Tag Archives: ICoCA

The Value-Add of the ICoCA: A ‘Strong Sword’

What is the ‘value-add’ of the ICoCA? That question surfaced occasionally at the margins of the successful annual meeting of the International Code of Conduct Association, the Swiss-based non-profit association that brings together industry, civil society, and governments to promote responsible, rights-respecting provision of private security services. The question of the ‘value-add’ is in reference to what additional benefits accrue to private security companies (PSCs), who are members of the ICoCA and submit themselves to its certification, monitoring, and grievance requirements, over solely gaining certification to the management systems standards for private security operations. To remind readers of this blog, certification to those standards – ANSI/ASIS PSC.1: 2012 and ISO 18788: 2015 – as well as submission of additional human rights-related information is currently the route to gaining ICoCA certification. PSCs hire third-party certification bodies to audit them to the management standards for which they receive a certificate.

To my mind, the ‘value-add’ of the ICoCA seems obvious. The global governance literature, which examines collective efforts (with and beyond states) to address world-wide problems, speaks to the value of multi-stakeholder initiatives. Among other things, multi-stakeholder governance ensures that relevant voices are heard, improves transparency, encourages innovative and effective solutions to problems, and generally increases the perceived legitimacy of an initiative. Yet, skeptics do not seem convinced.

Then I ran across a book chapter that I think makes a clear case for the ‘value-add’ of the ICoCA. The chapter, “The International Organization for Standardization as a Global Governor: A Club Theory Perspective,” by Assem Prakash and Matthew Potoski appears in the volume Who Governs the Globe? edited by Deborah D. Avant, Martha Finnemore, and Susan K. Sell. The ICoCA and the management system standards, ANSI/ASIS PSC.1 and ISO 18788, are examples of “clubs” created to address problems which states alone cannot or will not govern. They promise to deliver to club members and external parties certain positive benefits. For club members, the biggest benefits are better internal management, which can result in cost savings and risk mitigation, and improved reputation, which can attract clients. External parties, whether clients of the member companies or other stakeholders, can be assured that member companies are living up to ‘beyond-compliance’ standards.

That seems fairly obvious. But the problem with clubs is that they can lead to collective action dilemmas. Two in particular stand out: recruitment, i.e. attracting adequate numbers of participants, and shirking, i.e. ensuring that participants meet the club’s requirements. Attracting an adequate number of PSCs, especially small and medium sized ones, has been an ongoing discussion within the ICoCA. The chapter does not offer insights on how to do this, but it does discuss the value of a large membership in terms of realizing the branding benefits that accrue to PSCs who join the club. Clubs gain high levels of participation by “offering affordable standards which firms can profitably adopt.” However, participation should not be traded off against the stringency of standards. Prakash and Potoski warn that for club members to gain reputational and other benefits, external parties need to view clubs as credible in terms of their commitment to high standards accompanied by effective enforcement.

This brings us to the second collective action dilemma, shirking. How does one ensure that the standards members commit to are actually upheld? Simply put, through monitoring and enforcement. However, not all monitoring and enforcement programs, which the chapter dubs “swords,” are created equal. There are “strong swords,” which require third-party audits, public disclosure, and sanctioning mechanisms, “medium swords,” which necessitate third-party audits and public disclosure, and “weak swords,” which only require auditing. Prakash and Potoski, using the environmental standard ISO 14001 as a case study, argue that ISO 14001 is an example of a “weak sword club,” because ISO “is not known to sanction shirkers aggressively, and the absence of public disclosure of audit information weakens stakeholders’ ability to sanction shirking.”

Readers probably see where I am going with this. Like ISO 14001, ANSI/ASIS PSC.1 and ISO 18788 by themselves are “weak sword clubs.” In contrast, the ICoCA requires member PSCs to submit themselves to field-based monitoring, provide self-reporting, and participate in the grievance process. If companies do not do so, they can be sanctioned up to expulsion. The ICoCA also provides public annual reporting. The ICoCA is a “strong sword club.” If PSCs want to accrue all the reputational benefits, and associated commercial benefits, of participating in clubs meant to demonstrate their adherence to the law and human rights norms, then they need to be part of a “strong sword club.” The ICoCA is currently the only available “strong sword club” for the private security industry.

Continued progress in operationalizing responsible private security: ICoCA holds annual meeting

With a new tagline on its promotional materials, “bringing together industry, civil society and governments to promote responsible private security services and respect for human rights,” the International Code of Conduct Association (ICoCA) held its Annual General Assembly in Geneva last week. Human Analytics, an observer to the ICoCA, attended and as we have done in past years (2015; 2016) wanted to share updates from the meeting with readers of our blog.

Jamie Williamson, the new Executive Director of the ICoCA who now heads the nine-person Secretariat, kicked off the meeting with a review of the past year. Membership in the three pillars of the ICoCA is steady or growing. In the government pillar, seven governments continue to participate. As part of its concerted communication, outreach, and development strategy, the ICoCA is having bilateral conversations and working through international forums, like the Montreux Document Forum, to increase state participation. One welcome development was the European Parliament’s passage of a resolution this year recommending that the European Commission issue guidelines to use ICoCA-certified private security companies (PSCs) for EU contracts and urge member states to use participation in the ICoCA as a consideration in their public procurement decisions. The industry pillar currently has 101 members headquartered in 35 countries. Budget numbers, beyond revealing that the Association is on sound financial footing, indicate that the make-up of the industry pillar may be changing. More recently the strongest increases in membership have come from outside the US and UK, and membership dues from small and medium sized PSCs reflect a growing share of the Association’s revenues. The civil society organization (CSO) pillar also has become more geographically diverse. As a result of the ICoCA’s field-based review mission to Nigeria in August, which also supported the Association’s ongoing efforts to establish and maintain civil society “monitoring networks” in various regions of the world, four new African CSOs applied for ICoCA membership.

If one thing became clear from the meeting, the ICoCA is continuing to systematically operationalize its key procedures – certification, monitoring, and complaints – which enable it to exercise oversight of its member PSCs’ implementation of the International Code of Conduct for Private Security Service Providers (ICoC). With the changing composition of its member PSCs, one ongoing concern has been facilitating the access of small and medium sized PSCs to ICoCA-certification, while at the same time maintaining high standards in line with the ICoC’s human rights and humanitarian law requirements. This is a discussion that continues to occupy the Board and Secretariat, but in the interim an important resolution was passed that would allow for a two-year Transitional Membership beginning in April 2018, thereby allowing PSCs more time to work towards attaining certification while actively participating in the monitoring and complaints processes of the Association. PSCs seeking a transitional status must agree to meet certain substantive and procedural benchmarks, yet to be developed, during that period to evidence their concerted efforts to obtain certification. Currently, ICoCA-certification requires that land-based security providers first evidence a third-party certification to security operations management system standards, either ANSI/ASIS PSC.1 or ISO 18788. Seventeen member PSCs have applied for ICoCA-certification and nine have received it. Discussion at the meeting revolved in part around the costs associated with implementing and auditing to the management standards, and whether they may pose a barrier to ICoCA-certification for some PSCs.

Steps taken to develop the monitoring and complaints functions of the ICoCA in the past year are central to its efforts to evolve its oversight capacities. As noted, a field mission to Nigeria, in which six member PSCs participated, was an important step in further developing the Association’s remote monitoring capacities. It allowed engagement of member PSCs in their operating environments, assisted with the development of SOPs for field-based reviews, and helped to refine performance and compliance indicators. This mission focused in particular on practices of subcontracting, training, and selection and vetting of personnel. The latter has also been the focus of a pilot to develop operationally-oriented questions to facilitate PSCs in meeting their Company Self-Assessment reporting requirements. An on-line platform was created to allow companies to submit this information securely. Developing SOPs for receiving and processing complaints was another key effort this past year. Currently, a guidance for PSCs is being finalized, with the support of DCAF (Geneva Centre for the Democratic Control of Armed Forces), to aid companies in establishing fair and accessible grievance procedures. It is expected to be launched at the end of November.

The at times technical and time-consuming work of developing policies, SOPs, guidance, on-line tools and the like indicates that the ICoCA is maturing and moving into a new phase as a multi-stakeholder initiative. In looking to the year ahead, the ICoCA must ensure that what may be the beginning of a trend becomes institutionalized, namely growing its membership in a way that reflects the global nature of the industry and its impacted populations. To do this effectively the Association will need to continue its concerted strategic outreach program and must recognize the dynamic nature of the industry and ensure that all the relevant stakeholders are brought to the table to include key private sector clients of the industry. Perhaps most essentially, as some member PSCs now have a few years of experience under their belts in implementing the Code, this is an opportune time to share best practices and identify where challenges in meeting human rights requirements remain and opportunities for collaboration, to include with observers and other stakeholders, exist to develop human-rights-based implementation tools.

ICoCA Takes Important Steps to Fulfill its Mission

Last Thursday the International Code of Conduct Association (ICoCA) made significant advances toward fulfilling its purpose to promote the responsible provision of security services and ensure respect for human rights and international and national laws. At the ICoCA’s Annual General Assembly in Geneva, Switzerland, members of the multi-stakeholder organization voted to pass provisions that will allow private security companies (PSCs) to receive certification evidencing their adherence to the International Code of Conduct for Private Security Service Providers, as well as passing two procedures related to reporting, monitoring, and performance assessment and complaints. Thus the ICoCA has put into place all the key procedures foreseen in the Articles of Association that underpinned the founding of the organization. In addition, member dues increases agreed upon by participating PSCs, governments, and civil society organizations will provide funding for additional staff to undertake these new oversight functions.

