Private security companies (PSCs) often operate in areas of conflict or weak governance, in the absence of effective regulation and with a high risk of implication in serious human rights abuses. As a result, governments and industry representatives, sometimes with civil society’s participation, have developed several guidelines and codes of conduct that seek PSCs commitment to human rights standards and monitor their activities.
Two key multi-stakeholder initiatives are the International Code of Conduct for Private Security Service Providers (ICoC), and the Voluntary Principles on Security and Human Rights(VPs). Such initiatives are not formally linked and target different audiences: the ICoC is aimed directly at PSCs, while the VPs at extractive companies contracting private security services. Other main instruments include guidelines and certification standards, such as: the series of ANSI standards on PSCs developed by ASIS International (PSC.1, PSC.2, PSC.3 and PSC.4); the Industry Stability Operations Association (ISOA) code of conduct and the Guidelines for Private Maritime Security Companies (ISO/PAS 28007:2012) developed by the International Organization for Standardization (ISO) to provide guidelines for shipping companies deploying privately contracted security personnel.
Measuring Business & Human Rights is carrying out a study to clarify the possible intersection between such initiatives and highlight common issues, in particular through the analysis of the use of human rights indicators.
Despite their differences in process, structure, organisation and requirements, all these initiatives address the issue of security and human rights. While not formally connected, they are potentially mutually reinforcing. For example, the ICoC Association has identified PSC.1 and ISO/PAS 28007 as the first two standards necessary for assessing whether a member company’s policies meet the requirements of the code. An external expert is comparing the ICoC and PSC.1 to establish whether certification to PSC.1 will be enough to grant certification to the ICoC or whether additional information related to the human rights impacts of the company’s operations is required. ISO is also working at a new certifiable management standard for private security company operations (ISO/PC 284), whose human rights content is informed by the ICoC.
In order to assess company compliance with standards and codes, measurable criteria are required and some initiatives have developed specific human rights indicators. Such indicators, however, are not designed to measure the human rights impacts of the company, but to assess the member company’s compliance to the set of principles or standards. For example, the VPs process has developed two documents that include human rights indicators: the Key Performance Indicators (KPIs) and the Audit Protocol. Indicator 2 of the KPIs deals with the comprehensiveness of stakeholder consultations, necessary to have a clear understanding of the operating environment. Companies receive points for a total out of 100% for: number of consultations; range of actors consulted (communities, local media, authorities etc…); and whether they let independent parties facilitate the consultation. But none of these factors guarantee outcomes, or provide any indication of the human rights impact of the company’s operations.
Another example is Indicator 5 of the KPI, concerning staff training. This indicator only check whether the different actors responsible for security have received training on human rights, but overlooks the quality of the training, possible outcomes and impacts. The Audit Protocol also includes a set of indicators to provide assurance that the systems and processes required by the VPs are in place and being complied with by the company. Such indicators are based on the KPIs and do not provide for weight of human rights impacts.
Likewise, measurable criteria under PSC.1 (management and governance; selection, screening and vetting of personnel and sub-contractors; training of personnel; procurement etc…) do not include any measurement of possible outcomes and human rights impact of the member company’s operations.
The lack of transparency is a common problem, especially in relation to the reporting systems. Lack of transparency is evident in the VPs, due to the confidential nature of the dialogue and that public reporting remains voluntary. The KPIs recognise that companies may have their own protocol for recording incidents and may be unwilling to document in writing therequested information. They describe it as a “unique opportunity for the companies to hold themselves accountable first”. Similarly, audit test results are confidential under the Audit Protocol. PSC.1 includes measurable criteria for managing, reporting and documenting incidents, as well as for the company grievance processes. These are also handled in confidence and do not include any information provided by affected parties. Similarly, complaints under the ISOA Code of Conduct are handled in confidence with only the complainant and the accused company appraised of progress. The ISOA justifies this high level of confidentiality to facilitate the provision of information by companies. The ICoC reporting is also covered by the “necessary confidentiality and non-disclosure arrangements” that allow companies to submit to a governance and oversight mechanism and assess their performance.
