I. Introduction
The key purpose of this article is to critically assess the extent to which auditing and certification to quality assurance and risk management standards containing human rights-related requirements are an adequate and effective means of ensuring that private security companies (PSCs) internalize their responsibility to respect human rights.
It is well known that PSCs have been involved in human rights abuses in numerous contexts around the world.Footnote 3 As a result, soft law initiatives have developed via multi-stakeholder processes in response to those abuses, in particular:
(1) the International Code of Conduct for Private Security Service Providers (ICoC);
(2) the International Code of Conduct Association (ICoCA), which is the organization tasked with monitoring and oversight of the ICoC; and
(3) auditable management system standards ANSI/ASIS PSC.1-2012: Management System for Quality of Private Security Company Operations – Requirements with Guidance (ANSI/ASIS PSC.1) and ISO 18788-2015: Management System for Private Security Operations – Requirements with Guidance for Use (ISO 18788).
This article concludes that there are substantial problems with ensuring that the implementation of these soft law initiatives and auditable standards fits within the larger international consensus on the corporate responsibility to respect human rights as laid out in the UN Guiding Principles on Business and Human Rights (UNGPs).Footnote 4
The corporate responsibility to respect human rights as conceptualized in the UNGPs expects companies to integrate their responsibility to respect human rights into their core corporate policies and processes with the ultimate goal being to create a shift in corporate culture through what constructivists refer to as norm internalization. This is to be achieved through the creation of (1) a corporate human rights policy; (2) a human rights due diligence process; and (3) an internal grievance mechanism. Norm internalization has long been held as the route to a human rights-respecting corporate culture and is implicitly embedded in the UNGPs. A risk management approach to the corporate responsibility to respect human rights is explicitly anticipated by the UNGPsFootnote 5 and is regarded by many security industry stakeholders as a practical way to achieve norm internalization because: (1) the concept of risk management resonates with and is familiar to PSCs; (2) it builds on the so-called ‘business case’ for respecting human rights; and (3) it can be integrated into existing management systems within a company.
ANSI/ASIS PSC.1 and ISO 18788 for private security providers are significant because they are the first third-party auditable management system standards with human rights at their core. Furthermore, they centre adverse human rights impacts as ‘risks’ that require active management by a PSC. On the face of it, this approach seems to be a feasible way to ensure that human rights are adequately and effectively integrated into the fabric of a PSC. But is that really the case? Can auditing and certification change corporate cultures in PSCs in relation to human rights? How effectively can the multi-stakeholder ICoCA oversee the privatized audit and certification mechanisms and processes utilized by the security industry?
This article explains how this complex process of supposed norm internalization, as described in the constructivist literature discussed below, via an interlocking web of soft law initiatives, is envisaged to work for PSCs and concludes that in practice flaws and weaknesses are rife.
To that end, it will firstly explain how the ICoC, ICoCA, ANSI/ASIS PSC.1 and ISO 18788 were developed with stakeholder input from states, industry, civil society and observers (the last of which includes the authors). It will consider whether the human rights requirements of these standards conform to the UNGPs.
Secondly, it describes how National Accreditation Bodies (NABs) with responsibility for accrediting certification bodies (CBs) developed accreditation rules and/or guidance, and how those CBs are accredited to certify PSCs to management standards. Questions arise as to whether NABs and CBs and their auditors have the necessary human rights competencies. It makes recommendations on how to address some of these concerns.
Thirdly, it sets out how PSCs are audited and certified and, by using qualitative data gathered by the authors as well as publicly available data, determines that even the most highly appraised PSCs are not adhering to many of the human rights requirements of the auditable standards, or the UNGPs, adequately and effectively. In particular it demonstrates that there are shortcomings inherent in using certification of risk management systems to ensure the corporate responsibility to respect human rights when they are based on audits that reflect a contractual relationship between two private parties. Using certification to ensure corporate responsibility to respect human rights is not inherently problematic but there are certainly measures that can be adopted to improve the independence and accountability of the certification process to ensure greater human rights adherence.
Finally, the article explains and assesses the role of the ICoCA, as a multi-stakeholder initiative (MSI), which is intended to provide an added layer of human rights oversight. It is shown that the ICoCA’s marriage of certification to commercial risk management systems with a multi-stakeholder approach to corporate governance and human rights is currently of limited effectiveness in ensuring that PSCs meet their corporate responsibility to respect human rights, precisely because it is an MSI whose core procedures reflect negotiated compromises. Nevertheless, the article offers suggestions as to how the ICoCA could strengthen its monitoring and oversight of its member PSCs and foster their human rights norm compliance.
The paper concludes that while it can be demonstrated that there have been some positive improvements in PSC understanding and implementation of processes to respect human rights, there are numerous and serious concerns about the credibility and effectiveness of auditing and certification as human rights norm internalization tools. The ICoCA needs to use its influence and leverage to ensure better certification as certification to standards is increasingly becoming embedded in states’ procurement requirements or policies and is therefore unlikely to go away soon. Moreover, if states rely in part on the ICoCA to meet their obligation to ensure that PSCs respect human rights, then they must also make certain that the ICoCA is in fact empowered to perform effective oversight. The ICoCA needs to return to its fundamental mission of serving as a governance and oversight mechanism assessing the human rights performance of PSCs against human rights norms.
