**SSR Paper 12**


**Towards an International Code of Conduct for Private Security Providers: A View from Inside a Multistakeholder Process**

Anne-Marie Buzatu

The use of private security companies (PSCs) to provide security services has been on the rise since the end of the Cold War, with PSCs operating in a number of contexts, including armed conflict and areas where the rule of law has been compromised. The use of private actors to perform services that are traditionally associated with the state is not limited to PSCs, but is emblematic of a growing trend by governments to outsource functions with a view to improving efficiency and cutting budgets. Privatization of public functions can, however, present a number of challenges to existing national and international regulatory and oversight frameworks. In the private security sector these challenges were brought to international attention after high-profile incidents in which PSCs injured civilians revealed difficulties in effectively holding international PSCs accountable. This paper argues that crafting a multistakeholder regulatory approach in which key stakeholders work together to develop standards that are appropriately adapted for the private sector, as well as to create governance and oversight mechanisms to hold these private actors to effective account, helps to fill some of the governance gaps found in traditional regulatory approaches. It recounts the developments leading to the International Code of Conduct for Private Security Service Providers (ICOC) and its governance and oversight mechanism, the ICOC Association, offering an example of the development of an initiative which sets new international standards and elaborates a multistakeholder framework and approach to governance for the private security sector. A recent trend of state and non-state clients requiring compliance with the ICOC initiative in their contracts with PSCs offers a new take on binding international regulation of private actors.

**Anne-Marie Buzatu** is deputy head of the Public-Private Partnerships Division at the Geneva Centre for the Democratic Control of Armed Forces (DCAF). Working under a mandate of the Swiss government, she led DCAF's work to support the elaboration of the International Code of Conduct for Private Security Service Providers from January 2009 to November 2010. She subsequently led the development of the ICOC Association, a multistakeholder governance and oversight mechanism for the ICOC, which began operations in September 2013. Current projects include working with the International Committee of the Red Cross to develop guidance related to security sector governance and reform for multinational companies, as well as supporting better governance approaches for internet/cyber security.


Published by Ubiquity Press Ltd. 6 Osborn Street, Unit 2N London E1 6TD www.ubiquitypress.com

Text © Anne-Marie Buzatu 2015

First published 2015 Transferred to Ubiquity Press 2018

Cover image © Loan Ngyuen

Editors: Alan Bryden & Heiner Hänggi. Editorial assistance: Kathrin Reed. Copy editor: Cherry Ekins. Design and layout: Pitch Black Graphic Design, Berlin/The Hague.

ISBN (PDF): 978-1-911529-39-2

ISSN (online): 2571-9297

DOI: https://doi.org/10.5334/bbw

This work is licensed under the Creative Commons Attribution 4.0 International License (unless stated otherwise within the content of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. This license allows for copying any part of the work for personal and commercial use, providing author attribution is clearly stated.

This book was originally published by the Geneva Centre for the Democratic Control of Armed Forces (DCAF), an international foundation whose mission is to assist the international community in pursuing good governance and reform of the security sector. The title transferred to Ubiquity Press when the series moved to an open access platform. The full text of this book was peer reviewed according to the original publisher's policy at the time. The original ISBN for this title was 978-92-9222-377-9.

The Geneva Centre for the Democratic Control of Armed Forces (DCAF) is an international foundation established on the initiative of the Swiss government. It is one of the world's leading institutions in promoting good governance, and focuses on a specific public sector niche – the security sector. DCAF's mission is to assist partner states and international actors supporting these states in improving the governance of their security sectors through inclusive and participatory reforms based on international norms and good practices and in response to specific local contexts and challenges.

SSR Papers is a flagship DCAF publication series intended to contribute innovative thinking on important themes and approaches relating to security sector reform (SSR) in the broader context of security sector governance (SSG). Papers provide original and provocative analysis on topics that are directly linked to the challenges of a governance-driven security sector reform agenda. SSR Papers are intended for researchers, policy-makers and practitioners involved in this field.

This paper has been submitted to a double-blind peer review process. The editors would like to thank the anonymous reviewers for their valuable contribution.

The views expressed are those of the author(s) alone and do not in any way reflect the views of the institutions referred to or represented within this paper.

© 2015 Geneva Centre for the Democratic Control of Armed Forces. Editors: Heiner Hänggi and Albrecht Schnabel. Editorial assistance: Kathrin Reed. Copy editor: Cherry Ekins. Design and layout: Pitch Black Graphic Design, Berlin/The Hague. Cover image © Loan Ngyuen. ISBN 978-92-9222-377-9

#### Suggested citation:

Buzatu, A-M. 2018. Towards an International Code of Conduct for Private Security Providers: A View from Inside a Multistakeholder Process. London: Ubiquity Press. DOI: https://doi.org/10.5334/bbw. License: CC-BY 4.0



### Introduction

This paper was written during the set-up and establishment phase of the International Code of Conduct Association (ICOCA), the oversight and governance mechanism for the International Code of Conduct for Private Security Service Providers (ICOC). This institution, which was more than five years in the making, begins a new chapter in the regulation of private security companies¹ (PSCs). If the ICOCA is able to meet even some of its ambitious objectives, it has the potential to transform how the international community regulates commercial security actors and their activities.

However, the very existence of this institution raises an important question, namely why has the private security industry voluntarily submitted itself to regulation, and even invited other stakeholders to join it in this endeavour? In considering this question, one first needs to understand why there is a need for more effective regulation, or in other words why the existing regulatory approaches are lacking or not sufficiently robust to regulate PSCs effectively. Answering this reveals that underlying assumptions in traditional state regulatory approaches are increasingly questionable, particularly in the face of the growing numbers of private actors taking up activities with proximate impacts on human rights on an international scale. This has created an environment in which the accountability of the private security industry has come into question, with concomitant damage to the sector's reputation and calls for more stringent means of regulation of the industry, with some of the loudest voices coming from the PSC industry itself. This gives rise to a second question, asking what form this "more stringent means of regulation" should and could take, and furthermore how can it be developed? In this shifting climate, a number of creative initiatives have emerged whose approaches can be found along the axes of national/international regulation and private/public/public-private stakeholder participation.

Arising out of the recognition of these and similar challenges posed by a number of industry sectors is the nascent field of business and human rights (see SSR Paper 13²). The emergence of various other efforts using non-state or public-private mechanisms to regulate several different industry sectors better highlights that the challenges posed by the regulation of PSCs are not unique to the PSC industry, but rather are symptomatic of a more fundamental shift in the way business is carried out on a global scale. In this light, approaches to regulation which are jointly developed by both state and relevant non-state actors – processes which are sometimes referred to as multistakeholder initiatives³ (MSIs) – can be seen as pragmatic responses to governance gaps⁴ that are created by the manner in which international business is carried out today. Such initiatives aim to support effective governance by ensuring that commercial actors operate within a framework of rule of law and respect for human rights, with an overarching goal of preventing human rights abuses perpetrated against the civilian population. Effective multistakeholder regulation of the private security sector aims to achieve this ultimate goal by creating a framework of oversight which can provide assurance that PSCs are performing to international standards.

This paper argues that crafting a multistakeholder regulatory approach in which key stakeholders work together to develop standards that are appropriately adapted for the private sector, as well as to create governance and oversight mechanisms to hold PSCs to effective account, helps to fill some of the governance gaps found in traditional regulatory approaches. In presenting this argument, the paper describes the ways in which groups composed of diverse and sometimes inimical stakeholders can together craft better approaches and solutions than would result from the work of one stakeholder group alone. It also speaks to the limitations of these initiatives, and offers some examples for supplementing them that give a new take on the state's role in governance.

The paper has five main parts: a conceptual section presenting the context out of which the ICOC initiative emerged, two sections that present in chronological fashion the developments leading to the creation of the ICOC and ICOCA respectively, and two sections taking stock and looking ahead, reflecting on lessons learned from these multistakeholder processes and considering what further work is required to support the effectiveness of this approach in accomplishing its ambitious goals going forward.

In preparing this paper, the author draws on her own direct experience and resources obtained through participation as a neutral facilitator to develop the ICOC and ICOCA, including in the research and preparation for and conceptualization of the project, as well as in the meetings and drafting processes leading to the final agreed drafts of the ICOC and ICOCA. This is complemented by a review of the relevant literature as well as supplementary consultations with stakeholders involved in these initiatives. In the recognition that writing from such a position can compromise the impartiality of the approach, the paper has been carefully reviewed both internally and externally to address as far as possible these deficiencies. That said, where the paper falls short in this regard the author claims full responsibility and hopes that the benefits of providing an "insider" viewpoint account of these processes outweigh the negatives arising from a lack of an impartial perspective.

## Regulating Private Security Companies

The nature of the private security sector is characterized by two elements: the provision of security services, and their delivery by non-state actors. The convergence of these elements calls for new thinking about how and what kind of regulation can contribute to good governance of PSC security provision. A traditional approach to good governance of the security sector includes democratic oversight and control to help ensure that state security providers operate both effectively and accountably within a framework of rule of law and respect for human rights. PSCs have clear market-based incentives to be effective and efficient in their delivery of security to clients, but these incentives do not necessarily apply when it comes to respect for human rights within the population at large, accountability and transparency. Moreover, because PSCs have a different relationship to the state and democratic systems of governance, they are not typically covered by the same systems that ensure accountability and support transparency in state security provision. This creates a governance gap that non-traditional regulatory approaches can help to fill by ensuring that even though PSC staff are not under the same kinds of control mechanisms as are state security personnel, they still operate with transparency and accountability within a framework of rule of law and respect for human rights.

#### **The challenges of the private security sector**

Since the end of the Cold War the PSC industry has grown exponentially. Flourishing in a climate where state armies have been downsized, it provides a range of services supporting security provision – for both public and private clients – all over the world. Such services may include close personal protection, guarding of convoys and buildings, maintenance of weapons systems and advice to or training of state security personnel. As such, the services of private security providers can be said to impact the "public good"⁵ of security, including the human rights of the local population or "human security".⁶ This holds true regardless of whether PSCs are contracted to protect something or someone in particular, or to contribute more generally to increased public security, such as by supplementing the work of public security forces. This raises the spectre of asymmetrical obligations, in that the PSC may only have an explicit contractual obligation to protect a distinct and therefore limited portion of the security sector, such as a particular person or property, as opposed to protecting general public security. Furthermore, this limited portion that the PSC is contracted to protect may be interpreted as taking precedence over other parts of the security sector, such as the public at large. This state of affairs differs significantly from the traditional concept of the state monopoly on the use of force, whereby security services are provided by public actors for the public good of security, and raises the question of whether there is a need for additional regulation.

Given that the growth of commercial security providers is a direct result of both increased supply and increased demand, one could propose that market forces act as the primary regulatory mechanism, based on the logic that "bad" companies will eventually go out of business as their poor performance causes them to lose contracts. However, this reasoning relies on certain assumptions that may not always be valid, such as that information about prior poor behaviour will be available to future prospective clients, and further that clients agree about what constitutes "good" and "bad" behaviour. Given these considerable risks, one may ask why such companies are not prohibited altogether, so that security services are only provided by the state. The simple answer to an ostensibly simple question is that for a variety of reasons states are unwilling or unable to provide adequate public security, and also unwilling or unable to prohibit commercial actors from providing security on a private basis.⁷ Some of the more complex aspects to this question are teased out in the discussion below.

The answer to the question of who works for PSCs touches on some of these aspects. Typically, PSC personnel have prior experience in either state armed forces or the police – but not necessarily for the same state in which they provide commercial security services. Some personnel have served in forces with controversial reputations, such as in South Africa during apartheid,⁸ or have gained their experience as non-state actors supporting governmental coups⁹ or operating in informal military groups or militias.¹⁰ It is common for personnel working for one company – or even working in one security team – to hail from different countries. Additionally, a company offering commercial security services may operate in multiple sites located in different countries.

Market conditions, including a country's regulation, can affect where a company chooses to locate its headquarters. A state with very lax oversight and few regulatory requirements may attract PSCs to set up shop on its territory. Moving a security team or even a company's headquarters from one state to another also changes the governing legal regime regarding both national and international laws, including whether international human rights and international humanitarian law (IHL) apply and how they are enforced. All these factors – nationality of personnel, location of operations, home state of contractor and state of incorporation – can affect where, when and how various regulations apply to companies and their personnel.

This brings us to the essential point that at the international level commercial security provision has become increasingly delinked from the state and its traditional sphere of control. Such a change means that the traditional paradigms for security provision, and more importantly the traditional paradigm for its regulation, no longer suffice to provide assurance that commercial security provision meets minimum standards of effectiveness and accountability.

The impact of this shift has been hotly debated in recent times. The unprecedented appearance of large numbers of private security personnel during the Afghanistan and Iraqi wars in the early 2000s led to claims that PSCs operated with impunity¹¹ in a "legal vacuum".¹² Investigative reports citing a long string of violent incidents for which allegedly responsible PSCs were not held accountable¹³ fuelled public outrage about private security personnel who seemed able and even predisposed¹⁴ to violate human rights of the civilian population while evading the usual constraints and oversight that applied to state security forces. PSCs responded to criticisms by emphasizing the "ethical" nature of their services and adopting self-imposed standards and codes of conduct – evidence that they saw the lack of effective regulation and oversight as bad for the industry.

At the same time, another current of thought took a more pragmatic approach to PSCs, seeing a legitimate place for such actors in an increasingly politically complex world. PSCs would be well suited to perform the "messy" humanitarian interventionist tasks that Western military forces did not want to take on, so long as services were provided within an international system of regulation taking into account international norms and values, including transparency and respect for human rights.¹⁵ The call for the development of different regulatory frameworks which adopted human-rights-based standards and some kind of public-private international oversight body for PSCs was raised by a number of authors.¹⁶ Proposals were made that regulatory frameworks could be organized within the institutional auspices of the United Nations,¹⁷ or within an unconventional multistakeholder framework inspired by the emerging area of business and human rights.¹⁸

All concerned stakeholders, including the PSCs themselves, agreed that existing regulatory approaches were not sufficiently robust to provide good governance of PSCs. Governments found they were often unable to regulate PSCs effectively and hold them accountable (see the section below on Blackwater). Civil society organizations (CSOs) protested incidents where PSC activities violated human rights, with seemingly little available in effective control or sanctions.¹⁹ PSCs, most of which provided security services without incident, found themselves to be subjects of intense criticism, portrayed as violent and dangerous actors operating with impunity. To understand better the context out of which this difficult situation arose, it is helpful to take a closer look at the existing approaches to regulation and the challenges PSCs posed to them.

#### **International law and private actors**

Since the mid-seventeenth century the traditional approach to international order has been based on the view that only sovereign states enjoy international legal personality, meaning that only states have rights and obligations under international law.²⁰ The traditional approach relies upon states to set international standards and reach agreements for international law, as well as to enforce those standards and agreements upon the territories they control. If other governments become aware that a state is not enforcing its international obligations upon its territory, a variety of international responses have been developed, from stern diplomatic *démarches* to economic sanctions or launching an armed conflict against the offending state.

However, particularly in this last case, international law has evolved to include the doctrine that only in cases where a state's failure to meet its international obligations constitutes a threat to other states should the international community take forceful action, including in the form of launching an armed conflict against a non-compliant state. The notions of "collective security" and "collective self-defence" have made appearances in numerous international agreements on security and international order,²¹ and have been most recently enshrined in Chapter 7 of the UN Charter. While this restrictive approach has helped to reduce the number of international armed conflicts, in large measure this state-centric approach overlooks the plight of the vast majority of the ultimately intended beneficiaries of these international agreements: the civilian population, whose human rights states carry international obligations to protect.²²

Viewed from this vantage point, certain weaknesses in the traditional state-centric approach to international regulation come to light, exposing underlying assumptions that are not always valid. The first of these assumptions is that a state has *effective control* over its territory. While there is no exact definition of what constitutes "effective control", various authorities have evoked elements describing it as "exercising the functions of government"²³ over a territory and population.²⁴ In the case of private security, even if there was agreement on minimal prescriptions of effective control, there would be no guarantee that a state would have the willingness or capacity to govern PSC activities to the extent necessary to meet the requirements of providing accountability within a framework of rule of law and respect for human rights. A second assumption is that a state's resident population remains reasonably static – and conducts the vast majority of its activities – within a territory where it is subject to the state's regulatory regime. While it was known there would be visitors from one country to the next, as well as commercial transactions conducted between residents of different states, these transnational activities were understood to account for a small percentage of activities regulated by the state, and in any case the vast majority of these transnational transactions were assumed to have very little or no relationship to or impact on the core state functions that would be the subjects of international agreements among states.