According to a statement on ICoCA certification issued by the Board, after completing a pilot for certification using ANSI/ASIS PSC.1 and updating its guidance to PSCs for submitting additional human rights related information, the Secretariat is ready to begin certifying member PSCs. An amendment to the Articles of Association was passed extending the deadline for achieving certification to September 30, 2018. Concerns about the accessibility of certification to ANSI/ASIS PSC.1, a quality assurance and risk management standard that is a prerequisite of ICoCA certification, remain. The Secretariat plans to survey member PSCs to better assess whether there are barriers to ANSI/ASIS PSC.1 certification and will pilot ways of improving access to certification. More interestingly, the ICoCA is proposing a role for itself in improving oversight of certification bodies accredited to certify PSCs to ANSI/ASIS PSC.1 through activities such as the provision of guidance on assessor competencies, interpretation of the Code, and training. This could go a long way in allaying concerns about the transparency of auditing by for-profit certification bodies paid for by PSCs. However, the success of this new oversight capacity will hinge on effective engagement with certification bodies. Fortunately, a number of them participate as observers to the ICoCA.

The ICoCA Article 12 procedure on reporting, monitoring, and assessing performance and compliance was successfully passed by members. To enable these oversight requirements, the Board will develop indicators on all elements of the Code, beginning with the provisions on the use of force, apprehending persons, prohibition of torture or other cruel, inhuman, and degrading treatment or punishment, and training of personnel. Participants at the meeting stressed the importance of prioritizing the development of indicators in areas where PSCs experienced human rights related challenges, such as workplace rights issues. In preparation for field-based reviews – which can be undertaken if the review of available information or a human rights risk assessment has identified a need for further monitoring, if there is a request from an ICoCA member, or if exigent circumstances warrant it – the Secretariat conducted a pilot field-based review in East Africa with the participation and support of three member companies. The pilot focused on screening and vetting and training of personnel. In addition, the ICoCA plans to conduct outreach to external stakeholders to create a network of contacts and sources of information in key areas of member companies’ operations.

The ICoCA Article 13 procedure on receiving and processing complaints was also affirmed by members. The creation of effective complaints and grievance mechanisms has posed a challenge for a number of multi-stakeholder initiatives, and the ICoCA has set itself apart from the rest with this new procedure. The Secretariat will now be in a position to offer member PSCs advice on how to improve their grievance mechanisms to meet the provisions of the Code. Should the Board determine that a complaint cannot be appropriately addressed by a company-level grievance mechanism or that the mechanism of a member PSC does not meet the requirements of the Code, the Secretariat can use its good offices to recommend external mediators or provide information regarding alternative grievance mechanisms that may provide effective remedy for complainants.  Should a complaint potentially rise to the level of a criminal activity, the ICoCA may report that violation to one or more competent authorities for possible investigation and prosecution of the crime.

Overall, the ICoCA is in a state of good organizational health, with strong finances, significant staffing, and active participation of PSCs, governments, and civil society organizations. The ICoCA currently has 98 member PSCs, with additional new applicants being processed in a timely fashion. Significantly, the geographical diversity of those applicants is increasing, although the greatest number of member PSCs remain U.S. and UK companies. This diversity may continue to grow in light of planned outreach and efforts to identify and address any barriers to certification. However, it remains to be seen what impact the agreed upon dues increases will have on membership numbers. Undoubtedly, with only six governments currently involved, greater participation of States, as both regulator and clients of the industry, would be preferable. To that end, the Secretariat continues to engage with the States participating in the Montreux Document Forum. The 17 civil society participants are located across four continents, and the creation of the above mentioned network may serve to grow the diversity in this pillar as well.

This Annual General Assembly represents an important turning point for the ICoCA. It is now in a position to fulfill its mission and promote the responsible, rights-respecting provision of security services. Finding agreement in a multi-stakeholder setting is never an easy task, and the ICoCA has come a long way in a respectable amount of time. If these procedures are implemented as planned, the ICoCA is poised to truly be an exemplary multi-stakeholder initiative.

ICoCA Opens Pathway to Certification for Private Maritime Security Companies

It is now possible for Private Maritime Security Companies (PMSCs) to receive independent, third party certification to the International Code of Conduct for Private Security Service Providers (ICoC) via the International Code of Conduct Association (ICoCA). On Friday of last week, the multi-stakeholder ICoCA announced the release of a recognition statement for ISO 28007-1: 2015 Ships and marine technology – Guidelines for Private Maritime Security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract), ISO 28007 in short.

(Readers of Human Analytics’ Human Rights in Complex Environments blog may remember that we reported in February on the ICoCA’s release of an ISO 28007 draft recognition statement for public comment. The compilation of those comments is available here.)

As with the ICoCA recognition statement for the land-based security standard, ANSI/ASIS PSC.1-2012: Management System for Quality of Private Security Company Operations (PSC.1), the ISO 28007 recognition statement is accompanied by an Annex A analyzing the gaps between ISO 28007 and the ICoC and an Annex B summarizing the additional information, related to the human rights and humanitarian law requirements of the ICoC, that PMSCs must supply to the ICoCA. Unlike PSC.1, which has the ICoC as a normative reference, ISO 28007 did not and the gaps are not insignificant. (Despite some improvements in the human rights content of the ISO 28007 standard as it evolved from a PAS to an ISO guideline.) In addition to the failure of ISO 28007 to include human rights in PMSCs’ risk assessment process, four areas evidence the greatest number of gaps, namely requirements regarding employment policies, incident reporting practices, training programs, and grievance mechanisms.

Beyond this additional information, PMSCs must provide to the ICoCA the scope of their certification to ISO 28000 Specification for security management systems for the supply chain (the ISO standard that is actually auditable by certification bodies and to which ISO 28007 provides additional guidance), any non-conformities identified during the auditing process, corrective action plans, and details on their Human Rights Risk Assessment process. Only certificates lent by certification bodies accredited by recognized national accreditation bodies will be accepted by the ICoCA. Currently MSS Global and Lloyd’s Register Quality Assurance Limited are the only accredited certification bodies to audit to ISO 28000/28007. Both were accredited by the UK Accreditation Service.

Although more information will be forthcoming in terms of how the ICoCA will process certifications, the organization is poised to play an important role in increasing respect for human rights in the private maritime security industry. While the UK Accreditation Service has released guidance for certification bodies auditing to ISO 28000/28007, which clearly states that human rights competence is a must for auditors, this has limited effect in light of the weak human rights provisions in ISO 28007. Auditors can only audit to what is in the standard. Therefore, by gathering this additional human rights related information, the ICoCA can contribute to raising the bar by scrutinizing what human rights due diligence measures PMSCs have in place to identify, prevent, mitigate and account for how they address their adverse human rights impacts.

However, when assessing the information submitted to it by PMSCs, the ICoCA should draw on the expertise of its membership, to include organizations in the civil society pillar, such as Oceans Beyond Piracy/One Earth Future Foundation. As comments submitted by Oceans Beyond Piracy indicate, there are specificities to maritime security provision, to include differences in human rights risks and regulatory environments, that are not well-captured by the ICoC, which was drawn up with land-based security in mind. This is why the ICoC (Article 7) foresaw “the development of additional principles and standards for related services, such as… the provision of maritime security services,” beyond those already in the ICoC. Furthermore, as comments from MSS Global and two ICoCA member companies indicate, the scope of any ISO 28000/28007 certificate will also need to be scrutinized to ensure that it captures operations, beyond the Indian Ocean and High Risk Area, where human rights risks may be equally, if not more so, relevant to any PMSC’s compliance with the ICoC. Should the ICoCA be able to muster such informed scrutiny, and should PMSCs be willing to subject themselves to it, it is foreseeable that there will be an increase in PMSCs’ respect for human rights.

Certifying Private Security Companies’ Human Rights Performance: Not All Certificates Are Created Alike

http://hrbrief.org/2016/05/certifying-responsible-private-security-companies-assessing-implementation-transparency-disclosure-provisions/

A growing number of private security companies (PSCs) providing security services overseas to the U.S. Department of Defense (US DoD) and U.S. Department of State (US DoS) are becoming certified by third party auditors as a means of demonstrating their adherence to international human rights and humanitarian law standards. However, newly released research by American University Washington College of Law’s Dean’s Fellow David Sebstead indicates significant inconsistency in PSCs’ adherence to standards based on publicly available information. In his Human Rights Brief article, Certifying Responsible Private Security Companies: Assessing the Implementation of Transparency and Disclosure Provisions, Sebstead found that certification may not be enough to assure clients of PSCs and the public that they are fulfilling their human rights responsibilities.

The increased use of PSCs in the wake of the Iraq and Afghanistan conflicts, and associated concerns about their human rights impacts, led to the emergence of a transnational governance framework comprised of declarations, codes of conduct, and management standards to ensure more effective governance and oversight of PSCs. A central component of this governance framework is the ANSI/ASIS PSC.1 – 2012 Management System for Quality of Private Security Company Operations (ANSI/ASIS PSC.1). A quality assurance and human rights risk management standard, its creation was funded by the US DoD. Currently, the US DoD requires the PSCs it utilizes to demonstrate compliance to it, or a related International Organization for Standardization standard (ISO 18788), which was based on ANSI/ASIS PSC.1. One way of demonstrating compliance is for a PSC to hire a certification body to audit its conformance to PSC.1, for which it receives a certificate.