II. The Promise of a Management System Approach to the Business Responsibility to Respect
As constructivism plays an increasingly important role in International Relations theory,Footnote 6 and in other fields such as Law,Footnote 7 growing attention is being paid to the regulative and constitutive effects of norms on State behaviour. Until recently, however, the effects of norms on the behaviour of transnational business actors were relatively neglected in the constructivist literature, in part because business actors were narrowly viewed as instrumental actors driven by a logic of consequences to fulfil a singular motive of profit maximization.Footnote 8 Efforts to engage in what would appear to be normatively driven business practices, such as corporate social responsibility and philanthropic initiatives, were explained as merely a matter of corporate cost–benefit calculations of whether doing good was also financially beneficial.
Now a subset of this literature is addressing non-state actors,Footnote 9 in particular business actors. Studies have specifically examined the role of corporations as norm entrepreneursFootnote 10 and as norm implementers, with the latter focused on exploring processes of norm internalization as companies move from norm commitment to norm compliance.Footnote 11 Others have sought to open up the ‘black box’ of the corporation by elaborating on the socially constructed nature of corporate identity and interests, viewing corporations as socially situated actors responding to the norms and other institutions in which they are embedded while simultaneously engaging in creative acts to interpret and fit norms to their practices.Footnote 12
Whether applying, adapting or critiquing the constructivist literature, these authors are all indebted to two seminal models of norm diffusion: Finnemore and Sikkink’s ‘norm life cycle’Footnote 13 and Risse and Sikkink’s ‘spiral model.’Footnote 14 Both models describe various steps in the development and spread of norms from their creation to full uptake and adherence by the relevant actors, in this case PSCs. This article focuses on the final stage of those models, i.e., what Finnemore and Sikkink call ‘norm internalization,’ a situation where norms are no longer disputed and are taken for granted by the relevant actors, and what Risse and Sikkink term ‘norm institutionalization and habituation,’ the point where norm consistent behaviour is considered the normal course of action.
As stated in the Introduction to this paper, this final stage of norm internalization is of scientific interest in helping to identify whether certification to the ICoC and ANSI/ASIS PSC.1 and/or ISO 18788 standards can ensure that a PSC demonstrates norm compliance through rule consistent behaviour. In other words, do certified PSCs fully adhere to the norm of the corporate responsibility to respect human rights? This approach does not seek to explain the process by which a PSC gets to that final stage of the norm diffusion process, rather it examines those PSCs that have already committed to the corporate responsibility to respect human rights and claim to act in accordance with it. This enables two determinations to be made: (1) whether certification enables a sufficient assessment of norm internalization; and (2) whether the risk management process at the heart of the standards is likely to result in full norm internalization. As discussed below, international business and human rights frameworks, such as the UNGPs, propose that the corporate responsibility to respect human rights can be attained by amending corporate enterprise risk management procedures to consider human rights risks and impacts. This position is mirrored in the academic literature which differentiates between ‘commitment’, as reflected in public acceptance of human rights responsibilities in codes and statements, and ‘compliance’, as evidenced by the integration of norms into management systems and risk management strategies.Footnote 15 The private security management system standards, ANSI/ASIS PSC.1 and ISO 18788, are essentially quality assurance and risk management standards building on the ISO 31000 risk management guidance. They are portrayed as operationalizing into business practice standards the human rights and humanitarian law principles at the heart of the ICoC, which itself builds on the ‘Protect, Respect and Remedy’ framework at the core of the UNGPs. 
Thus, this approach not only examines the efficacy of certification as a measurement of successful norm internalization, but also of a risk management pathway to embedding the corporate responsibility to respect in PSCs’ corporate culture.
Unfortunately, the literature on these private security industry global governance initiatives does not offer much assistance as only a smattering of studies examine norm internalization by PSCs. MacLeod, however, recognizes that the internalization of human rights norms into corporate culture may be fostered by third-party assessment of PSCs’ conformance to human rights risk and impact assessment (HRRIA) requirements contained in management system standards, but examining this process is not the focus of her article; rather it focuses on the question of whether States are shedding human rights responsibilities by supporting the development of self-regulation standards for PSCs.Footnote 16
In another analysis, Acheson outlines five stages of the norm socialization process in relation to PSCs, applying norms of corporate social responsibility (CSR), from pre- and basic CSR, through strategic and integrated CSR, and culminating in internalized CSR.Footnote 17 She provides indicators to assess where PSCs fall along these stages, related to internal factors (such as principles and policies, and vetting, selection and training procedures to foster responsible staff conduct) and external factors (practices related to improving accountability, oversight, transparency, and stakeholder engagement). According to Acheson, movement through these stages indicates that during the socialization process, PSCs are increasingly driven by a logic of appropriateness rather than a logic of consequences. However, Acheson’s article reflects shortcomings found in some of the empirical scholarship investigating the application of models of norm internalization. Three issues are worth noting on this point. Firstly, CSR is best conceptualized as a bundle of norms, rather than a singular norm. This suggests, secondly, that one cannot assume that all PSCs have a shared understanding of the norm and what its application looks like in practice, as indicated by empirical evidence.Footnote 18 Finally, the logic of consequences and logic of appropriateness are distinguished from each other and it is implied that both cannot drive behaviour simultaneously and, furthermore, the researcher is assumed to be able to identify which one motivates behaviour at a given point in time. This is problematic because even in later stages of norm internalization evidence suggests that companies deploy rhetoric justifying their actions anchored in both logics.Footnote 19 Thus, evidence of a logic of appropriateness is not in itself indicative of norm internalization.
