INTRODUCTION The ANSI/ASIS PSC.1 – 2012 Management System for Quality of Private Security Company Operations (PSC.1) is a major step forward for assuring that private security companies (PSCs) adhere to applicable provisions of international human rights and humanitarian law when operating in complex environments, such as Afghanistan, Iraq, and other politically and economically unstable areas.[i] Despite the progress that the PSC.1 standard represents, there are still many issues that need to be resolved. An analysis of the public facing components of PSCs’ demonstrable adherence to PSC.1 indicates significant inconsistency within the private security industry, despite compliance with the PSC.1 standard being a procurement requirement of the U.S. Department of Defense (DoD) and Department of State (DoS) when utilizing private security providers overseas. The American National Standards Institute and ASIS International created the PSC.1.[ii] Certification bodies can audit PSCs as a means of demonstrating compliance with the PSC.1 standard to secure government contracts. Certification to the PSC.1 standard is a private-private relationship between a PSC and a private, for-profit, certification body.[iii] This relationship is problematic because it inherently lacks transparency and sufficient public oversight, resulting in inconsistent application of the PSC.1 standard. For the standard to be more effective, PSCs need to apply PSC.1 consistently, and information needs to be accessible to the public regarding the scope of certification, the PSCs’ statements attesting conformance to the standard, and the PSCs’ communication of their processes for analyzing human rights risks and receiving and addressing grievances. This article examines thirteen PSCs that received their PSC.1 certificates from accredited certification bodies and details each PSC’s conformance with the four public facing components of the PSC.1 standard: certificate scope, statement of conformance, risk assessment and communication, and available grievance mechanisms.[iv] Analysis of the public facing components of the PSC.1 standard is crucial because the system needs increased transparency. Transparency is essential because the public and PSCs’ clients need to know if a PSC is actually adhering to PSC.1’s human rights provisions. Ultimately, this article’s purpose is to utilize this analysis to highlight best practices for PSCs to improve conformance with PSC.1, increase transparency and disclosure in the private security industry, and ensure greater respect for human rights and humanitarian law. BACKGROUND Origins of PSC.1 PSCs are publicly traded or privately owned companies that perform security services in high risk and complex environments.[v] Over the last few decades, and in particular during the Iraq and Afghanistan wars, PSCs’ roles in modern conflicts and high-risk environments have dramatically increased.[vi] With the increased presence of PSCs comes a need for better regulation and oversight of their activities. The Montreux Document was one of the first major international agreements that sought to clarify the obligations of states regarding private military and security companies.[vii] The Montreux Document provides pertinent international legal obligations and best practices for states, which relate to operations of PSCs during armed conflict.[viii] The Montreux Document divides states into three, often overlapping, categories: contracting states (countries that hire PSCs), territorial states (countries on whose territory PSCs operate), and home states (countries where PSCs are headquartered).[ix] The Montreux Document is not legally binding, but recalls existing international humanitarian and human rights law obligations that states must follow concerning the activities of PSCs and details good practices to meet those obligations.[x] The Montreux Document was a major step forward in the international regulation of PSCs. Nevertheless, the Montreux Document has limitations. The Montreux Document only applies in active armed conflict, and many stakeholders, in particular civil society organizations (CSOs), were disappointed with the lack of specificity in the Montreux Document and its failure to incorporate key international human rights and humanitarian law provisions.[xi] Furthermore, the Montreux Document failed to include the 2008 ‘Protect, Respect, and Remedy’ framework that the UN Special Representative of the Secretary-General on Human Rights and Transnational Corporations and other Business Enterprises, Professor John Ruggie, developed.[xii] The ‘Protect, Respect, and Remedy’ framework provides detailed responsibilities to respect human rights, which states and businesses should follow when they carry out economic activities.[xiii] The International Code of Conduct for Private Security Service Providers (ICoC) was the second stage in the Swiss-led effort for the regulation of PSCs. The ICoC articulates specific international human rights provisions applicable to PSCs in complex and high-risk environments, and it references the ‘Protect, Respect, and Remedy’ framework.[xiv] The ICoC was adopted in 2010 and was the product of a multi-stakeholder initiative involving various stakeholders, including PSCs, CSOs, academics, and states.