Similarly, the US DoS requires its overseas security contractors also to demonstrate compliance with ANSI/ASIS PSC.1, and to be a member in good standing of the International Code of Conduct Association (ICoCA). The ICoCA is a multi-stakeholder initiative, comprised of governments, PSCs, and civil society organizations and headquartered in Geneva, which assures that its member PSCs adhere to the International Code of Conduct for Private Security Service Providers (ICoC). The ICoC details international human rights and humanitarian law responsibilities of PSCs operating in complex environments. The ICoCA certifies its member PSCs, and currently the only route to certification is by evidencing certification to ANSI/ASIS PSC.1 by an accredited certification body in addition to providing human rights information in particular related to the PSC’s human rights risk assessment process.

Examining 13 PSCs that have received ANSI/ASIS PSC.1 certification, Sebstead found fairly significant discrepancies in their conformance to the management standard. He rated the 13 PSCs on their demonstrable conformance to four requirements of ANSI/ASIS PSC.1 which would necessitate that PSCs share publicly information about their adherence to the standard. These included the scope of their certification, which indicates the parts of the PSC’s operations that were actually audited by a certification body; their statement of conformance, the public commitment by management to respect applicable national and local laws and human rights; the availability of a grievance mechanism, which allows third parties to submit complaints to companies when they do not meet their human rights commitments; and the communication of their human rights risk assessment process.

Aggregating these four public facing components of demonstrable conformance to ANSI/ASIS PSC.1, Sebstead created an overall score of effective implementation of these components for the 13 PSCs ranging from poor (0) to very good (3). No PSC received a perfect score, but in the top three places were Garda World Consulting at number one, Aegis Defense Services and Britam Defence tied for second place, and Edinburgh International and Oliver Group tied for third place.

Disaggregating the data for a moment, what does this information tell us? Regarding the certificate scope, six of the 13 PSCs simply posted their certificates to their websites. Yet many did not provide enough information to determine the extent of their certification. In other words, some large, multinational PSCs lay claim to a PSC.1 certification, but do not share publicly exactly which parts of their operations have actually been subjected to a third party audit. Nine out of 13 companies scored well on their statements of conformance, although surprisingly a few were weak on making explicit their commitment to respect human rights. PSCs were also inconsistent in terms of the quality of their grievance mechanisms, with only six out of 13 actually providing a detailed procedure explaining to those who submit complaints the process for addressing those complaints.

Finally, the most important means for a PSC to address its human rights impacts is to first undertake a human rights risk assessment process to identify its potential and actual impacts. However, only seven of 13 PSCs made any mention of having any type of human rights risk assessment process in place. While this does not preclude the possibility that they may actually be assessing human rights risks related to their operations, it would seem important to demonstrate publicly that they take their human rights due diligence responsibilities seriously.

As Sebstead rightfully points out, “embedding a commitment to respect human rights in management systems is an important first step, but adequately identifying and mitigating actual human rights impacts on the ground in host states where PSCs operate is essential.” The “black box” of certification needs to be opened up to better understand what types of methodologies and metrics are being used by certification bodies when they seek evidence of conformance to the human rights components of ANSI/ASIS PSC.1. Here the ICoCA can play a greater role as it can request information from its member PSCs about their certifications. Clearly, the ICoCA is already moving in this direction by requiring additional human rights related information from PSCs with an ANSI/ASIS PSC.1 certificate. But it would help strengthen the robustness of the system if not only there were more assurances about the consistency of the quality of ANSI/ASIS PSC.1 certificates, but also more transparency in terms of both the embedding of human rights commitments into policies and processes and the outcomes of those commitments on actual respect for human rights.

ICoCA Releases Draft Statement Recognizing Private Maritime Security Companies Standard

The International Code of Conduct Association (ICoCA) has announced the release of a draft recognition statement in accordance with its certification procedure for ISO 28007-1: 2015 Ships and marine technology – Guidelines for Private Maritime Security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract) – or ISO 28007 in short. What is the significance? PMSCs that are members of the ICoCA now have a chance to become ICoCA certified. They will need to evidence their certification by an accredited certification body to ISO 28000 Specification for security management systems for the supply chain, using the additional guidance provided in ISO 28007, as well as provide some additional human rights related information derived from the International Code of Conduct for Private Security Service Providers (ICoC).

As noted in a blog post Human Analytics wrote after the release of ISO 28007 last year, New ISO Standard for Private Maritime Security Companies Reflects Some Progress on Human Rights, the new standard contains some improvements relative to the previous ISO/PAS 28007 (PAS = Publicly Available Specification), which was nearly devoid of any reference to the corporate responsibility to respect human rights. One marked improvement is the insertion of a reference to the UN Guiding Principles on Business and Human Rights (UN GPs) in the introduction, as well as the need for an explicit human rights policy. But the blog also noted that there remain a number of human rights shortcomings in ISO 28007, certainly relative to the expectations of companies laid out in the UN GPs, including the need to undertake a human rights due diligence process, prioritize human rights risks identified through a risk assessment process based on their scope and severity, and remediate negative human rights impacts.

The gaps between the human rights and humanitarian law principles of the ICoC and the requirements and guidelines of the ISO 28000/ ISO 28007 are evidenced in the rather extensive additional human rights related information requirements for ICoCA certification detailed in Annex B to the draft recognition statement. In addition to the failure of ISO 28007 to include human rights in the company’s risk assessment process, four areas evidence the greatest number of gaps, namely requirements regarding employment policies, reporting practices, training programs, and grievance mechanisms. Among some of the key gaps are failures to require an anti-discriminatory employment policy; ensure that passports, travel documents, and identification materials of personnel are only held as long as reasonably necessary; ensure that all employment documents are in writing and in a language understood by personnel; include relevant international and human rights law provisions in reporting requirements; require training on international human rights law; and ensure that grievance mechanisms are publicly available and operate in a fair, prompt, impartial, and confidential fashion. Annex B contains a complete list of gaps.

Topics not mentioned in Annex B where the ICoCA may want to push for additional information are:

1) ensuring that, in line with the UN GPs, when PMSCs evaluate and prioritize risk controls, management, mitigation, and treatments, they prioritize addressing human rights risks based on their scope and severity;

2) including indications of prior involvement in human rights violations, which in some countries may not be captured in criminal background checks, employment histories, and military and law enforcement service records, in the selection and vetting criteria for personnel and subcontractors, as required in ICoC paragraphs 48 and 51;

3) evidencing that personnel receive mandatory training in reporting requirements related to the types of crimes and human rights violations laid out in ICoC paragraph 22; and

4) ensuring that grievance mechanisms offer effective remedies to victims of negative human rights impacts as foreseen in ICoC paragraph 67 a). The remediation of harms caused by PMSCs’ activities is not addressed anywhere in ISO 28007.

While certainly an opportunity for PMSCs to improve their human rights performance, it will be interesting to see how many of them actually seek ICoCA certification. While nearly half of the original ICoC signatories were PMSCs, at this point many no longer exist – having closed shop after the decline in piracy off the coast of Somalia – or chose not to become transitional members of the ICoCA once it was formed in late 2013. ICoC paragraph 7 foresaw “the development of additional principles and standards for related services, such as… the provision of maritime security services.” The review of ISO 28007 was carried out based on a comparison to the ICoC’s current provisions, and not after consideration of developments in the maritime security industry which may require additional principles and standards to capture the unique nature of the industry’s security operations and human rights impacts. Furthermore, the development of additional principles by the ICoCA for the provision of maritime security was to happen after the establishment of “objective and measurable standards for providing Security Services based upon this Code” and the development of “external independent mechanisms for effective governance and oversight” (to include certification, auditing, monitoring, reporting, and grievance procedures). It is interesting that the ICoCA chose to prioritize reviewing ISO 28007 as a pathway to ICoCA certification ahead of reviewing ISO 18788 (the new ISO standard for private security operations based on the ICoCA recognized ANSI/ASIS PSC.1) and ahead of completing the development of key procedures, such as monitoring and grievance procedures. What remains unclear is whether PMSCs will seek ICoCA certification, or if their clients will require it, without the ICoCA having finalized all of its procedures.

Two developments in the maritime industry, however, do bode well. First, ISO 28007 no longer contains a note that appeared in the previous ISO/PAS 28007, which stated that the International Maritime Organization does not view the ICoC as “directly applicable to the peculiarities of deploying armed guards at sea to protect against piracy since it is written in the context of self-regulation for land companies only.” The ICoC is now referenced in the bibliography. Second, Maersk Group, which includes one of the world’s largest shipping lines, announced in its recent 2015 Sustainability Report that it had undertaken a human rights due diligence process based on the UN GPs for all the business activities of the Group. One area identified as a priority human rights issue for 2016-2017 is the use of security services. The imminent recognition of ISO 28007 provides an opportunity for the ICoCA to lobby the shipping industry and other clients of PMSCs, as well as flag, coastal, and port states, to require that PMSCs adhere to the principles of the ICoC. To be impactful on the larger security industry, the ICoCA must foster compliance with the ICoC principles by all security providers, whether maritime or land-based and whether employed by private or public sector clients.

