The ANSI/ASIS PSC.1-2012 Standard: A comprehensive framework for managing private security company operations

UntitledIn the coming months, numerous private security companies (PSCs) and their clients will bring the requirements and standards of ANSI/ASIS PSC.1-2012: Management System for Quality of Private Security Company Operations (PSC.1) into their contractual and management practices – several private security companies (PSCs) have already done so and many more are beginning. The following discussion points address the context of the PSC.1 standard, implementation, and its applicability to PSCs and their clients.

What is PSC.1 and why was it developed?

Over the last decade, PSCs were implicated in several high-profile incidents while operating in complex environments. These events triggered new multi-stakeholder codes and management standards to provide guidelines to PSCs on responsible business practices. Among these codes and standards, PSC.1 is the most detailed international risk management framework relevant to security company operations. It is viewed as the industry standard and provides auditable criteria.

What is the purpose of PSC.1?

Ultimately, PSC.1 is a quality assurance risk management system that adopts the Plan-Do-Check-Act Model at the core of management systems. PSC.1 provides PSCs and their clients with auditable standards and guidance for the quality of private security operations and the assurance of human rights in conditions where governance and the rule of law have been undermined by conflict or man-made or natural disaster. PSC.1 was designed to integrate with other management systems within an organization (such as, but not limited to, ISO 9001:2008). The PSC.1 standard is based on business and risk management principles. Conformity with PSC.1 communicates to internal and external stakeholders that the PSC is able to manage its safety, security, and legal obligations, as well as respect human rights.

How was PSC.1 developed?

The U.S. Department of Defense funded ASIS International, the largest organization for security professionals, to develop the PSC.1 standard. To create this standard, ASIS worked with the American National Standards Institute (ANSI) and through an inclusive Technical Committee consisting of over 200 individuals from twenty-five counties. Members of the Technical Committee included representatives from PSC clients, PSCs themselves, governments, civil society organizations, and other interested parties. PSC.1 was developed to support the objectives of the Montreux Document On Pertinent International Legal Obligations and Good Practices for States Related to Operations of Private Military and Security Companies During Armed Conflict (released in 2008) and the International Code of Conduct for Private Security Service Providers (released in 2010), by operationalizing their principles into business practice standards. PSC.1 was approved and released in 2012.

What are the industry drivers for PSC.1?

In the United States, both the Department of Defense and the Department of State are developing contractual provisions for PSC.1 compliance. In the United Kingdom, the Foreign Commonwealth Office has already stipulated PSC.1 compliance for overseas contracted security services. This trend is continuing with other countries and organizations that procure PSC services.

Is PSC.1 applicable to my organization?

PSC.1 is applicable to private security service providers – particularly PSCs operating in circumstances with weakened governance where the rule of law has been undermined by human or naturally caused events. PSC.1 is also applicable to PSC clients to conduct due diligence, management oversight, and quality assurance of services retained from PSCs. PSC.1 standards and requirements are also applicable when PSCs provide security advisory or management services and manage subcontracted security services. In this situation, PSC.1 is also applicable to ensure that security services subcontractors also meet the requirements of PSC.1.

How do PSCs establish conformity with PSC.1?

Conformity with PSC.1 begins with the development of a quality assurance management system in accordance with the specific principles and requirements of PSC.1. To do this firms will need to design and implement a quality assurance management system based on the Plan-Do-Check-Act Model, specifically: establish the management system (to include relevant policy, objectives, processes, and procedures), implement and operate the management system, monitor and review the management system, and maintain and improve the management system.

How should PSCs define the scope of their PSC.1 Quality Assurance Management System (QAMS) implementation?

PSCs will need to determine and document the scope of their PSC.1 management system development and implementation. Is initial PSC.1 conformity and certification sought for a single operating unit or enterprise-wide? Is the scope applicable to a specific line of business in multiple geographical locations or scoped to the company’s operations in a designated country? Within the defined scope, how are subcontractor services managed and controlled within the management system? PSC.1 is clear that the organization shall define the scope of the management system “in terms of and appropriate to its size, nature, and complexity from a process of continual improvement.” PSCs will also need to carefully consider and select which operating or business unit will take on the responsibility for leading and sustaining the company’s PSC.1 implementation effort and continuous improvement cycle.

How do PSCs obtain PSC.1 certification?

PSCs seeking to obtain PSC.1 independent, third party certification will need to demonstrate conformity with the requirements of PSC.1. The certification process is conducted through a series of both internal and external audits as detailed in ANSI/ASIS PSC.2-2012: Conformity Assessment and Auditing Management Systems for Quality of Private Security Company Operations. Third party audits are conducted by accredited Certification Bodies or Registrars that can grant certification. Internal and external auditors for PSC.1 conformity must have competencies related to security operations, human rights normative standards, and risk management. PSCs should take note that there are currently only two accredited Certification Bodies to provide third party certification, MSS Global and Intertek. Both are credentialed by the UK Accreditation Service. However, due to reciprocity agreements among International Accreditation Forum members, of which UKAS is one, PSCs located in other countries, such as the U.S., can also gain recognized certifications from these certification bodies.

PSC.1 was specifically conceived and developed to provide PSCs (and their clients) with the detailed guidelines to operationalize the provisions outlined in the International Code of Conduct for Private Security Providers (ICoC), including the requirement for signatory companies to: “(1) establish and/or demonstrate internal processes to meet the requirements of the Code’s principles and the standards derived from the Code; and (2) once the governance and oversight mechanism is established, become certified by and submit to ongoing independent Auditing and verification by that mechanism.” The multi-stakeholder ICoC Association is currently drafting certification procedures, which will likely build on certification to PSC.1 with some added requirements for human rights related information. Thus it should be relatively straightforward for PSCs with PSC.1 certification to also receive ICoCA certification – which is currently a requirement for PSCs based in Switzerland or providing security services to the Swiss government, PSCs serving the UN, and possibly in the near future Department of State security providers.