The International Code of Conduct Association (ICoCA) has announced the release of a draft recognition statement in accordance with its certification procedure for ISO 28007-1: 2015 Ships and marine technology – Guidelines for Private Maritime Security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract) – or ISO 28007 in short. What is the significance? PMSCs that are members of the ICoCA now have a chance to become ICoCA certified. They will need to evidence their certification by an accredited certification body to ISO 28000 Specification for security management systems for the supply chain, using the additional guidance provided in ISO 28007, as well as provide some additional human rights related information derived from the International Code of Conduct for Private Security Service Providers (ICoC).
As noted in a blog post Human Analytics wrote after the release of ISO 28007 last year, New ISO Standard for Private Maritime Security Companies Reflects Some Progress on Human Rights, the new standard contains some improvements relative to the previous ISO/PAS 28007 (PAS = Publicly Available Specification), which was nearly devoid of any reference to the corporate responsibility to respect human rights. One marked improvement is the insertion of a reference to the UN Guiding Principles on Business and Human Rights (UN GPs) in the introduction, as well as the need for an explicit human rights policy. But the blog also noted that there remain a number of human rights shortcomings in ISO 28007, certainly relative to the expectations of companies laid out in the UN GPs, including the need to undertake a human rights due diligence process, prioritize human rights risks identified though a risk assessment process based on their scope and severity, and remediate negative human rights impacts.
The gaps between the human rights and humanitarian law principles of the ICoC and the requirements and guidelines of the ISO 28000/ ISO 28007 are evidenced in the rather extensive additional human rights related information requirements for ICoCA certification detailed in Annex B to the draft recognition statement. In addition to the failure of ISO 28007 to include human rights in the company’s risk assessment process, four areas evidence the greatest number of gaps, namely requirements regarding employment policies, reporting practices, training programs, and grievance mechanisms. Among some of the key gaps are failures to require an anti-discriminatory employment policy; ensure that passports, travel documents, and identification materials of personnel are only held as long as reasonably necessary; ensure that all employment documents are in writing and in a language understood by personnel; include relevant international and human rights law provisions in reporting requirements; require training on international human rights law; and ensure that grievance mechanisms are publicly available and operate in a fair, prompt, impartial, and confidential fashion. Annex B contains a complete list of gaps.
Topics not mentioned in Annex B, where the ICoCA may want to push for additional information are:
1) ensuring that, in line with the UN GPs, when PMSCs evaluate and prioritize risk controls, management, mitigation, and treatments that they prioritize addressing human rights risks based on their scope and severity;
2) including indications of prior involvement in human rights violations, which in some countries may not be captured in criminal background checks, employment histories, and military and law enforcement service records, in the selection and vetting criteria for personnel and subcontractors, as required in ICoC paragraphs 48 and 51;
3) evidencing that personnel receive mandatory training in reporting requirements related to the types of crimes and human rights violations laid out in ICoC paragraph 22; and
4) ensuring that grievance mechanisms offer effective remedies to victims of negative human rights impacts as foreseen in ICoC paragraph 67 a). The remediation of harms caused by PMSCs’ activities is not addressed anywhere in ISO 28007.
While certainly an opportunity for PMSCs to improve their human rights performance, it will be interesting to see how many of them actually seek ICoCA certification. While nearly half of the original ICoC signatories were PMSCs, at this point many no longer exist – having closed shop after the decline in piracy off the coast of Somalia – or chose not to become transitional members of the ICoCA once it was formed in late 2013. ICoC paragraph 7 foresaw “the development of additional principles and standards for related services, such as… the provision of maritime security services.” The review of ISO 28007 was carried out based on a comparison to the ICoC’s current provisions, and not after consideration of developments in the maritime security industry which may require additional principles and standards to capture the unique nature of the industry’s security operations and human rights impacts. Furthermore, the development of additional principles by the ICoCA for the provision of maritime security was to happen after the establishment of “objective and measurable standards for providing Security Services based upon this Code” and the development of “external independent mechanisms for effective governance and oversight” (to include certification, auditing, monitoring, reporting, and grievance procedures). It is interesting that the ICoCA chose to prioritize reviewing ISO 28007 as a pathway to ICoCA certification ahead of reviewing ISO 18788 (the new ISO standard for private security operations based on the ICoCA recognized ANSI/ASIS PSC.1) and ahead of completing the development of key procedures, such as monitoring and grievance procedures. What remains unclear is whether PMSCs will seek ICoCA certification, or if their clients will require it, without the ICoCA having finalized all of its procedures.
Two developments in the maritime industry, however, do bode well. First, ISO 28007 no longer contains a note that appeared in the previous ISO/PAS 28007, which stated that the International Maritime Organization does not view the ICoC as “directly applicable to the peculiarities of deploying armed guards at sea to protect against piracy since it is written in the context of self-regulation for land companies only.” The ICoC is now referenced in the bibliography. Second, Maersk Group, which includes one of the world’s largest shipping lines, announced in its recent 2015 Sustainability Report that it had undertaken a human rights due diligence process based on the UN GPs for all the business activities of the Group. One area identified as a priority human rights issue for 2016-2017 is the use of security services. The imminent recognition of ISO 28007 provides an opportunity for the ICoCA to lobby the shipping industry and other clients of PMSCs, as well as flag, coastal, and port states, to require that PMSCs adhere to the principles of the ICoC. To be impactful on the larger security industry, the ICoCA must foster compliance with the ICoC principles by all security providers, whether maritime or land-based and whether employed by private or public sector clients.