Others examine the motivation behind PSC participation in global governance initiatives resembling the ones studied here.Footnote 20 Yet ultimately the motivating factors (e.g., avoidance of government regulation, responding to civil society pressure, reputational maintenance, and gaining competitive advantage) can be reduced to the instrumental logic of the profit motive, i.e., a logic of consequences.Footnote 21 A more poignant example of this is Rosemann’s use of Milton Friedman to argue that PSCs will only adhere to a code of conduct if there is a business case to do so. He advocates, therefore, ascribing a market value to human rights in order that they be considered in the corporate cost–benefit calculus.Footnote 22 His restricted approach to human rights in the study laid the groundwork for the development of the content of the ICoC.
Narrowing explanations of business actors’ behaviour to the instrumental profit motive cannot, however, adequately account for their acceptance of human rights responsibilities, as that singular motivation remains the same whether companies do or do not adopt such commitments and practices, and is also present in later stages of norm internalization.Footnote 23 Thus, the profit motive alone cannot account for variance in corporate behaviour.
This article accepts and builds on aspects of the critique of the constructivist literature as applied to corporations. First, the logic of consequences and logic of appropriateness are not two distinct, and potentially opposing, logics. Beyond the challenge of ever knowing what ‘truly’ motivates a business actor, manifestations of both may be deployed in demands on and justifications of corporate behaviour, and ultimately as a means of narratively defending what a legitimate corporate actor is and what it should or should not do.Footnote 24 Rational profit maximization is a norm and one promoted by shareholders and companies themselves, as well as being embedded in market forces.Footnote 25 Yet, however important, it is still only one among other norms. Second, it is agreed that much of the constructivist literature on norm internalization has portrayed a unidirectional process, whereby a ‘tipping point’Footnote 26 is reached and further diffusion or ‘cascade’ of a norm becomes almost inevitable.Footnote 27 This robs actors of their agency as they become automaton-like,Footnote 28 apparently reacting to the internal pressures created by an internalized norm. It discounts that norms are intersubjectively constituted during social interactions. Actors engage in creative acts in interpreting and applying norms in practice that in turn can re-shape shared understanding of that norm.Footnote 29 In other words, norms are not ‘fixed standards’, they are ‘constantly in the making’.Footnote 30 For example, companies develop norms once they are widely accepted by further elaborating a norm’s content, specific requirements, and appropriate enforcement mechanisms.Footnote 31 In other words, even in the later stages of norm internalization, the definition and requirements of norm compliance and how it is manifested and measured, can be a point of contention. 
In relation to PSCs, contention arose among security industry stakeholders on the relationship between certification to management standards and certification by the ICoCA as a means of evidencing norm compliance, as discussed below.
The lived and contested nature of norms is captured by highlighting the different views held by the stakeholders in private security global governance initiatives on what the corporate responsibility to respect human rights means, what it entails in terms of operationalized business practices, and how it is best evidenced.Footnote 32 It is a negotiated outcome that there is now a dominant discourse that the risk management standards reflect an operationalization into business practice standards of the ICoC’s human rights principles and that adherence to them is best evidenced by third-party certification to those standards with additional human rights-related information provided to the ICoCA. Evidence exists that this is a strategy that has been used by corporations before. For example, with ISO 14001, which embeds environmental norms into a quality assurance management process, companies managed to shift the focus of the standard to management processes and not environmental targets.Footnote 33
The risk management approach to fulfilling human rights responsibilities creates opportunities, but also closes off certain courses of action, and thus has implications for ensuring norm compliant behaviour. For example, an enterprise risk management approach, traditionally used to assess corporate risks, may result in a delimited set of human rights issues being examined rather than a full-fledged human rights due diligence process which captures risks to rights-holders.Footnote 34 Such a delimitation of human rights can be seen in the ICoC, which focuses attention on human rights issues around the use of force, detention, torture, sexual exploitation and abuse or gender-based violence, human trafficking, slavery and forced labour, child labour and discrimination, with some additional references to rights to freedom of expression, association, peaceful assembly and freedom from arbitrary or unlawful interference with privacy or deprivation of property.Footnote 35 Even though the Code expressly states that human rights are ‘not limited to’ the rights articulated, nevertheless, in practice it is being interpreted as a delimited approach and has resulted in a truncation of human rights due diligence among PSCs. This threatens to turn HRRIAs into a tick box exercise, as well as impairing the development of rights-compliant training and grievance mechanisms.Footnote 36 An enterprise risk management approach also tends to reinforce soft law initiatives relative to government regulation by limiting governments to validating the adequacy of corporate self-regulatory practices.Footnote 37 Finally, relying on third-party certifications conducted on the basis of a contractual agreement between two private actors may also constrain the ability of other interested parties, such as civil society and multi-stakeholder associations, to contribute to and scrutinize the sufficiency of assurance frameworks meant to attest to norm internalization.Footnote 38
These opportunities and challenges are explored to assess whether certification to risk management standards can ensure PSC adherence to the internationally recognized norm of the corporate responsibility to respect human rights.
