Tag Archives: ANSI/ASIS PSC.1-2012

The Value-Add of the ICoCA: A ‘Strong Sword’

What is the ‘value-add’ of the ICoCA? That question surfaced occasionally at the margins of the successful annual meeting of the International Code of Conduct Association, the Swiss-based non-profit association that brings together industry, civil society, and governments to promote responsible, rights-respecting provision of private security services. The question of the ‘value-add’ is in reference to what additional benefits accrue to private security companies (PSCs), who are members of the ICoCA and submit themselves to its certification, monitoring, and grievance requirements, over solely gaining certification to the management systems standards for private security operations. To remind readers of this blog, certification to those standards – ANSI/ASIS PSC.1: 2012 and ISO 18788: 2015 – as well as submission of additional human rights-related information is currently the route to gaining ICoCA certification. PSCs hire third-party certification bodies to audit them to the management standards for which they receive a certificate.

To my mind, the ‘value-add’ of the ICoCA seems obvious. The global governance literature, which examines collective efforts (with and beyond states) to address world-wide problems, speaks to the value of multi-stakeholder initiatives. Among other things, multi-stakeholder governance ensures that relevant voices are heard, improves transparency, encourages innovative and effective solutions to problems, and generally increases the perceived legitimacy of an initiative. Yet, skeptics do not seem convinced.

Then I ran across a book chapter that I think makes a clear case for the ‘value-add’ of the ICoCA. The chapter, “The International Organization for Standardization as a Global Governor: A Club Theory Perspective,” by Assem Prakash and Matthew Potoski appears in the volume Who Governs the Globe? edited by Deborah D. Avant, Martha Finnemore, and Susan K. Sell. The ICoCA and the management system standards, ANSI/ASIS PSC.1 and ISO 18788, are examples of “clubs” created to address problems which states alone cannot or will not govern. They promise to deliver to club members and external parties certain positive benefits. For club members, the biggest benefits are better internal management, which can result in cost savings and risk mitigation, and improved reputation, which can attract clients. External parties, whether clients of the member companies or other stakeholders, can be assured that member companies are living up to ‘beyond-compliance’ standards.

That seems fairly obvious. But the problem with clubs is that they can lead to collective action dilemmas. Two in particular stand out: recruitment, i.e. attracting adequate numbers of participants, and shirking, i.e. ensuring that participants meet the club’s requirements. Attracting an adequate number of PSCs, especially small and medium sized ones, has been an ongoing discussion within the ICoCA. The chapter does not offer insights on how to do this, but it does discuss the value of a large membership in terms of realizing the branding benefits that accrue to PSCs who join the club. Clubs gain high levels of participation by “offering affordable standards which firms can profitably adopt.” However, participation should not be traded off against the stringency of standards. Prakash and Potoski warn that for club members to gain reputational and other benefits, external parties need to view clubs as credible in terms of their commitment to high standards accompanied by effective enforcement.

This brings us to the second collective action dilemma, shirking. How does one ensure that the standards members commit to are actually upheld? Simply put, through monitoring and enforcement. However, not all monitoring and enforcement programs, which the chapter dubs “swords,” are created equal. There are “strong swords,” which require third-party audits, public disclosure, and sanctioning mechanisms, “medium swords,” which necessitate third-party audits and public disclosure, and “weak swords,” which only require auditing. Prakash and Potoski, using the environmental standard ISO 14001 as a case study, argue that ISO 14001 is an example of a “weak sword club,” because ISO “is not known to sanction shirkers aggressively, and the absence of public disclosure of audit information weakens stakeholders’ ability to sanction shirking.”

Readers probably see where I am going with this. Like ISO 14001, ANSI/ASIS PSC.1 and ISO 18788 by themselves are “weak sword clubs.” In contrast, the ICoCA requires member PSCs to submit themselves to field-based monitoring, provide self-reporting, and participate in the grievance process. If companies do not do so, they can be sanctioned up to expulsion. The ICoCA also provides public annual reporting. The ICoCA is a “strong sword club.” If PSCs want to accrue all the reputational benefits, and associated commercial benefits, of participating in clubs meant to demonstrate their adherence to the law and human rights norms, then they need to be part of a “strong sword club.” The ICoCA is currently the only available “strong sword club” for the private security industry.

Continued progress in operationalizing responsible private security: ICoCA holds annual meeting

With a new tagline on its promotional materials, “bringing together industry, civil society and governments to promote responsible private security services and respect for human rights,” the International Code of Conduct Association (ICoCA) held its Annual General Assembly in Geneva last week. Human Analytics, an observer to the ICoCA, attended and as we have done in past years (2015; 2016) wanted to share updates from the meeting with readers of our blog.

Jamie Williamson, the new Executive Director of the ICoCA who now heads the nine-person Secretariat, kicked off the meeting with a review of the past year. Membership in the three pillars of the ICoCA is steady or growing. In the government pillar, seven governments continue to participate. As part of its concerted communication, outreach, and development strategy, the ICoCA is having bilateral conversations and working through international forums, like the Montreux Document Forum, to increase state participation. One welcome development was the European Parliament’s passage of a resolution this year recommending that the European Commission issue guidelines to use ICoCA-certified private security companies (PSCs) for EU contracts and urge member states to use participation in the ICoCA as a consideration in their public procurement decisions. The industry pillar currently has 101 members headquartered in 35 countries. Budget numbers, beyond revealing that the Association is on sound financial footing, indicate that the make-up of the industry pillar may be changing. More recently the strongest increases in membership have come from outside the US and UK, and membership dues from small and medium sized PSCs reflect a growing share of the Association’s revenues. The civil society organization (CSO) pillar also has become more geographically diverse. As a result of the ICoCA’s field-based review mission to Nigeria in August, which also supported the Association’s ongoing efforts to establish and maintain civil society “monitoring networks” in various regions of the world, four new African CSOs applied for ICoCA membership.

If one thing became clear from the meeting, the ICoCA is continuing to systematically operationalize its key procedures – certification, monitoring, and complaints – which enable it to exercise oversight of its member PSCs’ implementation of the International Code of Conduct for Private Security Service Providers (ICoC). With the changing composition of its member PSCs, one ongoing concern has been facilitating the access of small and medium sized PSCs to ICoCA-certification, while at the same time maintaining high standards in line with the ICoC’s human rights and humanitarian law requirements. This is a discussion that continues to occupy the Board and Secretariat, but in the interim an important resolution was passed that would allow for a two-year Transitional Membership beginning in April 2018, thereby allowing PSCs more time to work towards attaining certification while actively participating in the monitoring and complaints processes of the Association. PSCs seeking a transitional status must agree to meet certain substantive and procedural benchmarks, yet to be developed, during that period to evidence their concerted efforts to obtain certification. Currently, ICoCA-certification requires that land-based security providers first evidence a third-party certification to security operations management system standards, either ANSI/ASIS PSC.1 or ISO 18788. Seventeen member PSCs have applied for ICoCA-certification and nine have received it. Discussion at the meeting revolved in part around the costs associated with implementing and auditing to the management standards, and whether they may pose a barrier to ICoCA-certification for some PSCs.

Steps taken to develop the monitoring and complaints functions of the ICoCA in the past year are central to its efforts to evolve its oversight capacities. As noted, a field mission to Nigeria, in which six member PSCs participated, was an important step in further developing the Association’s remote monitoring capacities. It allowed engagement of member PSCs in their operating environments, assisted with the development of SOPs for field-based reviews, and helped to refine performance and compliance indicators. This mission focused in particular on practices of subcontracting, training, and selection and vetting of personnel. The latter has also been the focus of a pilot to develop operationally-oriented questions to facilitate PSCs in meeting their Company Self-Assessment reporting requirements. An on-line platform was created to allow companies to submit this information securely. Developing SOPs for receiving and processing complaints was another key effort this past year. Currently, a guidance for PSCs is being finalized, with the support of DCAF (Geneva Centre for the Democratic Control of Armed Forces), to aid companies in establishing fair and accessible grievance procedures. It is expected to be launched at the end of November.