New Report Provides an Insider Perspective on the International Code of Conduct Process

A new report, Towards an International Code of Conduct for Private Security Providers: A View from Inside a Multistakeholder Process, by Anne-Marie Buzatu of the Geneva Centre for the Democratic Control of Armed Forces (DCAF) provides a first-hand account of the process that led to the development of the International Code of Conduct for Private Security Service Providers (ICoC) and its accompanying governance and oversight mechanism, the ICoC Association (ICoCA). Ms. Buzatu representing DCAF, along with members of the Swiss Government and the Geneva Academy of International Humanitarian Law and Human Rights, formed the team of “neutral facilitators” that shepherded into existence this landmark multi-stakeholder initiative. Attaining consensus among stakeholders from private security companies, governments, civil society organizations, and other interested parties consulted during the process was no easy task. As Ms. Buzatu rightfully points out, the neutral facilitators in this case did everything to make that possible, from logistical project management and drafting of texts to building trust and mediating disputes among stakeholders.

The report covers a lot of historical ground. It begins by describing the circumstances at the time that gave impetus to the ICoC effort. In particular, in the wake of the wars in Iraq and Afghanistan and the accompanying rapid increase in the use of PSCs, it became clear that there were governance gaps at both the national and international levels that had to be addressed to ensure effective oversight and accountability for private actors with the potential to use force. There was also a growing recognition that PSCs operating globally in complex environments raised complicated jurisdictional issues, which no one state could address on its own. New forms of innovative governance at the cross-sections of the national and international and public and private would be required. Hence the emergence of the ICoC/ICoCA as exemplars of “co-regulation” i.e. regulatory approaches that bring together public and private actors and “combine the advantages of an international-level multistakeholder governance model with the force of statutory and/or contractual obligations.” By embedding adherence to the ICoC and membership in the ICoCA into the contracting requirements of some states and international organizations, this multi-stakeholder initiative is in the process of setting historical precedent in terms of “hardening soft law.”

However, the origins of the ICoC/ICoCA in response to the Iraq and Afghanistan wars and the ICoCA’s current inclusion of only state clients of PSCs make one wonder to what extent this may be an example of “regulating the last war,” to quote Sarah Percy. While insurers and private sector clients of the private security industry, particularly extractive companies, participated in some of the initial consultations on the ICoC and the charter of the ICoCA, in later stages Ms. Buzatu notes they took a “wait and see” approach. Fortunately, efforts are underway to solicit extractive companies’ buy-in, and the viability and more global applicability of the ICoC will depend on bringing in private sector clients of the private security industry.

Even without private sector clients on board, the ICoC/ICoCA process stands out among other examples of co-regulation for its transparency and multi-stakeholder, consensus-based decision-making. No doubt this was part of the recipe for success as each stakeholder pillar brings to the table different types of expertise and leverage to ensure that the provision of private security also facilitates general human security. PSCs have ground-truth and can best explain how to incorporate international human rights standards into their operations. Governments can give effect to international standards by incorporating them into international and national laws, regulations, and procurement requirements. Finally, civil society can provide insight into how security services are impacting on local populations and serve in a watchdog capacity. A section of the report on “Good Practices and Lessons Learned” cites trust among stakeholders, equally weighted participation, consensus-based decision-making, and transparency as key factors for successful co-regulation; sage advice for other co-regulatory initiatives underway that have at times found themselves struggling with differences among stakeholders. From this perspective, the Voluntary Principles on Security and Human Rights come to mind.

From an insider point of view, it would have been useful to hear more not just about what happened – from the Montreux Document to the ICoC, to the Temporary Steering Committee that drafted the charter for the ICoCA, and now the efforts of the ICoCA to develop procedures for certification, monitoring, and grievance mechanisms – but also how certain compromise positions were reached and why stakeholders took the positions they did.

That being said, one section of the report goes into greater depth detailing the process behind and provisions of the ICoC, which went through three versions before being finalized in 2010. The reader is able to trace from that section key provisions that developed over time, such as the applicability of the Code to complex environments; the need for a multi-stakeholder approach, rather than an industry-led process; the ability to agree about the value of an accompanying International Governance and Oversight Mechanism, but not about its specific contours; and the importance of embedding Code standards into procurement practices.

Another section on the drafting of the charter, later called the ICoCA Articles of Association, which was about two years in the making, also gives a good sense of the extensive, consultative drafting process undertaken by the multi-stakeholder Technical Steering Committee, as well as points of disagreement that had to be addressed and the consensus that was attained. Notably, the very detailed initial draft of the charter was significantly pared down, leaving it to the ICoCA to develop the specifics of the certification, monitoring, and grievance procedures. During negotiations of the charter, differences in views about membership in the civil society pillar resulted in detailed membership criteria being finalized by the pillar after the launch of the ICoCA. Views also differed on the broad outline of the grievance procedure. In the end, with the exception of an arbitration function, nearly all proposed functions of the grievance procedure – advisory, referral, mediation, special audit, fact-finding, and gatekeeping functions – found their way to some degree or another into the charter.

However, what is not addressed in depth, and indeed shaped the how and why of much of these negotiated outcomes from the ICoC onwards, was the completion of the Department of Defense funded ANSI/ASIS PSC.1 management system standard for private security operations in 2012. The DoD, PSCs, and other interested parties supporting the development of PSC.1 saw it as an operationalization of the ICoC’s principles, as called for in ICoC Paragraph 7 which speaks to the need for “objective and measurable standards for providing Security Services based upon this Code.” Furthermore, once PSC.1 was completed and a pilot project was underway to accredit the first certification bodies and certify the first PSCs, this shaped negotiations on the certification function laid out in the charter of the ICoCA. The Articles of Association Paragraph 11.2.1 state that the ICoCA Board “shall define the certification requirements based on national and international standards and processes that are recognized as consistent with the Code,” and 11.2.4 states that the certification process shall not be “duplicative of certification under Board-recognized national and international standards.” Indeed, certification to PSC.1, along with some additional human rights relevant information, such as the human rights risk and impact assessment methodology used by a PSC, is now the first officially recognized route to ICoCA certification. Yet the relationship between those certification requirements, the field auditing requirements of PSC.1, and the ICoCA monitoring procedure currently under development is still an open matter of discussion.

Is re-hashing these discussions about the relationship between these two co-regulatory efforts a matter of opening old wounds? Not at all. This detailed history of the origins of the ICoC/ICoCA, together with an understanding of the differing views of stakeholders and how those differences were overcome to reach negotiated agreements, is essential background knowledge that amounts to something akin to “founders’ intent.” First, as new members join the ICoCA and new interested parties follow its further development, this history allows them to better grasp the significant strides that were made to get things to where they are today. Revisiting old disputes, or at least not understanding the origins of certain compromises, can hinder forward progress. Second, as ICoCA Board committees move forward with the work of assessing other international and national standards, developing monitoring and performance assessment procedures, and creating a grievance mechanism, it helps to remember the shared vision that drives the overall effort and the consensus that has already been attained. True multi-stakeholder initiatives by their very nature move at a slow pace. But the progress to date with the ICoC/ICoCA, in particular in terms of the commitments the industry has made to establishing an assurance framework with teeth, and the time in which this was achieved, are truly exceptional compared to other co-regulatory efforts. The historical insights offered in this report provide useful foundations for continuing to chart the way forward and increasing the uptake of international human rights standards by the private security industry on a global scale.

International Code of Conduct Association Reviews the Past Year and Maps Road Ahead

The International Code of Conduct Association (ICoCA) held its Annual General Assembly meeting on October 8 in Geneva. The ICoCA, established in September 2013, governs and oversees implementation of the International Code of Conduct for Private Security Service Providers and promotes the responsible provision of security services in line with the human rights and humanitarian law commitments laid out in the Code. As was the case at last year’s General Assembly, the Swiss-based multi-stakeholder initiative brought together its members from private security companies (PSCs), civil society organizations, and governments as well as observers to review the achievements of the previous year, discuss remaining challenges, and map next steps. Human Analytics participates as an observer to the ICoCA.

The Secretariat provided an Annual Report for 2014-2015 and addressed progress made to date in key areas. What follows are some highlights from the meeting. With regard to governance, the Secretariat has continued to grow in size and currently has a five-person staff. Tasked with, among other things, administering the day-to-day business operations, overseeing the membership application process, administering the certification procedure, and providing support to the Board as it develops additional procedures, the Secretariat expects to add new staff when the monitoring and complaint procedures are completed. The ICoCA’s twelve-member Board has created committees and working groups to assist it with its work, to include growing the size of the Article 12 Development Working Group, which is currently developing the monitoring, reporting and performance assessment procedure.

With the certification procedure recently completed and ANSI/ASIS PSC.1 recognized as the first national standard to serve as a basis for ICoCA certification, the Board is now focusing on monitoring adherence to the Code, one of the core functions of the ICoCA. With financial support from the U.S. government, as a first step the Article 12 Development Working Group is developing performance benchmarks based on the Code. The benchmarks will serve as objective criteria for assessing performance, shape the reporting requirements, and guide the Secretariat and Board’s efforts to monitor member companies remotely and in the field. A few industry members expressed concerns that any requirements under Article 12 must not be duplicative of steps already taken to gain certification to ANSI/ASIS PSC.1. If the time needed to develop the certification procedure is any indication, it will be a while before stakeholders reach consensus on the procedure for monitoring, reporting, and performance assessment. From the perspective of many civil society organizations, this procedure is core to the ICoCA’s ability to assess the actual impact of security operations on local populations’ human rights. The complaint process will also prove essential to identifying negative human rights impacts, and the Board’s Complaint Process Development Working Group is currently undertaking a comparative study of existing complaints and grievance mechanisms to inform its work.