III. The Development of Multi-Stakeholder Initiatives for the International Private Security Industry
Much has been written about the evolution of the international private security industry in the last decade and a half, but an understanding of the industry and the development of its regulatory frameworks is essential to any analysis of the effectiveness of those frameworks in changing corporate human rights culture.Footnote 39 It is generally well known that the industry came under increasing global scrutiny as a result of its extensive expansion and use by allied State forces during the interventions in Iraq and Afghanistan in the early 2000s. The absence of oversight, poor corporate governance and the immunity granted to US companies under Coalition Provisional Order 17 in particular, gave significant cause for international concern in an environment that has been described by those on the ground at the time as chaotic and by academics as lawless and anarchic.Footnote 40 These circumstances gave rise to frequent allegations of alarming behaviour by PSCs, with claims of human rights violations often being made, many of which were the subject of subsequent legal proceedings, some successful, others not.Footnote 41
Against a backdrop of a more universal shift towards regulation of business and human rights through the Ruggie process and the drafting and later adoption of the UNGPs,Footnote 42 it became clear that regulatory action ‘to address the most pressing challenges to effective private security regulation’ was urgently required.Footnote 43 Thus, in response to the twin difficulties of weak corporate governance and failure to adhere to human rights standards, and with an eye on the emerging corporate responsibility to respect human rights, the Swiss Government and the International Committee of the Red Cross brought together multiple governmental, civil society and industry stakeholders in 2005 under the umbrella of the so-called ‘Swiss Initiative’. The resulting multi-stakeholder negotiations led to the adoption of the Montreux Document three years later in September 2008.Footnote 44 Aimed at States, the Montreux Document articulates how international law applies to the activities of private military and security companies during armed conflict and sets out good regulatory practices. Currently 54 States and three international organizations adhere to the Montreux Document.Footnote 45 It is not a binding agreement and it explicitly does not create any new legal obligations for States. Moreover, it does not aim to regulate PSCs directly other than to offer some ‘good practices’, but it establishes the foundations for the ICoC, which was finalized in 2010 and addresses the responsibilities of PSCs directly.
From its earliest conceptions, the ICoC set out to address governance gaps and to unequivocally situate human rights and humanitarian standards as an integral part of the regulatory process.Footnote 46 In the Wilton Park Nyon Declaration of 2009, it is clear that industry participants accepted this position unequivocally: ‘Following a collective process involving pertinent stakeholders, we have achieved a broad consensus that an international code of conduct must be compliant with Human Rights and IHL. Further, there is a clear necessity for effective oversight, accountability and operational standards in such a code.’Footnote 47
In drafting the ICoC, multiple stakeholders including civil society, governments and industry created a soft law mechanism in which signatory companies ‘commit to the responsible provision of Security Services so as to support the rule of law, respect the human rights of all persons, and protect the interests of their clients’.Footnote 48 This corporate commitment extends to the provision of security services in so-called ‘complex environments’, a controversial term because it restricts the application of the Code to: ‘any areas experiencing or recovering from unrest or instability, whether due to natural disasters or armed conflicts, where the rule of law has been substantially undermined, and in which the capacity of the state authority to handle the situation is diminished, limited, or non-existent’.Footnote 49 Thus many PSC commercial activities fall outside the deliberately narrow scope of the ICoC as they do not take place in, e.g., conflict or post-conflict zones or other fragile environments.Footnote 50
As mentioned previously, the Code unambiguously endorses and incorporates the Protect, Respect and Remedy framework of the UNGPs and therefore envisages that adherence to human rights standards and good corporate governance will be achieved through the process of norm internalization, as described above.Footnote 51 To that end PSCs are expected to adhere to rules on: (1) human rights, also explained above;Footnote 52 and (2) management and governance including, inter alia, standards on the use of force, risk assessment, vetting, training, weapons, incident reporting, health and safety and grievances.Footnote 53 Notably, the section on respecting human rights precedes the section on management and governance which further bolsters the importance of the human rights provisions in the Code. Furthermore, human rights due diligence principles and a requirement to ensure the provision of internal remedies and whistleblowing are integrated into the Code.Footnote 54 In essence the ICoC broadly reflects the key substantive elements of the UNGPs’ corporate responsibility to respect human rights as well as its norm internalization approach. The Code is no longer open for signature by PSCs but by 2013, 708 companies had signed it. Today, companies wishing to adhere to the ICoC are instead invited to become members of the International Code of Conduct Association (ICoCA), a Swiss-registered non-profit organization that governs and oversees compliance with the Code. In doing so, PSCs commit to an ICoCA certification process as well as agreeing to ‘ongoing independent monitoring, auditing, and verification’ including a grievance procedure.Footnote 55 At the time of writing, the ICoCA has 92 member PSCs.
Like the drafting process of the Code, the ICoCA is multi-stakeholder in nature, consisting of three pillars, government, industry and civil society, and is governed by a Board of Directors whose make-up reflects the pillars. The purpose of the ICoCA is to ensure member compliance with the Code. To that end, it is mandated by its Articles of Association to receive compliance reports from its members, certify compliance to the ICoC, monitor member activities in certain instances, as well as being authorized to receive complaints alleging violations of the Code. If a member company is found to have violated the Code and fails ‘to take corrective action or to cooperate with the Association in good faith’ it may be suspended by the ICoCA Board.Footnote 56 To date, no company has been suspended for failure to comply with the ICoC.
IV. Security Industry Management Systems: ANSI/ASIS PSC.1, ISO 18788 and ISO 28007
As outlined above, the idea that norm internalization can alter corporate behaviour is embedded in the UNGPs for all business actors generally, and in the ICoC and the ICoCA for PSCs specifically. Thus, according to the Code, ICoCA member PSCs are required to ‘establish and/or demonstrate internal processes to meet the requirements of the Code’s principles and the standards derived from the Code’. For ICoCA member PSCs there is a two-stage process. Firstly, they choose a commercial certification body (CB) to carry out independent auditing and certification of those processes. CBs in turn are accredited to carry out the audits by National Accreditation Bodies (NABs). There are currently three CBs accredited to audit to these management system standards and all are accredited by the UK Accreditation Service (UKAS).Footnote 57 Secondly, member PSCs must obtain certification from the ICoCA itself by submitting evidence of successful conformance to an approved standard. At present the ICoCA recognises the US-developed ANSI/ASIS PSC.1 standard and the international ISO 18788 and ISO 28007 management systems as meeting the majority of the requirements of the Code.Footnote 58 A PSC that is certified to one of these standards will then receive ICoCA certification subject to the fulfilment of some additional requirements. This is because the ICoCA Board, after having reviewed the standards against the ICoCA’s requirements, determined that there are gaps between the Code and the standards; a determination which some government and corporate stakeholders opposed. 