The at times technical and time-consuming work of developing policies, SOPs, guidance, on-line tools and the like indicate that the ICoCA is maturing and moving into a new phase as a multi-stakeholder initiative. In looking to the year ahead, the ICoCA must ensure that what may be the beginning of a trend becomes institutionalized, namely growing its membership in a way that reflects the global nature of the industry and its impacted populations. To do this effectively the Association will need to continue its concerted strategic outreach program and must recognize the dynamic nature of the industry and ensure that all the relevant stakeholders are brought to the table to include key private sector clients of the industry. Perhaps most essentially, as some member PSCs now have a few years of experience under their belts in implementing the Code, this is an opportune time to share best practices and identify where challenges in meeting human rights requirements remain and opportunities for collaboration, to include with observers and other stakeholders, exist to develop human-rights-based implementation tools.

ICoCA Takes Important Steps to Fulfill its Mission

icoca-agaLast Thursday the International Code of Conduct Association (ICoCA) made significant advances toward fulfilling its purpose to promote the responsible provision of security services and ensure respect for human rights and international and national laws. At the ICoCA’s Annual General Assembly in Geneva, Switzerland, members of the multi-stakeholder organization voted to pass provisions that will allow private security companies (PSCs) to receive certification evidencing their adherence to the International Code of Conduct for Private Security Service Providers, as well as passing two procedures related to reporting, monitoring, and performance assessment and complaints. Thus the ICoCA has put into place all the key procedures foreseen in the Articles of Association that underpinned the founding of the organization. In addition, member due increases agreed upon by participating PSCs, governments, and civil society organizations will provide funding for additional staff to undertake these new oversight functions.

According to a statement on ICoCA certification issued by the Board, after completing a pilot for certification using ANSI/ASIS PSC.1 and updating its guidance to PSCs for submitting additional human rights related information, the Secretariat is ready to begin certifying member PSCs. An amendment to the Articles of Association was passed extending the deadline for achieving certification to September 30, 2018. Concerns about the accessibility of certification to ANSI/ASIS PSC.1, a quality assurance and risk management standard that is a prerequisite of ICoCA certification, remain. The Secretariat plans to survey member PSCs to better assess whether there are barriers to ANSI/ASIS PSC.1 certification and will pilot ways of improving access to certification. More interestingly, the ICoCA is proposing a role for itself in improving oversight of certification bodies accredited to certify PSCs to ANSI/ASIS PSC.1 through activities such as the provision of guidance on assessor competencies, interpretation of the Code, and training. This could go a long way in allaying concerns about the transparency of auditing by for-profit certification bodies paid for by PSCs. However, the success of this new oversight capacity will hinge on effective engagement with certification bodies. Fortunately, a number of them participate as observers to the ICoCA.

The ICoCA Article 12 procedure on reporting, monitoring, and assessing performance and compliance was successfully passed by members. To enable these oversight requirements, the Board will develop indicators on all elements of the Code, beginning with the provisions on the use of force, apprehending persons, prohibition of torture or other cruel, inhuman, and degrading treatment or punishment, and training of personnel. Participants at the meeting stressed the importance of prioritizing the development of indicators in areas where PSCs experienced human rights related challenges, such as workplace rights issues. In preparation for field-based reviews – which can be undertaken if the review of available information or a human rights risk assessment has identified a need for further monitoring, if there is a request from an ICoCA member, or if exigent circumstances warrant it – the Secretariat conducted a pilot field-based review in East Africa with the participation and support of three member companies. The pilot focused to screening and vetting and training of personnel. In addition, the ICoCA plans to conduct outreach to external stakeholders to create a network of contacts and sources of information in key areas of member companies’ operations.

The ICoCA Article 13 procedure on receiving and processing complaints was also affirmed by members. The creation of effective complaints and grievance mechanisms has posed a challenge for a number of multi-stakeholder initiatives, and the ICoCA has set itself apart from the rest with this new procedure. The Secretariat will now be in a position to offer member PSCs advice on how to improve their grievance mechanisms to meet the provisions of the Code. Should the Board determine that a complaint cannot be appropriately addressed by a company-level grievance mechanism or that the mechanism of a member PSC does not meet the requirements of the Code, the Secretariat can use its good offices to recommend external mediators or provide information regarding alternative grievance mechanisms that may provide effective remedy for complainants.  Should a complaint potentially rise to the level of a criminal activity, the ICoCA may report that violation to one or more competent authorities for possible investigation and prosecution of the crime.

Overall, the ICoCA is in a state of good organizational health, with strong finances, significant staffing, and active participation of PSCs, governments, and civil society organizations. The ICoCA currently has 98 member PSCs, with additional new applicants being processed in a timely fashion. Significantly, the geographical diversity of those applicants is increasing, although the greatest number of member PSCs remain U.S. and UK companies. This diversity may continue to grow in light of planned outreach and efforts to identify and address any barriers to certification. However, it remains to be seen what impact the agreed upon dues increases will have on membership numbers. Undoubtedly, with only six governments currently involved, greater participation of States, as both regulator and clients of the industry, would be preferable. To that end, the Secretariat continues to engage with the States participating in the Montreux Document Forum. The 17 civil society participants are located across four continents, and the creation of the above mentioned network may serve to grow the diversity in this pillar as well.

This Annual General Assembly represents an important turning point for the ICoCA. It is now in a position to fulfill its mission and promote the responsible, rights-respecting provision of security services. Finding agreement in a multi-stakeholder setting is never an easy task, and the ICoCA has come a long way in a respectable amount of time. If these procedures are implemented as planned, the ICoCA is poised to truly be an exemplary multi-stakeholder initiative.

New Standards for CBs Certifying Private Security Companies to ANSI/ASIS PSC.1 and ISO 18788 Open for Public Comment

Readers, who have been closely following standard setting for private security companies (PSCs), may be interested in opportunities to comment on two new standards for Certification Bodies (CBs) certifying PSCs to ANSI/ASIS PSC.1-2012 and ISO 18788-2015 – the two leading management system standards for PSC operations. The United Kingdom Accreditation Service (UKAS), the British organization responsible for accrediting CBs, has opened a public comment period until August 31 for the UKAS Guidance for Certification Bodies Certifying the Management Systems of Private Security Companies against ANSI/ASIS PSC.1: 2012 or ISO 18788: 2015. Its American equivalent ANAB (ANSI-ASQ National Accreditation Board) has released Accreditation Rule 40 (AR 40).* The Guidance and AR 40 apply to CBs seeking accreditation to assess and certify PSCs’ security operations management systems built on ANSI/ASIS PSC.1-2012 and/or ISO 18788. ANAB’s public comment period is open until September 5.

Although serving similar purposes, it is interesting to note the differences in approach taken by UKAS and ANAB. UKAS states that it will accredit CBs to certify to ANSI/ASIS PSC.1-2012 and/or ISO 18788 using ISO 17021-1. ISO 17021 is the International Organization for Standardization’s generic Conformity Assessment standard for CBs providing audit and certification of management systems. The Guidance does note that it provides guidance on ISO 17021-1 and ANSI/ASIS PSC.2-2012, but it does not explicitly state that it requires CBs to adhere to ANSI/ASIS PSC.2 for accreditation purposes. By way of reminder to readers, ANSI/ASIS PSC.2-2012: Conformity Assessment and Auditing Management Systems for Quality of Private Security Company Operations provides requirements and guidance for conducting conformity assessment of ANSI/ASIS PSC.1-2012. It is a sector specific standard based on ISO 17021. In contrast, ANAB’s AR 40 states that ANSI/ASIS PSC.2-2012 is a required document. The length of UKAS’s Guidance, in particular the extensive detailing of auditor/audit team competences, is likely a result of failing to explicitly make ANSI/ASIS PSC.2 a required document. ANSI/ASIS PSC.2 already covers in depth required competences, and unlike the Guidance also discusses the needed training and experience of auditors as well as requirements for screening and vetting auditors. One thing is certain, all three documents make it clear that auditors must have a wide variety of skills relevant to assessing the responsible provision of security services in complex environments, to include human rights expertise.

Another strong point of ANAB’s AR 40 is the useful Annex at the end, which compares and contrasts the requirements of ANSI/ASIS PSC.1-2012 and ISO 18788. While the two management system standards are very similar, there are differences of which auditors need to be aware. ISO 18788 cites the UN Guiding Principles on Business and Human Rights as a normative reference. This has resulted in some stronger human rights provisions in ISO 18788. For example, human rights risk analysis is now a clearly articulated requirement. In addition, there are a few new requirements that were not in ANSI/ASIS PSC.1-2012 related to apprehension and search and operations in support of law enforcement. That being said, the Annex is a surface comparison of requirements, and auditors will need to do a comparative deep-dive to capture the nuances in terms of improvements to ANSI/ASIS PSC.1-2012 that found their way into ISO 18788.