The initiatives analysed have also a different degree of multi-stakeholder consultation. For example, the ICoC was developed through a transparent and inclusive multi-stakeholder process (with representatives from governments, industry and civil society) and overseen by an independent institution. All the information related to the ICoC process, the minutes of the three Working Groups, as well as the drafting of the articles establishing the oversight mechanism are publicly available. On the contrary, in the member-based associations, like ASIS, information is available only to members. Likewise, the VPs Audit Protocol was developed on by a group of corporate-only participants and the protocol itself is the only document publicly available. ISO also lacks a technical committee and a mix of stakeholders with necessary human rights expertise.
Third-party oversight, in relation to monitoring, auditing, certification, or accreditation, has a mixed degree of development in the different initiatives. The VPs lack third-party oversight as monitoring of, and compliance with, the principles is up to individual companies. Likewise, under the Audit Protocol, compliance is limited to the data provided by the company, consisting of its policies, procedures, guidelines and examples of country implementation, without a third-party data supplier. For instance, indicator B.4 and B.6 look at whether a company has a procedure for reporting and for addressing security-related human rights allegations. The company reports on its procedures or mechanisms alone. To verify compliance, the auditors are required to confirm that such procedures are in place. This is done mainly through discussions with the executive responsible for the VPs, without checking the company information against any other data.
The ICoC, on the other hand, formed the ICoC Association in 2013 to provide external and independent third-party oversight mechanism. The Association’s mandate is to ensure the effective implementation of the ICoC through certification, human-rights-oriented field monitoring, and a compliance procedure. Importantly, the Association is mandated to gather and receive information from the public on whether member companies are operating in compliance with the code. The ICoC also establishes an auditing process through which independent auditors conduct on-site audits, including in the field, and report the data gathered to the oversight mechanism. This will in turn verify whether the company is meeting the requirements and, if not, what remediation is required.
Compliance with ISO/PAS 28007:2012 can be assessed by first, second and third party certification. The new ISO/PC 284 will also be a certifiable standard, to which organisations can demonstrate their conformance through a third party certification audit. Likewise, conformance to PSC.1 standard is validated by an independent third-party accredited certification body – which must first be accredited by an independent accreditation body. Here there is the opportunity for external parties to provide feedback and report concerns at all levels of the certification process.
Related to the external oversight is the issue of accountability and enforcement. Enforcement is lacking in the VPs. These call for companies “where appropriate” to include the VPs in legally binding contracts with private security companies. Some extractive companies have done so, making adherence to the VPs a mandatory part of the agreement. But the company’s commitment to adhere to the VPs is voluntary, the actions under the VPs are not verified or enforced, and signatories face few consequences for failing to uphold the principles. There are no provisions for penalties in case of non-compliance, other than the possibility of being expelled from the VPs.
The enforcement of the ISOA Code of Conduct is guided by the publically available ISOA Enforcement Mechanism. This mechanism ensures that anyone can bring a complaint, based on the Code of Conduct, against an ISOA member company, for review by the ISOA Standards Committee. ISOA can expel members that refuse to address problems.
The ICoC is not a legally binding instrument, but some governments have already indicated that they will only hire PSCs that have signed the ICoC and agreed to submit to the accountability system. For example, the US Department of State said that ICoC Association membership will be a requirement in the bidding process for the successor contract to the Worldwide Protective Services programme. Similarly, conformance to the PSC.1 standard is required in US Defense Department contracts for private security functions, as well as those contracted through the UK Foreign and Commonwealth Office. This means that the interest of the company to comply with the human rights provisions goes beyond mere membership as non-compliance may affect its ability to procure contracts.
