³ On the human rights impacts of PSCs see, e.g., http://shockmonitor.org/

⁴ Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy’ Framework, HR/PUB/11/04 (2011).

⁵ See, e.g., the Commentary to UNGP 17, ‘Human rights due diligence can be included within broader enterprise risk management systems, provided that it goes beyond simply identifying and managing material risks to the company itself, to include risks to rights-holders’ and the commentary to UNGP 18, ‘While processes for assessing human rights impacts can be incorporated within other processes such as risk assessments or environmental and social impact assessments, they should include all internationally recognized human rights as a reference point, since enterprises may potentially impact virtually any of these rights’.

⁶ Checkel, Jeffrey T, ‘The Constructivist Turn in International Relations Theory’ (1998) 50:2 World Politics 324 CrossRefGoogle Scholar .

⁷ See, e.g., Brunnée, Jutta and Toope, Stephen J, ‘Constructivism and International Law’ in Jeffrey L Dunoff and Mark A Pollack (eds), Interdisciplinary Perspectives on International Law and International Relations: The State of the Art (Cambridge: Cambridge University Press, 2012) 119 CrossRefGoogle Scholar . See also dos Reis, Filipe and Kessler, Oliver, ‘Constructivism and the Politics of International Law’ in Anne Orford and Florian Hoffmann (eds), The Oxford Handbook of the Theory of International Law (Oxford: Oxford University Press, 2016)Google Scholar .

⁸ Kollman, Kelly, ‘The Regulatory Power of Business Norms: A Call for a New Research Agenda’ (2008) 10:3 International Studies Review 397 CrossRefGoogle Scholar . See also Hofferberth, Matthias, Brühl, Tanja, Burkart, Eric, Fey, Marco and Peltner, Anne, ‘Multinational Enterprises as “Social Actors”. Constructivist Explanations for Corporate Social Responsibility’ (2011) 25:2 Global Society 205 CrossRefGoogle Scholar .

⁹ Risse, Thomas, Ropp, Stephen and Sikkink, Kathryn (eds), The Persistent Power of Human Rights: From Commitment to Compliance (Cambridge: Cambridge University Press, 2013)CrossRefGoogle Scholar .

¹⁰ For example, see Nicole Deitelhof and Klaus Dieter Wolf, ‘Business and Human Rights: How Corporate Norm Violators become Norm Entrepreneurs’ in Thomas Risse et al (eds), The Persistent Power of Human Rights: From Commitment to Compliance (Cambridge: Cambridge University Press, 2013) 222. See also Flohr, Annegret, Rieth, Lothar, Schwindenhammer, Sandra and Dieter Wolf, Klaus, The Role of Business in Global Governance. Corporations as Norm Entrepreneurs (Houndsmills: Palgrave Macmillan, 2010)CrossRefGoogle Scholar .

¹¹ For example, see Kollman, note 8.

¹² Hofferberth, Matthias and Weber, Christian, ‘Lost in Translation: a Critique of Constructivist Norm Research’ (2015) 18:1 Journal of International Relations and Development 75 CrossRefGoogle Scholar . See also Hofferberth, Matthias, ‘Introduction: Studying Corporate Agency in Global Governance’ in Matthias Hofferberth (ed), Corporate Actors in Global Governance (Lynne Rienner, forthcoming)Google Scholar .

¹³ Finnemore, Martha and Sikkink, Kathryn, ‘International Norm Dynamics and Political Change’ (1998) 52:4 International Organization 887 CrossRefGoogle Scholar .

¹⁴ Thomas Risse and Kathryn Sikkink, ‘The Socialization of International Human Rights Norms into Domestic Practices: Introduction’ in Thomas Risse et al (eds), The Power of Human Rights: International Norms and Domestic Change (Cambridge: Cambridge University Press, 1999) 1.

¹⁵ Deitelhof and Wolf, note 10.

¹⁶ MacLeod, Sorcha, ‘Private Security Companies and Shared Responsibility: The Turn to Multistakeholder Standard-Setting and Monitoring through Self-Regulation-“Plus”’ (2015) 62 Netherlands International Law Review 119, 132 CrossRefGoogle Scholar .