Therefore, in addition to a certificate, PSCs must provide their audit results and any corrective action plans as well as additional human rights-related information to include, among other things, their HRRIA process.Footnote 59 It is important to note that the ICoCA Articles of Association 11.2.4 provide that ‘[t]he certification process shall operate in a manner that is complementary to, and not duplicative of, certification under Board-recognized national and international standards.’ What this has meant in practice is that the Association has been actively discouraged from exploring the competence or efficacy of the auditors and monitoring ongoing conformance to the standards and so a certification by a CB is taken largely at face value. This has serious consequences as will be shown below.
Certification of PSCs by third parties, whether CBs or MSIs, in this case the ICoCA, is supposed to indicate conformance with the human rights-related and other requirements in management system standards and the Code. However, as discussed next, what certification is meant to attest to in theory and what it really evidences in practice may diverge, which in turn affects perceptions of the sufficiency of certification as an indicator of norm compliance.
In examining whether certification is an adequate and effective means of ensuring that PSCs meet their corporate responsibility to respect human rights, certification methodologies, audit results, and corporate process and performance data are ideally needed to compare requirements against actual corporate implementation and outcomes. This in turn would allow a determination of whether auditors identify and capture discrepancies between requirements and performance and make appropriate decisions regarding awarding of certification, and if certification drives an ongoing continual improvement process leading to a deepening internalization of the corporate responsibility to respect.
Unfortunately, instances of opacity throughout the certification process inhibit access to complete data. In particular, the agreements between PSCs and the CBs auditing them represent a contractual relationship between two private actors involving information deemed proprietary and confidential by both. This means that CBs do not publicly share their self-developed, proprietary auditing methodologies, because they believe them to be an important source of competitive advantage relative to their competitors. PSCs are similarly not required to share the results of their audits but may choose to do so, as some member PSCs have done with the Secretariat of the ICoCA as part of the additional information required for ICoCA certification. While the Secretariat of the ICoCA has access to the audit reports of its members, it must be noted that it cannot see the methodology behind the audit results and determinations, and in any event it cannot share such information publicly.
While non-transparency, due to concerns about the disclosure of proprietary and confidential information which could have a range of second order competitive and legal effects, is certainly justified in some instances, it poses a challenge for researchers and other interested parties – industry clients, NGOs, government officials, the media – seeking to assess the sufficiency of certification. The authors have sought, therefore, to overcome these challenges by basing their conclusions on four distinct sources of data:
(1) Direct participant observation: participant observation is ‘research in which the researcher observes and to some degree participates in the action being studied’, which ‘produces the most direct evidence on action as the action unfolds in everyday life’.Footnote 60 It allows a synthesis of evidence gathered through observation with theories of social processes, enabling an integration between micro and macro levels of analysis as the researcher moves back and forth between observed practices and theory application and extension. The authors have participated in various capacities (e.g., Human Rights Technical Experts) in the development of the governance initiatives examined here including contributing to the drafting of the ICoC, the ICoCA’s Articles of Association, and ANSI/ASIS PSC.1 and ISO 18788, participating in the UK Foreign and Commonwealth Office’s (UK FCO) PSC.1 pilot scheme to certify the first PSCs to PSC.1, and serving as Observers to the ICoCA.
(2) Research project: data collected in 2014–2015 through questionnaires and semi-structured interviews of government, industry and civil society stakeholders for a research project on human rights standards and training in the private security industry.Footnote 61 Respondents and interviewees included government representatives, legal counsel and compliance officers from the PSC sector, civil society and other stakeholders.
(3) Additional semi-structured interviewing: this article draws to a limited extent on semi-structured interviews conducted in 2014 for a research project on the interactions between private security governance initiatives and more extensively on interviews carried out in October 2017 to support research examining PSCs as agents in global governance.Footnote 62 Interviewees included corporate representatives, government officials, civil society representatives, individuals involved in the governance initiatives, and employees of law and consulting firms. Interviews were conducted for non-attribution to facilitate a more open sharing of information.
(4) Desk-top research of materials made publicly available by PSCs: using an adaptation of Sebstead’s methodology initially applied to assess whether PSCs certified to ANSI/ASIS PSC.1 had adequately fulfilled the public-facing, transparency requirements of the standard, the authors conducted a similar assessment of the 16 PSCs currently certified to the ICoCA as well as PSC.1 and (or) ISO 18788, which focus on land-based security services, based on materials accessible on their websites.Footnote 63
V. Auditing and Certification ‘In Theory’
MacLeod has described the interconnection between the requirements for PSCs to receive ICoCA certification and auditing and certification to the management system standards ANSI/ASIS PSC.1 and ISO 18788 as ‘self-regulation-“plus”’.Footnote 64 Indeed the combination of evidenced conformance to commercial management system standards with additional human rights-related certification and monitoring and oversight requirements laid out by a MSI promises, in theory, a particularly rigorous assurance process that should ideally minimize the possibility of decoupling. Decoupling has been a main critique of the efficacy of management system and other accountability standards and captures the idea that weak assurance frameworks can result in compliance as ‘window dressing’ by determining adherence to a process rather than accountability for substantive outcomes.Footnote 65 Before detailing how certification manifests itself in practice, the workings of this system are described briefly in theory.