In a considerable and growing number of states one or both of these assumptions no longer holds true, leaving *de facto* gaps in regulatory effectiveness. Commentators have argued that the gradual shift from the pre-1945 "law of coexistence" era characterized by the Westphalian order to the "law of cooperation" that began to take shape after the Second World War²⁵ was a result of the international community realizing that there were areas important for their domestic interests which they could regulate more effectively together. This recognition of common interests²⁶ led to an increase in the development of international agreements and multilateral organizations with mandates covering specific subjects such as labour rights, intellectual property, food security and distribution, and public health – areas that were "historically the province of national governments only in their domestic relations" between "state and citizen… not between state and state".²⁷

These common interests have only increased as the world has become proverbially smaller, and more activities and transactions impacting on a domestic level are carried out on a transnational level by private actors. Additionally, the number of sovereign states has nearly tripled since the Second World War, and a growing number of states are deemed to be weak or failing,²⁸ no longer in effective control of part or all of their territories. With travel and communication across borders becoming more accessible, increasing numbers of activities are conducted by private actors outside their official country of residence – sometimes without the person even being physically present on the territory within which the activity takes place.²⁹ This evolving situation gives rise to a world in which international "common interests" concern matters not only between state and state and citizen and state, but also between citizen and citizen, where citizen activities may even take on governance aspects. This is especially true in the private security arena, where private actors directly impact the public goods of national and human security.

#### **National and international regulatory responses**

In recognition of these challenges to private security governance, states, industry and other actors have developed various responses in order to mitigate governance gaps. These initiatives can be grouped along the axis of public, public-private and private initiatives at the national and international levels. Table 1 sets out some examples of these various initiatives, which will be discussed in the following sections.


**Table 1: Regulatory initiatives across the public-private axis**


When it comes to the efficacy of regulation on the national level, many of the same challenges and weaknesses described above in relation to international regulation also apply. A state needs to have control over its territory and residents in order to enforce its own laws and regulations effectively. Even when a state is able to achieve this within its own territory, it still does not address the challenge posed by its residents engaging in activities and having impacts beyond its territorial borders. In response, one growing trend is for a state to enact laws that apply beyond its borders or have extraterritorial reach. However, the effectiveness of these kinds of laws is mixed, as the examples given in the following subsections illustrate. Even the most developed states lack oversight regimes that are designed, or are able, to enforce domestic legislation effectively abroad. The limits of national regulation to govern actors effectively beyond a country's borders have encouraged the participation of private actors in different governance frameworks.

#### *Private regulations on the national level*

Recognizing the need for more effective national regulation, industry organizations have taken it upon themselves to develop codes of conduct for their members. These codes endeavour both to set standards for the commercial provision of security and to provide some measure of assurance that their members are operating in compliance with the codes. Both the American industry group International Peace Operations Association and the now-defunct British Association of Private Security Companies have developed such codes, which contain human-rights-based standards for their members to follow. The fundamental weakness of these codes, however, lies in their lack of effective enforcement power.

#### *Public regulations on the national level*

South Africa has enacted some of the most stringent extraterritorial legislation to date, aiming to regulate private security and military activities beyond its borders. These include the Regulation of Foreign Military Assistance Act 15 of 1998 (FMA), and its intended replacement, the Prohibition of Mercenary Activities and Regulation of Certain Activities in Country of Armed Conflict Act 27 of 2006.³¹ These laws endeavour to prohibit mercenary activities and regulate all forms of military assistance carried out in areas of armed conflict by persons with ties to South Africa, including citizens, permanent residents, companies incorporated in South Africa and persons who recruit persons for such activities within South Africa's territorial borders. While the exact numbers are unknown, reports range from thousands³² to hundreds of thousands³³ of such persons engaging in these activities outside South Africa's borders. Taking an approach similar to arms export regimes, these laws require security service providers to obtain authorization from the South African National Conventional Arms Control Committee before providing military and security services outside South Africa.

While wide-reaching in scope and purpose, the FMA has had difficulty in reaching the apparently large numbers of concerned persons who are violating the law. Convictions under the FMA have been few (less than ten), all taking the form of plea-bargains in which the defendants paid fines and served no jail term. In fact, in the few cases that went to trial, all defendants were acquitted.³⁴ Experts speculate that the lack of convictions is due in part to the possibly unconstitutional nature of the legislation,³⁵ as well as to the practical difficulties of enforcing legislation extraterritorially.³⁶ In essence, this would require that other countries and the companies operating within them were aware of South Africa's legal requirements, and then enforced or followed them.³⁷

Another example of difficulties in effectively prosecuting PSCs operating abroad can be found in the September 2007 Nisour Square incident in Baghdad, Iraq. Nearly seven years after the incident, in which personnel of the PSC then known as Blackwater killed 14 civilians and wounded 20 more, a trial relating to the event was finally concluded, resulting in convictions of manslaughter against four personnel. However, the trial was initially dismissed, appealed and eventually petitioned to the US Supreme Court because of the alleged mishandling of the investigation by the US State Department's Diplomatic Security Services, which defendants argue tainted evidence such that it was not suitable to be admitted in a criminal trial – and this points to the kinds of challenges faced by states in conducting investigations outside their own territories.³⁸ The long series of dismissals and procedural delays only served to reinforce claims of there being a "legal vacuum" regarding these actors. Simply put, the normal criminal oversight and investigation procedures of states are not designed nor typically sufficiently resourced to be carried out on foreign territory, and domestic criminal courts face significant challenges in prosecuting crimes committed abroad.

#### *Public-private regulations on the national level*

In an effort to establish a more effective industry organization, in January 2011 the UK government engaged in a novel public-private partnership with another industry body, the Security in Complex Environments Group (SCEG), which is housed within the Aerospace, Defence, Security and Space Industries (ADS) organization. This organization is governed by seven industry representatives elected by SCEG members, supported by affiliate members from ADS and the UK government's Foreign and Commonwealth Office and Department of Transport.

Switzerland passed a law at the end of 2013 which exercises extraterritorial regulatory reach and also relies in part on the oversight functions of the ICOCA. Addressing PSCs either domiciled in or operating from Swiss territory, the Federal Act on Private Security Services Provided Abroad39 regulates companies providing private security and related services outside Switzerland and European Union/European Free Trade Area states. In addition to imposing a number of requirements related to training, identification of personnel and declaration by the PSC of the services it is providing, it requires the companies providing security services to join the ICOCA, the oversight mechanism for the ICOC.40

#### *Private regulations on the international level*

While within the increasingly internationalized security marketplace a "binding international agreement" would seem to be a logical and effective approach to regulating PMSCs, it would only be one piece of the puzzle in an effective response. This is because, as described above, only states can undertake these obligations, meaning that they individually agree to act in accordance with the international instrument.41 In the absence of a supranational body with policing or enforcement functions, states cannot be compelled to join an international agreement in the first place, and, as discussed earlier, in cases of non-compliance the available sanctions are limited and generally have a disproportionately negative impact on the civilian population. Several different additional approaches on the international level have evolved to influence the behaviour of state and non-state actors. These efforts, which have largely taken place outside the traditional processes for developing and negotiating a treaty, point to "soft" international regulation which eschews "binding" international legal standards in favour of normative efforts that aim to change the way both public and private actors behave. As such, they have contributed to the development of public-private and multistakeholder regulatory approaches, including the ICOC initiative.

#### *Private regulations on the international level*

One such initiative is the Fair Labor Association (FLA), which was very influential in the development of the ICOC. An MSI that began in 1999, the FLA aims to improve labour practices internationally by monitoring company compliance with international labour standards. Importantly, this MSI conducts independent audits of factories worldwide, providing public reports of their findings that are available on the initiative's website. However, the FLA has received criticism for not including labour unions as part of its membership,42 as well as for being too sympathetic to the industry,43 which pays for the vast majority of the initiative's running costs.44 Furthermore, while this MSI includes companies, colleges and universities and CSOs in its members, it does not have representatives of government as part of its membership.

#### *Public regulations on the international level*

Taking a more traditional state regulatory approach, the UN Working Group on the Use of Mercenaries (UNWG) produced the draft International Convention on the Regulation, Oversight and Monitoring of Private Military and Security Companies (UNWG Convention).45 First released in late 2008, the draft UNWG Convention is intended to be binding on its state signatories and also seeks to establish new rules and procedures *vis-à-vis* PMSC46 regulation.

The draft UNWG Convention provides guidance to states in their regulation of PMSCs in several areas. For example, it asks them to enact special regulation, including registration and licensing of PMSCs and prohibitions on PMSCs using "weapons of mass destruction"47 or participating in the overthrow of governments.48 In terms of PMSCs, it lists some "inherently governmental" activities which they should not perform, including "waging war and/or combat operations, taking prisoners, espionage, intelligence and police powers, especially the powers of arrest or detention, including the interrogation of detainees".49 It also provides some guidance on the use of force and firearms by PMSC personnel.50 Interestingly, aside from the crime of operating without a licence, the draft UNWG Convention does not create any new criminal offences for either PMSCs or their personnel.51 It does reiterate that states should penalize crimes under certain existing conventions, but presumably these would already be crimes in national law under the terms of those conventions ratified by states. As such, the text of the UNWG Convention does little to articulate new international standards or create new state obligations regarding PMSCs.52

Regarding oversight and accountability of PMSCs, the draft convention envisages two principal methods of enforcement. First, states would undertake to implement measures at the national level that would give flesh to their obligations under the convention. In this respect, PMSCs would be subject to the implementing legislation of the signatory state and not directly under the convention principles themselves.53 Second, it foresees the establishment of an international committee that would oversee the implementation by states of the convention, and could also potentially act as a forum for bringing complaints to the attention of states.

In terms of state responsibility, it contains an explicit attribution of responsibility by stating that "each state party bears responsibility for the military and security activities of PMSCs registered or operating in their jurisdiction, whether or not these entities are contracted by the State".54 This statement clearly affirms responsibility for states providing security services within their territory. Including PMSCs "registered in their jurisdiction" could also refer to those companies operating outside their jurisdiction, therefore potentially requiring the development of extraterritorial legislation and an enforcement framework.

By engaging international law and state responsibility, the draft convention does have potential international legal power. It reaffirms the traditional international principle of state sovereignty,55 and its approach relies on state structures of investigation, adjudication and enforcement. Furthermore, one of the greatest strengths of the draft convention can be found in its provisions to coordinate the investigation, extradition and prosecution of PMSCs and their personnel56 in a manner that could be called a framework for future mutual legal assistance treaties. It also creates an international committee which looks very similar to other treaty-based international committees,57 and proposes a model for licensing import and export of PMSC services, evoking small-arms trade agreements. Under this logic, in a similar manner to the South African legislation described above, private security services are likened to arms and traded in a similar manner. This framework could offer more structured control to "importing" states, providing a more standardized basis – or not – for PMSCs to operate on their territory.

Unfortunately, the draft convention does not solve many of the biggest challenges posed to state regulation by PMSC activities. As discussed above, many states that have PMSCs operating on their territory do not have effective control, and relying on territorial state enforcement in these circumstances is unrealistic. Furthermore, it fails in large measure to set and harmonize international standards, instead relying on individual states to carry out enforcement on a state-by-state basis. As standards and enforcement can vary significantly among states, so could standards and enforcement under this convention. Finally, while it establishes a complaints process58 for the international committee to hear allegations of violations, only state parties to the convention have the standing to file a complaint that *another state party* is not upholding its state obligations to regulate PSCs effectively. In practical terms, this means that members of civil society who have been negatively impacted by PMSCs would have to rely on *another state* outside the one in which they are located to bring the matter to the attention of the committee.

Perhaps the draft convention's greatest weakness, however, is one of politics rather than of substance. Elaborated under a "mercenary" mandate, the UNWG is not supported by many states that have closer links to private security services, or within the PMSC industry itself. Voting patterns in the UN Human Rights Council and General Assembly show support for the UNWG and the UNWG Convention coming from the G77 group of states, with consistent opposing votes from the Western European & Others group.59 Under these circumstances the draft convention faces the near-impossible task of generating support within the industry and states from and within which it operates – and their ratification would be essential for the draft convention to have a chance to be effective.

The lack of political support may provide an explanation for the lack of further development of this draft since its release at the end of 2008.60 It has arguably had more of a normative influence as a "soft law" instrument reinforcing the traditional state-centric regulatory approach to PMSCs, finding support among many civil society groups and some states. Furthermore, in the years since its release the UNWG has taken a more pragmatic turn, showing itself to be more open to a variety of regulatory efforts and good practices for the regulation of PMSCs. Its efforts have included a project for developing a database of national regulation of PMSCs, and acknowledging the "complementary" nature of its objectives with those of the Montreux Document (see below) and the ICOC initiative.61

#### *Public-private regulations on the international level*

In addition to more conventional approaches to international regulation, the UN has been involved in several public-private initiatives with a view to improving regulation of the international commercial sector. One of the first initiatives of this kind, the UN Global Compact (UNGC), has enjoyed a resurgence of late. PSCs were not the only businesses to see their market grow exponentially after the end of the Cold War. In the 1990s multinational corporations shifted away from traditional "external" trade negotiated between states to a model where international business transactions were carried out within "internal" international corporate networks that largely left states out of the picture.62 Amid increasing reports about sweatshops, child labour63 and abuses by private security firms protecting company installations, there was increased concern about human rights being violated by these corporations.

In response, the UNGC, an initiative to encourage businesses all over the world to adopt socially responsible, human-rights-compliant and environmentally friendly practices and to provide reports on their implementation, was officially launched in June 2000. It consists of ten principles in the areas of human rights, labour standards, the environment and anti-corruption efforts.64 The UNGC is not a regulatory instrument, and companies that declare their support and intention to comply with its principles are not subject to any oversight; rather its primary function is to serve as a forum for discussion on the issues surrounding business and its impacts on human rights.

Member companies are expected to implement the principles in their business strategies, and integrate these into their day-to-day operations and organizational culture. Companies are not the only participants in the UNGC, which also includes other UN agencies, CSOs, academics, business associations, labour organizations and cities, which pledge to translate the UNGC principles into day-to-day urban governance and management. Recently the UNGC has tried to increase non-business participation, launching in October 2013 a "communication on engagement" tool suggesting ways in which non-business participants can support UNGC implementation.

While the UNGC boasts more than 12,000 participants, it has received a fair amount of criticism, in particular for the initiative's lack of oversight and accountability mechanisms. Critics point out that a company's status as a participant gives no assurance that it actually operates in compliance with the principles, providing it with a positive public relations vehicle that is not necessarily merited (also known as "bluewashing"65). Complaints raised by CSOs alleging violations of the UNGC by participating companies have resulted in no action on the part of the UNGC.66 Additionally, critics have claimed that companies use the UNGC as an entry point to influence UN policies, as well as an excuse to discourage states from pursuing binding international regulation.67

In another initiative to promote corporate respect for human rights, the UN Commission on Human Rights (now known as the Human Rights Council) created a mandate in 2005 for an expert, Special Representative John Ruggie, to consider the issue of business and human rights. In consultations with companies, state representatives, non-governmental organizations (NGOs), human rights academics and other experts, he developed a three-pillar framework identifying the state duty to protect human rights, the corporate duty to respect human rights and the right of individuals to have access to an effective remedy, otherwise known as the "protect, respect and remedy" framework. This formed the basis for the much more elaborated Guiding Principles on Business and Human Rights: Implementing the United Nations "Protect, Respect and Remedy" Framework (Guiding Principles), which were endorsed unanimously by the Human Rights Council in 2011.68

The first pillar of the Guiding Principles recalls the state's duty to protect against human rights abuses by third parties, including businesses. In upholding this duty, the state must take "appropriate steps to prevent, investigate, punish and redress such abuse through effective policies, legislation, regulations and adjudication".69 The commentary to the Guiding Principles explains that this duty to protect is a "standard of conduct", and as such a state is not necessarily responsible for the abuses conducted by private actors, but could be if it has failed to take appropriate steps to "prevent, investigate, punish and redress" these abuses. States should also "promote respect for human rights by business enterprises with which they conduct commercial transactions",70 with the commentary explaining that states have an opportunity through their procurement practices to promote respect for human rights by businesses, "including through the terms of contracts".71 It also highlights the increased risk of "gross human rights abuses" by companies operating in conflict-affected areas, identifying several risk-mitigating strategies that states can undertake.

The second pillar articulates a corporate responsibility to respect human rights, explaining that companies "should avoid infringing on the human rights of others" and should address negative human rights impacts in which they are involved.72 The Guiding Principles go on to refer to the rights expressed in the International Bill of Human Rights and the International Labour Organization's Declaration on Fundamental Principles as articulating the minimum set of human rights that companies should respect.73 Companies are advised that, in order to fulfil their responsibility to protect, they should have in place appropriate policies and processes to exercise due diligence74 in preventing and remediating adverse human rights impacts. The document then explains what some of these policies and processes should look like, including those for carrying out human rights impact assessments,75 promoting transparency76 and providing remediation.77

The third pillar sets out a framework for access to remedy by those who have been adversely affected by human rights abuses. It sets out operational principles for state-based judicial and non-judicial mechanisms, as well as non-state-based grievance mechanisms, including those found in human-rights-based "industry, multi-stakeholder and other collaborative initiatives". Principle 31 offers guidance on how grievance mechanisms should look and the process for developing non-judicial grievance mechanisms.