While perhaps not the most exciting reading material, both the Guidance and AR 40 are key documents not only for CBs and their auditors, but also for PSCs seeking certification to ANSI/ASIS PSC.1-2012 and/or ISO 18788. They can assist PSCs with grasping the certification process, understanding what elements of a management system auditors will assess, and providing a sense of the type of competences to look for in a CB.

* For purposes of disclosure, Human Analytics’ Rebecca DeWinter-Schmitt served on the Committee of Experts that drafted AR 40.

ICoCA Opens Pathway to Certification for Private Maritime Security Companies

It is now possible for Private Maritime Security Companies (PMSCs) to receive independent, third party certification to the International Code of Conduct for Private Security Service Providers (ICoC) via the International Code of Conduct Association (ICoCA). On Friday of last week, the multi-stakeholder ICoCA announced the release of a recognition statement for ISO 28007-1: 2015 Ships and marine technology – Guidelines for Private Maritime Security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract), ISO 28007 in short.

(Readers of Human Analytics’ Human Rights in Complex Environments blog may remember that we reported in February on the ICoCA’s release of an ISO 28007 draft recognition statement for public comment. The compilation of those comments is available here.)

As with the ICoCA recognition statement for the land-based security standard, ANSI/ASIS PSC.1-2012: Management System for Quality of Private Security Company Operations (PSC.1), the ISO 28007 recognition statement is accompanied by an Annex A analyzing the gaps between ISO 28007 and the ICoC and an Annex B summarizing the additional information, related to the human rights and humanitarian law requirements of the ICoC, that PMSCs must supply to the ICoCA. Unlike PSC.1, which has the ICoC as a normative reference, ISO 28007 did not and the gaps are not insignificant. (Despite some improvements in the human rights content of the ISO 28007 standard as it evolved from a PAS to an ISO guideline.) In addition to the failure of ISO 28007 to include human rights in PMSCs’ risk assessment process, four areas evidence the greatest number of gaps, namely requirements regarding employment policies, incident reporting practices, training programs, and grievance mechanisms.

Beyond this additional information, PMSCs must provide to the ICoCA the scope of their certification to ISO 28000 Specification for security management systems for the supply chain (the ISO standard that is actually auditable by certification bodies and to which ISO 28007 provides additional guidance), any non-conformities identified during the auditing process, corrective action plans, and details on their Human Rights Risk Assessment process. Only certificates lent by certification bodies accredited by recognized national accreditation bodies will be accepted by the ICoCA. Currently MSS Global and Lloyd’s Register Quality Assurance Limited are the only accredited certification bodies to audit to ISO 28000/28007. Both were accredited by the UK Accreditation Service.

Although more information will be forthcoming in terms of how the ICoCA will process certifications, the organization is poised to play an important role in increasing respect for human rights in the private maritime security industry. While the UK Accreditation Service has released guidance for certification bodies auditing to ISO 28000/28007, which clearly states that human rights competence is a must for auditors, this has limited effect in light of the weak human rights provisions in ISO 28007. Auditors can only audit to what is in the standard. Therefore, by gathering this additional human rights related information, the ICoCA can contribute to raising the bar by scrutinizing what human rights due diligence measures PMSCs have in place to identify, prevent, mitigate and account for how they address their adverse human rights impacts.

However, when assessing the information submitted to it by PMSCs, the ICoCA should draw on the expertise of its membership, to include organizations in the civil society pillar, such as Oceans Beyond Piracy/One Earth Future Foundation. As comments submitted by Oceans Beyond Piracy indicate, there are specificities to maritime security provision, to include differences in human rights risks and regulatory environments, that are not well-captured by the ICoC, which was drawn up with land-based security in mind. This is why the ICoC (Article 7) foresaw “the development of additional principles and standards for related services, such as… the provision of maritime security services,” beyond those already in the ICoC. Furthermore, as comments from MSS Global and two ICoCA member companies indicate, the scope of any ISO 28000/28007 certificate will also need to be scrutinized to ensure that it captures operations, beyond the Indian Ocean and High Risk Area, where human rights risks may be equally, if not more so, relevant to any PMSC’s compliance with the ICoC. Should the ICoCA be able to muster such informed scrutiny, and should PMSCs be willing to subject themselves to it, it is foreseeable that there will be an increase in PMSCs respect for human rights.

Certifying Private Security Companies’ Human Rights Performance: Not All Certificates Are Created Alike

http://hrbrief.org/2016/05/certifying-responsible-private-security-companies-assessing-implementation-transparency-disclosure-provisions/
http://hrbrief.org/2016/05/certifying-responsible-private-security-companies-assessing-implementation-transparency-disclosure-provisions/

A growing number of private security companies (PSCs) providing security services overseas to the U.S. Department of Defense (US DoD) and U.S. Department of State (US DoS) are becoming certified by third party auditors as a means of demonstrating their adherence to international human rights and humanitarian law standards. However, newly released research by American University Washington College of Law’s Dean’s Fellow David Sebstead indicates significant inconsistency in PSCs’ adherence to standards based on publicly available information. In his Human Rights Brief article, Certifying Responsible Private Security Companies: Assessing the Implementation of Transparency and Disclosure Provisions, Sebstead found that certification may not be enough to assure clients of PSCs and the public that they are fulfilling their human rights responsibilities.

The increased use of PSCs in the wake of the Iraq and Afghanistan conflicts, and associated concerns about their human rights impacts, led to the emergence of a transnational governance framework comprised of declarations, codes of conduct, and management standards to ensure more effective governance and oversight of PSCs. A central component of this governance framework is the ANSI/ASIS PSC.1 – 2012 Management System for Quality of Private Security Company Operations (ANSI/ASIS PSC.1). A quality assurance and human rights risk management standard, its creation was funded by the US DoD. Currently, the US DoD requires the PSCs it utilizes to demonstrate compliance to it, or a related International Organization for Standardization standard (ISO 18788), which was based on ANSI/ASIS PSC.1. One way of demonstrating compliance is for a PSC to hire a certification body to audit its conformance to PSC.1, for which it receives a certificate.

Similarly, the US DoS requires its overseas security contractors also to demonstrate compliance with ANSI/ASIS PSC.1, and to be a member in good standing of the International Code of Conduct Association (ICoCA). The ICoCA is a multi-stakeholder initiative, comprised of governments, PSCs, and civil society organization and headquartered in Geneva, which assures that its member PSCs adhere to the International Code of Conduct for Private Security Service Providers (ICoC). The ICoC details international human rights and humanitarian law responsibilities of PSCs operating in complex environments. The ICoCA certifies its member PSCs, and currently the only route to certification is by evidencing certification to ANSI/ASIS PSC.1 by an accredited certification body in addition to providing human rights information in particular related to the PSC’s human rights risk assessment process.

Examining 13 PSCs that have received ANSI/ASIS PSC.1 certification, Sebstead found fairly significant discrepancies in their conformance to the management standard. He rated the 13 PSCs on their demonstrable conformance to four requirements of ANSI/ASIS PSC.1 which would necessitate that PSCs share publicly information about their adherence to the standard. These included the scope of their certification, which indicates the parts of the PSC’s operations that were actually audited by a certification body; their statement of conformance, the public commitment by management to respect applicable national and local laws and human rights; the availability of a grievance mechanism, which allows third parties to submit complaints to companies when they do not meet their human rights commitments; and the communication of their human rights risk assessment process.

Aggregating these four public facing components of demonstrable conformance to ANSI/ASIS PSC.1, Sebstead created an overall score of effective implementation of these components for the 13 PSCs ranging from poor (0) to very good (3). No PSC received a perfect score, but in the top three places were Garda World Consulting at number one, Aegis Defense Services and Britam Defence tied for second place, and Edinburgh International and Oliver Group tied for third place.

Disaggregating the data for a moment, what does this information tell us? Regarding the certificate scope, six of the 13 PSCs simply posted their certificates to their websites. Yet many did not provide enough information to determine the extent of their certification. In other words, some large, multinational PSCs lay claim to a PSC.1 certification, but do not share publicly exactly which parts of their operations have actually been subjected to a third party audit. Nine out of 13 companies scored well on their statements of conformance, although surprisingly a few were weak on making explicit their commitment to respect human rights. PSCs were also inconsistent in terms of the quality of their grievance mechanisms, with only six out of 13 actually providing a detailed procedure explaining to those who submit complaints the process for addressing those complaints.