Turning first to ANSI/ASIS PSC.1 and ISO 18788, these governance initiatives have a disaggregated and marketized infrastructure supporting them.Footnote 66 In a nutshell, the standards are drafted by Technical Committees under the auspices of standards-setting bodies, in this case ASIS International (US) and the International Organization for Standardization (ISO) (global), respectively.Footnote 67 In both instances, the US Department of Defense (DoD) funded the development process of the standards, although this is not supposed to lend the DoD greater voice in the process. The Committees consist of interested stakeholders, but are heavily dominated by business interests, such as PSCs, commercial clients and consultants. For example, Committee members for ANSI/ASIS PSC.1 were drawn from three stakeholder categories: users/managers, producers/service providers, and general interest, the first two of which primarily represent for-profit interests. National standards bodies, such as ANSI, recognize standards as having been developed in accordance with their standards development requirements. The standards are published and available for a fee.
National accreditation bodies such as the UK Accreditation Service (UKAS) or the US-based ANSI-ASQ National Accreditation Board (ANAB) create rules and guidance for accrediting CBs to audit PSCs on their conformance to the standards.Footnote 68 Accreditation rules generally build on ISO’s standard for accreditation, ISO 17011 Conformity Assessment – General Requirements for Accreditation Bodies Accrediting Conformity Assessment Bodies. In this case, ANAB’s accreditation rule and UKAS’ accreditation guidance were developed after the first CBs were accredited and the first PSCs certified under a UKAS pilot project supported by the UK FCO. Probably due to the limited market for PSC certification, as mentioned above, there are only three UKAS-accredited CBs.Footnote 69 While a small number of companies around the globe offer certification it is unclear whether they are accredited by national accreditation bodies.
ANAB and UKAS are members of another oversight body, namely the International Accreditation Forum (IAF). The IAF describes its purpose as ‘to develop a single worldwide program of conformity assessment which reduces risk for business and its customers by assuring them that accredited certificates may be relied upon. Accreditation assures users of the competence and impartiality of the body accredited.’Footnote 70 The ICoCA certification procedure stipulates that it will only recognize certification to the management standards granted by CBs accredited by an IAF-member national accreditation body.Footnote 71
Under management system standard certification schemes, CBs are bound by additional standards that set out how audits are to be conducted. ANSI/ASIS PSC.2-2012: Conformity Assessment and Auditing Management Systems for Quality of Private Security Company Operations provides such guidance and is built on the ISO 17021 Conformity Assessment – Requirements for Bodies Providing Audit and Certification of Management Systems standard. Often, auditors are certified individually after participating in accredited auditor training programmes. In this case, however, CBs are training their own auditors on auditing ANSI/ASIS PSC.1 and ISO 18788 specific elements in-house, although it is known that two of the accredited CBs worked with external human rights consultants for a limited time prior to and during some of the early ANSI/ASIS PSC.1 certifications.
Determining accurately the precise number of PSCs certified to either ANSI/ASIS PSC.1 or ISO 18788 is problematic. There are several reasons for this. Firstly, the international security industry is in a regular state of flux with frequent takeovers and mergers as well as insolvencies. This means that there are some certified PSCs that have been absorbed by other certified companies and some that were not competitive and were dissolved, thus reducing the overall number of certified PSCs. Secondly, complex corporate structures hamper identification of the number of certified PSCs. The use of subsidiaries, joint ventures and other commercial arrangements creates a certain haziness around which specific entity is certified. Thirdly, some PSCs are certified to both ANSI/ASIS PSC.1 and ISO 18788. Notwithstanding these difficulties, at the time of writing, the Security in Complex Environments Group (SCEG) counts 40 PSCs as ANSI/ASIS PSC.1 certified and 27 as ISO 18788 certified, but it should be noted that these numbers are inflated as some PSCs are certified to both standards.Footnote 72 Nevertheless there has been a significant increase in certifications since 2015 and it is understood that another 20+ certifications are currently in progress.Footnote 73
As can be seen below in the analysis of the data, it is also challenging in many instances to identify the precise scope of a certificate when this information is not shared publicly. While it is permissible to limit the scope of certification to parts of a business enterprise, certain operations or programmes and delimited geographies, any party interested in the scope as an indicator of which portion of the PSC’s business activities are norm compliant will almost certainly not have easy access to this information. While the 2011 version of ISO 17021, which formed the foundation of ANSI/ASIS PSC.2, contained requirements in clause 8.3 that a CB maintain and make publicly accessible a directory of valid certificates, which among other things contains information about certificate scope, that requirement was eliminated in the updated 2015 version of ISO 17021. Now under clause 8.1.2 of the 2015 version such information must only be made available upon request.
Currently 16 out of 92 ICoCA member PSCs are further certified by the ICoCA, which brings the companies into full compliance with the Code, i.e., they have fulfilled the additional ICoCA requirements.Footnote 74 The ICoCA recently determined that upon joining the Association, PSCs have a two-year period in which to earn certification. That transitional membership process began in April 2018 for current members.