The Guiding Principles have been generally, though not unanimously, well received by both public and private sectors, with the UN creating a working group on business and human rights in 2012 to take over Special Representative Ruggie's mandate. They have been referenced in numerous documents, tools and other guidance developed by companies, academics, governments and international organizations.78 However, as a soft law instrument they have also been criticized for not being sufficiently robust, with many CSOs and governments calling for more stringent "binding law" in the form of an international agreement. To this end, in June 2014 the twenty-fourth session of the Human Rights Council adopted by contentious vote a resolution to create an open-ended working group to draft a binding instrument on human rights and transnational corporations.79

International public-private initiatives to improve respect for human rights by the private sector have also taken place outside the UN. With states, companies and NGOs constituting the three pillars of membership, the Voluntary Principles on Security and Human Rights (VPs) were launched in 2000 to develop human rights guidelines for extractive companies' engagement with both public and private security forces that protect their installations. The VPs provide a forum for exchange among the different stakeholders. Each year the stakeholders are expected to produce an annual report on their efforts to implement the VPs, although, with the exception of the civil society pillar, these reports are generally not made public. The initiative can also undertake "in-country VPs processes", which endeavour to implement the VPs in countries where there is a significant number of extractive installations. Despite these efforts, the VPs initiative has been the subject of much criticism from the civil society pillar, in particular for its lack of independent assurance or oversight of VPs' implementation.80 Consequently, most of the human rights advocacy CSOs have left the initiative, including Amnesty International and Oxfam,81 with CSOs which provide human rights consulting services to companies making up the bulk of the diminished CSO pillar. This has led to concerns that the CSO pillar is not sufficiently independent from the company pillar to represent fairly the interests of local communities.82

#### *In focus: The Montreux Document*

The Montreux Document on pertinent international legal obligations and good practices for states related to operations of PMSCs during armed conflict aimed to address the negative impacts of private security activities on IHL and human rights. Concerned by reports of wrongdoing by PMSCs, particularly within the context of armed conflicts, and further assertions that PMSCs operated in a "legal vacuum",83 the Swiss government set out to demonstrate that in fact IHL did apply to PMSCs operating within an armed conflict, and further to set out pertinent state legal obligations required under existing IHL *vis-à-vis* these non-state actors. To achieve these objectives, the Swiss partnered with the International Committee of the Red Cross to launch a process that came to be known as the "Swiss Initiative", bringing together states to develop and crystallize this understanding, and also inviting members of the PMSC industry, CSOs, academics and other relevant stakeholders84 to contribute their expertise to the process.85

Between January 2006 and September 2008 four meetings were organized to consider existing treaty obligations arising out of the Geneva Conventions as well as to consolidate good practices for governments in their interactions with PMSCs. The resulting Montreux Document offers a new take on international regulation, interpreting existing binding treaty law contained in the Geneva Conventions and their additional protocols/customary law86 through the lens of the modern phenomenon of non-state actors operating in areas and functions that traditionally had been the province of state actors. It takes the approach of organizing state obligations according to the state's relationship to a PMSC, categorizing states as:


These categorizations are particularly notable for recognizing cross-border or transnational state obligations under international law, which are defined by the particular relationship of a private company to a state.88 The recognition of these relationships and subsequent responsibilities has helped to bring new clarity to the discussions of regulatory options, giving granularity to general principles that had been too ambiguous to implement effectively.

Turning to the issue of state responsibility for actions committed by PMSCs and their personnel, while the Montreux Document recognizes that merely entering into a contract does not in itself engage the responsibility of states, it reaffirms customary international law on attribution of responsibility to a state in specific cases for acts committed by non-state actors.89 It also sets out a standard for "superior responsibility" for the actions of PMSC personnel that arguably went beyond customary law, stating that superiors such as governmental officials *or directors/managers of PMSCs* "may be liable for crimes under international law committed by PMSC personnel under their effective authority and control",90 while nevertheless specifying that "superior responsibility is not engaged solely by virtue of a contract".91 Of note is the inclusion of non-state commercial management in the category of those who may bear criminal responsibility for actions of their personnel. Taking a similar approach to the draft UNWG,92 the Montreux Document also sets out some limits as to what states could outsource to PMSCs, articulating a set of inherently governmental functions derived from IHL.93

In addition to articulating state obligations, it identifies 73 good practices that states should adopt *vis-à-vis* PMSCs operating both in areas of armed conflict and outside armed conflict. Grounded firmly in international law, particularly international human rights law, these good practices have contributed significantly to the ongoing and emerging discussions about companies' corporate responsibility to respect human rights in their activities, as well as providing a foundation for the subsequent ICOC.

The Montreux Document is notable for a number of reasons. Although the fruit of (mostly) state discussions and grounded in public international law, it was agreed and endorsed not through international treaty negotiations but through an innovative process of interpreting existing obligations in light of new challenges. Endorsing states publicly asserted that they understood their obligations as contained in previously agreed treaties to conform to the new interpretation contained in the Montreux Document, and, through an official communication to the Swiss government, they became "participating states".94 This resulted in a curious juxtaposition of earlier state commitments made when such scenarios and actors were not yet on the radar being "recalled" in light of these newly identified challenges, and the creative use of terms such as "participating" (instead of "signatory" or "ratifying") to indicate a state's support for the document. It proceeded on the assumption "that certain well-established rules of international law apply to states in their relations with private military and security companies (PMSCs) and their operation during armed conflict",95 and that these well-established rules included IHL and human rights law. This formula, whereby existing rules and laws were restated to describe explicitly how they should be applied to PMSCs, would be used again in the development of the ICOC.

Furthermore, the manner in which the Montreux Document was finalized and in which states demonstrated agreement with the text distinguished it from traditional international agreements. States verbally stated their approval to the assembled group; states and international organizations endorsing later did so by sending an official letter to the Swiss Federal Department of Foreign Affairs in which they communicated their support for the document.96 At the time of writing another 34 states have communicated their support, bringing the total to 52 participating states, along with three international organizations.97

Finally, from the outset of the initiative non-state actors and experts were involved in the conversations to inform these interpretations, and to help ensure that they were relevant and made sense in light of current industry practices. While these non-state actors were not the primary addressees of the Montreux Document and did not hold state obligations in regards to PMSCs, they nevertheless had an important part in influencing the document.

At the last meeting on 17 September 2008, along with the endorsing states, there was clear appreciation of the Montreux Document from participating non-state actors, including members of human rights CSOs, academics and PMSCs. However, there was also a sentiment from the industry that more was needed to make regulation effective. While welcoming the Montreux Document, industry representatives noted that since it relied largely on states to give it effect, the document did not really address the challenge of weakened rule of law where states were not upholding their obligations. At the close of the meeting industry participants called on Switzerland to help them develop regulation "with teeth" that applied directly to the PMSCs themselves. This call was answered by the Swiss government with the launch of the ICOC initiative.

# Developing an International Code of Conduct

This section takes an in-depth look into the efforts of the Swiss government to develop international standards for the private security industry. It describes the processes undertaken to identify the most important challenges posed by this industry to human security, and then to provide tailor-made responses forming the foundation upon which the international standards were based. Some of the key provisions of the ICOC are then considered in more detail, explaining how they are meant to respond to the identified challenges. The section also describes how an initiative which began as being essentially industry-driven then took on the character of an MSI.

In January 2009 the Swiss government initiated a complementary effort to improve accountability of the private security sector. From the outset, the initiative aimed to address the most pressing challenges to effective private security regulation: the absence of clear international standards for how PSCs should operate, and important *de facto* gaps in the accountability of PSCs to such standards. Nearly all existing national and international laws relied on states' effective and jurisdictional control to implement them, which, as discussed above, could be lacking. There was also a strong desire expressed by the PSC industry to have one clear international standard describing what "good" private security provision looked like. Developing more universally accepted benchmarks for the provision of private security would help PSCs to streamline their operations as well as to ensure that personnel operated in accordance with such standards. However, at the outset of this process in late 2008/early 2009, there was no "how-to" manual offering clear instructions for achieving these objectives. As a result, the project facilitators98 set in motion an iterative process that first aimed to acquire a thorough understanding of real on-the-ground challenges posed by PSC activities, and then began to develop tailored responses to those challenges. Building on the substantial foundation of the Montreux Document, the Guiding Principles and experiences of other business and human rights initiatives, the initiative learned as it went along, eventually taking on the character of an MSI.

#### **A second Swiss initiative**

It helps to set the clock back to late 2008 to understand why a code of conduct path was chosen. At this time the Afghan and Iraqi wars had been going on for more than five years, with reports that the numbers of private contractors operating in these environments exceeded US personnel on the ground.99 In response, a number of different entities,100 including industry groups and even the US Congress, tried their hand at different approaches to regulation, with limited apparent success (see the subsection above on national regulations). Against this backdrop three elements converged:


The Nisour Square incident served to further inflame earlier contentious discussions about the lack of clear standards for private security actors. At the same time, the US difficulties in swiftly and effectively investigating and prosecuting the personnel involved put a spotlight on the challenges faced by states to hold accountable PSCs operating in complex environments. However, instead of helping to build international consensus, the response of a portion of the international community, epitomized by the development of the draft UNWG Convention in 2008, only served to increase the north-south divide, with the two sides too far apart in their positions to begin any substantive dialogue on international standards or mechanisms to improve PSC accountability. In the face of such an impasse, the second Swiss initiative offered a potential way forward.

This is not to say that the Swiss efforts to improve regulation and accountability of the private security sector were universally appreciated. At the start of the ICOC initiative the UNWG, the force behind the draft UNWG Convention, was very sceptical of both the Montreux Document and the ICOC,101 criticizing the lack of involvement of Latin American and Caribbean states and the strong participation of "Western states" as showing "the heavy involvement of countries from where most of the security industry originates and operates".102 While South Africa was supportive of the Montreux Document, it has echoed similar criticisms *vis-à-vis* the ICOC initiative.103

While on its face it seemed obvious that any international standard should have as its "purpose… to oblige such companies to comply with international human rights standards and the norms of international humanitarian law (IHL), thus improving the protection of human rights",104 less clear was how to develop the initiative to achieve this purpose. To kick off the consultations, three workshops were organized during the first part of 2009 to speak directly with the most implicated stakeholders: the industry (March 2009), civil society/academic subject-matter experts (April 2009) and states/international organizations (May 2009). These early discussions set the tone for the initiative and helped to lay the groundwork for the eventual ICOC text.

These initial workshops were organized in stakeholder groups, reflecting an early belief that this approach would foster more frank and open discussions as participants would feel more comfortable voicing their honest concerns among presumably more like-minded participants. Early discussions were structured into two parts: identifying standards and good practices for PSCs and related services, and effective accountability mechanisms for PSCs and related services. While each stakeholder group voiced distinct areas of priority, there was no obvious area of conflict between any given stakeholder groups, and furthermore there was a great deal of overlap in terms of both identified challenges and proposed responses.

In addition to these workshops, bilateral consultations were held during this period with a number of non-state clients – both multinational corporations (primarily extractive industry companies) and humanitarian organizations using PSCs to improve the security of missions conducted in complex environments.

#### **Developing a new multistakeholder approach**

Most of the areas of discussion in early 2009 are still relevant more than half a decade on, with several now-familiar themes making the first of many appearances in the process. These ranged from the areas of operation in which the initiative should be applicable to the kinds of activities that should fall under its scope.

#### *Industry workshop (March 2009)*

Before trying to define clear international standards for how PSCs should operate, it was important to understand more precisely the nature of their service offerings. Industry stakeholders participating in the workshop were keen to make a distinction between the services they provided and those offered by so-called "mercenaries" or state armed personnel. In particular, while they did sometimes provide services in the context of an armed conflict, participants stressed that their personnel did not directly participate in hostilities, and furthermore that they also provided services in areas that were not experiencing armed conflict. There was consensus that any standards should be applicable in any operational context. Consequently, participants felt that while the Montreux Document and IHL were important standards to build upon, a code of conduct should primarily be based upon international human rights standards.105

Discussions led to an overall consensus that the appropriate scope for a code of conduct would cover those activities that have a high likelihood of affecting human rights (e.g. right to life). This and other similar discussions found expression in the eventual ICOC text, which covers both armed and non-armed security services, but also adds the notion of "armed services", including "any other activity for which the Personnel or Companies are required to carry or operate a weapon in the performance of their duties".106

During the discussions industry participants additionally raised the common practice of contracting out security services to other service providers, and emphasized that all subcontractors should be held accountable to the same requirements and standards as the contractor. The notion of "due diligence", including in the context of hiring subcontractors, would also feature prominently in the ICOC (see discussion below on subcontractors).

Turning to the topic of identifying potential accountability, oversight and enforcement mechanisms, two distinctive approaches emerged as alternatives for ensuring the oversight and enforcement of an international PSC code of conduct: a model based on the enforcement of common standards on an *ad hoc* state-by-state basis, and a model where standards would be enforced by a centralized international body, possibly an international secretariat, international industry association, international complaints commission or, as some suggested, an ombudsperson type of institution. Most participants argued that, if empowered with robust oversight and enforcement powers, an international body would be capable of addressing some of the governance gaps caused by incomplete national regulatory regimes and/or limited ability/willingness on the part of some states to regulate the PSC industry.

In terms of the actual functions of such an oversight body, some participants expressed scepticism as to the capacity of an international non-state body to investigate offences committed by a PSC on the ground. It was suggested that its primary functions should be to receive complaints alleging violations of the code, advise the competent state authorities on alleged violations for further investigation, and impose sanctions and/or suspend membership in the case of established misconduct. Participants reaffirmed the importance of the state's role in applying and enforcing criminal sanctions, recognizing that the oversight mechanisms would not be a substitute for this power. Moreover, the role of the state as contractor and its capacity to incorporate the code of conduct standards in its procurement practices were singled out as important means of enforcement, giving leverage that could help ensure the compliance of PSCs with a minimum set of rules, yet high respect for human rights standards. Such an arrangement could lead to the exclusion of non-compliant PSCs from bidding procedures and provide a legal contractual remedy against PSCs in cases of breach of contract, which would include breach of the code. This notion of "co-regulation", in which a state actor requires compliance with a non-state governance framework of international standards, was a common theme in the three preliminary workshops as well as throughout the process, and has become an important element of enforcement of the code.

#### *CSO workshop (April 2009)*

Participating CSOs evoked here many of the same themes that were discussed in the industry workshop, with more of the discussion focused on possible models for oversight and accountability mechanisms as well as the need to ensure effective remedies for victims. In a similar fashion to their industry counterparts, CSO participants agreed that IHL and human rights standards should be the basis for a code of conduct for PSCs, but there was some concern that creation of such a code could create two tiers of PSCs – legitimate PSCs willing and able to comply with the code, and those PSCs that were not. Some expressed the concern that those actors falling outside the application of the code may actually be those in more need of accountability. This raised the larger issue of *voluntariness* of the code, and the worry that without state enforcement powers requiring compliance such a document would only serve to validate the practices of the "good" companies that were already operating largely in compliance with humanitarian and human rights standards, and not require improvement on the part of those companies which were not.

A discussion followed on the recent efforts of national courts to apply laws primarily meant for state agents to civilian contractors, with participants acknowledging that these had not been wholly effective, and further that they had created confusion regarding how PSCs should be treated under existing law. This led to the recognition that uniform international PSC standards could make a critical positive contribution to effective industry regulation. Such standards, it was generally acknowledged, could not only have a *preventive effect*, lowering the number of human rights violations, but could also have the potential to provide more clarity to national courts on the appropriate standards for compliance with human rights by transnational PSCs. Furthermore, non-judicial grievance mechanisms could add value in their own right by supplementing available national judicial remedies and supporting victims' access to effective remedies.

CSO workshop participants also expressed a clear preference for an international oversight body, which at a minimum should be mandated to receive complaints from people affected by the conduct of PSCs and oversee whether PSCs were respecting the ICOC. A central issue discussed here was how to make a code of conduct enforceable. All participants affirmed the primary role of the state in ensuring compliance with and punishing violations of law, while recognizing that implementation varied significantly from state to state and even from case to case. While some were of the opinion that an international code of conduct might require implementing national legislation to give it legal enforceability, others felt that such a code could be applied principally through incorporation into PSC contracts, providing legal contractual remedies against a PSC in case of breach, which could include violations of human rights. This theme of mixing state and non-state regulatory mechanisms to improve accountability, or "co-regulation", was continued in a discussion using the example of the UK Law Society and Bar Council, whereby some kind of validated adherence to industry standards would be required for engagement in the "profession", with the state requiring that only members in good standing with the oversight body could offer PSC services for hire.