[xv] PSC.1 resulted from efforts to take the principles of the ICoC and operationalize them into business practice standards. Provisions of the 2010 and 2011 U.S. National Defense Authorization Acts enabled the DoD to fund the development of a third party certifiable management system standard by ASIS International in consultation with industry representatives and other stakeholders.[xvi] PSC.1, released in 2012, was the outcome and became the accepted means for the DoD to differentiate among the quality of security service providers in making their procurement decisions. Approximately one year later, in 2013, the Swiss government and other relevant stakeholders launched the multi-stakeholder International Code of Conduct Association (ICoCA) to ensure that ICoC member PSCs adhere and are accountable to the ICoC.[xvii] A Board and General Assembly comprised of three equal pillars representing the industry, states, and CSOs govern the Geneva-based ICoCA.[xviii] In the summer of 2015, the ICoCA passed a certification procedure that recognizes certification to PSC.1, along with the submission of additional human rights-related information, as a pathway to ICoCA certification.[xix] Purpose of PSC.1 The PSC.1 standard builds on the normative foundations of the Montreux Document and the ICoC, and provides auditable criteria to ensure the quality provision of private security in a manner consistent with international human rights and humanitarian law and the national laws of host and home states.[xx] PSC.1 is a quality assurance and risk management standard that builds on the plan-do-check-act model of managing operations.[xxi] It is a third party auditable national management system standard; accredited certification bodies (CBs) can audit a PSC’s conformance to the standard.[xxii] PSCs are required to comply with PSC.1 to contract with the DoD and DoS to provide security services overseas.[xxiii] Although PSCs are required to comply with the standard, they do not necessarily need to be certified.[xxiv] Ultimately, it is up to procurement specialists to determine whether a PSC is in compliance.[xxv] In practice, most PSCs have chosen to demonstrate that they conform to PSC.1 by having an accredited CB certify them.[xxvi] This allows a PSC to secure government contracts, assure the high quality of its services to clients, and garner reputational and other benefits related to a demonstrated commitment to respect human rights. Nature of Certification Relationship PSCs can obtain a PSC.1 certificate by going through a two-stage audit process with an accredited CB.[xxvii] Certifications are valid for a three-year period contingent upon successfully passing interim surveillance audits.[xxviii] National accreditation bodies accredit CBs to conduct audits and issue certificates.[xxix] Currently, there are only two accredited CBs that can certify to the PSC.1 standard, MSS Global and Intertek.[xxx] The United Kingdom Accreditation Services (UKAS) has accredited both of them.[xxxi] Two other CBs, Tsamota Certification Limited and IQ Verify, are expected to receive their accreditation in 2016 from the ANSI-ASQ National Accreditation Board and UKAS respectively.[xxxii] There are several potential issues with PSC.1’s means of certification. One of the principle issues is the confidential nature of the relationship between two private actors. A CB cannot disclose specific information about audits without consent from the PSC. While a PSC may choose to disclose audit-specific information to a government or client upon request, it is unclear if a government contracting officer has the resources and capabilities to understand and scrutinize such information, if provided. Most likely, the government contracting officer will accept a PSC.1 certificate on face value. The auditing protocols used by CBs to assess conformance to the PSC.1 standard are proprietary and not disclosed.[xxxiii] Thus, there is no way of knowing what metrics and measures CBs use to assess conformance with the PSC.1 standard. The information available to the public is even more circumscribed and provides little means to judge actual conformance and human rights impacts. The audit process is effectively a black box. This can limit transparency and result in inconsistent application of the PSC.1 standard. ANALYSIS Research Design and Methodology This article assesses the public facing components of PSCs’ demonstrated adherence to PSC.1 as an initial step towards ascertaining the effectiveness of the certification system. The publicly available information on the websites of thirteen PSCs certified to PSC.1 were analyzed on four specific criteria: the scope of certification,[xxxiv] the statement of conformance,[xxxv] communication of human rights risk analysis,[xxxvi] and methods for addressing grievances.