In conclusion, the credibility of these initiatives depends on their adoption of effective oversight and reliable complaints mechanisms that ensure remedy for victims, and a greater capacity to monitor compliance and to sanction non-compliance. The efficacy will also rely on PSCs acceptance of such independent external oversight, and on governments and other clients’ commitment to hiring only PSCs that are in full compliance. There is also a need for an open, transparent consultation process that includes extensive outreach to attract appropriate stakeholders and ensures that audits are conducted with the necessary human rights expertise. Assessing measurable criteria in relation to the human rights risk conducted as part of the certification process, needs to amount to more than a desk-based box-ticking exercise. Certification institutions, accreditations bodies and auditors need to gather information from the field and capture actual human rights impacts on the ground. While a certain degree of confidentiality is necessary in certain operating environments, the reporting process, especially when related to human rights incidents, needs to include public disclosure. This would help to ensure that certification goes beyond what the company chooses to report – for example on parts of the business where they have achieved compliance while ignoring areas in which they face human rights issues. A transparent and public report of lessons learned would be useful also to determine the compatibility between these initiatives. These steps may help to increase transparency and disclosure concerning the activities of PSCs, and to hold them accountable for human rights abuses.
Irene Pietropaoli
Irene Pietropaoli is one of the co-Directors of MB&HR and a PhD candidate at the Law school of Middlesex University, London. In the past years she worked as a researcher at the Business & Human Rights Resource Centre. She is now based in Yangon, Myanmar.
This is an informative blog about the wide range of codes and standards that have been developed in recent years to guide the responsible provision of security services. However, I would respectfully disagree with the depiction of the ISO/PAS 28007 for maritime security as a “security and human rights” standard. ISO/PAS 28007 stands out from the other standards because of the lack of inclusivity and transparency in its drafting and for its failure to include human rights provisions. To the first point, unlike the committee that drafted ANSI/ASIS PSC.1, which included academics and representatives from NGOs such as Human Rights First, Amnesty International USA, the Geneva Center for the Democratic Control of Armed Forces, and Fund for Peace, the Technical Committee that drafted the ISO/PAS 28007 did not include civil society organizations.
Regarding human rights, the ISO/PAS 28007 cannot be described as contributing to the mutually reinforcing and complementary nature of the other standards. Two notes in the definition section, point out that the International Maritime Organization does not believe that the ICoC or the Montreux Document are applicable to maritime security operations. This will make it very challenging for the ICoC Association to consider recognizing certification to the ISO/PAS 28007 as meeting the principles and certification requirements of the ICoC. So will the fact that the ISO/PAS has been scrubbed of almost any reference to international human rights law. The Universal Declaration of Human Rights is not listed as an informative document in the bibliography and in the entire standard human rights are only referenced twice. Once in conjunction with health and safety stating that the organization should have guidelines for disciplinary offenses involving human rights abuses, and the second time to state that the organization should develop procedures to identify applicable international law to include human rights obligations. Human rights are erroneously mentioned a third time referring to possible limits under human rights law to screening personnel. International human rights law, to my knowledge, does not speak to this issue.
What is not addressed that is covered in other standards like the ICoC and PSC.1? The responsibility of maritime security companies to respect human rights and carry out human rights due diligence processes. There is no mention of conducting human rights risk analyses or engaging with affected communities and stakeholders during that process. In fact, there is no mention that maritime security operations can potentially impact on human rights. Furthermore, there are no stipulations for human rights trainings for personnel, and the requirements for grievance mechanisms are inadequate. While there is a provision that no one under 18 should be employed to carry weapons, there is no reference to avoiding the worst forms of child labor or other gross human rights violations. The ISO/PAS 28007 is simply not a human rights standard.
Unfortunately, it also falls short in terms of what certification to the standard can hope to accomplish with regards to ensuring responsible provision of maritime security services. One important point about certification to the ISO/PAS 28007 needs to be clarified. Companies are not certified to the ISO/PAS 28007; as a Publicly Available Specification this is not possible. Technically they are certified to ISO 28000: Specification for security management systems for the supply chain using ISO/PAS 28007 as guidance. Here there is a fundamental breakdown in the logic of what companies claim to be achieving through certification. The ISO 28000 is about addressing risks in the supply chain. It is not about addressing the risks of security operations, or about the quality of security operations – two things that PSC.1 does address.