#### *States and intergovernmental organizations workshop (May 2009)*

Participants at the last preparatory workshop represented both regulators and clients of PSCs, and discussions primarily reflected these two perspectives. Hence the main areas of discussion centred on the means of effectively overseeing PSCs and the particular challenges and needs of PSC clients. While it was generally agreed that national regulation should provide the primary means of holding PSCs accountable, as in the previous workshops it was recognized that national legislation alone was often not sufficient. Participants representing clients noted that they would find a reliable means of differentiating between PSCs useful, expressing hope that a suitable international code of conduct would become the benchmark against which all key buyers and suppliers of PSCs would be measured. To that end, the creation of a central public register or database of PSCs currently in compliance with an international code of conduct would be an indispensable resource for many entities contracting PSCs.

#### *Multistakeholder workshop (June 2009)*

This first phase of the project culminated in bringing all involved stakeholders together for a conference organized by the UK-based organization Wilton Park,107 held in Nyon, Switzerland, in June 2009. The conference was well attended, with nearly 50 representatives from PSCs, civil society, academia, non-state clients and states, including four of the P5 states.108 The key outcomes of the event included the following:

**•** There was broad consensus to draft an international code of conduct based on international humanitarian and human rights law, including oversight and accountability mechanisms.


The conference came to a close with private security industry groups issuing the Nyon Declaration, stating that an international code of conduct compliant with human rights and IHL and including effective oversight, accountability and operational standards should be developed.111

Another less tangible but hugely important result of the Nyon conference was the beginning of building trust between different stakeholders. Discussions were constructive, with all stakeholder groups participating actively and adding value. The large turnout of concerned actors underlined the commitment and importance the different groups accorded to this work.

Leaving the conference with a clear mandate and a proposed structure to elaborate a code of conduct for PSCs, as well as the clear impression that the project was on the right path, the Swiss initiative began drafting the ICOC.

### **Drafting the International Code of Conduct**

Having found their initial multistakeholder strategy to have been largely successful, the project organizers continued along the same lines, including all previously involved stakeholders and enlarging discussions to include another important stakeholder in the supply chain: insurance companies. As a result, between September 2009 and September 2010 eight workshops were held, of which six were multistakeholder and the other two were attended primarily by industry representatives with some limited participation from the other stakeholder groups.

During this time, two draft versions of the ICOC were released for public comment: a first draft in January 2010 and a second in August 2010. The final draft was essentially agreed at the last multistakeholder workshop in September 2010. This text was then officially adopted at the ICOC signatory conference held on 9 November 2010.

As important as the paper outputs of these meetings were the intangibles, notably the building of trust. Throughout the numerous meetings, different stakeholders developed constructive ways of working – and of solving issues – together. Furthermore, the high degree to which the different stakeholders shared common or compatible visions for the code helped to move the process forward, and at times could be surprising. This is not to say that there were no disagreements or differences of opinion, but in nearly all cases participants were able to find ways forward through consensus.

A crucial but less obvious element in the success of the process was the role of the neutral facilitator,112 who took on tasks ranging from organizational and logistical project management activities to research and analysis for the code text and identifying and building consensus around challenging issues. The facilitator also had an important role in the drafting of the actual code text. Together, members of the Swiss government, the Geneva Academy of International Humanitarian Law and Human Rights113 and DCAF would meet after workshops to sift through and analyse the contents of those discussions, putting together draft texts that would then be circulated to the next round of multistakeholder meetings for further feedback, starting the process over again.

Furthermore, the neutral facilitator acted in the role of informal mediator of minor points of contention. As an actor with effectively independent funding and no agenda beyond developing a successful code, the facilitator was able to help build trust among the different stakeholder groups.

While the underlying objectives of the code process remained constant, the approach to implementing it did change and evolve. To help chart these changes, it is particularly useful to compare the different drafts of the code, which offer snapshots in time of how the thinking of the participating stakeholders evolved over the course of the process. There is a substantial difference between the three versions of the code which is worth considering in more depth: the scope of its application.

In the first draft, the code is said to "apply globally to all circumstances, whether or not there is a situation of armed conflict". This differs substantially from the phrase "complex environments" found in the second draft, which is very similar to the formulation found in the final document. The shift in approach reveals the discussions that took place regarding the need for the code in the first place, also recognizing the need to support (or at least not undermine) effective state regulatory processes. As mentioned earlier, one of the biggest challenges to effective regulation was the difficulty states had in enforcing national or international law in relation to private security actors. This was the thinking behind the first draft, which endeavoured to highlight that the principles and standards contained in the code were relevant to PSC operations regardless of the situation on the ground – whether it was armed conflict or not. However, the ability of states to enforce laws varied significantly from state to state and could depend on a number of factors, including the existence of armed conflict or other catastrophic situations such as natural disasters, and whether the PSC was beyond a state's jurisdictional reach. Conversely, a state might be in the position to regulate and enforce laws against a PSC effectively, in which case the oversight function might not be needed.114

The decision to scale back the scope of application also stemmed from a resource concern for an eventual oversight mechanism. As overseeing PSCs all over the world in all areas where they were operating would be extremely expensive, it was desirable to restrict the areas that would be overseen by the mechanism to something more cost-effective while still fulfilling the code's objectives. The adoption of a "complex environments" scope of application reflected a balancing effort to focus the oversight efforts on those areas that needed it most. This can be seen in the final iteration of "complex environments" as contained in the code:

Complex Environments – any areas experiencing or recovering from unrest or instability, whether due to natural disasters or armed conflicts, where the rule of law has been substantially undermined, and in which the capacity of the state authority to handle the situation is diminished, limited, or non-existent.

In looking at this definition, it becomes clear that it is the effectiveness of the state governance, rather than the capacity of PSCs, that is the defining factor for the code's scope of application. This definition also emphasizes that in other "non-complex" areas states hold the primary responsibility of oversight. Although it makes logical sense, this approach raises the question of how to determine whether or not a given region is considered a "complex environment". While there seems to be a general understanding that this determination will be made by the ICOCA, at the time of writing there has been no clear progress as to how to make the determination.

In the end, 58 companies signed the ICOC in Geneva on 9 November 2010. A noteworthy element of the signatory conference was stakeholder participation. The small number of other stakeholder groups attending the conference, in particular human rights CSOs and states, was in stark contrast to their weight and influence in developing the ICOC. This can be partially explained by their different roles in regard to the code. Unlike signatory companies, participating CSOs and states were not undertaking commitments to perform activities in accordance with the principles contained in the code. Instead, CSOs had acted as a check on the quality and credibility of the code to help ensure that it respected international human rights law and IHL in a way that reflected specific concerns they had about companies' operations. States had largely participated in a dual capacity: as both regulators with state obligations to uphold and as clients of private security services. While both of these stakeholder groups had clear linkages to the aims and objectives of the ICOC, at the time of its adoption their participation consisted primarily in their substantial contributions to the text.

However, the multistakeholder character of the initiative was recognized more and more towards the end of the code's development, with the first real reference included in paragraph 7 calling for "Signatory Companies, Clients and other relevant stakeholders" to establish "external independent mechanisms for effective governance and oversight". Furthermore, on the day after the signatory conference three members from each of the stakeholder groups – signatory companies, CSOs and governments – were elected to a temporary steering committee (TSC) to develop what became known as the ICOC Articles of Association, or the framework for the oversight mechanism of the ICOC. Through this second process, more active and substantive roles for states and CSOs would evolve over the development of the governance and oversight mechanism, with each stakeholder group having an equal say in developing and drafting the oversight mechanism and the recognition of the process as an MSI.

While the large initial uptake, and subsequent exponentially larger uptake,115 was hailed as a resounding success of the ICOC, it is worthwhile considering what these companies were signing up to. In a similar fashion to the Montreux Document (see the earlier discussion), the ICOC states that "The Code itself creates no legal obligations and no legal liabilities on the Signatory Companies, beyond those which already exist under national or international law."116 Here again we see the formula of recalling existing legal obligations, followed by an interpretation of how those obligations should be applied to the addressees – this time to the PSCs themselves. While it is unclear if or how a court of law might take the ICOC into consideration when applying national or international law to a PSC, signature of the code was a public commitment by companies to undertake further responsibilities, including submitting to another non-standard oversight organization.

As discussed further below, developing the governance and oversight mechanism proved to be a more difficult nut to crack, taking considerably longer than the time spent developing the code.

#### **Setting relevant standards: The ICOC's key provisions**

The actual text of the code was shaped by the challenges and good ideas identified during the multistakeholder consultations as well as by other initiatives. The Montreux Document, the "protect, respect and remedy" framework and a number of international human rights treaties were identified in the opening paragraphs as essential foundations of the ICOC. Turning to the substance, a glance at the ICOC table of contents shows clearly that human rights principles form the backbone of the document. It is worthwhile – and also revealing of the compromises reached during its elaboration – to take a closer look at some key provisions adopted in the ICOC.

#### *Rules for the use of force*

Paragraphs 30–32, which contain the "rules for the use of force", offer a telling example of both the compromises and the innovative approaches that emerged from the multistakeholder discussions. The two primary sources on which these paragraphs are based are the standards for the use of force in self-defence accepted by most national jurisdictions in criminal law, and the UN Basic Principles on the Use of Force and Firearms by Law Enforcement Officials. Paragraph 30 employs a common standard for the use of force by private persons in self-defence: force used must be "strictly necessary, and should be proportionate to the threat and appropriate to the situation". This language reinforces the notion that PSC personnel are civilian in nature, and do not enjoy additional special powers that are traditionally accorded to public security personnel.

Paragraph 31 contains an almost verbatim reproduction of the first half of paragraph 9 of the UN Basic Principles, with an important change reflecting that PSC personnel are *not* state security actors: omitting the second part of the sentence that refers to arrest of persons, a power which commercial security providers should not have in the context of private security provision.


Finally, paragraph 32 considers the situation in which private security personnel are formally authorized to assist in the exercise of a state's law enforcement authority. It steers clear of associations with military personnel, instead requiring them to "comply with all national and international obligations applicable to regular law enforcement officials of that state and, as a minimum, with the standards expressed in the United Nations Basic Principles on the Use of Force and Firearms by Law Enforcement Officials (1990)".

In a nutshell, the rules for the use of force contained in the ICOC describe a very limited use in cases of self-defence or defence of others – a right to use of force held by all civilian persons. Only where a PSC has been formally incorporated into a state's law enforcement authority are powers such as the right to use force above this threshold contemplated, and in such a case the PSC would essentially become part of the state police apparatus and under its responsibility. Importantly, the right to use military force in the context of an armed conflict – the so-called "combatant's privilege" to participate directly in hostilities – is not included, thereby reinforcing the civilian nature of PSCs and the norm of a distinction between public and private privileges in the use of force.

#### *Subcontractors*

The ICOC includes several provisions to help ensure that all subcontractors of PSCs should be held accountable to the same requirements and standards as the prime contractor, to prevent signatory PSCs from effectively "contracting out" of their responsibilities under the code. Paragraphs 16 and 18 state the general rule that signatory companies must require all subcontractors and other parties carrying out security services under their contracts to comply with the code, and that this compliance must be an integral part of contractual agreements with subcontractors. Paragraphs 50–51 go into more detail regarding what is required of PSCs when selecting and vetting subcontractors, stating that they must "exercise due diligence in the selection, vetting and ongoing performance review of all subcontractors performing Security Services".

Furthermore, a number of important terms in the code are defined in such a way as to try to close as many gaps as possible in the case of subcontractors. For example, the definition of "personnel" makes it clear that persons who perform security services for PSCs are considered personnel, whether or not they are employees and even if they are not paid. Notably, persons working for another company under a contract of assignment to provide security services under a member company's contract are included in the definition of "personnel", thereby assigning the responsibilities member companies have in the code towards their own personnel to the personnel of another company providing services under a contract of assignment.117

#### *Certification*

Throughout the ICOC development process there was much discussion about how a PSC could demonstrate compliance with the code in order to be a company in "good standing". There was a general recognition that PSCs would need to demonstrate that they had fulfilled the management and policy requirements of the code, including elements such as proper selection, vetting and training of personnel, management of weapons, incident reporting, grievance procedures and human rights impact assessments. Along these lines, the code called for the development of "objective and measurable standards... with the objective of realizing common and internationally-recognized operational and business practices". At the same time, stakeholders recognized that these elements would only suffice for part of the code certification process, and the company would be required to undergo continuous "Monitoring, Auditing and verification, including in the field, by the governance and oversight mechanism". One related development in regard to certification was a parallel process launched by the US Department of Defense to develop an American National Standards Institute (ANSI) process for certification of PSCs. Requiring compliance with the Montreux Document and the ICOC as well as with numerous standards derived from those documents, the resulting PSC.1 standard is the first national standard designed to certify a PSC's systems and policies. Currently, a process is under way to develop an International Organization for Standardization (ISO) standard offering similar certification at an international level.

#### *Fostering a corporate culture that respects human rights*

Another important objective of the ICOC was to encourage and support a culture of respecting human rights within PSCs. To support the responsibility of companies to establish "a corporate culture that promotes awareness of and adherence by all Personnel to the principles of this Code",118 a significant number of the code's provisions were devoted to corporate governance practices (paragraphs 44–69), and essentially offer guidance to companies on how to carry out due diligence to avoid or lower the likelihood of human rights violations.

While this section of the code aims to set out the broad principles underpinning such efforts, it also contains a significant amount of granularity, identifying specific efforts and responsibilities that companies must undertake. In essence it aims to strike a delicate balance between encouraging companies to adopt and implement the highest standards possible, while nevertheless setting high "minimum standards" that should provide assurance of basic compliance with the principles. Areas covered in this section include the selection and vetting of personnel, training, management of weapons and *matériel* of war, incident reporting and a "safe and healthy working environment".

#### *Grievance procedures*

The penultimate subsection on grievance procedures contained in paragraphs 66–68 is another interesting product of compromise. The opening paragraph contains the overarching guiding principle: "Signatory Companies will establish grievance procedures to address claims alleging failure by the Company to respect the principles contained in this Code brought by Personnel or third parties." The following paragraphs go on to list a number of requirements that describe how such grievance procedures must be carried out, including that they "must be fair, accessible and offer effective remedies", that allegations will be investigated promptly and impartially, and, in the case of finding a violation, that companies must "take appropriate disciplinary action, which could include termination of employment". Paragraph 67(g) includes whistle-blowing protections for "Personnel who report wrongdoings in good faith".

What these paragraphs do *not* do is establish an external oversight grievance mechanism, despite the somewhat oblique reference contained in paragraph 7(b) which calls for the establishment of "external independent mechanisms for effective governance and oversight, which will include... execution of a mechanism to address alleged violations of the Code's principles or the standards derived from the Code".119 The decision to postpone development of the oversight mechanism until after the ICOC had been finalized was both controversial and risky, but most participants felt that from a standard-setting point of view it would be important to release the ICOC sooner rather than later so that companies could begin the process of ensuring that their operations were in compliance with the ICOC.

Postponing the development of the oversight mechanism also meant an initial lower threshold for what was required of companies to demonstrate their compliance with the ICOC. During the period from the adoption of the ICOC in November 2010 until the launch of the oversight mechanism in September 2013, all that was required of a PSC to become a "signatory company" was to send a letter to the Swiss government with a short description of the company and the services it offered along with an affirmation that it would provide security services in accordance with the code. At this stage there was no fee for signing, nor any substantial oversight, check or follow-up on the companies' submissions. There were complaints from all stakeholder groups that companies were being awarded a kind of licence without having to do or prove anything substantial to obtain it. In fact, in a similar fashion to the critiques of "bluewashing" by the UNGC, the ease with which companies could become signatories and the lack of additional oversight of or other requirements from the companies (which were then listed on a code of conduct website) led to criticism that the ICOC was a promotional vehicle for PSCs. Further, there were allegations that companies which were not even PSCs – but which provided related services, such as training or consulting – had joined as signatories, giving them some free advertising and networking opportunities, along with a label proclaiming their supposed human rights compliance.

However, rather than an indication of bad faith or "corporate capture" of the initiative, the ambiguity of the code on the oversight and grievance mechanism reflected the lack of a clear common vision among the multistakeholder participants as to how the code's approach to handling grievances could work.