In addition, the ICoCA is currently piloting ICoCA certification and plans to develop guidelines to assist member PSCs through that process, in particular with regard to the additional human rights related information they must submit. The Board’s Certification Committee, with the new certification procedure and analytical matrix to assess new standards in hand, is completing its review of the maritime security standard ISO 28007-1. This is an important development for maritime security providers, who initially signed on to the Code in large numbers. The next standard to be reviewed will be the new ISO 18788. The Secretariat indicated that since ISO 18788 builds on the already recognized ANSI/ASIS PSC.1, there is no reason to believe that the Board would not also recognize ISO 18788 in a time frame that would comport with the first certification bodies becoming accredited to certify to it.

Perhaps somewhat more unexpectedly, a proposal was made by a Swiss company to examine the suitability of the generic ISO 9001 quality management standard for certification to the ICoCA. The request is likely linked to Switzerland’s new law that requires membership in the ICoCA for companies based in Switzerland providing security services overseas or who support the provision of those services, as well as PSCs providing contracted security services to Swiss government agencies overseas and holding companies headquartered in Switzerland with control over PSCs operating overseas. The law’s expansive definition of security services does not match that of the Code which, among other things, has created some implementation challenges. The proposal met opposition, with some fearing that the ubiquitous ISO 9001 certification might result in a watering down of the Code’s requirements, as well as support, with some advocating a pragmatic, stepped entry into the ICoCA for both small and medium sized and non-U.S. and UK PSCs, for whom certification to ANSI/ASIS PSC.1 may not be as readily attainable. The Secretariat committed to examining the factual basis for concerns that certification to PSC.1, and ultimately ICoCA certification, is inaccessible to some PSCs interested in becoming members. The Secretariat stated that it does not want to exclude PSCs committed to the Code based on commercial considerations.

During break-out sessions of the individual pillars and observers, the industry pillar of the ICoCA voted in a new representative, and announced shortly thereafter that Pamela Hosein would join the Board. Ms. Hosein’s company is based in Trinidad & Tobago, and her election to the Board represents an important step in diversifying the Board to reflect the global make-up of member companies. One challenge identified during the meeting was broadening the ICoCA’s membership to include non-U.S. and UK companies. Currently, of the 88 member PSCs, 23 are home in the UK and 15 in the U.S. The remaining 50 PSCs are based in 29 different countries, with the UAE, Pakistan, and Cyprus being the only countries home to 5 or more member PSCs. However, the greatest growth in membership comes from PSCs headquartered outside of the U.S. and UK, and the Secretariat reported that two new applications are pending review and 34 are in process. An uptick in PSC membership should thus occur soon, as the application processing time has been reduced to two weeks.

The civil society pillar has also increased its global diversity, with the 13 civil society organizations at home on four different continents. Unfortunately, the government pillar’s six members (U.S., UK, Switzerland, Sweden, Australia, and Norway) are less geographically diverse. However, there is hope that the recently established Montreux Document Forum, with its 52 governments who have expressed support for the Montreux Document, might serve as a conduit for involving more countries in the ICoCA. The Montreux Document Forum has established an ICoCA Working Group that will liaise with the ICoCA. On a positive note, five of the governments currently participating in the ICoCA recognize in some fashion the importance of adherence to the Code in their regulations and procurement policies. With the Secretariat’s efforts to reach out to other non-state clients of the industry, such as extractive companies via its plans to join the Voluntary Principles on Security and Human Rights as an observer, one can expect continued growing interest among clients of the security industry in the verifiable provision of responsible security services.

Update: Further Progress Made in Finalizing Certification to ICoCA Using PSC.1

In a previous blog post, ICoCA Releases Draft Certification Procedure for Vote by Members, Human Analytics described the process by which a national or international standard is considered for approval by the International Code of Conduct Association (ICoCA) as the pathway for a private security company (PSC) to gain ICoCA certification. To be approved a standard must be consistent with the principles of the International Code of Conduct for Private Security Service Providers (ICoC). Where there are inconsistencies between a standard and the ICoC, the ICoCA can request additional human rights and humanitarian law related information from member PSCs in order to assess whether their systems and policies meet the requirements of the ICoC. On July 3, the ICoCA Secretariat announced that the General Assembly approved the Certification Procedure with no dissenting votes and 65%+ participation in the vote by members from all three pillars – governments, PSCs, and civil society organizations.

With the Certification Procedure now in place, the Secretariat is undertaking the next step of assessing whether certification of a PSC to PSC.1 – shorthand for the ANSI/ASIS PSC.1-2012: Management System for Quality of Private Security Company Operations – meets the requirements of the ICoC. To that end the ICoCA Secretariat has circulated a Draft ICoCA Recognition Statement for ANSI/ASIS PSC.1 – 2012 along with Annex A: Draft Analysis of ANSI/ASIS PSC.1-2012 against the ICoCA Certification Assessment Framework and Annex B: Draft Certification Additional Information Requirement for PSC.1. These documents are now open for public comment. Compiled comments will be posted to the ICoCA website once the comment period ends on August 24. Thereafter, the Board will review the comments and will vote whether to accept the standard and publish a Recognition Statement for PSC.1. If accepted, the ICoCA will begin processing requests for ICoCA certification beginning in early October. Under the Articles of Association, member PSCs must obtain ICoCA certification within one year of the release of the Certification Procedure, which would be July 2016.

Human Analytics, as an Observer to the ICoCA, submitted the following comment to the Secretariat:

“Human Analytics, as an Observer to the International Code of Conduct Association, welcomes the progress that has been made in approving a Certification Procedure and releasing a Draft ICoCA Recognition Statement for ANSI/ASIS PSC.1 – 2012 and accompanying Draft Annexes. This represents an important step forward in enabling the ICoCA to exercise its governance and oversight functions. Furthermore, Human Analytics is pleased to see that the ICoCA recognizes the importance of harmonizing the International Code of Conduct with recently developed and emerging national and international standards applicable to the private security industry, in particular the UN Guiding Principles on Business and Human Rights and the ISO 18788 Management System for Private Security Operations – Requirements with Guidance.

The Annex A: Draft Analysis of ANSI/ASIS PSC.1-2012 against the ICoCA Certification Assessment Framework is a valuable document for clarifying where the ICoCA sees a limited number of inconsistencies between the ICoC and PSC.1, which informed the additional information requirements laid out in Annex B. However, when undertaking such comparisons, it is useful to bear in mind the nature of the two documents and their inter-relationship. The drafters of PSC.1 saw the standard’s purpose in the operationalization for implementing PSCs of the human rights and humanitarian law principles and commitments detailed in the ICoC through a risk and quality assurance management system process. In other words, PSC.1 turns the principles of the ICoC into business practice standards.

Furthermore, the Montreux Document and the ICoC form the normative foundations of PSC.1. This has a number of implications. When PSCs establish the framework for their management system, as detailed in section 5.1 of PSC.1, the management system “shall incorporate and adopt the legal obligations and recommended good practices of the Montreux Document relevant to PSCs and the guiding principles of the ICoC.” In other words, all requirements of the ICoC must be met for a company to be certified as in conformance with PSC.1. According to accredited certification bodies, audits are undertaken with PSC.1 as well as the ICoC in hand.

Finally, the provisions contained in the Guidance, while reflecting “should” rather than “shall” statements, are nonetheless significant both for PSCs and their auditors. For PSCs, the Guidance provides further information on how to interpret and understand the standards’ requirements, as well as additional detail on possible means to tailor implementation of those requirements to a particular company’s operating context. For auditors, the Guidance offers additional information not only on how to interpret the requirements, but also on what to look for when gathering evidence of conformance.

The most significant identified inconsistency between the two documents is with regard to the Human Rights Risk and Impact Assessment (HRRIA). While technically not a term appearing in either the ICoC or PSC.1, the ICoCA has rightfully identified an adequate HRRIA process as essential to identifying, preventing, mitigating, and addressing human rights risks linked to security operations. A HRRIA requirement is also an important step toward harmonizing the ICoC with emerging national and international consensus on the type of human rights due diligence any company should undertake, and in particular when operating in complex environments.

However, Human Analytics has some concerns with regard to the HRRIA checklist. First, it is unclear how the Secretariat will evaluate a written risk assessment model or process against this checklist. What is proposed here would appear to amount to a desk-based review of a company’s self-reported policies and may not provide a fuller view of what actually happens in practice. Second, the substantive questions relating to internal controls and policies and prohibitions contained in the ICoC amount to a restatement of the ICoC’s key provisions formulated as a list of questions on whether or not the HRRIA considered these provisions. Checklists lend themselves to tick the box exercises.

HRRIAs are a relatively new tool for identifying and managing human rights risks, and to date there has been limited standardization and agreement on best practice. Therefore, in keeping with Article 12.4 of the Articles of Association, which states that the ICoCA shall promote industry best practices, the ICoCA could help advance rights-respecting conduct of PSCs by supporting the development of sound HRRIA processes and tools specifically geared toward the needs of the private security industry and the rights-holders and other stakeholders affected by its activities. In developing such tools, the ICoCA could consider drawing on the expertise not only of its member PSCs, who have already undergone PSC.1 certification, but also of other companies in other sectors operating in complex environments, who have undertaken HRRIAs, as well as the various organizations – legal, academic, consulting, and not-for-profit – that have substantive knowledge of and first-hand experience with conducting HRRIAs.”