¹⁷ Acheson, Aileen, ‘Socially Responsible Security Providers? Analysing Norm Internalisation Among Private Security Providers’, in Joakim Berndtsson and Christopher Kinsey (eds), The Routledge Resource Companion to Security Outsourcing (New York, NY: Routledge, 2016) 148 Google Scholar .

¹⁸ Sorcha MacLeod, 2014–15, ‘Socialisation and Internalisation of Human Rights in Private Security Companies’ (data on file with author). For example, the research disclosed that industry participants diverged substantially on their understanding of the concept of ‘external stakeholders’ in a business and human rights context and many excluded local communities from their definition. This means that many HRRIA undertaken by these PSCs would be inherently flawed because they would not address human rights impacts on all relevant stakeholders.

¹⁹ Hofferberth et al, note 8.

²⁰ See, e.g., De Nevers, Renee, ‘(Self)-Regulating War? Voluntary Regulation and the Private Security Industry’ (2009) 18 Security Studies 479 CrossRefGoogle Scholar . See also Nils Rosemann, Code of Conduct: Tool for Self-Regulation for Private Military and Security Companies (Geneva: DCAF Occasional Paper No. 15, 2008).

²¹ De Nevers, ibid.

²² Rosemann, note 20, 9.

²³ Hofferberth, note 12. See also DeWinter-Schmitt, Rebecca, ‘Managing Undesirable and Disruptive Events: Private Security Companies in Complex Environments’ in Matthias Hofferberth (ed), Corporate Actors in Global Governance (Lynne Rienner, forthcoming)Google Scholar .

²⁴ Ibid.

²⁵ Hofferberth et al, note 8.

²⁶ Finnemore and Sikkink, note 13.

²⁷ Sunstein, Cass, ‘Social Norms and Social Roles’ (1996) 96 Columbia Law Review 903 CrossRefGoogle Scholar .

²⁸ Jackson, Patrick, ‘Hegel’s House, or “People are States too”’ (2004) 30:2 Review of International Studies 281 CrossRefGoogle Scholar . See also Hofferberth and Weber, note 12.

²⁹ Hofferberth and Weber, ibid.

³⁰ Ibid, 85–86.

³¹ Deitelhof and Wolf, note 10, 232.

³² For example, definition of external stakeholders, see note 18.

³³ Kollman, note 8.

³⁴ DeWinter-Schmitt, note 23. See also Fasterling, Björn, ‘Human Rights Due Diligence as Risk Management: Social Risk Versus Human Rights Risk’ (2017) 2 Business and Human Rights Journal 225 CrossRefGoogle Scholar .

³⁵ ICoC, paras 21 and 22.

³⁶ MacLeod, note 18. PSC respondents’ understanding of human rights focuses disproportionately on those rights outlined in the ICoC, particularly on labour rights, to the exclusion of a broader human rights awareness and grasp.

³⁷ John Boatwright, ‘The Ethics of Risk Management in the Information Age’ (Bentley University Center for Business Ethics, 2010), http://www.bentley.edu/sites/www.bentley.edu.centers/files/centers/cbe/boatright-monograph.pdf (accessed 3 October 2018).

³⁸ DeWinter-Schmitt, note 23.

³⁹ See, e.g., Berndtsson, Joakim and Kinsey, Christopher (eds), The Routledge Resource Companion to Security Outsourcing (New York, NY: Routledge, 2016) Part I, 7–62 Google Scholar .

⁴⁰ See, e.g., Frost, Mervyn, ‘Regulating Anarchy: The Ethics of PMCs in Global Civil Society’ in Andrew Alexandra, Deane-Peter Baker and Marina Caparini (eds), Private Military and Security Companies: Ethic, Policies and Civil-Military Relations (London: Routledge, 2008) 43 Google Scholar . Immunity was granted to US government contractors by Coalition Provisional Authority Order Number 17 Status of the Coalition, Foreign Liaison Missions, their Personnel and Contractors, http://www.usace.army.mil/Portals/2/docs/COALITION_PROVISIONAL.pdf (accessed 28 April 2018).