Reflecting the lack of a clear vision for an eventual oversight mechanism, statements within the ICOC as to its structure were left deliberately vague, and yet included some important elements. Paragraph 7(b) stated that it "will include Certification of Signatory Companies' compliance with the Code's principles and standards derived from the Code… Auditing and Monitoring of their work in the field, including Reporting" and, as discussed above, the development of a mechanism to address possible violations of the code. Paragraph 11 instructed the TSC to elaborate a charter to "outline mandate and governing policies for the mechanism". The ICOC also made a specific requirement that signatory companies themselves establish effective internal grievance mechanisms; but little detail was offered on how this would work in practice, particularly how such internal grievance mechanisms would interface with the external independent mechanisms for effective governance and oversight.

However, the process undertaken to develop the ICOC had already provided a strong basis for the next stage of the process. It demonstrated that different stakeholders could work together constructively to build consensus around the most pressing challenges posed by and to the industry, as well as to articulate standards of conduct to respond to those challenges. More importantly, it evolved into a consultative model in which participants were regularly consulted and asked to provide feedback on an evolving draft that was shepherded by the neutral facilitator. This approach helped to build and maintain trust in the process among the different participating stakeholders, and provided a good blueprint for the next phase to develop an oversight mechanism.

## Building an Effective Oversight Mechanism

While this next phase of the process to develop a multistakeholder oversight mechanism for the ICOC benefited from the experience gained in developing the code, it also further developed and systematized the earlier approach, evolving into a more mature process embodied by the TSC. This included developing defined rules of procedure, a rotating chair to ensure robust participation by all stakeholders, and taking a proactive approach to transparency through the development of a website which provided regular updates on TSC activities. The TSC also sought the advice of experts who were largely outside the process, but who could bring ideas and examples from other relevant initiatives. All these procedural improvements and additional resources were very much needed to support the development of a governance framework which ended up taking twice the time originally envisioned in the ICOC, and which still left many details to be worked out by the resulting oversight body. At the same time, a new trend of requiring code compliance by companies through national law, public and private procurement policies and in contracts for private security services has helped to "harden" an essentially soft law process.

Through tremendous work that ultimately coalesced into a common vision, the TSC created a new kind of multistakeholder oversight institution that aims to achieve the stated objective of providing effective oversight of PSCs with some teeth. It is still left to be seen if it will provide a plausible answer to the question posed at the beginning of this paper: how can a non-state institution effectively oversee PSCs?

#### **Preparing the ground for an oversight mechanism**

As its first order of business, the newly formed TSC developed rules of procedure120 that put into written form many of the ways of working that had evolved organically during the ICOC process, developing them even further. In practical terms this meant designing a process that strongly favoured decision-making by consensus, but also included the possibility of having a vote in the event that consensus could not be reached. The rules of procedure distinguished between two types of votes, "procedural" and "substantive", and further stated that "Deciding whether a matter is procedural or substantive is itself a substantive matter."121 Those matters qualifying as procedural, described as along the lines of "adoption of minutes or reports or establishment of subcommittees", only required a simple majority vote of those present. However, for matters considered to be substantive a successful vote required a two-thirds majority of those members present, "with at least one Participant from each stakeholder group voting in favour". In what came to be known as the "Dutton majority", named after the Australian government TSC member David Dutton who suggested it, this qualified voting requirement assured that no vote would be agreed by the TSC in the case that one stakeholder pillar was wholly opposed. In practical terms, the threat of this vote meant that no vote was actually ever taken by the TSC. Instead, all decisions were ultimately reached by consensus, even if the road taken to reach this point was quite long and sometimes contentious, requiring compromises and new ways of thinking from all sides. Reflecting the multistakeholder character of the TSC, it was decided to adopt a rotating-chair approach, whereby the chairmanship would cycle through each of the three stakeholder groups before starting over again. The chair of the meeting had the tasks of preparing, in cooperation with the project facilitator, the meeting's agenda and presiding over the meeting itself. 
S/he also was tasked to "work closely together" with the chairs of the previous and subsequent meetings "to ensure continuity",122 meaning that a member from each stakeholder group was involved. This encouraged active involvement from all participants.

Finally, in an effort to increase transparency of the process, DCAF as neutral facilitator established a website for the ICOC to inform the public about the TSC's work. Acting as a clearinghouse of information, the website contained the minutes from TSC meetings, copies of reports and other working documents, and other news and information on ICOC-related events. In the words of TSC CSO member Meg Roggensack, "This was an unprecedented level of transparency during a challenging formative stage; it helped to maintain a degree of ongoing awareness and engagement that informed the TSC's work and that led to an emphasis in the charter on the value of regular public reporting and transparency about ICOCA's work."123

In approaching the task of developing the ICOCA, the TSC also had guidance from the ICOC, which included a timeline124 for achieving certain milestones. The first of these, to develop a "workplan for constituting the mechanism by March 2011",125 was delegated to a smaller working group, composed of members from industry and civil society, to produce a first draft. This approach of delegating distinct tasks to smaller groups, typically including a member from each stakeholder group, to then be presented to and reviewed/amended by the entire multistakeholder body became a standard way of working for the TSC. By using this approach, the TSC was able to develop a workplan and a discussion paper on "Elements of a Governance and Oversight Mechanism for the ICOC"126 by the March 2011 deadline. However, despite these efforts and the decision to *meet at least once a month*, with smaller working groups meeting more frequently, the sheer complexity of the process to design an effective multistakeholder governance and oversight mechanism required much more time and work than was foreseen in the code.

In the first meetings of the TSC there were already some emerging areas of consensus regarding the functions of the governance and oversight mechanism, in particular that it should have some sort of accreditation function as well as an ombudsman function.127 However, the TSC members recognized that they required more expertise and input into the process than they alone possessed. For this reason, they reached out to the larger stakeholder communities to create three multistakeholder working groups composed of experts with specific subject-matter expertise128 to consider in more depth the following areas:


Each working group met, primarily via teleconference, between six and 11 times during the summer months of 2011.129 Drawing on a broader spectrum of expertise, the working group discussions helped to lay the foundation for the future ICOCA Articles of Association (AOA).

Working Group 1 tackled the core functions of the oversight mechanism, including assessments, reporting and internal/external oversight. In addition to holding meetings where all its members were able to participate, Working Group 1 created three subgroups, each tasked with a particular focus: standards-based assessment and certification; principles-based monitoring and performance assessment; and terminology, reporting and ICOC process. Over the course of their discussions, Working Group 1 and its subgroups explored in great detail the process of certification of companies, performance assessment/monitoring and reporting. Many of the results of their deliberations went on to shape the structure and form of the ICOCA, including the following:


Other areas in which the group recognized the need for further discussion included the frequency of and appropriate trigger(s) for field monitoring by the oversight mechanism, as well as precise methods and procedures for conducting effective "remote monitoring". While there were many subsequent discussions on these matters, the specific guidelines and procedures for monitoring were passed on to the board of the ICOCA, to be developed after the association was created.130

Working Group 2 tackled the issue of grievance mechanisms by considering seven possible functions that could be performed by an oversight mechanism:

**•** *an advisory function* to provide advice about what the code requires of member companies to be in compliance, including how to develop/implement an internal grievance mechanism that is compliant with paragraphs 66–67 of the ICOC, and to give guidance on how IHL and human rights laws apply to PSCs;


In so doing, the group looked closely at several other non-judicial grievance mechanisms, including the World Bank Group (office of the compliance adviser/ombudsman), the OECD (national contact points) and the FLA (third-party complaints procedure), as well as at the work of the UN special representative for business and human rights on effective non-judicial grievance mechanisms, in particular paragraph 31 of the UN Guiding Principles for Business and Human Rights.131

Nearly all the elements considered by Working Group 2 were included in the ICOCA AOA in some form. The advisory function, essentially a function whereby the oversight mechanism provides advice to member companies on a number of code-related issues, can be found in Article 13.1 of the AOA. Similarly, the referral and mediation functions as part of the ICOCA's "good offices" are included under Article 13.2.1–13.2.5. While not so named, the fact-finding, special audit and gatekeeping functions considered by Working Group 2 are largely covered under provisions contained in both Article 12 (Reporting, Monitoring and Assessing Performance) and Article 13 (Complaints Process).132 The only function clearly not adopted within the AOA was that of arbitration, which was considered to be too expensive and complicated, as well as more likely to interfere with local investigations as its fact-finding processes could impede existing parallel judicial investigations. Most importantly, the oversight and grievance mechanisms are designed to remediate company performance and provide remedies to injured parties in accordance with the human rights standards contained in the ICOC. Therefore, even in cases where companies are subject to state jurisdictions where the rule of law is weakened, members of the ICOCA will be held accountable to the "high minimum" standards contained in the ICOC.

Working Group 3 examined areas of structure, governance and funding of an oversight mechanism. It is perhaps in the discussions of this working group133 that one can see the most change, with the gradual push and pull moving from an industry-led initiative to a multistakeholder approach to governance. Questions included where the institution should be located (possible locales were Switzerland, the US or the UK), who would be eligible for membership of the oversight institution (probable answer at this time: only companies), how to choose the "right" kind of civil society participants to ensure their independence and real commitment to human rights protection, and how decisions should be taken (simple majority, qualified majority, etc.). Several areas of emerging consensus will now sound familiar to those who have read the AOA. For example, in terms of institutional bodies the basic contours of the future ICOCA were laid out: the board, the plenary (now known as the general assembly) and a secretariat. More importantly, one of the key elements not in question was that the governing body of the board should be multistakeholder in its composition.

The various processes undertaken to share expertise and identify elements are important not only for their contributions to the ICOCA, but also because it is through these processes that the different stakeholders came to understand the value of working collaboratively together, leading to the ICOC initiative becoming an MSI.

#### **Developing the ICOC Association**

The TSC then set about the task of putting down on paper a first draft for the creation of the ICOCA.134 Once again, the TSC created a multistakeholder subgroup supported by the neutral facilitator to draft sections of the text in between monthly meetings where they would be reviewed and amended by the whole group. It also adopted the practice of holding weekly teleconference calls to discuss the progress of the drafting subgroup and offer suggestions and other support. Finally, on 16 January 2012, the first version of the ICOCA AOA, or the "draft charter" as it was called then, was released for public comment until the end of March 2012. During this first public comment period, a number of briefings on the document were held in several venues for the TSC to present the draft charter to a wide variety of stakeholders and engage them in an interactive discussion about it.135

More than 800 comments from nearly 40 entities were received on the draft, beginning yet another intense period of work to amend the text. At the same time, the TSC held several outreach meetings in May and June 2012 to discuss its takeaways from the comments face to face with other stakeholders, and verify that it was on the right track in the second draft. The TSC also created multistakeholder subgroups to work on specific sections of the draft, each of which met on a separate schedule.136 The second draft charter for the oversight mechanism was released for public consideration in January 2013, serving as the basis for discussion at a drafting conference held in Montreux in February 2013. In turning to the content of the adopted AOA, it is illuminating to see how some key provisions evolved along the way from the first draft.

During the two years or so that the TSC worked to develop the founding instrument for the ICOCA, its thinking shifted significantly, based in large part on the feedback received from the wider stakeholder communities. This is clearly evidenced when looking at the drafts released in January 2012 and January 2013, which vary substantially in their approaches. The AOA adopted in February 2013 had only minor changes from the January 2013 draft and, unless specifically noted, can be considered to be substantially the same.

One of the most obvious differences between the first and second drafts is the length of the two documents. At 26 pages the first draft is more than twice as long as the second draft, which measures a modest 11 pages. This reflects the changing thinking of the TSC on what a charter document should contain in terms of detail and direction, and is also a direct result of the feedback received after the first draft was published.

Receiving feedback along the lines that the first draft was long-winded, duplicative and confusing, the TSC went back to the drawing board, with the objective of simplifying and streamlining the text, retaining important elements but providing more latitude to the executive director and multistakeholder board to carry out monitoring and review of company performance, and eliminating the "chief of performance assessment" position, which had the primary responsibility of reviewing alleged violations of the ICOC.137 The second draft left the detailed procedures for implementing certification, monitoring and handling third-party complaints to the future board and general assembly to develop and adopt. The final AOA are better understood when read with the first draft charter as background, because this helps to shed light on the thinking of the TSC behind certain provisions contained in the AOA as well as providing some ideas for how they could be implemented.138

One noteworthy area where the second draft charter pulled back from the first draft in detail is in the criteria for CSOs to join the oversight mechanism. This reflects the sometimes contentious ongoing debate about what is the "right kind" of CSO to participate in the initiative. While it was fairly clear what was required of PSCs and governments to join their respective stakeholder groups – PSCs were any person or entity offering private security services, and governments were recognized as being responsible for effective control over their territories139 – CSOs did not have such clear defining qualities other than being NGOs.

Starting from the premise that the added value of CSOs in this initiative was primarily the credibility and expertise they brought by being independent organizations working in a watchdog capacity to promote respect for human rights and humanitarian law, the first draft charter went into considerable detail in spelling out indicators for independence (or lack thereof), and requiring that CSOs be recommended and approved by at least three of the four CSO board representatives – a requirement that many balked at as being too subjective. The second draft charter and final AOA took the approach of stating the overarching requirements that CSOs have a "demonstrated institutional record… of the promotion and protection of human rights, international humanitarian law or the rule of law"140 and that they be independent, which "shall be assessed by reference to relationships with other stakeholder pillars, such as via specific, relevant or substantial funding, or through active working relationships".141 The AOA tasked the future board to "propose for approval by the General Assembly membership requirements" within six months of adoption of the AOA.142

In order to become a member of the board, one must be a member of the ICOCA and then elected according to procedures that are developed within each stakeholder pillar. For example, to put itself up as a candidate for an industry board seat, a member must receive recommendations from at least three other industry members. Furthermore, industry representative elections are organized regionally, with slots for representatives of UK and US companies – the two regions from which the largest number of PSCs hail – another slot for companies from outside the UK and US, and a fourth "at large" member, representing the company that got the highest number of votes outside those categories. Since the CSO and governmental pillars are significantly smaller, there are fewer conditions for becoming a board member beyond being a participating member of the stakeholder pillar.

Another striking difference between the two charters was the shift in the relative responsibilities of the institution's organs, from a governance model where the board was the "primary decision-making body"143 and the annual plenary was limited to ratifying a very limited, mostly non-substantive, number of decisions that had already been approved by the board144 to one where the plenary (now the general assembly) was the "supreme governing body" whose approval was required for a number of key decisions to enter into force.145 As such, the balance of power shifted from being almost completely dominated by the board to being more distributed between the board and the whole membership. This was due in part to the choice of an association located in Switzerland as the institutional form for the oversight mechanism, which required the general assembly to have a few key powers, including the power to dismiss the board, providing an important check on its functions.146 However, the powers accorded to the general assembly went far beyond what was required under Swiss law, reflecting a fundamental shift in the thinking of the institution itself: from a model in which only PSCs could be members (and therefore vote in the plenary), with the important decisions undertaken by the multistakeholder representation contained in the board, to a model where both the general assembly and the board were structured in a multistakeholder configuration, meaning that all decisions required multistakeholder participation and approval. When compared to the first draft charter, the AOA for the ICOCA, adopted by consensus at the drafting conference held in Montreux in February 2013, implemented a purer form of "multistakeholderism" in their approach to governance and oversight of the private security sector.

Regarding another stakeholder, non-state clients, as mentioned earlier several were approached and participated fairly actively in the beginning of the ICOC project. While they continued to be invited to various outreach events, and a few provided comments on the drafts of the ICOC, their response during the second half of the initiative was cordial but more at arm's length. Taking a "wait and see" approach that the ICOC was an interesting project but they would wait for the result before getting more involved, they effectively took themselves out of the main stakeholder groupings, a development that was criticized particularly by companies and some governments.

As work shifted from the ICOC to the ICOCA oversight mechanism, with some notable exceptions147 non-state clients continued to take a more passive than active role, despite the work being arguably more relevant to their own operations. Furthermore, considering the important role of these clients in giving some "teeth" through requiring compliance with the ICOC as part of their contracting policies, it is clear that they should have participated more actively in the processes. However, after the first draft of the ICOCA charter was released in January 2012 several multinational corporations, primarily from the extractive sector, became more active in the process and were able to contribute to some extent to the resulting document. At the time of writing, the board of the ICOCA is engaged in outreach efforts to bring non-state clients more closely into the process.

#### **Setting up governance structures: The Articles of Association**

The "multistakeholder approach" to designing more effective elements of governance is able in many instances to find new and creative ways to address governance gaps, as illustrated by the following key provisions.