Finally, the most important means for a PSC to address its human rights impacts is to first undertake a human rights risk assessment process to identify its potential and actual impacts. However, only seven of 13 PSCs made any mention of having any type of human rights risk assessment process in place. While this does not preclude the possibility that they may actually be assessing human rights risks related to their operations, it would seem important to demonstrate publicly that they take their human rights due diligence responsibilities seriously.

As Sebstead rightfully points out, “embedding a commitment to respect human rights in management systems is an important first step, but adequately identifying and mitigating actual human rights impacts on the ground in host states where PSCs operate is essential.” The “black box” of certification needs to be opened up to better understand what types of methodologies and metrics are being used by certification bodies when they seek evidence of conformance to the human rights components of ANSI/ASIS PSC.1. Here the ICoCA can play a greater role as it can request information from its member PSCs about their certifications. Clearly, the ICoCA is already moving in this direction by requiring additional human rights related information from PSCs with an ANSI/ASIS PSC.1 certificate. But it would help strengthen the robustness of the system if not only there were more assurances about the consistency of the quality of ANSI/ASIS PSC.1 certificates, but also more transparency in terms of both the embedding of human rights commitments into policies and processes and the outcomes of those commitments on actual respect for human rights.

 

New Report Provides an Insider Perspective on the International Code of Conduct Process

DCAF Report coverA new report, Towards an International Code of Conduct for Private Security Providers: A View from Inside a Multistakeholder Process, by Anne-Marie Buzatu of the Geneva Centre for the Democratic Control of Armed Forces (DCAF) provides a first-hand account of the process that led to the development of the International Code of Conduct for Private Security Service Providers (ICoC) and its accompanying governance and oversight mechanism, the ICoC Association (ICoCA). Ms. Buzatu representing DCAF, along with members of the Swiss Government and the Geneva Academy of International Humanitarian Law and Human Rights, formed the team of “neutral facilitators” that shepherded into existence this landmark multi-stakeholder initiative. Attaining consensus among stakeholders from private security companies, governments, civil society organizations, and other interested parties consulted during the process was no easy task. As Ms. Buzatu rightfully points out, the neutral facilitators in this case did everything to make that possible, from logistical project management and drafting of texts to building trust and mediating disputes among stakeholders.

The report covers a lot of historical ground. It begins by describing the circumstances at the time that gave impetus to the ICoC effort. In particular, in the wake of the wars in Iraq and Afghanistan and the accompanying rapid increase in the use of PSCs, it became clear that there were governance gaps at both the national and international levels that had to be addressed to ensure effective oversight and accountability for private actors with the potential to use force. There was also a growing recognition that PSCs operating globally in complex environments raised complicated jurisdictional issues, which no one state could address on its own. New forms of innovative governance at the cross-sections of the national and international and public and private would be required. Hence the emergence of the ICoC/ICoCA as exemplars of “co-regulation” i.e. regulatory approaches that bring together public and private actors and “combine the advantages of an international-level multistakeholder governance model with the force of statutory and/or contractual obligations.” By embedding adherence to the ICoC and membership in the ICoCA into the contracting requirements of some states and international organizations, this multi-stakeholder initiative is in the process of setting historical precedent in terms of “hardening soft law.”

However, the origins of the ICoC/ICoCA in response to the Iraq and Afghanistan wars and the ICoCA’s current inclusion of only state clients of PSCs, makes one wonder to what extent this may be an example of “regulating the last war,” to quote Sarah Percy. While insurers and private sector clients of the private security industry, particularly extractive companies, participated in some of the initial consultations on the ICoC and the charter of the ICoCA, in later stages Ms. Buzatu notes they took a “wait and see” approach. Fortunately, efforts are underway to solicit extractive companies buy-in, and the viability and more global applicability of the ICoC will depend on bringing in private sector clients of the private security industry.

Even without private sector clients on board, the ICoC/ICoCA process stands out among other examples of co-regulation for its transparency and multi-stakeholder, consensus-based decision-making. No doubt this was part of the recipe for success as each stakeholder pillar brings to the table different types of expertise and leverage to ensure that the provision of private security also facilitates general human security. PSCs have ground-truth and can best explain how to incorporate international human rights standards into their operations. Governments can give effect to international standards by incorporating them into international and national laws, regulations, and procurement requirements. Finally, civil society can provide insight into how security services are impacting on local populations and serve in a watch dog capacity. A section of the report on “Good Practices and Lessons Learned” cites trust among stakeholders, equally weighted participation, consensus-based decision-making, and transparency as key factors for successful co-regulation; sage advice for other co-regulatory initiatives underway that have at times found themselves struggling with differences among stakeholders. From this perspective, the Voluntary Principles on Security and Human Rights come to mind.

From an insider point of view, it would have been useful to hear more not just about what happened – from the Montreux Document to the ICoC, to the Temporary Steering Committee that drafted the charter for the ICoCA, and now the efforts of the ICoCA to develop procedures for certification, monitoring, and grievance mechanisms – but also how certain compromise positions were reached and why stakeholders took the positions they did.

That being said, one section of the report goes into greater depth detailing the process behind and provisions of the ICoC, which went through three versions before being finalized in 2010. The reader is able to trace from that section key provisions that developed over time, such as the applicability of the Code to complex environments; the need for a multi-stakeholder approach, rather than an industry-led process; the ability to agree about the value of an accompanying International Governance and Oversight Mechanism, but not about its specific contours; and the importance of embedding Code standards into procurement practices.

Another section on the drafting of the charter, later called the ICoCA Articles of Association, which was about two years in the making, also gives a good sense of the extensive, consultative drafting process undertaken by the multi-stakeholder Technical Steering Committee, as well as points of disagreement that had to be addressed and the consensus that was attained. Significantly, the very detailed initial draft of the charter was significantly pared down, leaving it to the ICoCA to develop the specifics of the certification, monitoring, and grievance procedures. During negotiations of the charter, differences in views about membership in the civil society pillar resulted in detailed membership criteria being finalized by the pillar after the launch of the ICoCA. Views also differed on the broad outline of the grievance procedure. In the end, with the exception of an arbitration function, nearly all proposed functions of the grievance procedure – advisory, referral, mediation, special audit, fact-finding, and gatekeeping functions – found their way to some degree or another into the charter.

However, what is not addressed in depth, and indeed shaped the how and why of much of these negotiated outcomes from the ICoC onwards, was the completion of the Department of Defense funded ANSI/ASIS PSC.1 management system standard for private security operations in 2012. The DoD, PSCs, and other interested parties supporting the development of PSC.1 saw it as an operationalization of the ICoC’s principles, as called for in ICoC Paragraph 7 which speaks to the need for “objective and measurable standards for providing Security Services based upon this Code.” Furthermore, once PSC.1 was completed and a pilot project was underway to accredit the first certification bodies and certify the first PSCs, this shaped negotiations on the certification function laid out in the charter of the ICoCA. The Articles of Association Paragraph 11.2.1 state that the ICoCA Board “shall define the certification requirements based on national and international standards and processes that are recognized as consistent with the Code,” and 11.2.4 states that the certification process shall not be “duplicative of certification under Board-recognized national and international standards.” Indeed, certification to PSC.1, along with some additional human rights relevant information, such as the human rights risk and impact assessment methodology used by a PSC, is now the first officially recognized route to ICoCA certification. Yet the relationship between those certification requirements, the field auditing requirements of PSC.1, and the ICoCA monitoring procedure currently under development is still an open matter of discussion.

Is re-hashing these discussions about the relationship between these two co-regulatory efforts a matter of opening old wounds? Not at all. This detailed history of the origins of the ICoC/ICoCA, together with an understanding of the differing views of stakeholders and how those differences were overcome to reach negotiated agreements, is essential background knowledge that amounts to something akin to “founders’ intent.” First, as new members join the ICoCA and new interested parties follow its further development, this history allows them to better grasp the significant strides that were made to get things to where they are today. Revisiting old disputes, or at least not understanding the origins of certain comprises, can hinder forward progress. Second, as ICoCA Board committees move forward with the work of assessing other international and national standards, developing monitoring and performance assessment procedures, and creating a grievance mechanism, it helps to remember the shared vision that drives the overall effort and the consensus that has already been attained. True multi-stakeholder initiatives by their very nature move at a slow pace. But the progress to date with the ICoC/ICoCA, in particular in terms of the commitments the industry has made to establishing an assurance framework with teeth, and the time in which this was achieved, are truly exceptional compared to other co-regulatory efforts. The historical insights offered in this report provide useful foundations for continuing to chart the way forward and increasing the uptake of international human rights standards by the private security industry on a global scale.