It must be noted, however, that the current ‘fit’ between the management system standards and ICoCA, as two very different types of governance initiatives, resulted from an intensely negotiated compromise between stakeholders that took nearly two years. As detailed elsewhere, while the dominant narrative is that the management system standards represent an ‘operationalization’ into business practice standards of the high-level human rights and humanitarian law commitments contained in the ICoC, the initial proposals for an international governance and oversight mechanism (later to be named the ICoCA) and participating civil society organizations did not foresee dependence of ICoCA certification on prior certification to ANSI/ASIS PSC.1 or ISO 18788.Footnote 75 The linkage to the standards created certain path dependencies for the ICoCA in terms of the extent to which it could request additional information from members. In particular, in discussions around the development of the certification procedure, member PSCs and governments pushed the Association to avoid what they termed ‘duplication’ of certification requirements already met under the standards. Similarly, there was also initial resistance to aspects of the proposed field-based monitoring procedure justified by the fact that Stage 2 audits required for ANSI/ASIS PSC.1 and ISO 18788 certification incorporated field visits. Interviews with some industry representatives indicate, however, that the dependency may flow both ways, as they recognize that the multi-stakeholder nature of the ICoCA can lend legitimacy to the management standards, whose credibility could otherwise be called into question as a solely industry-driven initiative. 
Current stakeholders from all three pillars of the ICoCA – governments, PSCs and civil society – see positive potential in melding a management system approach with the independence, oversight and accountability offered by an MSI to ensure PSCs’ internalization of their corporate responsibility to respect human rights.
Nevertheless, an analysis of publicly available data relating to the 16 PSCs certified by the ICoCA reveals some disturbing trends and in some instances demonstrates that compliance is worsening rather than improving, i.e., the opposite of norm internalization. Of the 16 companies analysed, 11 have been certified by MSS Global with the remaining five certified by Intertek. The 16 certified companies have all received either an ANSI/ASIS PSC.1 or an ISO 18788 certification (and in some cases, both) and have subsequently been assessed by the ICoCA as meeting the full requirements of the ICoC (eight via PSC.1 and eight via ISO 18788). Again, it must be borne in mind that the Association accepts the certifications as verification of conformance with ANSI/ASIS PSC.1 or ISO 18788 and only assesses whether the PSC seeking ICoCA certification successfully addresses the gaps between the ICoC and the standards.Footnote 76 The ICoCA does not monitor conformance to either PSC.1 or ISO 18788.
The authors monitored the websites of the 16 certified PSCs over several months from February to September 2018 and discovered multiple and ongoing instances of non-conformance with the human rights elements of the Standards (Fig. 1):
What these figures show is that even when companies are certified to a recognized standard, they are not acting in conformance with some of the most basic human rights elements of ANSI/ASIS PSC.1 and ISO 18788, which they must evidence publicly. By extension this means that they also cannot be complying with the ICoC, not to mention the UNGPs.
There are two groups of companies included in the group mapped: (1) those that received certification post-2016 and whose public-facing human rights indicators have not been mapped previously; and (2) those companies that received certification prior to 2016 and some of whose conformance has been subject to scrutiny previously.Footnote 82 Both groups demonstrate instances of non-conformance. Not one of the ICoCA certified PSCs met all of the human rights indicators mapped and astonishingly one company does not meet a single one of the indicators.
Of most concern, however, is that the authors identified numerous instances in which pre-2016 certified PSCs had in fact regressed in their level of conformance with the standards; their behaviour thus contradicts the theory that there is a unidirectional norm cascade process toward ever greater norm internalization. So, for example:
∙ In two cases, ANSI/ASIS PSC.1 and ISO 18788 certificates that were previously available publicly are no longer available, and formal confirmation of the geographical scope of those certifications is also unavailable;
∙ Similarly, Statements of Conformance that demonstrate commitment to human rights at the highest level that were previously available publicly are no longer available;
∙ A link to a previously accessible third-party grievance mechanism did not work for a minimum of eight months, rendering it inaccessible.
Furthermore, for some of the PSCs, human rights policies that were previously published on company websites can no longer be accessed. In another case, references to human rights due diligence have been removed, and in several cases where human rights are mentioned, the references to assessment and mitigation of human rights risks and impacts are vague or non-existent.
While a couple of the PSCs have improved the accessibility to grievance mechanisms and policies since previous mapping, shockingly two companies have no publicly available and accessible third-party grievance mechanism at all. In seven cases, while a grievance mechanism is made available, there is no information given about the grievance process itself in terms of describing, e.g., who will hear the complaint, how long it will take and possible outcomes. Upon closer examination, other barriers include mechanisms only being available in English, several broken links to online information, overly legalistic wording and a requirement to submit complaints in writing to a head office in another country. Furthermore, five of the supposedly third-party grievance mechanisms focus on whistleblowing and internal stakeholders, such as employees, rather than external stakeholders such as local communities as required. This is a recurring problem with the international private security industry. MacLeod’s research has identified that even when a company has been through a certification process, corporate understanding of the definition of external stakeholders can be confused, with respondent PSCs identifying employees, for example, as external stakeholders.Footnote 83 For companies yet to be certified, lack of awareness of human rights risks and impacts for external stakeholders increases substantially, with half of non-certified respondents in MacLeod’s research omitting any reference to local communities.Footnote 84 Given this lack of understanding it is not surprising, therefore, that many PSC third-party grievance mechanisms fall short of conformance by focusing only on internal stakeholders, but it also raises questions about the likely effectiveness of any HRRIA undertaken by a company. It will be impossible for PSCs to undertake an adequate HRRIA if they cannot identify accurately those whose human rights may be impacted adversely by their commercial activities.
These findings should be of the utmost concern to all stakeholders as they undermine the credibility of the overall PSC regulatory project. They raise several issues:
(1) If the simple public-facing elements for conformance are not being met, to what extent can PSCs be trusted to conform to the less transparent human rights requirements of the standards, e.g., human rights due diligence?
(2) If the CBs are not requiring conformance with the public-facing elements of the standards, through regular surveillance audits, special audits or monitoring or even withdrawal of the certificate, to what extent can they be trusted to require conformance with the less transparent human rights requirements?