The Viability of Multi-stakeholder PSC Regulation

Individuals that follow the regulation of Private Security Companies (PSCs) will be particularly interested in Dr. Sorcha MacLeod’s recently published article, Private Security Companies and Shared Responsibility: The Turn to Multistakeholder Standard-Setting and Monitoring through Self-Regulation-‘Plus’.

MacLeod focuses on both the merits and questions concerning recent international multi-stakeholder initiatives related to PSC standards, certification, and oversight, specifically the Montreux Document, the International Code of Conduct for Private Security Providers (ICoC), the International Code of Conduct Association (ICoCA), and ANSI/ASIS PSC.1-2012 Management System for Quality of Private Security Company Operations (PSC.1), deliberately walking through each of these efforts and the intended role and interrelated nature of each.

Taken together, she deems these multi-stakeholder processes for regulation of PSCs the “self-regulation-plus” approach because of the involvement of not only industry, but also states and civil society organizations. However, MacLeod concludes, among other points, that this approach “is not the definitive solution.” In the end she feels that unless several cited issues with the current approach are adequately addressed “the likely effectiveness of the ICoC and ICoCA human rights model as applied through a standard such as PSC.1” remains an open question.

It is in the interest of all – the PSC industry itself, as well as the states, commercial enterprises, and NGOs that utilize PSCs – to have effective and universally accepted standards, certification, and oversight frameworks. MacLeod’s stated significant concerns (listed below with comments) with the new PSC regulatory mechanisms should be reviewed carefully and taken into consideration by each of the three member pillars of the ICoCA (states, industry, civil society) as well as by the commercial and NGO entities that utilize PSCs. The latter are not well represented in the state-client focused ICoCA.

State involvement and support. The ICoCA oversight mechanism must be perceived as strong and functional. In the United States, conformance with the PSC.1 standard is now required by the Department of Defense for all contracted private armed security overseas and the Department of State has recently stipulated in its largest protective services solicitation that each bidder must confirm compliance with the requirements set forth in PSC.1 (as well as demonstrate that it is a member in good standing with the ICoCA). In the United Kingdom, the Foreign Commonwealth Office has stipulated PSC.1 compliance for overseas contracted security services. MacLeod questions how the ICoCA, with its focus on the state clients of PSCs, can be extended to the other commercial and NGO clients of PSCs.

Ability to deal with non-certified and rogue PSCs. Furthermore, MacLeod queries how the ICoCA can contend with non-certified PSCs. She makes the case for states to weigh in to encourage PSC clients in the NGO and commercial sectors to use only ICoC compliant PSCs.

Scope of the certification. MacLeod recommends that clients of certified PSCs know the scope of their PSC’s certification. Is the company globally certified to the PSC.1 standard or is the scope of the certification limited to a specific operating unit or geography?

Auditor competence. MacLeod stresses that certifying auditors must be competent in human rights. The human rights elements in PSC.1 are significant and require the use of auditors with suitable expertise. It can also be argued that PSCs must draw upon human rights expertise themselves if they are to fully and adequately develop, implement, and sustain the human rights components of the PSC.1 standard. Failing to sufficiently develop, implement, and sustain the human rights risk management provisions of PSC.1 will corrode the credibility of the PSC’s certification and significantly undermine its ability to demonstrate its responsibility to respect human rights and prevent adverse impacts.

Human Rights Impact Assessments. MacLeod highlights the current lack of clarity on how a PSC should assess human rights risk and impacts and what tools they should use to do so. She is spot on here. While PSC.1 does not explicitly require PSCs to conduct a human rights risk and impact assessment (HRRIA), human rights is a specified component of the risk assessment process. As part of the risk assessment process, PSCs have the opportunity to conduct an HRRIA to identify specific human rights risk exposure and develop the processes to address each risk. PSC.1 also requires the establishment of complaint and grievance mechanisms with external stakeholders. An effective HRRIA conducted with the cooperation and involvement of the local impacted community can greatly facilitate this process. HRRIAs are an imperative part of the overall risk assessment process and should be conducted as part of every pre-deployment survey or advance party at the tactical and operational level. Like security, human rights risk mitigation is most effective when it is developed and integrated at the initial project planning stage and not implemented as a “bolt on” or reactionary activity.

Client awareness, education and training. This certainly requires a greater awareness effort and MacLeod rightfully argues that the effectiveness of PSC.1 certification will be dependent upon the extent to which all clients, government, commercial, and civil society, understand the certification process. The ICoCA, with its multi-stakeholder three-pillar approach, can, and undoubtedly will, be instrumental in this regard.

By identifying areas of perceived potential weakness with the multi-stakeholder process as it currently stands, MacLeod goes a long way in spotlighting the specific areas that must be addressed in the short term if a credible and viable “self-regulation-plus” PSC industry regulatory mechanism is to continue for the long term.

 

Swiss Law on Private Security Companies Contributes to Protection of Human Rights

On June 24, the Swiss government published a detailed decree relating to the Swiss law on Private Security Companies (PSCs) and announced that it will go into effect on September 1, 2015. The Swiss government, through its Federal Department of Foreign Affairs (FDFA), has taken the lead in fostering international consensus on regulation for PSCs through its two-part Swiss Initiative. Phase one, carried out in conjunction with the International Committee of the Red Cross, was an effort to create a non-binding declaration directed at states that contract with PSCs and are home to them, as well as the territorial states where they operate. The resulting Montreux Document, released in September 2008, recalls the existing international humanitarian and human rights law obligations of states with regards to the activities of private military and security companies during armed conflict, and elaborates good practices to assist states in meeting those obligations. Phase two of the Swiss Initiative focused on developing an international code of conduct and accompanying governance and oversight mechanism for the private security industry. Released in November 2010, the International Code of Conduct for Private Security Service Providers (ICoC) details human rights-based principles for the responsible provision of security services in complex environments. The multi-stakeholder governed International Code of Conduct Association (ICoCA), launched in September 2013, ensures implementation of, and accountability to, the ICoC.

The Swiss Federal Council’s decree details provisions to bring the 2013 law into full effect, and reflects the national manifestation of its international efforts. The law was passed to help ensure Swiss security and neutrality as well as respect for human rights. It applies to companies based in Switzerland providing security services overseas or who support the provision of those services, as well as Swiss government agencies contracting private security overseas and holding companies headquartered in Switzerland with control over PSCs operating overseas.

Key provisions of the law include the following:

  • PSCs headquartered in Switzerland may not participate in offensive operations during armed conflict.
  • PSCs must be members of the ICoCA.
  • Services that could result in severe human rights abuses are forbidden. For example, prison services cannot be provided in countries where it is known that torture occurs regularly at those facilities.
  • PSCs that wish to provide security services in complex environments, to include the protection of people, property, goods, as well as check point and prison services, must register with the Political Directorate of the FDFA. The FDFA will decide within a 14-day span whether the services are routine and acceptable, require additional investigation, or should be forbidden because they run counter to the intent of the law. Expedited registration is possible for services provided in an emergency situation.
  • The information required at the time of registration includes the types of services to be provided and clients, operating environments, weapons to be used, number of personnel and personal information of armed personnel, screening of personnel, expected risks, and trainings, including on human rights and humanitarian law.
  • The Federal Council has set minimal contractual requirements for PSCs working with Swiss government agencies, including reporting on the status of service provision, the identity of personnel, who can be replaced if they threaten delivery of contractually required services, notification of the contracting agency of any situation that may affect fulfillment of the contract, and notification of any incidents involving use of force. A sample contract containing these minimal requirements is available.

 

The enforcement of the law foresees measures such as empowering the FDFA to carry out, under certain conditions, unannounced inspections of the offices of PSCs, to include examination of their files. Failure to comply with the law can result in prison sentences of up to three years and fines.

ICoCA Releases Draft Certification Procedure for Vote by Members

The International Code of Conduct Association (ICoCA) has released its draft Certification Principles and Procedure for vote by the members of its General Assembly from the private security industry, civil society, and government pillars. When the vote is finalized by June 29, and assuming the Certification Procedure is approved by a majority of each pillar, this will represent an important step for the ICoCA in executing its role as an oversight authority overseeing implementation of the International Code of Conduct (ICoC). The ICoC was completed in 2010 and lays out a set of human rights and humanitarian law principles regarding the conduct of private security company personnel as well as commitments regarding management and governance.

The certification procedure was a long time in the making as Board representatives from the three pillars and the ICoCA Secretariat worked with each other to find consensus, in particular with regard to the ICoCA’s position on certification to PSC.1 – shorthand for the ANSI/ASIS PSC.1-2012 Management System for Quality of Private Security Company Operations. However, this vote does not fully address that issue at this time, but rather seeks approval for the process to assess any national or international standard presented to the ICoCA for consideration. As laid out in Article 11.2.1 of the ICoCA Articles of Association:

“The Board shall define the certification requirements based on national or international standards and processes that are recognized by the Board as consistent with the Code and specifying any additional information relevant to the human rights and humanitarian impact of operations it deems necessary for assessing whether a company’s systems and policies meet the requirements of the Code and its readiness to participate in the Association”

The draft Certification Procedure lays out the process the Certification Committee will undertake before the Board decides whether to recognize a standard:

Step 1:

A Member can submit any standard related to security operations as a potential pathway to certification.