Second Edition of Briefing Paper “Private Security Standards”

Security standards jpeg

The Human Analytics team is pleased to offer an updated briefing paper comparing and contrasting standards for the provision of private security services. This is the second edition of the briefing paper, “Standards for Private Security Services,” and it contains additional information related to the recently released ISO 18788: 2015 Management System for Private Security Company Operations. The paper also examines three other standards – the Voluntary Principles on Security and Human Rights, the International Code of Conduct for Private Security Service Providers, and ANSI/ASIS PSC.1-2010 Management System for Quality of Private Security Company Operations. Among the issues discussed are the origins of the standards, their relationship to each other, implementation efforts, and recent developments. A chart compares all four standards in terms of their content, scope, assurance mechanisms, and governance. The briefing paper can be downloaded for free here, and is a useful resource for understanding the evolving standards landscape for private security services.

Upcoming Workshop on new ISO 18788 Management System for Private Security Operations

Join Radian Compliance and Human Analytics on Tuesday, November 3, 2015 in Hampton Roads, VA for the DoD – Procurement Technical Assistance Program training on the recently released international standard, ISO 18788 Management System for Private Security Operations. If you are a private security company working for the DoD, DoS, or a commercial entity, this new ISO standard is relevant to you. Supported by the DoD, the purpose of this new standard is to enable consistent provision of security services while maintaining the safety of clients and ensuring respect for human rights and national and international laws in circumstances where the rule of law has been weakened due to human or natural events. ISO 18788 builds on ANSI/ASIS PSC.1 Management System for Quality of Private Security Company Operations.

This 3 hour session runs from 1pm-4pm and presents an overview of ANSI/ASIS PCS.1 as well as ISO 18788. Learn the requirements of the standards. Gain an understanding of how to implement a risk management framework and a human rights impact analysis, both requirements of the standards. Advice will be shared on which standard to adopt and whether to comply of conform to that standard.

In addition to the ISO 18788 workshop, a morning workshop will cover the recently revised and released ISO 9001: 2015 Quality Management Systems. This standard is at the heart of most organizations that want to drive value and quality processes to its customers. The workshop will review the certification and implementation requirements of a quality management system, and will examine how ISO 9001:2015 can integrate with other ISO systems along with supply chain requirements, including those of the Federal Government. With the September 23rd release of the updated standard, this session will also review the changes from the 2008 version. This class is appropriate for those both new to and experienced with ISO 9001. Many PSCs that seek certification to ANSI/ASIS PSC.1 and ISO 18788 also gain ISO 9001 certification in the process.

The workshops cost $75, the proceeds of which go to George Mason University. To register for the workshops visit http://virginiaptap.org/calendar/   On the ‘Center’ Line select Hampton Roads for information and registration.

International Code of Conduct Association Reviews the Past Year and Maps Road Ahead

The International Code of Conduct Association (ICoCA) held its Annual General Assembly meeting on October 8 in Geneva. The ICoCA, established in September 2013, governs and oversees implementation of the International Code of Conduct for Private Security Service Providers and promotes the responsible provision of security services in line with the human rights and humanitarian law commitments laid out in the Code. As was the case at last year’s General Assembly, the Swiss-based multi-stakeholder initiative brought together its members from private security companies (PSCs), civil society organizations, and governments as well as observers to review the achievements of the previous year, discuss remaining challenges, and map next steps. Human Analytics participates as an observer to the ICoCA.

The Secretariat provided an Annual Report for 2014-2015 and addressed progress made to date in key areas. What follows are some highlights from the meeting. With regard to governance, the Secretariat has continued to grow in size and currently has a five person staff. Tasked with, among other things, administering the day to day business operations, overseeing the membership application process, administering the certification procedure, and providing support to the Board as it develops additional procedures, the Secretariat expects to add new staff when the monitoring and complaint procedures are completed. The ICoCA’s twelve member Board has created committees and working groups to assist it with its work, to include growing the size of the Article 12 Development Working Group, which is currently developing the monitoring, reporting and performance assessment procedure.

With the certification procedure recently completed and ANSI/ASIS PSC.1 recognized as the first national standard to serve as a basis for ICoCA certification, the Board is now focusing to monitoring adherence to the Code, one of the core functions of the ICoCA. With financial support from the U.S. government, as a first step the Article 12 Development Working Group is developing performance benchmarks based on the Code. The benchmarks will serve as objective criteria for assessing performance, shape the reporting requirements, and guide the Secretariat and Board’s efforts to monitor member companies remotely and in the field. A few industry members expressed concerns that any requirements under Article 12 must not be duplicative of steps already taken to gain certification to ANSI/ASIS PSC.1. If the time needed to develop the certification procedure is any indication, it will be awhile before stakeholders reach consensus on the procedure for monitoring, reporting, and performance assessment. From the perspective of many civil society organizations, this procedure is core to the ICoCA’s ability to assess the actual impact of security operations on local populations’ human rights. The complaint process will also prove essential to identifying negative human rights impacts, and the Board’s Complaint Process Development Working Group is currently undertaking a comparative study of existing complaints and grievance mechanisms to inform its work.

In addition, the ICoCA is currently piloting ICoCA certification and plans to develop guidelines to assist member PSCs through that process, in particular with regard to the additional human rights related information they must submit. The Board’s Certification Committee, with the new certification procedure and analytical matrix to assess new standards in hand, is completing its review of the maritime security standard ISO 28007-1. This is an important development for maritime security providers, who initially signed on the Code in large numbers. The next standard to be reviewed will be the new ISO 18788. The Secretariat indicated that since ISO 18788 builds on the already recognized ANSI/ASIS PSC.1, there is no reason to believe that the Board would not also recognize ISO 18788 in a time frame that would comport with the first certification bodies becoming accredited to certify to it.

Perhaps somewhat more unexpectedly, a proposal was made by a Swiss company to examine the suitability of the generic ISO 9001 quality management standard for certification to the ICoCA. The request is likely linked to Switzerland’s new law that requires membership in the ICoCA for companies based in Switzerland providing security services overseas or who support the provision of those services, as well as PSCs providing contracted security services to Swiss government agencies overseas and holding companies headquartered in Switzerland with control over PSCs operating overseas. The law’s expansive definition of security services does not match that of the Code which, among other things, has created some implementation challenges. The proposal met opposition, with some fearing that the ubiquitous ISO 9001 certification might result in a watering down of the Code’s requirements, as well as support, with some advocating a pragmatic, stepped entry into the ICoCA for both small and medium sized and non-U.S. and UK PSCs, for whom certification to ANSI/ASIS PSC.1 may not be as readily attainable. The Secretariat committed to examining the factual basis for concerns that certification to PSC.1, and ultimately ICoCA certification, is inaccessible to some PSCs interested in becoming members. The Secretariat stated that it does not want to exclude PSCs committed to the Code based on commercial considerations.

During break-out sessions of the individual pillars and observers, the industry pillar of the ICoCA voted in a new representative, and announced shortly thereafter that Pamela Hosein would join the Board. Ms. Hosein’s company is based in Trinidad & Tobago, and her election to the Board represents an important step in diversifying the Board to reflect the global make-up of member companies. One challenge identified during the meeting was broadening the ICoCA’s membership to include non-U.S. and UK companies. Currently, of the 88 member PSCs, 23 are home in the UK and 15 in the U.S. The remaining 50 PSCs are based in 29 different countries, with the UAE, Pakistan, and Cyprus being the only countries home to 5 or more member PSCs. However, the greatest growth in membership comes from PSCs headquartered outside of the U.S. and UK, and the Secretariat reported that two new applications are pending review and 34 are in process. An uptick in PSC membership should thus occur soon, as the application processing time has been reduced to two weeks.

The civil society pillar has also increased its global diversity, with the 13 civil society organizations at home on four different continents. Unfortunately, the government pillar’s six members (U.S., UK, Switzerland, Sweden, Australia, and Norway) are less geographically diverse. However, there is hope that the recently established Montreux Document Forum, with its 52 governments who have expressed support for the Montreux Document, might serve as a conduit for involving more countries in the ICoCA. The Montreux Document Forum has established an ICoCA Working Group that will liaise with the ICoCA. On a positive note, five of the governments currently participating in the ICoCA recognize in some fashion the importance of adherence to the Code in their regulations and procurement policies. With the Secretariat’s efforts to reach out to other non-state clients of the industry, such as extractive companies via its plans to join the Voluntary Principles on Security and Human Rights as an observer, one can expect continued growing interest among clients of the security industry in the verifiable provision of responsible security services.