Currently, the Technical Committee that created the ISO/PAS 28007 has submitted it for comments and voting as a Draft International Standard (DIS). If successful, this would turn the ISO/PAS into a full ISO international standard. The DIS has not been updated at all and is the PAS word for word. Quite surprising considering that 22 maritime security companies have been certified to date. One would think that there would have been at least a few lessons learned that would indicate the need for some changes to the standard’s language. The DIS is currently open for comment until the end of October and the vote closes on November 19. Civil society organizations should take this opportunity to reach out to their national standards bodies’ mirror committees – ANSI in the U.S. and BSI in the UK – and submit their comments and concerns. If the ISO 28007 wants to be in the company of the other security standards detailed in this blog, it must include human rights provisions.
Thanks a lot for your interest in this blog and for your useful comments, Rebecca. I agree with your points. ISO/PAS 28007 unfortunately, does not directly include provisions establishing the responsibility of maritime security companies to respect human rights and carry out human rights due diligence. I want to clarify that I do not depict the ISO/PAS 28007 as a “human rights standard”. However, this tool, as the others analysed, deal, in practice, with the issue of security and human rights. Despite its shortcomings, the use of ISO/PAS 28007 by maritime security companies can have an impact on human rights. And its lack of specific human rights provision may have a negative impact on human rights.
I absolutely agree with your point that unlikely the ANSI PSC standards – and the VPs and ICoC – ISO/PAS 28007 does not include civil society organizations. This is why in relation to lack of multi-stakeholder consultations, I am arguing that what is needed for ISO is a technical committee and a mix of stakeholders with human rights expertise.
In terms of the complementarity/mutually reinforcing nature of those initiatives, I am only referring to this in relation to ISO/PAS 28007 because of the ICoC Association’s identification of ISO/PAS 28007, and PSC.1, as the first two standards necessary for assessing whether a member company’s policies meet the requirements of the code.
This blog only provides a descriptive comparison of initiatives and tools developed for the security sector. MB&HR will shortly release a more detailed “initiative card” for each such tool with an analysis of and their use – if any – of human rights indicators and their strengths and weakness from a human rights perspective. We will certainly take your comments on board.
The ISO/PAS 28007 has been now released as a full ISO standard. Here’s a blog post describing why some progress has been made on the human rights front, but there is still room for improvement.
http://human-analytics.net/new-iso-standard-private-maritime-security-companies-reflects-progress-human-rights/
New ISO Standard for Private Maritime Security Companies Reflects Some Progress on Human Rights
In a previous Human Rights in Complex Environments blog, we argued that the ISO/PAS 28007:2012 Ships and marine technology – Guidelines for Private Maritime Security Companies (PMSC) providing privately contracted armed security personnel (PCASP) on board ships (and pro forma contract) – ISO/PAS 28007 in short – could not be described as a “security and human rights” standard. At the time, the Publicly Available Specification was being developed into a full ISO standard. That standard, ISO 28007-1: 2015, is now completed and available. While some improvements have been made in terms of clarifying the human rights responsibilities of PMSCs providing armed security on board ships, shortcomings remain.
What ISO-28007-1 is and is not
ISO 28007-1 suffers from a bit of an identity crisis. It is a set of informative guidelines for organizations implementing ISO 28000: Specification for security management systems for the supply chain. In other words, it is additional guidance for organizations wanting to assure security in their supply chains, which is different from the management of private security operations and the responsible provision of armed security services – something that standards like ANSI/ASIS PSC.1:2012 Management system for quality of private security company operations – Requirements with guidance (PSC.1) and its accompanying guidance specific to private maritime security, ANSI/ASIS PSC.4-2013: Quality Assurance and Security Management for Maritime Private Security Companies – Guidance (PSC.4), do explicitly address. While the Introduction to ISO 28007-1 states that, “[i]n effect, ISO 28000 is a risk-based quality management system for the security of operations and activities conducted by organizations,” in reality ISO 28000 is not a quality management system and the word quality appears nowhere in the main body of ISO 28000.