⁴¹ See the most well known examples, e.g., the Blackwater Nisour Square Massacre, where the ongoing criminal proceedings against Blackwater employees have been in disarray with a saga of appeals, convictions being overturned and sentences reviewed. Johanna Walters, ‘Supreme Court Rejects Appeal from Blackwater Guards Convicted of Killing Iraqi Civilians,’ The Guardian (14 May 2018), https://www.theguardian.com/us-news/2018/may/14/blackwater-supreme-court-appeals-rejected-iraq. See also Spencer S Hsu, ‘Murder Conviction in Blackwater Case Thrown Out, Other Sentences Overturned,’ Washington Post (4 August 2017), https://www.washingtonpost.com/local/public-safety/murder-conviction-in-blackwater-case-thrown-out-other-sentences-overturned/2017/08/04/a14f275c-792e-11e7-9eac-d56bd5568db8_story.html?noredirect=on&utm_term=.41cf9d92425a (accessed 27 April 2018). Legal claims relating to Titan’s provision of translation services for interrogators at Abu Ghraib Prison were settled in 2013. John H Cushman Jr, ‘Contractor Settles Case in Iraq Prison Abuse,’ New York Times (8 January 2013), http://www.nytimes.com/2013/01/09/world/middleeast/contractor-settles-case-in-iraq-prison-abuse.html (accessed 27 April 2018). Allegations against CACI involvement with torture or cruel, degrading and inhumane treatment, also at Abu Ghraib Prison where the legal proceedings are ongoing. Rachel Weiner, ‘A Suit over Abu Ghraib Getting to “What Actually Happened”’, Washington Post (22 September 2017), https://www.washingtonpost.com/local/public-safety/abu-ghraib-contractor-treatment-deplorable-but-not-torture/2017/09/22/4efc16f4-9e3b-11e7-9083-fbfddf6804c2_story.html?utm_term=.bf8a9b0faa4c&noredirect=on (accessed 27 April 2018).

⁴² UNGPs, note 3.

⁴³ Anne-Marie Buzatu, ‘Towards an International Code of Conduct for Private Security Providers: A View from Inside a Multi-stakeholder Process’ (Geneva: DCAF SSR Paper 12, 2015) 28, https://icoca.ch/sites/default/files/resources/DCAF-SSR-12.pdf (accessed 28 April 2018).

⁴⁴ Montreux Document on Pertinent Legal Obligations and Good Practices for States Related to Operations of Private Military and Security Companies During Armed Conflict, http://www.mdforum.ch/en/montreux-document (accessed 28 April 2018). For a discussion of the multi-stakeholder process, see Cockayne, James, ‘Regulating Private Military and Security Companies: The Content, Negotiation, Weaknesses and Promise of the Montreux Document’ (2008) 13:3 Journal of Conflict and Security Law 401 CrossRefGoogle Scholar .

⁴⁵ Montreux Document Forum, http://www.mdforum.ch/en/participants (accessed 28 April 2018).

⁴⁶ Buzatu, note 43, 28–35.

⁴⁷ Nyon Declaration, https://www.humanrights.ch/upload/pdf/090617_Nyon_Declaration.pdf (accessed 22 May 2018).

⁴⁸ International Code of Conduct for Private Security Service Providers, https://www.icoca.ch/en/the_icoc (accessed 3 October 2018).

⁴⁹ Ibid, ICoC Definitions.

⁵⁰ The issue of scope generated many fraught discussions during the drafting of the Code with a clear rift between civil society’s preferred broad approach and the industry’s desire to limit the application of the Code. Ultimately the industry prevailed, although discussions regarding which geographies warrant designation as complex environments are ongoing.

⁵¹ ICoC, note 48, paras 2 and 3.

⁵² Ibid, paras 21, 22, 29–42.

⁵³ Ibid, paras 45–64.

⁵⁴ Ibid, paras 66–68.

⁵⁵ ICoCA Articles of Association, arts 11 and 12, https://www.icoca.ch/sites/default/files/resources/Articles%20of%20Association.pdf (accessed 3 October 2018).

⁵⁶ Ibid, art 12.2.7.

⁵⁷ The UKAS accredited Certification Bodies are IQ Verify, Intertek and MSS Global: http://www.ukas.com/browse-accredited-organisations/?org_cat=440&parent=Certification%20Bodies&type_id=11 (accessed 27 May 2018).