As previously mentioned, the concept of membership within the ICOCA changed substantially, from the principle that only PSCs could join as members of the association but would be governed by a multistakeholder board to a model where both board participation and general assembly membership would be multistakeholder. The earlier thinking was coloured by the perception that this was an "industry-led" initiative, flowing from the fact that the industry had asked for such an initiative, and that PSCs were the primary addressees of the ICOC and the only stakeholder group clearly undertaking responsibilities to operate in compliance with the code. However, in the year between the first public draft of the AOA (January 2012) and the second draft (January 2013) the TSC decoupled the notion that "undertaking responsibilities" under the ICOC was necessary for having membership responsibilities within the association. Indeed, the fact that the process to develop the ICOCA accorded equal decision-making power to all three stakeholder groups from the start was strong evidence that the other stakeholders had clear interests and responsibilities within the initiative. Along with this realization that all stakeholders had a reason to join the club came a more elegant way of taking decisions within the ICOCA.

Allowing all three stakeholders to participate in the general assembly allows them to vote on decisions, but in the very likely case that one stakeholder pillar is populated by disproportionately more members, this comes with the risk of that stakeholder group drowning out the votes of the other stakeholders, meaning that the other stakeholders' opinions would not have much impact on decisions. The TSC tackled this problem by creating a tripartite or three-pillar structure in the general assembly, requiring that for a vote to be successful, it had to succeed within each pillar of the general assembly, independent of how many members each pillar contained.

Regarding votes in the board of directors, the AOA continued in the tradition of the TSC rules of procedure by adopting a weighted majority vote approach similar to and inspired by the earlier "Dutton majority". Successful votes within the board required that decisions be adopted with a majority of eight out of 12 votes, which must include a minimum of two out of four votes from each of the three stakeholder pillars.

Both of these approaches help to ensure that all three stakeholder pillars are able to influence decision-making, and also that votes will not pass if one stakeholder pillar is wholly against a measure. Based on the prior experience in developing the ICOC and ICOCA, it is hoped that this weighted voting structure will also support building and taking decisions by consensus, and early meetings of the board seem encouraging in this regard.

#### *Article 10: Advisory Forum of Montreux Document participants*

Reflecting the need expressed by some governments for a way in which to provide input to the ICOCA without becoming formal members of the association, Article 10 calls for the creation of the Advisory Forum of Montreux Document Participants. Entrusted with the broad mandate of "provid[ing] advice to the Association on national and international policy and regulatory matters", the advisory forum was conceived to be a platform from which states that had endorsed the Montreux Document could feed into the ICOCA. However, beyond this very general purpose, there was little detail offered as to what such a body should look like, how it should function or by what mechanisms it would interact with the ICOCA.

To date these questions have not been fully answered, but there has been some progress on the development of the forum. The "Montreux Document Forum" was announced at a conference held in honour of the fifth anniversary of the Montreux Document in December 2013. At that meeting, and subsequent meetings held over the course of 2014, a consensus emerged to form a distinct working group within the Montreux Document Forum in order to fulfil the function described in Article 10 of the ICOCA AOA. This was done in large part to meet the concerns of some Montreux Document participating states, such as South Africa, which did not wish to participate in the advisory function to the ICOCA. While at the time of writing it is too early to tell how the Montreux Forum and its working group will contribute to the ICOCA, it does provide a conduit through which a more diverse group of states can provide input to the association, and as such forms another link in the overlapping network of diverse actors working together to promote better governance and implementation of international standards.

#### *Article 11: Certification*

While much of the detail was left to the future ICOCA board to develop, the AOA did set out certain requirements for how the association must carry out its functions to ensure a multistakeholder governance approach. In Article 11 the AOA specify that "The Board shall develop procedures for this Article... and submit them to the General Assembly for approval." As the voting structures require significant support within each stakeholder group in order to take decisions, this helps to ensure that such procedures will be developed with balanced input from all three stakeholder groups. Furthermore, taking into account the certification requirements of ICOC paragraph 7, the ICOCA goes on to say:

The Board shall define the certification requirements based on national or international standards and processes that are recognized by the Board as consistent with the Code and specifying any additional information relevant to the human rights and humanitarian impact of operations it deems necessary...

This gave the multistakeholder board the last word in defining certification requirements under the code.

This innocuous language belies both the significant amount of division certification requirements caused among stakeholders and the considerable effort required to achieve compromise and consensus. In early 2011 the US Department of Defense launched an initiative that endeavoured to establish "objective and measurable standards for providing Security Services based upon this Code". In pursuing this objective, the Department of Defense contracted with ANSI to develop a national quality management system based on the Montreux Document and the ICOC. The standard developed through this process, PSC.1, was finalized in spring 2012.

ANSI PSC.1 takes a form similar to ISO 9001 and other similar quality management system (QMS) standards, incorporating the principles and standards contained within the ICOC and the Montreux Document. For those not familiar with these kinds of standards, a QMS can be described as a collection of business processes as expressed in the implementing organization's structure, policies, procedures, processes and resources. Examples of company processes that make up part of a QMS include internal audits, corrective action and preventive action.148 To be certified under a QMS, an organization must demonstrate that it has defined these processes, and explain how they are sequenced and how they interact with each other. Certifications of companies to the standard are typically carried out by auditors working for certification bodies.

As stakeholders were divided over the extent to which certification to the ANSI PSC.1 standard could fulfil certification requirements under the ICOC as defined by the ICOCA, a compromise was reached that is reflected in the language quoted above, leaving open the possibility that certification under a national or international standard could be used to fulfil requirements for certification under the ICOCA, but that the multistakeholder board would decide to what extent this would occur and would also have the power to define additional requirements.149

#### *Article 12: Reporting, monitoring and assessing performance*

The subject of much less controversy, Article 12 requires that the board should develop these procedures, specifying that they must use "established human rights methodologies". It then goes on in some detail to give an overview of the kinds of reporting and monitoring envisaged. To these ends, it requires member companies to "provide to the Association a written assessment of their performance pursuant to a transparent set of criteria", and empowers the executive director to initiate field monitoring, "unless the Board decides otherwise", in cases where there is an identified need for more extensive monitoring, including "field based review", or where a member of the association (either company, state or civil society) has made a request. All alleged violations of the code must be referred by the executive director to the board, which will review them and offer any observations and advice to the concerned member company it deems pertinent. If the board finds that corrective action is necessary to remedy a member company's non-compliance with the code, it will enter into a process to bring this about. Thus even the executive director and secretariat have important roles in overseeing companies, carried out in close cooperation with the multistakeholder board.

#### *Article 13: Complaints process*

Article 13 describes an approach that aims to give effect to the ICOC requirement that grievance procedures "must be fair, accessible and offer effective remedies"150 in the face of limited financial resources. Essentially, Article 13 describes a process in which either the implicated member company or the secretariat receives complaints of code violations by a member company that harm one or more individuals, and then informs the complainant of the various available grievance mechanisms that can offer an effective remedy, including but not limited to the company's own internal grievance mechanism required under Article 67 of the ICOC. Where a complainant alleges that the company's internal grievance mechanism does not offer an effective remedy, or otherwise is not in compliance with Article 67, this is reviewed by the secretariat and can have several follow-on effects, including recommending the complainant to other grievance mechanisms such as mediation or use of the "Association's good offices", and review of the member company's grievance mechanism by both the secretariat and the board. If the latter procedures find the company's grievance mechanism lacking, this triggers a dialogue with the company to implement corrective action to bring the grievance mechanism into compliance with the code; and if the company fails to take reasonable corrective action within a specified period or to cooperate in good faith the board must take action, which can include suspension or termination of membership.

#### *Finance*

Often dominating meetings to the detriment of more substantive issues, finance – specifically how much the oversight mechanism would cost, and most importantly who would pay – was a critically important element of discussions. While there was a general understanding that member PSCs would have to bear a significant share of the costs, opinions varied as to the percentage that share should be.

To that end, a finance working group developed the "TSC Note on Financing the ICoCA",151 which aimed to set out initial expectations for the costs and financing of the organization. This note included:


order to demonstrate the association's financial viability for the information of prospective members.

The note also opens a window into the thinking of the TSC on how the ICOCA AOA would be operationalized as a functioning oversight organization. In the "Workload" section of this document, the TSC explains that it expects the first two years of the association's operations to be devoted to developing the procedures for the functions set out in Articles 11 (Certification), 12 (Reporting, Monitoring and Assessing Performance) and 13 (Complaints Process). The note goes on to say that the ICOCA would probably not become fully operational until the third year, and further that it will likely take several more years for these procedures to mature.

Because of this expected work-stream, the TSC believed there would be an "inelastic relationship between the number of member companies and the workload of the Association during the first two years", as its efforts would be largely devoted to developing the procedures – tasks that are not very much dependent on the number of member companies – rather than implementing them, when the level of increased costs would be very much dependent upon the number of companies joining the association. This explains in large part the approach for member company dues, the first two years of which are set out in the chart below.


The note goes on to say that it would expect industry dues to rise after the first two years of operation, "as company members realise increasing benefits from membership and as the Association becomes fully operational".153

Beyond industry dues, the note considers other sources of funding, in particular pledges made by governments (Swiss, UK, US and Australian) and the possibility that CSOs could bring in financial support from foundations for those functions related to the human rights objectives of the association and the code. Finally, income from non-voting observers to the association – a category still to be developed by the board – is presented as another possible revenue stream.


Taking all these elements into consideration, the TSC offers in the note a "Five-year indicative model". While the long list of assumptions and caveats preceding this model underscores its conjectural nature, it does accomplish one important objective: reassuring companies and other potential members that a working association was viable with the amount of funding it was likely to receive.

Another important aspect of this note was the presentation of a multistakeholder approach to funding. While many in the process seemed to assume that industry members would bear the brunt of funding, this model portrays states as providing slightly more, with potential revenue streams coming from other actors. In this "indicative model", industry is portrayed as bearing around 43 per cent of costs, states 48 per cent and CSOs and other actors around 9 per cent. It is the author's opinion that having diversified sources of revenue adds to the credibility of the oversight mechanism. Such a model responds in part to criticisms about the industry membership fees being too low,154 as states are expected to provide slightly more of the funding, and in any case membership dues are expected to rise as operations get into full swing.

#### **The ICOC as a point of reference for new regulatory initiatives**

In response to the development and launch of the ICOCA, several new regulatory initiatives on both national and international levels have been created which depend in part on the ICOC and the governance and oversight functions of the ICOCA. These initiatives make compliance with the ICOC/membership in the ICOCA a requirement either as a matter of law or as a prerequisite for obtaining private security contracts with the state or an international organization.155 These co-regulatory approaches combine the advantages of an international-level multistakeholder governance model with the force of statutory and/or contractual obligations, potentially helping to fill some of the governance gaps identified at the start of this paper and making the "soft law" approach of the ICOC initiative somewhat harder. Furthermore, such efforts cut against the *voluntariness* of the ICOC, in that if PSCs want access to these markets, they must join the ICOCA and/or demonstrate compliance with the ICOC.

#### *The UN guidelines on the use of armed security services by PSCs*

Beyond providing a forum to draft international standards and agreements, the UN is also an important consumer of private security services to support its operations around the world.156 To minimize the negative impacts that PSCs can have on UN missions, the UN Department of Safety and Security adopted guidelines at the end of 2012 for the hiring and use of PSCs. The guidelines detail a number of requirements for hiring PSCs, including those on screening, training and use of force, as well as outlining management and oversight responsibilities towards the PSCs. Of note, the guidelines require as a prerequisite for engagement that the PSC be a member of the ICOCA, and specifically that it meet the requirements of the ICOC in the areas of use of force and weapons handling. While at the time of writing it is too early to draw conclusions about the impact of the UN guidelines on the private security industry, companies operating from one region have been signing up to the code in clusters in response to requests for proposals to provide security services to a UN operation in the same region. This serves to highlight the power of the client to require adherence to an MSI as a prerequisite for making a bid to provide services, with "hard" or binding obligations being found in the contract.

#### *The UK government and the Security in Complex Environments Group*

As mentioned earlier, the SCEG is a novel public-private partnership between the UK government and an industry body. Currently this organization requires its members to agree to abide by the ICOC and the UN Guiding Principles on Business and Human Rights, and to demonstrate intent to become certified under ANSI PSC.1. These efforts to articulate human rights standards and some form of accountability for the private security industry demonstrate the industry's belief that a commitment to ethical and accountable practices is necessary for the success of its business.

#### *US government PSC procurement policies*

The US government has taken an active participatory role in developing both the ICOC and the ICOCA and publicly pledged its support, including by providing financial support.157 Furthermore, the US Department of State has indicated its plan to require membership of the ICOCA in its procurement policies.158 However, the US Department of Defense has taken a different position, requiring "conformance" with the ANSI PSC.1 standard, which as discussed incorporates requirements from the ICOC and the Montreux Document. It is not clear whether such "conformance" necessarily requires certification to PSC.1 by a certification body, or whether there is another means by which such conformance can be demonstrated. Currently, certification to PSC.1 is only offered by two certification bodies, both located in the UK, resulting in limited capacity to obtain certification. Nevertheless, the inclusion of ICOC principles and standards in PSC.1 and in the upcoming ISO standard offers yet another regulatory framework, helping to reinforce and harmonize international standards and norms for the provision of private security services.

#### *Australian government PSC procurement policies*

The Australian government's Department of Foreign Affairs and Trade (DFAT) has included requirements in its procurement regulations for the PSCs it engages in conflict environments. It requires that they be signatories to the ICOC, or state their willingness to become signatories, as a condition of tender. Further, the DFAT requires that PSCs demonstrate compliance directly to the department with a number of requirements consistent with those of the ICOC, including that the PSC does the following:


By requiring as a condition of tender adherence to the ICOC as well as demonstrated compliance with a number of ICOC-consistent requirements, the Australian DFAT is helping to reinforce the ICOC standards while also providing its own direct oversight over certain elements that are consistent with the code.

#### *The Swiss Federal Act on Private Security Services Provided Abroad*

Taking the multistakeholder initiative to another level, this Swiss law requires membership in the ICOCA of private security companies either domiciled in or operating from Swiss territory providing private security and related services outside Switzerland and European Union/European Free Trade Area states. At the time of writing the ordinance providing implementing instructions for this law had just been released;159 once they are fully operational, these will provide more information about the impact of the law. Of particular note, the ordinance gives a more developed definition of complex environments, and establishes a regulatory authority to review whether the relevant services provided by affected PSCs are in compliance with Swiss law.

#### *The overall effect*

The process of developing an MSI really matured during the second phase of establishing the ICOCA mechanism. The more structured approach driven by an active and committed TSC and supported by the neutral facilitator resulted in the development of a governance framework that aims to ensure balanced and accountable decision-making by members of both the board and the plenary. The number of client organizations at national and international levels which are now requiring PSC membership in the ICOC also demonstrates a level of confidence in the initiative's approach to setting standards and holding companies to account to those standards. Time will tell, however, if the initiative is successful in its overarching objective: "to promote the responsible provision of security services and respect for human rights and national and international law in accordance with the Code".160

## Good Practices and Lessons Learned

With a view to answering one of the questions posed at the beginning of this paper, how to develop more effective regulation for PSCs, a number of key lessons can be identified and are considered in more depth in this section. This analysis considers both elements of *process*, or what activities and approaches were undertaken to develop the standards and the governance framework of the ICOC initiative, and elements of *substance*, discussing how the results of these processes help to fill governance gaps.

#### *Developing the ICOC initiative: Elements of process*

In crafting an MSI in which diverse stakeholders with sometimes antithetical views participate, it is critically important that these actors have *substantially similar overall objectives and vision for the initiative.* This is not to say that the reasons why each stakeholder group participates need to be the same. All the different rationales for participating can be satisfied by the same result: improved human security. With this common "end-game result" desired by all participants, they are likely to be more flexible when grappling with details, to work together to find creative solutions and to believe in the good-faith intent of other stakeholders.

As a close corollary to the first point, *building trust among all stakeholders is essential.* Building trust between such disparate actors takes time and requires substantial work investments, as illustrated by the multiple meetings, workshops, expert working groups and conferences that resulted in several rounds of draft documents. Importantly, it is through these many occasions to discuss challenges and exchange ideas – leading to consensus on how to meet them – that trust among different stakeholders is slowly built. An *iterative process* that advances on the basis of small victories and developing consensus as stakeholders get to know each other allows the agreement to emerge in a series of small, forward-moving steps. This is essential to bridge differences and support productive discussions that can lead to the fulfilment of the initiative's objectives. This cannot be skipped over or fast-tracked, and is likely the single most important factor for success in developing an MSI.

The building of trust is also supported through adopting governance structures that allow for *equally weighted participation and decision-making from all involved stakeholder groups*,161 sometimes called true or real multistakeholderism.162 For example, the TSC was made up of nine voting representatives, three from each stakeholder group, each of whom had an equal weight and voice in discussions. However, when taking decisions the requirement that there be some support from all three stakeholder groups helped to ensure that all decisions would be multistakeholder in character. In practical terms, *adopting a weighted majority voting process supported decision-making by consensus.* This ultimately encouraged new thinking and often resulted in innovative approaches that could build consensus. Furthermore, the practice of rotating the TSC chair among all stakeholder groups helped to ensure that all groups had a say, stayed engaged, encouraged consensus and helped to build trust across the different stakeholders.

