surpassing 10 million, with multiple areas crossing or projected to cross famine thresholds.
OCHA · IPC Info · UNICEF
Credible investigations document ethnic cleansing and crimes against humanity in Darfur. UN human rights findings describe deliberate targeting of civilians, including Masalit communities.
Human Rights Watch · OHCHR
Allegations of external resupply to the RSF remain under scrutiny by UN experts and NGOs, with denials from the UAE. International mediation tracks (Jeddah, Geneva) remain fragmented and stalled.
Reuters · The Guardian · Amnesty International · The Washington Institute

Step 1 — Conflict Definition

An intrastate, multi-theater civil war begun April 2023 between SAF and RSF, now characterized by urban sieges, ethnic targeting in Darfur, and nationwide economic collapse with mass displacement and food insecurity. Current epicenter: El Fasher, North Darfur — a tipping point for both Darfur and national famine risk.

Intrastate Multi-theater Ethnic dimension

Step 2 — Conflict Types

  • Political and military power struggle — rival armed formations following the collapsed civilian transition
  • Communal and ethnic violence — Darfur, specifically attacks targeting Masalit communities
  • Humanitarian access warfare — siege tactics that weaponize starvation and impede aid delivery

Step 3 — Actor Map (CAF 2.0)

  • SAF — seeks national control, defeat of RSF, international recognition. Leverage: formal sovereignty, Port Sudan, air assets
  • RSF — controls most of Darfur, siege warfare around El Fasher, consolidating territorial leverage. Leverage: territorial control, mobility, alleged external supply
  • Civilians / Taqaddum — seek protection, aid corridors, civilian rule. Low coercive leverage; high moral authority
  • International actors — Jeddah/Geneva tracks stalled; AU–IGAD fragmented. Leverage: aid, sanctions, convening power

Step 4 — Conflict Resolution Menu

  • Consolidate Jeddah and Geneva tracks under AU–IGAD umbrella with explicit civilian transition parameters
  • Operationalize Security Council pressure around El Fasher for verified aid corridors and safe evacuations
  • Support atrocity crime investigations and use targeted sanctions tied to siege behaviors
  • Establish community-level dispute resolution in Darfur with land and restitution mechanisms

Step 5 — Near-Term Priorities & Early Warning Indicators

The following indicators operationalize the conflict monitoring architecture for this environment. Each tracks a specific dimension of the crisis and feeds directly into the SitRep cadence and escalation threshold system.

Siege Dynamics
Frequency and intensity of strikes around El Fasher; market prices; severe acute malnutrition admissions at health facilities.
Humanitarian Access
Monthly convoy pass rates and tonnage delivered vs. planned; deconfliction protocol compliance; hospital and IDP camp incident rates.
Famine Tracking
IPC Phase 4 to 5 shifts at locality level; camp-specific FRC (Famine Review Committee) updates; acute malnutrition trend lines.
Atrocity Risk
UN human rights incident logs; satellite-verified mass-grave detection alerts; targeted community protection requests from civil society.
Mediation Traction
Unified agenda publication; sequencing agreement on ceasefire; verified monitoring architecture establishment.
Supply Chain Integrity
Audit of flight and cargo manifests along the Chad–Darfur axis; embargo compliance summaries from UN panels.

Step 6 — Ethics, OSINT Integrity & Do No Harm

Apply Do No Harm principles rigorously when publicizing locality-level detail that might endanger civilians under siege or expose community informants. Prefer triangulated figures from UN agencies (UNICEF, OCHA), IPC, and organizations with transparent methodologies. Breaking casualty estimates and natural disaster figures are treated as evolving and potentially contested — they are not presented as confirmed until triangulated across at least two independent sources. OSINT collection in conflict environments must be conducted with awareness of surveillance risks for local sources and communities.

Step 7 — Decision-Ready Output for Leadership

Problem clarity: The core dynamic is a SAF–RSF struggle with El Fasher as a tipping point for Darfur and national famine risk. Any NGO operating in North Darfur faces a risk environment defined by active siege warfare, ethnic targeting, weaponized access denial, and a fragmented international response that cannot be relied upon for protection.

Negotiation levers: Consolidate diplomatic tracks; pair ceasefire with monitored access; escalate targeted sanctions tied to siege behaviors. NGO acceptance strategies must be maintained with all parties simultaneously — which, under current conditions, requires explicit neutrality communication and regular actor briefings.

Operational actions: Corridor access, population protection measures, and embargo enforcement are immediately actionable and measurable. Field teams should operate with active hibernation and evacuation protocols, defined escalation triggers, and regular SitRep reporting against the indicator framework above.

Deploy QA-CSRF™

NGO security · conflict analysis · risk governance

If your organization operates in volatile or conflict-affected environments and needs a structured, ISO-aligned security risk management system, MNS Consulting can deploy QA-CSRF™ to your operational context. Engagements are scoped to need — from a single risk register to a full security governance architecture.

Start Advisory Intake Full QA Process™ Quanta Analytica Home

QA-CSRF™ is a proprietary methodology of MNS Consulting. PESTELS, CAF 2.0, CARVER, and ISO 31000 are integrated components used under standard frameworks. Do No Harm and CHS principles apply throughout all engagements.