Furthermore, it should be noted that ISO 28007-1 is specific to the provision of security services on board ships. The evolving industry is largely unaddressed by the standard, and it does not cover newer activities, such as offshore installation protection, littoral work, and seismic survey work, which are more likely to put PMSCs in a position where human rights might become an issue.
Improved human rights provisions
As noted in our previous blog, human rights were almost wholly absent from the ISO/PAS 28007. The Universal Declaration of Human Rights (UDHR) was not listed as an informative document in the bibliography, and in the entire standard human rights were only correctly referenced twice: once in conjunction with health and safety stating that the organization should have guidelines for disciplinary offenses involving human rights abuses, and the second time to state that the organization should develop procedures to identify applicable international law to include human rights obligations. While the UDHR still is not referenced in the bibliography and the term international human rights law appears nowhere in the ISO 28007-1, the Introduction now explicitly references the UN Guiding Principles on Business and Human Rights (UNGPs), which reflect the current international norm for responsible business conduct with relation to the human rights impacts of companies. Specifically, the Introduction states: “Organisations seeking to be certified to this International Standard should respect the human rights of those affected by the organisations [sic] operations within the scope of this International Standard, including by conforming with relevant legal and regulatory obligations and the UN Guiding Principles on Business and Human Rights.” This is a marked improvement over the ISO/PAS 28007. However, choosing to reference the UNGPs only in the Introduction and not integrating them and elaborating on their relevant provisions in the main body of the guidance weakens the expectation that companies conform to the UNGPs. The drafters could have cited the UNGPs as a normative reference, as was done with the ISO 18788 Management system for private security operations – which is the international standard based on PSC.1 – but that path was not taken. Furthermore, the definition provided of the UNGPs is incomplete and only discusses the human rights responsibilities of companies, i.e. Pillar II, and not the accompanying human rights obligations of States and the need for both States and companies to provide effective access to remedy for victims of human rights abuses linked to economic activities.
That being said, referencing the UNGPs is not the only improvement in the ISO 28007-1’s human rights provisions. Noteworthy are the following additions:
• The term stakeholders is now used and impacted communities have been added as a relevant stakeholder.
• As part of the risk assessment process, organizations are advised to carry out meaningful consultation with relevant stakeholders, including those directly affected by their operations.
• Organizations should have a human rights policy, alongside a Code of Ethics.
• In addition to minimum age requirements for PCASPs, there is also now a commitment not to employ child labor and referencing of relevant ILO conventions.
• The provisions on complaints and grievance procedures have been improved and now reference protection of whistle-blowers, procedures to assess effectiveness of complaints and grievance mechanisms, and procedures to protect complainants from retribution.
It is also noteworthy that remarks in the definitions section which stated that the International Maritime Organization does not believe that the International Code of Conduct for Private Security Service Providers (ICoC) or the Montreux Document are applicable to maritime security operations were removed. The ICoC and Montreux Document have been added to the bibliography.
Still room for more improvement
While these additions warrant recognition, there is still room for strengthening the human rights provisions of the IS0 28007-1 if it is to truly reflect the UNGPs. Additional improvements should entail:
• Recommending that organizations carry out a human rights due diligence process, to include conducting a human rights risk and impact assessment to identify, address, and mitigate actual and potential negative human rights impacts.
• Clarifying that when organizations systematically evaluate and prioritize risk controls, management, mitigation, and treatments that they should prioritize addressing human rights risks based on their scope and severity. Not addressing actual or potential severe human rights risks raises legal liability concerns, and not just considerations of reputation and cost effectiveness. Severe human rights risks linked to an organizations’ operations must be addressed even if risk treatment is not cost effective per se.
• Adding provisions that explicitly state that negative human rights impacts should be remediated.
• Using past involvement in human rights violations as a screen for vetting PCASPs.
• Requiring that PCASPs receive relevant human rights training.
Thankfully ISO standards are reviewed on a regular basis, so there will be opportunities in the future to include human rights experts in the review process and address these shortcomings.