⁵⁸ ANSI/ASIS PSC.1 and ISO 18788 apply to land-based security while ISO 28007 applies to maritime security. This article focuses on the former.

⁵⁹ ANSI/ASIS PSC.1 Additional Requirements: https://icoca.ch/sites/default/files/uploads/Annex%20B-%28Additional-Requirements%29-to-Recognition-Statement-for-PSC1.pdf (accessed 28 May 2018). See also ISO 18788 Additional Requirements: https://icoca.ch/sites/default/files/uploads/ICoCA-Recognition-Statement-ISO-18788_Annex%20B.pdf (accessed 28 May 2018).

⁶⁰ Lichterman, Paul, ‘Seeing Structure Happen: Theory-Driven Participant Observation’ in Bert Klandermans and Suzanne Staggenborg (eds), Methods of Social Movement Research (Minneapolis: University of Minnesota Press, 2002) 120, 138 Google Scholar .

⁶¹ MacLeod’s data and observations gathered during: (1) UK Foreign and Commonwealth Office’s ANSI/ASIS PSC.1 Pilot Scheme where she acted as Human Rights Technical Expert (2015) (on file with author); (2) research project: ‘Socialisation and Internalisation of Human Rights in Private Security Companies’. See note 18.

⁶² The 2014 research project resulted in an unpublished manuscript, co-authored with Heather Elms: ‘Transnational Business Governance in the Private Security Industry: The Proliferation, Dynamic Interaction, and Evolution of Self-Regulatory Initiatives’. The 2017 interviews provided data for DeWinter-Schmitt, note 23.

⁶³ David Sebstead, ‘Certifying Responsible Private Security Companies: Assessing the Implementation of Transparency and Disclosure Provisions’ (2016) Washington College of Law Human Rights Brief, http://hrbrief.org/2016/05/certifying-responsible-private-security-companies-assessing-implementation-transparency-disclosure-provisions/ (accessed 2 October 2018).

⁶⁴ MacLeod, note 16.

⁶⁵ Behnam, Michael and MacLean, Tammy, ‘Where is the Accountability in International Accountability Standards? A Decoupling Perspective’ (2011) 21 Business Ethics Quarterly 45 CrossRefGoogle Scholar .

⁶⁶ DeWinter-Schmitt, Rebecca, ‘Transnational Business Governance Through Standards and Codes of Conduct’ in Rita Abrahamsen and Ana Leander (eds), Routledge Handbook of Private Security Studies (New York: Routledge, 2016) 258 Google Scholar .

⁶⁷ For more on the background to the standards, see Rebecca DeWinter-Schmitt, ‘Commentary: A New Twist to Management Standards, Bringing in Human Rights, Private Security Monitor (Summer 2014)’, http://psm.du.edu/commentary/ (accessed 28 May 2018).

⁶⁸ To date, ANAB has not accredited any CBs.

⁶⁹ Intertek, MSS Global and IQ Verify. All of the companies that are certified by the ICoCA have been audited by either MSS Global or Intertek but the certifications are not restricted to UK PSCs. All but two of ICoCA certified PSCs are non-UK registered companies.

⁷⁰ http://www.iaf.nu/ (accessed 19 April 2018).

⁷¹ https://icoca.ch/sites/default/files/resources/ICoCA-Procedures-Article-11-Certification.pdf (accessed 19 April 2018).

⁷² https://www.sceguk.org.uk/accredited-certification-psc1-and-iso-28007/ (accessed 28 May 2018).

⁷³ For example, of 35 participating companies, in MacLeod’s 2014–15 research project ‘Socialisation and Internalisation of Human Rights in Private Security Companies’, note 18, only four were certified to ANSI/ASIS PSC.1.