Human Analytics discusses human rights and PSC.1 at ASIS 2015

ASIS2015Human Analytics LLC recently served as a panel member at the ASIS International 61st Annual Seminar and Exhibits (ASIS 2015) held in Anaheim, CA from September 28th to October 1st. The annual ASIS International event is the security industry’s top educational event and included over five days of exhibits, presentations, and educational sessions to cover emerging developments and topics of importance to the global security industry.

On Monday, September 28th, ASIS International 2015 conducted an educational session to highlight and discuss specific legal, human rights, risk management, and security operation elements of the ANSI/ASIS PSC.1-2012 Management System for Quality of Private Security Company Operations – Requirements with Guidance (PSC.1).

The educational session consisted of a panel moderated by Dr. Marc Siegel of the ASIS International Global Standards Initiative and featured Pete Dordal of GardaWorld International, Lisa DuBrock of Radian Compliance LLC, and James Schmitt from Human Analytics LLC. Material was also presented from leading experts Chris Mayer of the Department of Defense and Dr. Ian Ralby of IR Consilium, LTD. to elaborate on U.S. Department of Defense requirements and legal implications of the standard. Pete Dordal presented an informative case study on GardaWorld’s implementation of the PSC.1 standard, while Lisa DuBrock focused on specific details and considerations of the overall Quality Assurance Management System (QAMS) aspects of PSC.1. James Schmitt completed the presentations by focusing on the significant number of key human rights provisions of PSC.1 and how these relate to private security companies, their clients, and their partners. Dr. Marc Siegel, as the panel moderator, facilitated questions from the audience as well as presenting additional questions related to PSC.1 to the panel members.

As part of its presentation, Human Analytics LLC covered key human rights provisions of the standard to include the requirements and rationale for companies to establish grievance mechanisms for populations impacted by private security company operations, the need and benefit for companies to publicly communicate their Statement of Conformance with the PSC.1 standard, as well as a company’s responsibility to assess human rights risk in their operations, to include their supply chain. A copy of Human Analytics’ presentation can be found here.

The PSC.1 standard is now recognized internationally as the most detailed international risk management framework relevant to security company operations. It is viewed as the industry standard and provides auditable criteria.

The educational session, “ANSI/ASIS PSC.1 Standard: Enhancing Management of Security Operations”, was designed for companies to better understand and successfully implement the new standard which is becoming increasingly required by both public and private sector utilizers of private security companies. “It was so important to see the growing number of companies that are committed to implementing the PSC.1 standard, or have actually done so already,” one participant said after the session. “It is not only the PSCs themselves that have moved to embrace the PSC.1 standard, it is also the organizations and government agencies that utilize PSCs and have made it a contractual requirement.” The session was attended by a number of representatives, to include individuals from private security providers, independent consultants, government, trade association, and industry.

Update: Further Progress Made in Finalizing Certification to ICoCA Using PSC.1

In a previous blog post, ICoCA Releases Draft Certification Procedure for Vote by Members, Human Analytics described the process by which a national or international standard is considered for approval by the International Code of Conduct Association (ICoCA) as the pathway for a private security company (PSC) to gain ICoCA certification. To be approved a standard must be consistent with the principles of the International Code of Conduct for Private Security Service Providers (ICoC). Where there are inconsistencies between a standard and the ICoC, the ICoCA can request additional human rights and humanitarian law related information from member PSCs in order to assess whether their systems and policies meet the requirements of the ICoC. On July 3, the ICoCA Secretariat announced that the General Assembly approved the Certification Procedure with no dissenting votes and 65%+ participation in the vote by members from all three pillars – governments, PSCs, and civil society organizations.

With the Certification Procedure now in place, the Secretariat is undertaking the next step of assessing whether certification of a PSC to PSC.1 – shorthand for the ANSI/ASIS PSC.1-2012: Management System for Quality of Private Security Company Operations – meets the requirements of the ICoC. To that end the ICoCA Secretariat has circulated a Draft ICoCA Recognition Statement for ANSI/ASIS PSC.1 – 2012 along with Annex A: Draft Analysis of ANSI/ASIS PSC.1-2012 against the ICoCA Certification Assessment Framework and Annex B: Draft Certification Additional Information Requirement for PSC.1. These documents are now open for public comment. Compiled comments will be posted to the ICoCA website once the comment period ends on August 24. Thereafter, the Board will review the comments and will vote whether to accept the standard and publish a Recognition Statement for PSC.1. If accepted, the ICoCA will begin processing requests for ICoCA certification beginning in early October. Under the Articles of Association, member PSCs must obtain ICoCA certification within one year of the release of the Certification Procedure, which would be July 2016.

Human Analytics, as an Observer to the ICoCA, submitted the following comment to the Secretariat:

“Human Analytics, as an Observer to the International Code of Conduct Association, welcomes the progress that has been made in approving a Certification Procedure and releasing a Draft ICoCA Recognition Statement for ANSI/ASIS PSC.1 – 2012 and accompanying Draft Annexes. This represents an important step forward in enabling the ICoCA to exercise its governance and oversight functions. Furthermore, Human Analytics is pleased to see that the ICoCA recognizes the importance of harmonizing the International Code of Conduct with recently developed and emerging national and international standards applicable to the private security industry, in particular the UN Guiding Principles on Business and Human Rights and the ISO 18788 Management System for Private Security Operations – Requirements with Guidance.

The Annex A: Draft Analysis of ANSI/ASIS PSC.1-2012 against the ICoCA Certification Assessment Framework is a valuable document for clarifying where the ICoCA sees a limited number of inconsistencies between the ICoC and PSC.1, which informed the additional information requirements laid out in Annex B. However, when undertaking such comparisons, it is useful to bear in mind the nature of the two documents and their inter-relationship. The drafters of PSC.1 saw the standard’s purpose in the operationalization for implementing PSCs of the human rights and humanitarian law principles and commitments detailed in the ICoC through a risk and quality assurance management system process. In other words, PSC.1 turns the principles of the ICoC into business practice standards.

Furthermore, the Montreux Document and the ICoC form the normative foundations of PSC.1. This has a number of implications. When PSCs establish the framework for their management system, as detailed in section 5.1 of PSC.1, the management system “shall incorporate and adopt the legal obligations and recommended good practices of the Montreux Document relevant to PSCs and the guiding principles of the ICoC.” In other words, all requirements of the ICoC must be met for a company to be certified as in conformance with PSC.1. According to accredited certification bodies, audits are undertaken with PSC.1 as well as the ICoC in hand.

Finally, the provisions contained in the Guidance, while reflecting “should” rather than “shall” statements, are nonetheless significant both for PSCs and their auditors. For PSCs, the Guidance provides further information on how to interpret and understand the standards’ requirements, as well as additional detail on possible means to tailor implementation of those requirements to a particular company’s operating context. For auditors, the Guidance offers additional information not only on how to interpret the requirements, but also on what to look for when gathering evidence of conformance.

The most significant identified inconsistency between the two documents is with regard to the Human Rights Risk and Impact Assessment (HRRIA). While technically not a term appearing in either the ICoC or PSC.1, the ICoCA has rightfully identified an adequate HRRIA process as essential to identifying, preventing, mitigating, and addressing human rights risks linked to security operations. A HRRIA requirement is also an important step toward harmonizing the ICoC with emerging national and international consensus on the type of human rights due diligence any company should undertake, and in particular when operating in complex environments.

However, Human Analytics has some concerns with regard to the HRRIA checklist. First, it is unclear how the Secretariat will evaluate a written risk assessment model or process against this checklist. What is proposed here would appear to amount to a desk-based review of a company’s self-reported policies and may not provide a fuller view of what actually happens in practice. Second, the substantive questions relating to internal controls and policies and prohibitions contained in the ICoC amount to a restatement of the ICoC’s key provisions formulated as a list of questions on whether or not the HRRIA considered these provisions. Checklists lend themselves to tick the box exercises.