Step 2:

If a standard is accepted for consideration, the Committee will evaluate the content of the standard against the ICoC as well as the process by which a company is certified. A draft Certification Assessment Framework for purposes of such an analysis was also released, with the full analysis of PSC.1 to follow at a later date. The Framework is not subject to vote. Whatever gaps the assessment reveals can serve as the basis for defining the “additional information relevant to the human rights and humanitarian impact of operations.” A draft Certification Additional Information Requirement for PSC.1 reveals where consensus has emerged about what that additional information likely will be for PSC.1, although the document will not be finalized until after the vote on the Certification Procedure is completed. In its current form companies will need to provide:

  • The certificate with the scope of their certification by an accredited certification body.
  • Any non-conformities identified in the certification report.
  • Their corrective action plans to address those non-conformities.
  • Their Human Rights Risk and Impact Assessment (HRRIA) model or process.
  • A range of documents with regards to subcontractors’ uptake of the ICoC’s commitments, screening and vetting of personnel, anti-discrimination policies, and competency reviews and training of personnel.

With regard to the HRRIA, a draft HRRIA assessment framework was also released. It contains a series of Yes/No questions and requests to evidence references in company policies. It is divided up between process questions – regarding the frequency of HRRIAs, the involvement of relevant internal and external stakeholders, and implementation of HRRIA findings – and a series of substantive questions relating to internal controls and policies and specific human rights provisions of the ICoC. The HRRIA assessment framework is an effort to assess whether a company’s HRRIA covers many of the commitments laid out in the ICoC with regard to conduct of personnel, human rights, and management and governance. The framework will also be finalized at a later date; however, at this point it is unclear what benchmarks the ICoCA will use to determine the acceptability of answers and how it will assess the accuracy of information submitted.

Step 3:

If a standard is deemed to be consistent with the ICoC, the Committee will draft a Recognition Statement which will include the additional information identified by the Committee based on the Assessment Framework. The draft statement will be made available for public comment.

Step 4:

After considering the comments, the Board will decide whether to accept the standard and publish a Recognition Statement. One consideration that may factor into whether a standard is consistent with the ICoC is “practical considerations relating to the ability of the ICoCA to effectively assess the Additional Information associated with a standard.” It will soon be seen whether this consideration is an issue in the assessment of the ISO 28007-1: 2015 Ships and Marine Technology: Guidelines for Private Maritime Security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract), which is the next standard the ICoCA will analyze. As we argued before, that standard still has some significant human rights shortcomings which will surely generate a good bit of information for the ICoCA.

Step 5:

After a Recognition Statement has been released, member companies can seek ICoCA certification by evidencing certification to the recognized standard by an independent, accredited certification body. A company will provide to the Secretariat the certificate and the additional information detailed in the Recognition Statement, and the Secretariat will review the materials and make a recommendation to the Board whether to approve a company for ICoCA certification. If the Secretariat has concerns about a member company’s ability to gain approval, it can engage that company in discussions to clarify what additional steps and information may be needed to gain approval. Prior to casting its vote the Board can request the Secretariat to elicit additional information from a company, if it deems this necessary to its ability to cast a vote on ICoCA certification.

If all goes well, and the Board votes to grant ICoCA certification to a company, that certification will have the same scope as the certification provided by the independent, accredited certification body. ICoCA certifications will be valid for a period of three years, as is the case for certification to PSC.1. In keeping with its role to foster industry best practices, the Secretariat can provide companies Advisory Comments to assist them with ICoC implementation.

The finalization of the certification procedure is a big step forward in ensuring governance and oversight of the ICoC. While the road ahead is still long, with the ICoCA tackling monitoring and reporting procedures as its next task, relative to other industries operating in complex environments, the private security industry is demonstrating that it is willing to actually subject itself to audits and evidence that it is implementing human rights standards.

Human Analytics Makes Recommendations for the U.S. National Action Plan on Responsible Business Conduct

Human Analytics has submitted the following recommendations to the State Department, which is overseeing the process to develop a U.S. National Action Plan (NAP) on responsible business conduct. The recommendations focus on security and human rights, which was a theme of the NAP consultation held in Norman, OK at the University of Oklahoma on April 9. Human Analytics participated in the consultation. The recommendations below, as well as those submitted by other organizations and individuals, can be found at the International Accountability Roundtable’s website dedicated to the NAP process.

Human Analytics Recommendations for the U.S. National Action Plan on Responsible Business Conduct with regard to Private Security

April 22, 2015

Human Analytics welcomed the chance to participate in the recent April 2 National Action Plan (NAP) consultation held at the University of Oklahoma in Norman, OK, which had as one focus security and human rights. Human Analytics is a consultancy specializing in helping public and private organizations, in particular private security providers, address human rights risks associated with operating in complex environments. We would like to offer the following recommendations related to the private security industry for consideration as the U.S. government proceeds with developing its NAP on responsible business conduct.

Require Enhanced Human Rights Due Diligence:

The private security industry frequently operates in high-risk, conflict-affected areas. As Guiding Principle 7 of the United Nations Guiding Principles on Business and Human Rights indicates, the risks of human rights abuses are heightened in such areas, and States must help ensure that business enterprises operating in those contexts are not involved in abuses. As the Commentary to Guiding Principle 7 notes, States “should review whether their policies, legislation, regulations and enforcement measures effectively address this heightened risk, including through provisions for human rights due diligence by business.” Human Analytics recommends that the U.S. government mandate at a minimum for its contracted private security service providers that they undertake an enhanced human rights due diligence process and disclose their findings, to include a company’s human rights due diligence policies and procedures, risks and impacts identified, and measures taken to prevent, mitigate and address them throughout their operations. The U.S. government should also encourage, for example through its participation in the Voluntary Principles on Security and Human Rights, private sector clients of the security industry, such as oil, gas, and mining companies, to undertake and disclose information about their human rights due diligence processes. Legislative precedent for such a requirement already exists, for example the mandatory disclosure of due diligence measures relating to conflict mineral supply chains under Dodd-Frank 1502. Other organizations, such as Amnesty International USA and NomoGaia, have made similar recommendations.

Assist the Private Security Industry with the Development of a Human Rights Risk and Impact Assessment Tool:

Guiding Principle 7 states that States should engage “at the earliest stage possible with business enterprises to help them identify, prevent and mitigate the human rights-related risks of their activities and business relationships” as well as provide “adequate assistance to business enterprises to assess and address the heightened risks of abuses.” One means through which the U.S. government could further efforts of the industry to engage in an effective, enhanced human rights due diligence process is to assist with the development of a security industry specific human rights risk and impact assessment tool. A venue already exists to do this, namely the International Code of Conduct Association (ICoCA). The U.S. is a founding member of the State pillar of the ICoCA. According to the ICoCA Articles of Association, one purpose of the Association is to serve as a central agency for the promotion of industry best practice. The U.S. government should provide funding to the ICoCA to develop a human rights risk and impact assessment tool. Despite promises otherwise, to date the U.S. government, unlike other member States, has not provided monetary or in-kind assistance to the ICoCA.

Ensure Policy Coherence:

Guiding Principle 8 recommends vertical and horizontal policy coherence to “ensure that governmental departments, agencies and other State-based institutions that shape business practices are aware of and observe the State’s human rights obligations when fulfilling their respective mandates.” Furthermore, Guiding Principle 6 states that “States should promote respect for human rights by business enterprises with which they conduct commercial transactions,” for example through procurement policies and practices. With respect to the U.S. government’s role as both a regulator and user of private security services, greater policy coherence entails ensuring that the Department of Defense (DoD) and Department of State (DoS) undertake similarly rigorous measures in procuring, overseeing, and regulating contracted private security providers. In particular, there is inconsistency in the level of commitment to more privatized forms of governance, such as the International Code of Conduct/ICoCA and the ANSI/ASIS PSC.1-2012 Management System for Quality of Private Security Company Operations – Requirements with Guidance (PSC.1). While the DoS has announced that it will require its security providers to be members in good standing of the ICoCA and to certify compliance to PSC.1, the DoD has thus far only required compliance to PSC.1 in the DFARS.

Perhaps more significantly, the U.S. Agency for International Development (USAID) has been largely absent from both initiatives. While USAID does not directly contract for private security services to the same extent, the organizations it partners with do utilize and subcontract with private security providers. USAID should require its implementing partner organizations to place similar requirements on their security providers.

These recommendations are in keeping with those made by Amnesty International USA, namely that “[g]overnment procurement contracts with private companies should include requirements that they carry out human rights due diligence and report on their due diligence policies and practices. They should also include clauses providing for the suspension or termination of contracts based on non-compliance. Companies that are directly or indirectly linked to human rights abuses should become ineligible for public procurement contracts.” The U.S. government has the opportunity to use the power of its purse strings to ensure corporate respect for human rights and greater accountability for companies complicit in the commission of human rights abuses.