⁷⁴ The ICoCA certified companies (as of 2 October 2018) are: Academi (now part of Constellis Holdings) (US), Al Hurea Security Services (Iraq), Britam Defense (part of Janus) (UK), Chenega Security and Support Solutions (Chenega Solutions 3) (US), Erinys Iraq (Iraq), Erys Group (France), GardaWorld (UAE), Hart (Cyprus), Janus Global Operations (US), Olive Group (now part of Constellis Holdings) (UK), Reed International (US), Scandanavian Risk Solutions (Sweden), SOC (US), Somali Risk Management (Somalia), Triple Canopy (now part of Constellis Holdings) (US) and Vesper Group (Sweden). ICoCA industry membership data: https://www.icoca.ch/en/membership?private_security_companies=companies&op=Search&view_type=list&form_id=_search_for_members_filter_form (accessed 30 September 2018). In an indication of the shifting nature of the industry, three companies which previously held ICoCA certification are no longer ICoCA certified: (1) Chenega Patriot Group LLC which no longer exists as a company; (2) Security and Management Services (part of the Pathfinder Group), which is no longer a member of the ICoCA, and (3) Aegis Defence Services, which is now part of GardaWorld.

⁷⁵ DeWinter-Schmitt, Rebecca, ‘International Soft Law Initiatives: The Opportunities and Limitations of the Montreux Document, ICoC, and Security Operations Management System Standards’ in Helena Torroja (ed), Public International Law and Human Rights Violations by Private Military and Security Companies (Cham, Switzerland: Springer, 2017) 105 CrossRefGoogle Scholar . See also DeWinter-Schmitt, note 23. Although already involved in the process to create the ICoCA, the DoD simultaneously funded the development of ANSI/ASIS PSC.1 before negotiations over the ICoCA’s Articles of Association, which included a certification procedure, were completed.

⁷⁶ ICoCA Articles of Association, note 55.

⁷⁷ ANSI/ASIS PSC.1 does not require that the certificate with scope be made publicly available, and ISO 18788 only states that the ‘scope shall be available as documented information’ (clause 4.3). Nevertheless, publishing the audit certificate with an exact geographical scope is an essential human rights element because without that information any party interested in a PSC’s norm compliance (e.g., clients, affected rights-holders, civil society) will have no basis for gauging its expectations.

⁷⁸ Expired certificate.

⁷⁹ Under ANSI/ASIS PSC.1 clause 6.3c), the Statement of Conformance shall be ‘available to stakeholders’ and under ISO 18788 clause 5.1b the Statement shall be ‘publicly available’. The Statement of Conformance is akin to the UNGPs provision under UNGP 16 that companies make a publicly available policy commitment to respect human rights.

⁸⁰ An essential component of human rights due diligence as detailed in the UNGPs is a process to assess actual and potential human rights impacts, see, e.g., UNGP 17. The ICoC requires as part of its gap analysis that member PSCs undertake a HRRIA. ANSI/ASIS PSC.1 under clause 7.2 requires that human rights considerations be part of the risk assessment process and under clause 7.2.1 requires that a process for communication and consultation with external stakeholders be part of the risk assessment process. ISO 18788 makes explicit reference under clause 6.1.1 to the need to undertake a human rights risk analysis and under 6.1.3d that risks and their treatments be communicated with appropriate stakeholders. While the terminology used by the ICoCA and the standards varies slightly – e.g., human rights risk analysis (the standards), human rights risk and impact assessment (ICoCA recognition of ANSI/ASIS PSC.1), and human rights risk assessment (ICoCA recognition of ISO 18788) – in practice these terms are used interchangeably.

⁸¹ Under ANSI/ASIS PSC.1 clause 9.5.7 a PSC shall establish grievance procedures and communicate those to external (and internal) stakeholders to facilitate reporting of non-conformances. ISO 18788 has similar requirements under clause 8.8.3 but also requires under clause 7.4.4 that grievance procedures be publicly available on a website.

⁸² Sebstead, note 63. Sebstead’s research included PSCs that are not yet ICoCA certified so while there is some overlap between the companies mapped it is not an exact overlap.

⁸³ MacLeod, note 18. The four ANSI/ASIS PSC.1 certified respondents provided detailed accounts when asked to explain their understanding of the term ‘external stakeholders’. Of these responses, customers, communities and governments were mentioned most frequently, but ‘NGOs’, ‘suppliers’, ‘investors’ and the ‘media’ were also referred to. That said, two of the four responses also made reference to ‘shareholders’ and ‘investors’ as ‘external stakeholders’.

⁸⁴ Ibid.

⁸⁵ Hofferberth and Weber, note 12.

⁸⁶ Commentary to UNGP 14, note 4.

⁸⁷ ICoCA Articles of Association, art 12, note 55.