HRRIAs are a relatively new tool for identifying and managing human rights risks, and to date there has been limited standardization and agreement on best practice. Therefore, in keeping with Article 12.4 of the Articles of Association, which states that the ICoCA shall promote industry best practices, the ICoCA could help advance rights-respecting conduct of PSCs by supporting the development of sound HRRIA processes and tools specifically geared toward the needs of the private security industry and the rights-holders and other stakeholders affected by its activities. In developing such tools, the ICoCA could consider drawing on the expertise not only of its member PSCs, who have already undergone PSC.1 certification, but also of other companies in other sectors operating in complex environments, who have undertaken HRRIAs, as well as the various organizations – legal, academic, consulting, and not-for-profit – that have substantive knowledge of and first-hand experience with conducting HRRIAs.”

The Viability of Multi-stakeholder PSC Regulation

Individuals that follow the regulation of Private Security Companies (PSCs) will be particularly interested in Dr. Sorcha MacLeod’s recently published article, Private Security Companies and Shared Responsibility: The Turn to Multistakeholder Standard-Setting and Monitoring through Self-Regulation-‘Plus’.

MacLeod focuses on both the merits and questions concerning recent international multi-stakeholder initiatives related to PSC standards, certification, and oversight, specifically the Montreux Document, the International Code of Conduct for Private Security Providers (ICoC), the  International Code of Conduct Association (ICoCA), and ANSI/ASIS PSC.1-2012 Management System for Quality of Private Security Company Operations  (PSC.1), deliberately walking through each of these efforts and the intended role and interrelated nature of each.

Taken together she deems these multi-stakeholder processes for regulation of PSCs the “self-regulation-plus” approach because of the involvement of not only industry, but also states and civil society organizations.  However, MacLeod concludes, among other points, that this approach “is not the definitive solution.” In the end she feels that unless several cited issues with the current approach are adequately addressed “the likely effectiveness of the ICoC and ICoCA human rights model as applied through a standard such as PSC.1” remains an open question.

It is in the interest of all – the PSC industry itself, as well as the states, commercial enterprises, and NGOs that utilize PSCs – to have effective and universally accepted standards, certification, and oversight frameworks. MacLeod’s stated significant concerns (listed below with comments) with the new PSC regulatory mechanisms should be reviewed carefully and taken into consideration by each of the three member pillars of the ICoCA (states, industry, civil society) as well as by the commercial and NGO entities that utilize PSCs. The latter are not well represented in the state-client focused ICoCA.

State involvement and support. The ICoCA oversight mechanism must be perceived as strong and functional. In the United States, conformance with the PSC.1 standard is now required by the Department of Defense for all contracted private armed security overseas and the Department of State has recently stipulated in its largest protective services solicitation that each bidder must confirm compliance with the requirements set forth in PSC.1 (as well as demonstrate that it is a member in good standing with the ICoCA).  In the United Kingdom, the Foreign Commonwealth Office has stipulated PSC.1 compliance for overseas contracted security services. MacLeod questions how the ICoCA, with its focus to the state clients of PSCs, can be extended to the other commercial and NGO clients of PSCs.

Ability to deal with non-certified and rogue PSCs. Furthermore, MacLeod queries how the ICoCA can contend with non-certified PSCs. She makes the case for states to weigh in to encourage PSC clients in the NGO and commercial sectors to use only ICoC compliant PSCs.

Scope of the certification. MacLeod recommends that clients of certified PSCs know the scope of their PSC’s certification. Is the company globally certified to the PSC.1 standard or is the scope of the certification limited to a specific operating unit or geography?

Auditor competence. MacLeod stresses that certifying auditors must be competent in human rights. The human rights elements in PSC.1 are significant and require the use of auditors with suitable expertise. Additionally, it can also be argued that it is essential that PSCs draw upon human rights expertise themselves if they are to fully and adequately develop, implement, and sustain the human rights components of the PSC.1 standard. Failing to sufficiently develop, implement, and sustain the human rights risk management provisions of the PSC.1 will be corrosive to the credibility of the PSC’s certification as well as a significant undermining factor in demonstrating their responsibility to respect human rights and prevent adverse impacts.

Human Rights Impact Assessments. MacLeod highlights the current lack of clarity on how a PSC should assess human rights risk and impacts and what tools they should use to do so. She is spot on here. While PSC.1 does not explicitly require PSCs to conduct human rights risk and impact assessment (HRRIA), human rights is a specified component of the risk assessment process. As part of the risk assessment process, PSCs have the opportunity to conduct an HRRIA to identify specific human rights risk exposure and develop the processes to address each risk. PSC.1 also requires the establishment of a complaint and grievance mechanisms with external stakeholders. An effective HRRIA conducted with the cooperation and involvement of the local impacted community can greatly facilitate this process. HRRIAs are an imperative part of the overall risk assessment process and should be conducted as part of every pre-deployment survey or advance party at the tactical and operational level. Like security, human rights risk mitigation is most effective when it is developed and integrated at the initial project planning stage and not implemented as a “bolt on” or reactionary activity.

Client awareness, education and training. This certainly requires a greater awareness effort and MacLeod rightfully argues that the effectiveness of PSC.1 certification will be dependent upon the extent to which all clients, government, commercial, and civil society, understand the certification process. The ICoCA, with its multi-stakeholder three-pillar approach, can, and undoubtedly will, be instrumental in this regard.

By identifying areas of perceived potential weakness with the multi-stakeholder process as it currently now stands, MacLeod goes a long way in spotlighting the specific areas that must be addressed in the short term if a credible and viable “self-regulation-plus” PSC industry regulatory mechanism is to continue for the long term.

 

New ISO Standard for Private Maritime Security Companies Reflects Some Progress on Human Rights

In a previous Human Rights in Complex Environments blog, we argued that the ISO/PAS 28007:2012 Ships and marine technology – Guidelines for Private Maritime Security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract) – ISO/PAS 28007 in short – could not be described as a “security and human rights” standard. At the time, the Publicly Available Specification was being developed into a full ISO standard. That standard, ISO 28007-1: 2015, is now completed and available. While some improvements have been made in terms of clarifying the human rights responsibilities of PMSCs providing armed security on board ships, shortcomings remain.

What ISO-28007-1 is and is not

ISO 28007-1 suffers from a bit of an identity crisis. It is a set of informative guidelines for organizations implementing ISO 28000: Specification for security management systems for the supply chain. In other words, it is additional guidance for organizations wanting to assure security in their supply chains, which is different from the management of private security operations and the responsible provision of armed security services – something that standards like ANSI/ASIS PSC.1:2012 Management system for quality of private security company operations – Requirements with guidance (PSC.1) and its accompanying guidance specific to private maritime security, ANSI/ASIS PSC.4-2013: Quality Assurance and Security Management for Maritime Private Security Companies – Guidance (PSC.4), do explicitly address. While the Introduction to ISO 28007-1 states that, “[i]n effect, ISO 28000 is a risk-based quality management system for the security of operations and activities conducted by organizations,” in reality ISO 28000 is not a quality management system and the word quality appears nowhere in the main body of ISO 28000.

Furthermore, it should be noted that ISO 28007-1 is specific to the provision of security services on board ships. The evolving industry is largely unaddressed by the standard, and it does not cover newer activities, such as offshore installation protection, littoral work, and seismic survey work, which are more likely to put PMSCs in a position where human rights might become an issue.

Improved human rights provisions

As noted in our previous blog, human rights were almost wholly absent from the ISO/PAS 28007. The Universal Declaration of Human Rights (UDHR) was not listed as an informative document in the bibliography, and in the entire standard human rights were only correctly referenced twice: once in conjunction with health and safety stating that the organization should have guidelines for disciplinary offenses involving human rights abuses, and the second time to state that the organization should develop procedures to identify applicable international law to include human rights obligations. While the UDHR still is not referenced in the bibliography and the term international human rights law appears nowhere in the ISO 28007-1, the Introduction now explicitly references the UN Guiding Principles on Business and Human Rights (UNGPs), which reflect the current international norm for responsible business conduct with relation to the human rights impacts of companies. Specifically, the Introduction states: “Organisations seeking to be certified to this International Standard should respect the human rights of those affected by the organisations [sic] operations within the scope of this International Standard, including by conforming with relevant legal and regulatory obligations and the UN Guiding Principles on Business and Human Rights.” This is a marked improvement over the ISO/PAS 28007. However, choosing to reference the UNGPs only in the Introduction and not integrating them and elaborating on their relevant provisions in the main body of the guidance weakens the expectation that companies conform to the UNGPs. The drafters could have cited the UNGPs as a normative reference, as was done with the ISO 18788 Management system for private security operations – which is the international standard based on PSC.1 – but that path was not taken. Furthermore, the definition provided of the UNGPs is incomplete and only discusses the human rights responsibilities of companies, i.e. Pillar II, and not the accompanying human rights obligations of States and the need for both States and companies to provide effective access to remedy for victims of human rights abuses linked to economic activities.