[xxxvii] The thirteen PSCs include: Academi, Aegis Defense Services, Britam Defence Ltd, Chenega-Patriot Group, Control Risks Group Ltd, Edinburgh International, Hart, Garda World Consulting Ltd, G4S Secure Solutions, Olive Group, Reed International, Sterling, and Triple Canopy. Chart: Compliance with the Public Facing Components of PSC.1: The thirteen PSCs were ranked based on the effective implementation of the four public facing components and were grouped into four categories – very good (3), good (2), fair (1), and poor (0) – based on the companies’ average performance. Each of the four components were assigned a set of factors that were indicative of effective implementation of that component. Each factor was worth one point and the points of those factors were added together for each component. The PSCs were given 3 points for having most or all of the factors, 2 points for some, 1 point for one or two factors, and 0 if none of the factors were found. The totals were then averaged and the companies were then ranked based on their overall numbers. The factors examined for scope consisted of a downloadable certificate, a clear definition of scope based on geography or service line, no misleading or ambiguous statements about the scope on the website or in a press release, and whether the scope of the certificate was global.[xxxviii] The factors for the grievance mechanism included having a link to a third party complaint mechanism, a phone number for making complaints, an email for making complaints, policy or procedure information or contact information in multiple languages, specifically in the official languages of host states, and a third party complaint process or policy available on the website.[xxxix] The grievance factors also ensured that the grievance procedure takes into account language, educational attainment, fear of reprisal, and need for confidentiality.[xl] The factors for the statement of conformance included a clear statement endorsed by senior management of the PSC and references to compliance with the ICoC, the Montreux Document, relevant national and local laws, and relevant international laws.[xli] The communication of human rights risk assessment component is different from the other factors because it is unlikely to be available on a website if a PSC is communicating its human rights risks and its efforts to address these risks to affected stakeholders. This indicator looked at several factors but was ultimately reduced to a binary determination. The determination was based on whether there was any indication in statements or policies available on the PSC’s website that human rights risks are assessed and communicated with relevant stakeholders and particularly local populations of the host state.[xlii] Scope of the Certification The scope of the CB’s certificate is an important public facing indicator for the PSC.1 standard and indicates what was actually examined by the CB during the auditing process. Scopes can range from global certification, to more narrow regional or national certifications or certifications based on specific service lines that the PSC provided.[xliii] The scope can be misleading if the scope is not made publicly available. A PSC might note that they are PSC.1 certified, but without the scope of the certification the public and clients do not know the extent of what was audited. Many of the PSCs studied did well on the scope indicator, because they presented the scope of their certification clearly. Overall, six of the thirteen PSCs researched had the actual certificate with a clear scope available on their website. Several other PSCs did not have the certificate available, but still clearly articulated the scope of their certification through other means, such as a press release on their website. However, six PSCs did not provide any information about the scope of their certification. Other PSCs attempted to outline the scope of their certification, but were unclear. For example, many of these PSCs outlined the scope of their certification in a press release on their website, which often contained ambiguous or misleading statements about the scope of their recent certification. Ultimately, six of the thirteen PSCs studied did not have sufficient information outlining the scope of their certification. Although many PSCs do well on the scope component, there is significant room for improvement. More PSCs should strive to achieve certification with a global scope. So far, based on what is publicly available on the websites of the researched companies, only three PSCs have global certification: Aegis Defense Services, Garda World, and Sterling. Clearly providing the scope of the certification on a website is as simple as posting the actual certificate, and more PSCs should strive to post the certificate. Grievance Mechanisms Providing an adequate means to address third party grievances is an essential measure for protecting human rights. This is an important public facing component of PSC.1 because it is the means for impacted stakeholders to lodge complaints against the PSC and have the PSC work with the complainant to resolve the issue. There are several ways to provide an adequate grievance mechanism, such as providing a hotline, an email, or a detailed procedure on the PSC’s process for addressing grievances. Ultimately, the PSC should provide contact information for a third party to submit a complaint, as well as a basic policy framework outlining the process for resolving grievances. There are several best practices that many PSCs utilize for addressing grievances. Many PSCs provide a 24-hour hotline and email address. Furthermore, some PSCs, like Edinburgh International and Triple Canopy, provide grievance information in multiple languages, principally in the language of the host state. Other PSCs should adopt this practice because issues such as language barriers should not limit access to the grievance mechanism. Additionally, many PSCs outline in a policy document on the website the