Improve Accountability by Closing Gaps in U.S. Laws:

While the recent convictions of four Blackwater security contractors involved in the 2007 shooting deaths of Iraqi citizens in Nisour Square demonstrated that U.S. laws can reach extraterritorially to address human rights abuses committed overseas, news reports indicate that an appeal of the verdicts is likely based on the fact that the Blackwater contractors were operating on behalf of the DoS at the time, and thus did not fall under the jurisdiction of the Military Extraterritorial Jurisdiction Act. The U.S. Congress must pass the Civilian Extraterritorial Jurisdiction Act to close gaps in the law by extending federal criminal jurisdiction over all U.S. government contractors. As the International Corporate Accountability Roundtable elaborates in its “Shadow” U.S. National Baseline Assessment for Pillar 1 of the UN Guiding Principles,

“The Military Extraterritorial Jurisdiction Act of 2000 (MEJA)… includes criminal liability for people who are “employed by or accompanying the armed forces” abroad. However, this includes contractors and sub-contractors hired by the Department of Defense only. The proposed Civilian Extraterritorial Jurisdiction Act of 2011 (CEJA) aimed to address this gap by amending Title 18 of the United States Code to clarify and expand federal criminal jurisdiction over federal contractors and employees who commit certain crimes outside of the United States while employed by or accompanying any agency of the United States other than the Department of Defense (DOD). The CEJA bill was introduced on 3 June 2011, in a previous session of Congress, but was not enacted.”

The private security industry has in the past expressed support for legislative proposals that would close the gaps in MEJA.

We thank the Department of State for coordination of the NAP consultations and hope these recommendations are of use. We look forward to continued engagement throughout the process of developing the NAP.

Framework or fragmentation of standards for private security providers?


A recent article in the Fletcher Security Review entitled “Accountability for Armed Contractors” by Dr. Ian Ralby provides an excellent, concise summary of what he terms “accountability initiatives” for private armed contractors. The key declarations, codes, and management standards he highlights include the following:

 

Ralby expresses a number of concerns about the ability of these initiatives to ensure effective governance and accountability. Many of them, he argues, are a legacy of the Iraq and Afghanistan wars and may be ill-suited to addressing future challenges the industry may face as it moves into new areas of work. This is reminiscent of Sarah Percy’s argument that efforts to regulate the private security industry have been a matter of “regulating the last war,” rather than dealing with current and emerging trends. Furthermore, even though these initiatives are backward looking, they have gaps and do not address all the issues that have arisen to date, which could result in a loss of confidence. Ralby also notes that there is not a consistent approach across all U.S. government agencies in how security contractors are procured and to which initiatives armed security providers are expected to adhere.

Emerging convergence

The latter is indicative of what Ralby sees as the larger problem with accountability initiatives to date, namely that “the resulting collection forms a patchwork, rather than a framework for governing the conduct of armed contractors.” However, this concern may be overstated in light of developments in the past year within the landscape of initiatives for armed security services, which have trended away from fragmentation towards signs of convergence. Ralby makes the sensible recommendation that initiatives be revisited in light of the changing nature of industry operations and, one should add, evolving normative and practical understandings of appropriate corporate behavior. Yet, this is exactly what is happening and contributing to a more coherent framework. For example, the ICoCA’s proposed additional human rights-related information requirements for certification (beyond what certification to PSC.1 already requires) are grounded in the human rights risk and impact assessment language of the UN GPs – something which cannot be found in the ICoC itself, which was completed in 2010 before the finalization of the UN GPs. While PSC.1 makes reference to the UN GPs, they were released just before completion of the management standard in 2012, and implementation of the UN GPs’ human rights due diligence requirements had not yet been put into practice by companies. With the release of ISO 18788 expected in the middle of this year, one finds in the draft international standard more thorough due diligence requirements than explicated in either the ICoC or PSC.1, to include human rights risk analysis as part of the risk assessment and management process.

Voluntary and mandatory regulation: Two sides of a coin

The three pillars of the UN GPs – the state responsibility to protect human rights, the corporate responsibility to respect human rights, and the right of victims to access remedy – clarify that mandatory State regulation of companies and voluntary corporate commitments to respect human rights are two sides of a coin rather than a dichotomy. The Montreux Document, which is largely directed at States, and the multi-stakeholder ICoC/ICoCA were conceived from the outset as two interconnected parts of the Swiss initiative – an effort to find international consensus on appropriate regulation of armed security services. This recognition of the interconnected nature of State-based regulation and corporate self-regulation is reflected in recent efforts to further link the Montreux Document and the ICoCA. The Montreux Document Forum was established this past December to support national implementation of the Montreux Document’s legal obligations and good practices, develop implementation tools, and to encourage greater state support of it. The Forum will offer a venue for interstate dialogue on better regulation of armed security providers, and will support the functions of the ICoCA’s Advisory Forum of Montreux Document participants. The Advisory Forum, as foreseen in the ICoCA’s Articles of Association, is to provide advice on national and international policy and regulatory matters to the ICoCA.

Closing gaps

The blurring of the line between voluntary and mandatory regulation is further evidenced by the fact that governments, to include the U.S. government’s Departments of Defense and State, have included or are planning to include conformance with accountability initiatives in procurement decisions. Ralby expresses concern that differential requirements – with the DoD procurement regulations referencing PSC.1 and the DoS security contracts, in particular the Worldwide Protective Services contract, likely to require PSC.1 and ICoC conformance – exacerbate fragmentation. However, with the ICoCA soon likely to decide to accept certification to PSC.1, with some additional informational requirements, as the basis for receiving certification to the ICoCA, the “gaps” between the two become less of an issue. The DoD continues to be actively involved in the ICoCA as well as funding management standards development. The PSC Series standards were created to operationalize and embed the ICoC’s requirements into a management system process. The DoD and other stakeholders involved in drafting ISO 18788 have further worked to reduce gaps with the ICoC and the UN GPs.

The road to “best value” and respect for human rights

As Ralby rightfully points out, these accountability initiatives when embedded into procurement processes work to the advantage of private security contractors. Government contractors have long asked for contract awards to be made on “best value” rather than “lowest price technically acceptable.” Accountability initiatives can serve as a “best value” differentiator for those willing to respect the human rights and humanitarian law requirements at the heart of these initiatives. From the perspective of affected communities that live in the areas where these companies operate, such initiatives offer an opportunity for greater respect of their human rights and access to remedy for negative impacts associated with security operations.

Association for oversight of private security companies holds meeting to share successes and plan the road ahead

The International Code of Conduct Association (ICoCA) held its Annual General Assembly meeting in London last week. The ICoCA was established last year to provide oversight and ensure implementation of the human rights and humanitarian law commitments laid out in the International Code of Conduct for Private Security Services Providers (ICoC). The gathering brought together members from the multi-stakeholder organization’s three pillars – private security companies, governments, and civil society organizations – as well as independent observers. Human Analytics is a member of the observer pillar. The cross-section of leading security companies and industry stakeholders came together to learn about the ICoCA’s activities in the past year, objectives for the coming year, and progress made in developing key procedures essential for effective oversight and accountability, namely certification, reporting, and monitoring.

Much has been accomplished since the launch of the ICoCA. Executive Director Andy Orsmond recounted the many steps taken to put the ICoCA on a sound organizational footing, such as setting up the Secretariat in Geneva, establishing Board election procedures, which allowed for the election of a new Board chair and two new Board members, the development of membership requirements and an application process, and creating infrastructure and an information security policy. The latter is particularly important to member companies, who must include detailed information about their operations in their applications, and will soon be requested to share additional information as part of the regular reporting requirements, which are still being developed. Those companies want to know that their information is being preserved in a confidential and secure fashion.

Looking to next year, from the basis of a strong financial footing, the ICoCA has laid out ambitious objectives for itself. One of the top priorities is to complete development of the certification process, to include voting on certification procedures and the creation of a framework to assess various national and international standards to which security companies are currently being certified. PSC.1, shorthand for ANSI/ASIS PSC.1-2012: Management System for Quality of Private Security Company Operations, is the first national standard to be evaluated against the requirements of the ICoC. A maritime security standard, ISO/PAS 28007, is next in line. Recognizing that attaining certification is a phased process, the ICoCA will develop a means for companies to transition into full certification.

In addition to tackling certification procedures, the Board has set up a working group that is currently in the process of developing reporting criteria and monitoring protocols. As the ICoCA seeks to grow its membership and the observer pillar in the coming year to include reaching out to other industry stakeholders, including non-state clients, potential new members and supporters will no doubt be interested in understanding what certification, reporting, monitoring, and grievance procedures look like in practice. The intense discussion among attendees about evolving concept papers on these various procedures leaves no doubt that developing these procedures will require extensive negotiations and consultations. However, listening to the Secretariat staff and Board members, it is clear that they are forging common ground. It is to the credit of the ICoCA that it is carrying out these discussions in an open and transparent fashion.

Multi-stakeholder consensus building is never an easy process, but what comes out at the end will likely have greater legitimacy and credibility. As UN Business and Human Rights Working Group member Alexandra Guaqueta said in Geneva at the UN Forum the day before the Annual General Assembly, the ICoCA reflects a “new generation” of multi-stakeholder initiatives. She described it as being exemplary for its consultative nature, the solid technical work it is based on, its strong governance structure with greater accountability mechanisms, its solid membership with willing first movers, the high level of industry participation, and a built-in incentive structure, with participating governments building adherence to the ICoC into procurement processes.

However, as other participants remarked, to move forward each pillar must be prepared to give a little and not allow the perfect to be the enemy of the good. The ICoCA will always be a work in progress.