Another element that can encourage the building of trust is the *participation of a neutral facilitator* who is trusted by different stakeholders, can bring them together, structures and manages the project, and facilitates discussions and helps to resolve differences – if possible before they rise to the level of real conflicts. From a practical standpoint, the facilitator can also serve as a point of contact and a centre of gravity for the initiative, from which communications about the work and progress of the initiative can be shared and disseminated. The website created by DCAF to provide information on the progress of the development of the ICOCA is one example of this. It helped to support better *transparency*, allowing anyone with an interest to keep up to date with the latest developments in the process.

To support more constructive meetings in which clear progress is made, it is helpful to *set clear public objectives with milestones and approximate timelines.* In contrast to the development of the ICOC, where milestones and timelines were not publicly announced, the process to develop the ICOCA was much more structured and focused, helping to move the process in a forward direction. This more structured approach served to keep the TSC on track even as it was grappling with the significantly more challenging task of developing a multistakeholder governance and oversight mechanism.

Another strategy that helped to support progress was *the development of small multistakeholder subgroups* to work on specific tasks and challenges in between regular meetings. These groups, which at crucial times in the process invited subject-matter experts from the broader stakeholder communities to provide additional advice and guidance, helped both to advance the progress of the project and to obtain broader expertise, guidance and lessons learned from other similar processes. This helped to ensure that the ICOC initiative was able to benefit from the experience of other initiatives, which provided a basis from which the ICOC could evolve and develop further.

#### *Developing the ICOC initiative: Elements of substance*

Turning to matters of substance, in terms of the governance functions of the ICOCA, *certification* is meant to provide snapshots at regular intervals in time that capture the extent to which companies have implemented due diligence requirements in their systems and policies. Essentially, companies will need to provide information on how they have transformed the principles and standards from the ICOC into practices within their company. This would include, for example, describing the methods they use for selection and vetting of personnel and the types and content of training they provide to them, as well as the procedures they have in place for handling grievances. Member PSCs should also provide evidence that they use practices respecting human rights to manage and support personnel, such as by taking reasonable precautions to provide them with a safe and healthy working environment, and implementing a zero-tolerance policy for harassment and abuse within the company. Ultimately, these practices are meant to filter into the way that companies operate and provide private security services, thereby significantly lowering the likelihood that their activities will negatively impact human rights.

Certification will be complemented by ongoing *monitoring*, consisting of processes that collect real-time information on companies' operations in between the certification "snapshots", with the objective of becoming a kind of "early warning system" to detect signs that a company is not operating in conformity with the code. A finding of non-conformity would trigger a dialogue with the company on the manner in which it is operating, and should help to prevent larger, more damaging incidents from occurring. If the company does not participate in good faith in this dialogue and begin to rectify the non-compliance, this would kick off a process that could lead to the company's membership being suspended or terminated, and potentially for it to lose business. This ambitious and complex function will likely take up the bulk of the ICOCA's activities and resources. As the procedures for the function are currently under development, it is yet to be seen whether this non-state mechanism will be able to perform monitoring effectively such that it can achieve at least some of its aims.

Along the same lines, the *grievance mechanism* should provide a means for injured parties to obtain effective remedies, particularly where other accountability mechanisms are ineffective or unavailable. While not able to prosecute personnel members or companies for criminal wrongdoing, such an approach at least should be able to provide some measure of relief and recompense to those negatively impacted by companies' activities. Furthermore, the decentralized system whereby a company's internal grievance mechanism serves as the regular venue of first instance, operating under the watchful eye of the ICOCA, provides a compromise that keeps costs lower while providing some assurance that aggrieved parties are treated fairly and get the remedies they deserve. At the same time, leaving the option open that they can approach the ICOCA directly in the first instance in certain situations,163 or as a kind of venue of appeal in cases where the company's handling of the grievance did not meet the requirements of the code, offers the flexibility to adapt to different situations in order to fulfil the objectives of the grievance mechanism. Finally, this flexibility in handling and responding to grievances is necessary to ensure that the ICOCA is not negatively impacting or undermining effective investigations of abuses being carried out by governments, but can step in and provide a forum to hear grievances where government authorities are not conducting effective investigations. 
In fact, it is conceivable that having the international standards developed by the ICOC and the oversight mechanism of the ICOCA could even encourage more effective oversight and accountability by states, both by providing more clarity on the kinds of behaviours of PSCs that respect human rights standards and by offering a little "friendly competition" in terms of accountability mechanisms: the existence of a multistakeholder grievance mechanism available to step in when governments show reluctance to handle grievances effectively may exert some pressure on them to carry out their state responsibilities to protect victims and provide them with effective remedies.

Finally, the growing number of governments and intergovernmental organizations encouraging or requiring membership in the ICOCA changes the nature of the multistakeholder approach to governance, shifting it from an initiative which relies largely on the willingness of companies to participate to one in which membership in good standing is a condition of entry into some markets and a condition of law in others. This "co-regulatory" approach allows the different relevant actors to exert influence and take decisions where they have the best expertise and the most leverage, bringing in both subject-matter knowledge and the concerns of the affected communities, as well as the availability of enforcement through obligations of contracts and as a matter of law. Taken together, these efforts are emblematic of an emerging consensus that effective governance of these kinds of private actors requires regulatory efforts by multiple actors – both public and private – often overlapping, but all largely harmonized in the standards they use. Perhaps most importantly, the ICOC initiative approaches human rights standards from the perspective of persons impacted by the activities of PSCs, or from a *human security* vantage point. In contrast to a state-centric national security approach in which abuses of the civilian population by either public or private actors may not trigger a response from the international community, the ICOC initiative holds the respect for human rights of the civilian population as the standard against which companies are assessed and held accountable, recognizing that respect for human rights concerns matters between state and state, citizen and state, and citizen and citizen.

### Conclusion

The need to develop and implement effective approaches to close governance gaps created by the global marketplace will continue to grow in importance as our world becomes more socially interconnected and economically interdependent. Identifying these gaps is an essential first step in being able to conceptualize and craft effective responses that can address real challenges to governance and accountability. This paper aims to present such a process undertaken in the context of the private security industry, first identifying governance gaps in public regulatory frameworks and then describing a multistakeholder response that endeavours to set international standards for the private security sector and address governance gaps in its oversight and regulation. The processes to develop both the ICOC and the ICOCA demonstrate that multistakeholder approaches involving relevant actors from both the public and private sectors can be successful in developing and setting international standards, as well as in crafting regulatory frameworks that make use of complementary public and private means of accountability and enforcement – thereby offering the potential to fill some governance gaps.

In considering the foregoing elements, it is important to view them in the context of the point of departure of this paper, namely why the private security industry has voluntarily submitted itself to regulation by an MSI. While it would not be incorrect to say that in embarking on this journey the private security industry was seeking legitimacy for its activities, the reasons for this lack of legitimacy were due not only to wrongdoing on the part of PSCs, but also to the failure of the international legal system composed of states to oversee PSCs and hold them accountable effectively. This also points to the trend of states increasingly outsourcing to private actors many activities that were traditionally understood to be the responsibility of the state, including security provision, and which are the subjects of multiple international agreements. In this complex, multifaceted and continuously evolving situation in which both public and private actors have influence and control, and where private actors are not directly regulated by international agreements, additional forms of regulation, oversight and governance are required. This was recognized by the PSC industry, and explains why it considered that an initiative to develop a code of conduct with effective governance was necessary.

This also helps to explain why government and civil society actors were invited to participate with PSCs in this endeavour: all these actors have a stake in the provision of private security, with governments in the role of both regulators and sometimes clients, civil society being directly impacted by PSC activities, and PSCs delivering these services. To ensure as far as possible that private security is provided in such a manner that activities on the ground respect international law and the rights of individuals, it needs the participation of all these actors. PSCs can offer a "reality check" on the services they are providing, including the actual challenges they face on the ground, and how to integrate international standards effectively into private security provision; civil society can provide information on how these services and activities are actually affecting people on the ground; and governments are able both to regulate PSCs at national and international levels and to include requirements in their laws and procurement practices. Non-state clients also have an important stake and the ability to impose requirements in their contractual agreements describing how the PSCs they hire must provide private security services.

This also helps to answer the second question posed at the start of this paper, asking what form this regulation should and could take, and furthermore how it could be developed. Taking the two parts of this question in reverse order, as explained above, those actors with important relationships to and experience in private security provision had the expertise to contribute substantively to a consultative and iterative process that identified their challenges and needs, as well as good practices and positive experiences. This information was interpreted through the lens of well-established international human rights and IHL standards by legal scholars and experts, which resulted in the ICOC, or the standard-setting part of regulation. The ICOCA takes regulation to another level by establishing a multistakeholder governance framework that requires companies to demonstrate they have implemented the ICOC in their management systems and policies, and to submit their activities to monitoring and to a process for handling grievances that includes providing effective remedies to those negatively impacted by their private security services. Finally, as more state and non-state clients contractually require the PSCs they hire to operate in compliance with the standards of the ICOC and to become members in good standing of the ICOCA, this adds another level to the regulatory matrix, helping to "harden" an essentially "soft law" approach.

Furthermore, in participating in this initiative, it is important to recognize the level of scrutiny to which the industry was subjected in the course of these processes. More accurately, the private security industry can be said to have submitted its activities and ways of doing business to an in-depth review by its peers, governments, clients and members of civil society – effectively asking the question what does the multistakeholder international community think is appropriate for the private security industry to provide, and according to what standards and within what limits? The answer paints a picture of private security activities that should be quite limited in scope and in use of force, and should not be involved in overthrowing governments or directly participating in armed conflict, but in so far as these services can positively contribute to public and human security in accordance with international humanitarian and human rights standards, they can be beneficial.

While at the time of this writing it is too early to say how successful the ICOCA will be in achieving its objective of promoting "the responsible provision of security services and respect for human rights and national and international law in accordance with the Code", both the ICOC and ICOCA can already be said to have had important normative effects. Increasingly, the ICOC is seen as the benchmark against which other standards and regulatory efforts for private security are measured. With signatures by over 700 companies headquartered in 71 different states, the ICOC has achieved a high level of recognition and acceptance across the PSC industry. Furthermore, the principles and standards contained in the ICOC are currently being transformed into an ISO standard.164 This document, like its ANSI precedent PSC.1, takes a QMS approach to the ICOC, setting out a framework to evaluate the extent to which the systems and policies of a PSC demonstrate compliance with the ICOC. So long as the future ISO standard faithfully reproduces and incorporates the principles and standards contained in the ICOC, its subsequent adoption will be another indicator of the standard-setting success of the ICOC. While the value of such standards in the absence of a fully functioning oversight and governance mechanism supporting and verifying implementation may seem questionable, setting a clear normative benchmark can have an effect of its own, giving clients leverage to demand higher standards from their service providers.

Evidence that this is already happening can be found in the increasing number of government and intergovernmental clients that are referencing the ICOC and ICOCA in their procurement guidelines – even before the ICOCA has fully implemented its oversight functions. Such references can be seen as a vote of confidence for both the standards and the potential of a multistakeholder governance framework as embodied in the ICOCA. Called by some in the business and human rights community "the next generation of multistakeholder initiatives",<sup>165</sup> the ICOCA is increasingly viewed as a model for other MSIs to emulate.

A more interesting question is whether the multistakeholder governance model can lead to "good governance"; that is, to what extent does it result in a system that ensures both effectiveness and accountability within a framework of rule of law and respect for human rights? In light of the foregoing discussions, certain points are worth keeping in mind as this and other MSIs go forward. In particular, MSIs raise the question of who is a good and relevant stakeholder. The answer – transcribing rationales for democratic governance to the realities of a transnational global marketplace – seems to indicate something going beyond nationality, where "stakeholder citizens" are expected to have a particular expertise, background or *stake* as a requirement for influencing decisions that will ultimately impact them in a proximate way. How to ensure that all relevant stakeholder citizens are included in the appropriate MSI such that they are not disenfranchised and do actively participate, can appropriately influence and effectively control the sector, and are properly overseen supporting a kind of "stakeholder rule of law" are important questions that will require more complete answers as the number of MSIs increases.<sup>166</sup>

While this paper does present the case that multistakeholder approaches to governance can improve regulation of the private security sector, it does not present concrete evidence of the effectiveness of multistakeholder approaches to governance, e.g. proof of reduced instances of human rights abuses by PSCs. On one hand, this goes to the difficulties in obtaining reliable baseline information against which success or lack thereof can be compared. However, it also speaks to the relatively nascent nature of these approaches, and the need to develop appropriate methodologies for analysing the effects and impacts of MSIs, particularly on the civilian populations they are aiming to protect.

Against this backdrop, it is suggested that additional work be undertaken along these lines to analyse the different approaches of existing MSIs. Specifically, further research of these initiatives is required to identify good practices, lessons learned and reliable indicators for implementation, with a view to developing more standardized frameworks for evaluating their impacts and effectiveness, and contributing to their improvement. In conducting this research, attention should also be paid to the quality of governance, specifically how to ensure as far as possible that the relevant and appropriate stakeholders are taking part and have an appropriate say and influence in the initiative so as to support "good governance" in the multistakeholder context. Even more importantly, this future research should consider the impacts of such initiatives as experienced by the civilian populations that these efforts are meant to protect. Finally, the recent trend of governments and intergovernmental organizations requiring ICOCA membership illustrates an interesting hybrid approach relying on both state regulation and the regulation and oversight capacities of the multistakeholder ICOCA as a means of filling some governance gaps, and may serve as a model for more governments and organizations to emulate. Taken together, these recommendations will help support the development and evolution of multistakeholder governance approaches to respond effectively to emerging governance challenges, while also helping to ensure that they will meet their human rights protection objectives.

# Annex: International Code of Conduct for Private Security Service Providers

### **9 November 2010**

#### **A. Preamble**

	- a) to operate in accordance with this Code;
	- b) to operate in accordance with applicable laws and regulations, and in accordance with relevant corporate standards of business conduct;
	- c) to operate in a manner that recognizes and supports the rule of law; respects human rights, and protects the interests of their clients;
	- d) to take steps to establish and maintain an effective internal governance framework in order to deter, monitor, report, and effectively address adverse impacts on human rights;
	- e) to provide a means for responding to and resolving allegations of activity that violates any applicable national or international law or this Code; and
	- f) to cooperate in good faith with national and international authorities exercising proper jurisdiction, in particular with regard to national and international investigations of violations of national and international criminal law, of violations of international humanitarian law, or of human rights abuses.
	- a) Establish objective and measurable standards for providing Security Services based upon this Code, with the objective of realizing common and internationally-recognized operational and business practice standards; and
	- b) Establish external independent mechanisms for effective governance and oversight, which will include Certification of Signatory Companies' compliance with the Code's principles and the standards derived from the Code, beginning with adequate policies and procedures, Auditing and Monitoring of their work in the field, including Reporting, and execution of a mechanism to address alleged violations of the Code's principles or the standards derived from the Code;

and thereafter to consider the development of additional principles and standards for related services, such as training of external forces, the provision of maritime security services and the participation in operations related to detainees and other protected persons.

8. Signature of this Code is the first step in a process towards full compliance. Signatory Companies need to: (1) establish and/or demonstrate internal processes to meet the requirements of the Code's principles and the standards derived from the Code; and (2) once the governance and oversight mechanism is established, become certified by and submit to ongoing independent Auditing and verification by that mechanism. Signatory Companies undertake to be transparent regarding their progress towards implementing the Code's principles and the standards derived from the Code. Companies will not claim they are certified under this Code until Certification has been granted by the governance and oversight mechanism as outlined below.

#### **B. Definitions**

These definitions are only intended to apply exclusively in the context of this Code.

**Auditing** – a process through which independent auditors, accredited by the governance and oversight mechanism, conduct on-site audits, including in the field, on a periodic basis, gathering data to be reported to the governance and oversight mechanism which will in turn verify whether a Company is meeting requirements and if not, what remediation may be required.

**Certification** – a process through which the governance and oversight mechanism will certify that a Company's systems and policies meet the Code's principles and the standards derived from the Code and that a Company is undergoing Monitoring, Auditing, and verification, including in the field, by the governance and oversight mechanism. Certification is one element of a larger effort needed to ensure the credibility of any Implementation and oversight initiative.

**Client** – an entity that hires, has formerly hired, or intends to hire a PSC to perform Security Services on its behalf, including, as appropriate, where such a PSC subcontracts with another Company.

**Company** – any kind of business entity or form, such as a sole proprietorship, partnership, company (whether public or private), or corporation, and "Companies" shall be interpreted accordingly.