steps that the company will take to resolve the issue. Analysis of the thirteen PSCs revealed that there are a number of shortcomings in current practices and a significant degree of inconsistency among PSCs on the grievance mechanism indicator. Many PSCs have 24-hour hotlines, but they are not easily accessible on the website. Additionally, many companies have a hotline or an email, but not both. Furthermore, six PSCs provide detailed procedures to the public on how the company will address third party complaints. Additionally, few PSCs have their grievance mechanisms available in the languages of the host states in which they operate. PSCs need to do more work on the grievance mechanism indicator. There are some positive points, but generally a lot of inconsistency among PSCs and among indictors. For example, most PSCs have an in-house grievance mechanism, while some PSCs, like Sterling, utilize an outside provider to process complaints. There needs to be more detail from the PSCs in grievance policy procedures, and the PSCs need to identify and address barriers to accessibility, whether technological, language, or otherwise. Statement of Conformance The statement of conformance is a requirement of the PSC.1 standard and ultimately reflects a companies’ commitment to respect human rights and relevant laws.[xliv] According to the PSC.1 standard, the statement should mention compliance with the ICoC, the Montreux Document, and relevant international humanitarian law, human rights, and customary laws and agreements.[xlv] Furthermore, the senior management of the company should endorse the statement and communicate it internally and externally to stakeholders. Most of the PSCs examined tended to do well on the statement of conformance indicator with nine out of the thirteen PSCs sorted into the highest category for the statement of conformance component. Seven PSCs had a code of conduct that was publicly available on the website. Additionally, there was usually clear evidence that there was an endorsement of the code of conduct from the senior management. Companies like Reed International, Britam Defence, and Garda World Consulting had a clear endorsement from the senior management on their codes of conduct. Some companies, like Garda World Consulting and Britam, even had separate detailed human rights policies that were available on the website. When companies struggled with the statement of conformance indicator it was usually because there was a lack of detailed information or no information available on human rights. Some companies, like Sterling, mentioned environmental impact, but failed to mention adverse impacts on human rights. Furthermore, some companies failed to explicitly mention compliance with key documents like the Montreux Document or the ICoC. More PSCs need to have a clear statement of conformance available to the public on their websites. Although most companies usually provide a statement, the statements often lack detail and specificity. Although many companies do well on this indicator, there is still room for improvement; for example, PSCs can provide an explicit commitment to abide by the relevant provisions of international human rights and humanitarian law. Communication of Risk Analysis The communication of risk analysis is basically any mention of a human rights risk assessment that the PSC makes available on the website. The measure was a binary yes or no, as opposed to the other three components’ factors. The research design used a binary answer because it is unlikely to be available on a website whether and how relevant risk information is communicated to specific stakeholders as required in PSC.1. The study looked for any indication that PSCs were assessing human rights risks. Seven PSCs did mention that a human rights risk assessment was of a fundamental importance in their codes of conduct. However, even when PSCs mentioned the risk assessment it was often vague. No PSC provided details in terms of what that risk assessment process actually entails or methodologies used. While some companies like Britam Defence and Garda World do well on this component, most PSCs do not provide enough information to ascertain that a human rights risk assessment is a core part of their risk management process. More explicit references to a human rights risk assessment are required, as well as details about that process and efforts to involve affected stakeholders. CONCLUDING RECOMMENDATIONS Many unanswered questions remain about the PSC.1 standard. Principally, is there enough transparency in the system to assess which are the more socially responsible security providers? Most of the PSCs in the study were in the fair category with six out of thirteen PSCs being placed in the fair to moderate range, four out of thirteen were sorted into the good category, and three PSCs were sorted into the poor category. This demonstrates a general lack of transparency in the system because key information that the PSCs should provide is unavailable to the public and clients, who cannot know if the company is truly in compliance with relevant human rights laws. Furthermore, the decentralized and privatized certification system might not be the most effective means for enhancing conformance to the human rights-related provisions of the PSC.1 standard. There was a great amount of inconsistency between