(3) If PSCs struggle to even recognize that the standards require them to consider human rights risks to and impacts on local communities, and that they should incorporate human rights methodologies into their risk management processes, how can they be trusted to conduct HRRIA appropriately and effectively?
(4) As noted above, the ICoCA has been explicitly discouraged by its stakeholders from examining PSC conformance with the standards once a certificate has been awarded by a CB. So there is a clear lack of adequate and effective public oversight of a private certification process.
VI. Conclusion
The constructivist theories now implicit in the business and human rights sphere, and by extension regulation of the international private security industry, assume that norms matter and that once the normative tipping point is reached corporate actors will comply with human rights as a matter of course.Footnote 85 This article has demonstrated that within the context of the international private security industry such assertions may be challenged and, in some instances, disproved. There is a real danger that the hard-won promise of the PSC multi-stakeholder regulatory framework and its associated certification processes will lose all credibility if urgent attention is not paid to these serious problems. So, while there is no doubt that the international security industry is evolving, nevertheless, it seems that the shift to primary reliance on quality assurance and risk management is resulting in companies losing sight of the fact that the standards were created to address deficiencies in corporate governance AND human rights.
In an attempt to resolve some of the manifest weaknesses of the certification process, the following improvements are proposed:
∙ Role of National Accreditation Bodies (NABs)
While a certification approach to human rights is not problematic per se, the research findings highlight two clear problems that must be addressed at the national accreditation level: (1) human rights training for CBs; and (2) effective oversight by NABs.
As management standards had never been used to regulate human rights previously, there was an initial knowledge deficit which still persists. It is crucial, therefore, that both the NABs (in particular UKAS as the sole NAB currently accrediting in this field) and the CBs acknowledge this ongoing deficit and tackle it head-on. NABs must ensure that they, and the CBs that they accredit to conduct human rights-based audits, are fully informed and trained in using human rights methodologies. NABs must ensure that CBs establish and maintain internal human rights expertise or competence at minimum and both NABs and CBs should utilize external human rights expertise more extensively and effectively. In particular, CBs must understand that compliance with corporate responsibility to respect requires the application of different methodologies than other forms of risk assessment entail and must adjust their training and audit methodologies accordingly. HRRIA is distinguishable from other forms of traditional enterprise risk management and moreover demands that focus be on impacts to rights-holders and that the severity of adverse human rights impacts be examined for scale, scope and irremediability.Footnote 86 Furthermore, NABs must monitor the theoretical understanding of and practical implementation of human rights methodologies by CBs in order to provide informed, effective and credible accreditation oversight.
∙ Role of PSCs and CBs
PSCs are comfortable with an auditing and certification process because: (1) they understand and are familiar with this system because many PSCs have already undergone auditing by CBs to management standards in other areas, e.g., ISO 9001; (2) the private contractual nature of the certification process is more easily controlled by them; and (3) the certification approach is reinforced by State clients and the ICoCA itself. There are several problems with this approach:
(1) There is a manifest lack of transparency in the private contractual relationship between the CB and the PSC being audited;
(2) Commercial confidentiality is often used to justify and restrict disclosure of audit and certification related information by PSCs and CBs;
(3) The private contractual nature of the CB/PSC relationship can lead to PSCs treating the awarding of certification as guaranteed;
(4) The demand for PSC certification is currently delimited. CBs are commercial entities operating in a niche market and feel the financial pressure of offering audits with diminishing returns. Thus they are under pressure to maintain their existing client base.
In order for the certification approach to be regarded as effective and credible, PSCs must operationalize their human rights commitments in a fashion that does not subordinate human rights to the business case or to corporate risk management. They must ensure that they undertake comprehensive human rights due diligence, engaging with external stakeholders, as well as effective external communication of fulfilment of their human rights obligations under the standards and the Code. Failure to do so will rightly be perceived as PSCs conveniently holding themselves out as responsible business actors by adopting human rights language but doing little in the way of concrete behavioural shifts.
∙ Role of ICoCA
The findings of the research highlight and emphasize the importance of the oversight and monitoring role of the ICoCA, but unfortunately the Association is being hampered in fulfilling its mandate by the reluctance of certain stakeholders to allow it to monitor the effectiveness of certifications. Currently there is an unhealthy and unbalanced reliance on the perspectives and competencies of the NABs (e.g., UKAS), the CBs and the industry itself. The ICoCA could, within the terms of its mandate, further scrutinize areas of a PSC’s operations that were already audited should there be cause for concern, but that would require the ICoCA to expand its monitoring procedure.Footnote 87 There is an apposite opportunity here to raise the alarm and fix the problems before they spiral out of control and harm the credibility of ICoCA as an oversight mechanism, but it will require all stakeholders to support the Association in this goal.
∙ Lessons to be learned by other commercial sectors?
While it is clear that there are substantial problems with ensuring that the soft law initiatives and auditable standards for the international private security industry fit within the larger international consensus on the corporate responsibility to respect human rights, nevertheless, the certification approach supported by MSI oversight offers many useful lessons for other industries. Any sector considering this approach must, however: (1) ensure robust human rights training for NABs and CBs, drawing on external expertise if necessary; (2) safeguard transparency of the private audit process; and (3) guarantee independent and effective third-party oversight.
What is also clear is that, in the absence of such safety measures, the constructivist ‘tipping point’ resulting in the internalization of the corporate responsibility to respect human rights becomes a distant fantasy when there is inadequate norm compliance or, worse yet, norm regression.