**Competent Authority** – any state or intergovernmental organization which has jurisdiction over the activities and/or persons in question and "Competent Authorities" shall be interpreted accordingly.

**Complex Environments** – any areas experiencing or recovering from unrest or instability, whether due to natural disasters or armed conflicts, where the rule of law has been substantially undermined, and in which the capacity of the state authority to handle the situation is diminished, limited, or non-existent.

**Implementation** – the introduction of policy, governance and oversight mechanisms and training of Personnel and/or subcontractors by Signatory Companies, necessary to demonstrate compliance with the Code's principles and the standards derived from this Code.

**Monitoring** – a process for gathering data on whether Company Personnel, or subcontractors, are operating in compliance with the Code's principles and standards derived from this Code.

**Personnel** – persons working for a PSC, whether as employees or under a contract, including its staff, managers and directors. For the avoidance of doubt, persons are considered to be personnel if they are connected to a PSC through an employment contract (fixed term, permanent or open-ended) or a contract of assignment (whether renewable or not), or if they are independent contractors, or temporary workers and/or interns (whether paid or unpaid), regardless of the specific designation used by the Company concerned.

**Private Security Companies and Private Security Service Providers (collectively "PSCs")** – any Company (as defined in this Code) whose business activities include the provision of Security Services either on its own behalf or on behalf of another, irrespective of how such Company describes itself.

**Reporting** – a process covered by necessary confidentiality and nondisclosure arrangements through which companies will submit to a governance and oversight mechanism a written assessment of their performance pursuant to a transparent set of criteria established by the mechanism.

**Security Services** – guarding and protection of persons and objects, such as convoys, facilities, designated sites, property or other places (whether armed or unarmed), or any other activity for which the Personnel of Companies are required to carry or operate a weapon in the performance of their duties.

**Signatory Companies** – are PSCs that have signed and agreed to operate in compliance with the Code's principles and the standards derived from the Code and "Signatory Company" shall be interpreted accordingly.

#### **C. Implementation**


#### **D. General Provisions**


#### **E. General Commitments**


Code, applicable national or international law, or applicable local, regional and international human rights law, and are not excused by any contractual obligation from complying with this Code. To the maximum extent possible, Signatory Companies will interpret and perform contracts in a manner that is consistent with this Code.


the Competent Authorities in the country where the act took place, the country of nationality of the victim, or the country of nationality of the perpetrator.


### **F. Specific Principles Regarding the Conduct of Personnel**

#### *General Conduct*

28. Signatory Companies will, and will require their Personnel to, treat all persons humanely and with respect for their dignity and privacy and will report any breach of this Code.

#### *Rules for the Use of Force*

29. Signatory Companies will adopt Rules for the Use of Force consistent with applicable law and the minimum requirements contained in the section on Use of Force in this Code and agree those rules with the Client.

#### *Use of Force*


#### *Detention*

33. Signatory Companies will only, and will require their Personnel will only, guard, transport, or question detainees if: (a) the Company has been specifically contracted to do so by a state; and (b) its Personnel are trained in the applicable national and international law. Signatory Companies will, and will require that their Personnel, treat all detained persons humanely and consistent with their status and protections under applicable human rights law or international humanitarian law, including in particular prohibitions on torture or other cruel, inhuman or degrading treatment or punishment.

#### *Apprehending Persons*

34. Signatory Companies will, and will require their Personnel to, not take or hold any persons except when apprehending persons to defend themselves or others against an imminent threat of violence, or following an attack or crime committed by such persons against Company Personnel, or against clients or property under their protection, pending the handover of such detained persons to the Competent Authority at the earliest opportunity. Any such apprehension must be consistent with applicable national or international law and be reported to the Client without delay. Signatory Companies will, and will require that their Personnel to, treat all apprehended persons humanely and consistent with their status and protections under applicable human rights law or international humanitarian law, including in particular prohibitions on torture or other cruel, inhuman or degrading treatment or punishment.

#### *Prohibition of Torture or Other Cruel, Inhuman or Degrading Treatment or Punishment*


#### *Sexual Exploitation and Abuse or Gender-Based Violence*

38. Signatory Companies will not benefit from, nor allow their Personnel to engage in or benefit from, sexual exploitation (including, for these purposes, prostitution) and abuse or gender-based violence or crimes, either within the Company or externally, including rape, sexual harassment, or any other form of sexual abuse or violence. Signatory Companies will, and will require their Personnel to, remain vigilant for all instances of sexual or gender-based violence and, where discovered, report such instances to competent authorities.

#### *Human Trafficking*

39. Signatory Companies will not, and will require their Personnel not to, engage in trafficking in persons. Signatory Companies will, and will require their Personnel to, remain vigilant for all instances of trafficking in persons and, where discovered, report such instances to Competent Authorities. For the purposes of this Code, human trafficking is the recruitment, harbouring, transportation, provision, or obtaining of a person for (1) a commercial sex act induced by force, fraud, or coercion, or in which the person induced to perform such an act has not attained 18 years of age; or (2) labour or services, through the use of force, fraud, or coercion for the purpose of subjection to involuntary servitude, debt bondage, or slavery.

#### *Prohibition of Slavery and Forced Labour*

40. Signatory Companies will not use slavery, forced or compulsory labour, or be complicit in any other entity's use of such labour.

#### *Prohibition on the Worst Forms of Child Labour*

	- a) all forms of slavery or practices similar to slavery, such as the sale and trafficking of children, debt bondage and serfdom and forced or compulsory labour, including forced or compulsory recruitment of children for use in provision of armed services;

Signatory Companies will, and will require their Personnel to, report any instances of the activities referenced above that they know of, or have reasonable suspicion of, to Competent Authorities.

#### *Discrimination*

42. Signatory Companies will not, and will require that their Personnel do not, discriminate on grounds of race, colour, sex, religion, social origin, social status, indigenous status, disability, or sexual orientation when hiring Personnel and will select Personnel on the basis of the inherent requirements of the contract.

#### *Identification and Registering*


### **G. Specific Commitments Regarding Management and Governance**

#### *Incorporation of the Code into Company Policies*

44. Signatory Companies will incorporate this Code into Company policies and internal control and compliance systems and integrate it into all relevant elements of their operations.

#### *Selection and Vetting of Personnel*

	- a) been convicted of a crime that would indicate that the individual lacks the character and fitness to perform security services pursuant to the principles of this Code;
	- b) been dishonourably discharged;
	- c) had other employment or engagement contracts terminated for documented violations of one or more of the principles contained in this Code; or
	- d) had a history of other conduct that, according to an objectively reasonable standard, brings into question their fitness to carry a weapon.

For the purposes of this paragraph, disqualifying crimes may include, but are not limited to, battery, murder, arson, fraud, rape, sexual abuse, organized crime, bribery, corruption, perjury, torture, kidnapping, drug trafficking or trafficking in persons. This provision shall not override any law restricting whether a crime may be considered in evaluating an applicant. Nothing in this section would prohibit a Company from utilizing more stringent criteria.

49. Signatory Companies will require all applicants to authorize access to prior employment records and available Government records as a condition for employment or engagement. This includes records relating to posts held with the military, police or public or Private Security Providers. Moreover, Signatory Companies will, consistent with applicable national law, require all Personnel to agree to participate in internal investigations and disciplinary procedures as well as in any public investigations conducted by competent authorities, except where prohibited by law.

#### *Selection and Vetting of Subcontractors*


#### *Company Policies and Personnel Contracts*


#### *Training of Personnel*

55. Signatory Companies will ensure that all Personnel performing Security Services receive initial and recurrent professional training and are also fully aware of this Code and all applicable international and relevant national laws, including those pertaining to international human rights, international humanitarian law, international criminal law and other relevant criminal law. Signatory Companies will maintain records adequate to demonstrate attendance and results from all professional training sessions, including from practical exercises.

#### *Management of Weapons*

	- a) secure storage;
	- b) controls over their issue;
	- c) records regarding to whom and when weapons are issued;
	- d) identification and accounting of all ammunition; and
	- e) verifiable and proper disposal.

#### *Weapons Training*


this Code and the UN Basic Principles on the Use of Force and Firearms by Law Enforcement Officials (1990), and national laws or regulations in effect in the area duties will be performed.

#### *Management of Materiel of War*

	- a) secure storage;
	- b) controls over their issue;
	- c) records regarding to whom and when materials are issued; and
	- d) proper disposal procedures.

#### *Incident Reporting*

63. Signatory Companies will prepare an incident report documenting any incident involving its Personnel that involves the use of any weapon, which includes the firing of weapons under any circumstance (except authorized training), any escalation of force, damage to equipment or injury to persons, attacks, criminal acts, traffic accidents, incidents involving other security forces, or such reporting as otherwise required by the Client, and will conduct an internal inquiry in order to determine the following:

	- a) time and location of the incident;
	- b) identity and nationality of any persons involved including their addresses and other contact details;
	- c) injuries/damage sustained;
	- d) circumstances leading up to the incident; and
	- e) any measures taken by the Signatory Company in response to it.

Upon completion of the inquiry, the Signatory Company will produce in writing an incident report including the above information, copies of which will be provided to the Client and, to the extent required by law, to the Competent Authorities.

#### *Safe and Healthy Working Environment*

	- a) assessing risks of injury to Personnel as well as the risks to the local population generated by the activities of Signatory Companies and/or Personnel;
	- b) providing hostile environment training;
	- c) providing adequate protective equipment, appropriate weapons and ammunition, and medical support; and
	- d) adopting policies which support a safe and healthy working environment within the Company, such as policies which address psychological health, deter work-place violence, misconduct, alcohol and drug abuse, sexual harassment and other improper behaviour.

#### *Harassment*

65. Signatory Companies will not tolerate harassment and abuse of co-workers by their Personnel.

#### *Grievance Procedures*


68. No provision in this Code should be interpreted as replacing any contractual requirements or specific Company policies or procedures for reporting wrongdoing.

#### *Meeting Liabilities*

69. Signatory Companies will ensure that they have sufficient financial capacity in place at all times to meet reasonably anticipated commercial liabilities for damages to any person in respect of personal injury, death or damage to property. Sufficient financial capacity may be met by customer commitments, adequate insurance coverage, (such as by employer's liability and public liability coverage appropriately sized for the scale and scope of operations of the Signatory Company) or self insurance/retention. Where it is not possible to obtain suitable insurance cover, the Signatory Company will make alternative arrangements to ensure that it is able to meet such liabilities.

#### **H. Review**

70. The Swiss Government will maintain a public list of Signatory Companies and convene an initial review conference with a view to reviewing the Code after governance and oversight mechanisms (as referenced in the Preamble and Section C "Implementation" to this Code) are developed.

# Annex: International Code of Conduct Association Articles of Association

#### **Article 1: Name and Registered Office**


#### **Article 2: Purpose**


the responsible provision of security services and respect for human rights and national and international law in accordance with the Code.

2.3 The Association may engage in all activities and take all actions necessary and appropriate to carry out this purpose in accordance with these Articles.

#### **Article 3: Membership**


Montreux Document and the Code, including the development of their domestic regulatory framework for PSC activities, and to promote compliance with the ICoC in their contracting practices and policies.


#### **Article 4: Liability**

4.1 The Association's financial obligations shall be satisfied only from its assets. Members of the Association shall not be personally liable for any acts, omissions, obligations or debts of the Association. The Association shall adopt appropriate procedures to address the indemnification of Members of the Board of Directors, Secretariat and the Executive Director.

#### **Article 5: Association Bodies**

5.1 The bodies of the Association are: the General Assembly; the Board of Directors; the Secretariat operating under the supervision of an Executive Director; and such other bodies that may be established pursuant to these Articles.

#### **Article 6: General Assembly**


6.4.8 Complaints Process Procedures.


#### **Article 7: Board of Directors**


the stakeholder pillar he or she represents. Board Directors shall be selected in accordance with the requirements set forth in this Article and under nomination procedures to be established by each stakeholder pillar. Directors shall be selected with regard for the need for a high level of competency, commitment to participation, and diversity of experiences, insights and perspectives related to the Purpose of the Association. The Board shall maintain a record of the nomination procedures adopted by each stakeholder pillar. Election and dismissal of Board Directors shall be approved by the General Assembly in accordance with Article 6.5.


7.8 Board Directors shall act on an unpaid basis and be entitled only to the compensation of their effective costs and travelling expenses.

#### **Article 8: Powers of the Board of Directors**


#### **Article 9: Executive Director and Secretariat**


#### **Article 10: Advisory Forum of Montreux Document Participants**

10.1 An Advisory Forum of Montreux Document Participants shall be established. The Forum will be open to all Montreux Document Participants irrespective of their membership status in the Association and will be available as a resource to the Board. The purpose of this body is to provide advice to the Association on national and international policy and regulatory matters.

#### **Article 11: Certification**


#### **Article 12: Reporting, Monitoring and Assessing Performance**


#### **Article 13: Complaints Process**


corrective action, including the suitability of the complaint being referred to another, identified fair and accessible grievance procedure that may offer an effective remedy.


#### **Article 14: Finances**


14.5 The Association shall not normally be responsible for the costs of Board Directors fulfilling their duties nor make payment for fulfilling duties as a Board Director.

#### **Article 15: Formation and Dissolution**


#### **Notes**


However, the seeming impunity for those actors who were involved in incidents made the lack of an effective oversight and governance regime apparent.



<sup>26</sup> Ibid.

directly or indirectly participate in any manner in the initiation, causing or further of (i) an armed conflict, or (ii) a coup d'état, uprising or rebellion against any government; or (iii) directly or indirectly perform any act aimed at overthrowing a government or undermining the constitutional order, sovereignty or territorial integrity of a state". The 2006 law also includes a list of "security services", as distinct from mercenary activity, which may be performed with approval from the South African National Conventional Arms Control Committee.


their additional protocols of 1977. Of note, the convention adds a definition of "third states", being states whose nationals are employed to work for a PMSC. These third states were not explicitly recognized in the Montreux Document, but despite adding the definition there is no other indication in the draft as to what the rights or obligations of these third states would be.



<sup>105</sup> Ibid.

ing to an approach that a finding of non-conformity with the code could impact a company's standing within the association regardless of where the services are provided. This is probably influenced by the decision in the ANSI PSC.1 standard and the upcoming ISO standard to drop the notion of "complex environments", instead favouring "applicability in all situations".


or may not accept. The membership requirements for CSOs as adopted by the board and confirmed by the general assembly can be found in "Requirements for association membership", www.icoca.ch/en/resources?keywords=Requirements%20for%20Association%20Membership&form\_id=\_search\_for\_resources\_filter\_form.

	- revenue less than US\$9 billion = \$35,000 annual membership dues
	- revenue more than US\$9 billion = \$45,000 annual membership dues
	- new members must pay a one-time application fee of \$5,000.

#### **Towards an International Code of Conduct for Private Security Providers: A View from Inside a Multistakeholder Process**

Anne-Marie Buzatu

The use of private security companies (PSCs) to provide security services has been on the rise since the end of the Cold War, with PSCs operating in a number of contexts, including armed conflict and areas where the rule of law has been compromised. The use of private actors to perform services that are traditionally associated with the state is not limited to PSCs, but is emblematic of a growing trend by governments to outsource functions with a view to improving efficiency and cutting budgets. Privatization of public functions can, however, present a number of challenges to existing national and international regulatory and oversight frameworks. In the private security sector these challenges were brought to international attention after high-profile incidents in which PSCs injured civilians revealed difficulties in effectively holding international PSCs accountable. This paper argues that crafting a multistakeholder regulatory approach in which key stakeholders work together to develop standards that are appropriately adapted for the private sector, as well as to create governance and oversight mechanisms to hold these private actors to effective account, helps to fill some of the governance gaps found in traditional regulatory approaches. It recounts the developments leading to the International Code of Conduct for Private Security Service Providers (ICOC) and its governance and oversight mechanism, the ICOC Association, offering an example of the development of an initiative which sets new international standards and elaborates a multistakeholder framework and approach to governance for the private security sector. A recent trend of state and non-state clients requiring compliance with the ICOC initiative in their contracts with PSCs offers a new take on binding international regulation of private actors.

**Anne-Marie Buzatu** is deputy head of the Public-Private Partnerships Division at the Geneva Centre for the Democratic Control of Armed Forces (DCAF). Working under a mandate of the Swiss government, she led DCAF's work to support the elaboration of the International Code of Conduct for Private Security Service Providers from January 2009 to November 2010. She subsequently led the development of the ICOC Association, a multistakeholder governance and oversight mechanism for the ICOC, which began operations in September 2013. Current projects include working with the International Committee of the Red Cross to develop guidance related to security sector governance and reform for multinational companies, as well as supporting better governance approaches for internet/cyber security.