That being said, referencing the UNGPs is not the only improvement in the ISO 28007-1’s human rights provisions. Noteworthy are the following additions:

  • The term stakeholders is now used and impacted communities have been added as a relevant stakeholder.
  • As part of the risk assessment process, organizations are advised to carry out meaningful consultation with relevant stakeholders, including those directly affected by their operations.
  • Organizations should have a human rights policy, alongside a Code of Ethics.
  • In addition to minimum age requirements for PCASPs, there is also now a commitment not to employ child labor and referencing of relevant ILO conventions.
  • The provisions on complaints and grievance procedures have been improved and now reference protection of whistle-blowers, procedures to assess effectiveness of complaints and grievance mechanisms, and procedures to protect complainants from retribution.

 

It is also noteworthy that remarks in the definitions section which stated that the International Maritime Organization does not believe that the International Code of Conduct for Private Security Service Providers (ICoC) or the Montreux Document are applicable to maritime security operations were removed. The ICoC and Montreux Document have been added to the bibliography.

Still room for more improvement

While these additions warrant recognition, there is still room for strengthening the human rights provisions of the IS0 28007-1 if it is to truly reflect the UNGPs. Additional improvements should entail:

  • Recommending that organizations carry out a human rights due diligence process, to include conducting a human rights risk and impact assessment to identify, address, and mitigate actual and potential negative human rights impacts.
  • Clarifying that when organizations systematically evaluate and prioritize risk controls, management, mitigation, and treatments that they should prioritize addressing human rights risks based on their scope and severity. Not addressing actual or potential severe human rights risks raises legal liability concerns, and not just considerations of reputation and cost effectiveness. Severe human rights risks linked to an organizations’ operations must be addressed even if risk treatment is not cost effective per se.
  • Adding provisions that explicitly state that negative human rights impacts should be remediated.
  • Using past involvement in human rights violations as a screen for vetting PCASPs.
  • Requiring that PCASPs receive relevant human rights training.

 

Thankfully ISO standards are reviewed on a regular basis, so there will be opportunities in the future to include human rights experts in the review process and address these shortcomings.

The ANSI/ASIS PSC.1-2012 Standard: A comprehensive framework for managing private security company operations

UntitledIn the coming months, numerous private security companies (PSCs) and their clients will bring the requirements and standards of ANSI/ASIS PSC.1-2012: Management System for Quality of Private Security Company Operations (PSC.1) into their contractual and management practices – several private security companies (PSCs) have already done so and many more are beginning. The following discussion points address the context of the PSC.1 standard, implementation, and its applicability to PSCs and their clients.

What is PSC.1 and why was it developed?

Over the last decade, PSCs were implicated in several high-profile incidents while operating in complex environments. These events triggered new multi-stakeholder codes and management standards to provide guidelines to PSCs on responsible business practices. Among these codes and standards, PSC.1 is the most detailed international risk management framework relevant to security company operations. It is viewed as the industry standard and provides auditable criteria.

What is the purpose of PSC.1?

Ultimately, PSC.1 is a quality assurance risk management system that adopts the Plan-Do-Check-Act Model at the core of management systems. PSC.1 provides PSCs and their clients with auditable standards and guidance for the quality of private security operations and the assurance of human rights in conditions where governance and the rule of law have been undermined by conflict or man-made or natural disaster. PSC.1 was designed to integrate with other management systems within an organization (such as, but not limited to, ISO 9001:2008). The PSC.1 standard is based on business and risk management principles. Conformity with PSC.1 communicates to internal and external stakeholders that the PSC is able to manage its safety, security, and legal obligations, as well as respect human rights.

How was PSC.1 developed?

The U.S. Department of Defense funded ASIS International, the largest organization for security professionals, to develop the PSC.1 standard. To create this standard, ASIS worked with the American National Standards Institute (ANSI) and through an inclusive Technical Committee consisting of over 200 individuals from twenty-five counties. Members of the Technical Committee included representatives from PSC clients, PSCs themselves, governments, civil society organizations, and other interested parties. PSC.1 was developed to support the objectives of the Montreux Document On Pertinent International Legal Obligations and Good Practices for States Related to Operations of Private Military and Security Companies During Armed Conflict (released in 2008) and the International Code of Conduct for Private Security Service Providers (released in 2010), by operationalizing their principles into business practice standards. PSC.1 was approved and released in 2012.

What are the industry drivers for PSC.1?

In the United States, both the Department of Defense and the Department of State are developing contractual provisions for PSC.1 compliance. In the United Kingdom, the Foreign Commonwealth Office has already stipulated PSC.1 compliance for overseas contracted security services. This trend is continuing with other countries and organizations that procure PSC services.

Is PSC.1 applicable to my organization?

PSC.1 is applicable to private security service providers – particularly PSCs operating in circumstances with weakened governance where the rule of law has been undermined by human or naturally caused events. PSC.1 is also applicable to PSC clients to conduct due diligence, management oversight, and quality assurance of services retained from PSCs. PSC.1 standards and requirements are also applicable when PSCs provide security advisory or management services and manage subcontracted security services. In this situation, PSC.1 is also applicable to ensure that security services subcontractors also meet the requirements of PSC.1.

How do PSCs establish conformity with PSC.1?

Conformity with PSC.1 begins with the development of a quality assurance management system in accordance with the specific principles and requirements of PSC.1. To do this firms will need to design and implement a quality assurance management system based on the Plan-Do-Check-Act Model, specifically: establish the management system (to include relevant policy, objectives, processes, and procedures), implement and operate the management system, monitor and review the management system, and maintain and improve the management system.

How should PSCs define the scope of their PSC.1 Quality Assurance Management System (QAMS) implementation?

PSCs will need to determine and document the scope of their PSC.1 management system development and implementation. Is initial PSC.1 conformity and certification sought for a single operating unit or enterprise-wide? Is the scope applicable to a specific line of business in multiple geographical locations or scoped to the company’s operations in a designated country? Within the defined scope, how are subcontractor services managed and controlled within the management system? PSC.1 is clear that the organization shall define the scope of the management system “in terms of and appropriate to its size, nature, and complexity from a process of continual improvement.” PSCs will also need to carefully consider and select which operating or business unit will take on the responsibility for leading and sustaining the company’s PSC.1 implementation effort and continuous improvement cycle.

How do PSCs obtain PSC.1 certification?

PSCs seeking to obtain PSC.1 independent, third party certification will need to demonstrate conformity with the requirements of PSC.1. The certification process is conducted through a series of both internal and external audits as detailed in ANSI/ASIS PSC.2-2012: Conformity Assessment and Auditing Management Systems for Quality of Private Security Company Operations. Third party audits are conducted by accredited Certification Bodies or Registrars that can grant certification. Internal and external auditors for PSC.1 conformity must have competencies related to security operations, human rights normative standards, and risk management. PSCs should take note that there are currently only two accredited Certification Bodies to provide third party certification, MSS Global and Intertek. Both are credentialed by the UK Accreditation Service. However, due to reciprocity agreements among International Accreditation Forum members, of which UKAS is one, PSCs located in other countries, such as the U.S., can also gain recognized certifications from these certification bodies.

PSC.1 was specifically conceived and developed to provide PSCs (and their clients) with the detailed guidelines to operationalize the provisions outlined in the International Code of Conduct for Private Security Providers (ICoC), including the requirement for signatory companies to: “(1) establish and/or demonstrate internal processes to meet the requirements of the Code’s principles and the standards derived from the Code; and (2) once the governance and oversight mechanism is established, become certified by and submit to ongoing independent Auditing and verification by that mechanism.” The multi-stakeholder ICoC Association is currently drafting certification procedures, which will likely build on certification to PSC.1 with some added requirements for human rights related information. Thus it should be relatively straightforward for PSCs with PSC.1 certification to also receive ICoCA certification – which is currently a requirement for PSCs based in Switzerland or providing security services to the Swiss government, PSCs serving the UN, and possibly in the near future Department of State security providers.