companies and even between CBs. The current system lacks adequate direct oversight and may not be effective enough to ensure full conformance with human rights and humanitarian law by all certified PSCs. Finally, and perhaps most significantly, the actual impacts of PSC.1 certification on human rights protections have yet to be fully determined. Most of what is being shared publicly, and assessed by CBs, are policies and processes. There is no systematic assessment of actual human rights impacts across PSCs’ global operations or of cumulative impacts of multiple PSCs’ activities in one area of operation. Embedding a commitment to respect human rights in management systems is an important first step, but adequately identifying and mitigating actual human rights impacts on the ground in host states where PSCs operate is essential. Full-Text PDF available here END NOTES [i] ASIS International, Management System for Quality of Private Security Company Operations – Requirements with Guidance, Am. Nat’l Standards Inst. (2012), http://www.acq.osd.mil/log/ps/.psc.html/7_Management_System_for_Quality.pdf [hereinafter PSC.1]. [ii] Id. [iii] See Rebecca De Winter-Schmitt, Routledge Handbook of Private Security Studies (Rita Abrahamsen & Anna Leander eds., 2015) (highlighting the role of certification bodies regarding certification to the PSC.1 standard). [iv] PSC.1, supra note 1, at art. 5.5, art. 6.3, art. 7.2, art. 9.4.3, art. 9.5.7. [v] Faiza Patel, Regulating Private Military and Security Companies: A Comprehensive Solution, 107 Am. Soc’y Int’l L. Proc. 201 (2013). [vi] See De Winter-Schmitt, supra note 2; see also Moshe Schwartz, The Department of Defense’s Use of Private Security Contractors in Afghanistan and Iraq: Background, Analysis, and Options for Congress (Congressional Research Service 2011). [vii] The Montreux Document: On pertinent International Legal Obligations and Good Practices for States Related to Operations of Private Military and Security Companies During Armed Conflict, (Sept. 17, 2008) available at https://www.icrc.org/eng/assets/files/other/icrc_002_0996.pdf [hereinafter The Montreux Document]. [viii] Id. [ix] Id. [x] Id. [xi] Scott Jerbi, Geneva Acad. of Int’l Human. L. and Hum. Rts., Academy Briefing No. 4: The International Code of Conduct for Private Security Providers 6 (2013) available at http://www.geneva-academy.ch/docs/publications/briefing4_web_final.pdf. [xii] Id. [xiii] U.N. Office of the High Comm’r on Hum. Rts., Guiding Principles on Business and Human Rights: Implementing the United Nations ‘Protect, Respect and Remedy’ Framework (2011) available at http://www.ohchr.org/Documents/Publications/GuidingPrinciplesBusinessHR_EN.pdf. [xiv] Jerbi, supra note 11. [xv] International Code of Conduct Association, http://icoca.ch/en/history. [xvi] See e.g., National Defense Authorization Act for Fiscal Year 2010, Pub. L. No. 111-84,123 Stat 2190 (2009); De Winter-Schmitt, supra note 2, at 262. [xvii] History, Int’l Code of Conduct Assoc., http://icoca.ch/en/history; The ICoC Association, Int’l Code of Conduct Assoc., http://icoca.ch/en/icoc-association. [xviii] The ICoC Association, Int’l Code of Conduct Assoc., http://icoca.ch/en/icoc-association. [xix] See ICoCA Recognition Statement for ANSI/ASIS PSC.1-2012, Int’l Code of Conduct Assoc., (September 2015) available at http://icoca.ch/sites/default/files/uploads/ICoCA%20Recognition%20Statement%20for%20PSC%201.pdf. [xx] PSC.1 supra note 1. [xxi] Id. [xxii] See De Winter-Schmitt, supra note 2. [xxiii] PGI Case 2012-P010 ANSI/ASIS PSC.1-2012 Standard in Requirements Packages, PGI 225.7401, available at http://www.acq.osd.mil/dpap/dars/archive/2012/change_notices.html. [xxiv] Id. [xxv] See id. 1-800-377-6914 [xxvi] See De Winter-Schmitt, supra note 2. [xxvii] ASIS International, ANSI/ASIS PSC.2 – 2012 Conformity Assessment and Auditing Management Systems for Quality of Private Security Company Operations, Am. Nat’l Standards Inst., (2012), http://www.acq.osd.mil/log/ps/.psc.html/8_ANSI_ASIS_PSC.2_2012.pdf. [xxviii] Id. [xxix] De Winter-Schmitt, supra note 2. [xxx] See Security Management Systems, MSS Global, (2016) http://www.mssglobalservices.com/services/security-management-systems/land-security/; see also Accreditation for Management Systems Certification, Intertek, http://www.intertek.com/auditing/accreditation-for-management-systems-certification/. [xxxi] First UKAS accreditations granted for the certification of Private Security Companies, United Kingdom Accreditation Services, https://www.ukas.com/news/first-ukas-accreditations-granted-for-the-certification-of-private-security-companies/. [xxxii] Accredited Schemes, IQ Verify, http://www.iqverify.org.uk/certifications; Private Security Certification, Tsamota Certification Limited, http://www.tsamotacertification.com/psc.1.html. [xxxiii] De Winter-Schmitt, supra note 2. [xxxiv] PSC.1, supra note 1, at art. 5.5. [xxxv] Id. at art. 6.3. [xxxvi] Id. at art. 7.2. [xxxvii] Id. at art. 9.4.3, art. 9.5.7. [xxxviii] Id. at art. 5.5. [xxxix] Id. at art. 9.4.3, art. 9.5.7. [xl] See id. [xli] Id. at art. 6.3. [xlii] Id. at art. 7.2. [xliii] See e.g., Intertek, Certificate of Registration, Olive Group, (2014) http://www.olivegroup.com/uploads/file/Olive%20Group%20FZ-LLC%20PSC.1%20Certificate%281%29.pdf (highlighting a scope based on service line). [xliv] PSC.1, supra note 1, at art. 6.3. [xlv] Id.