A New Twist to Management Standards, Bringing in Human Rights
The International Organization for Standardization (ISO) has a long history of setting international standards for products, services, and practices to foster global trade. Many of these standards are management system standards, the ISO 9001 quality management system standard probably being the best known and most implemented among them. While ISO already has a number of standards that address various aspects of security and risk management, until now there was no management standard for organizations seeking to deliver professional private security services in a fashion that ensures respect for human rights and humanitarian law. So when the American national standards body, ANSI, proposed creating an international management standard for provision of private security services, a new Project Committee had to be established to tackle the task.
The new Project Committee (PC 284), comprised of 14 voting and 16 observing national delegations, met for the second time the first week of June under the leadership of Committee Chair Dr. Marc Siegel, the Commissioner heading the ASIS International Global Standards Initiative. The PC’s work on drafting a new international security operations management standard is proceeding apace, and will likely result in an ISO standard unlike any other. Currently, one other ISO standard directly addresses human rights matters in a more comprehensive fashion: the ISO 26000 guidance on Corporate Responsibility. ISO 26000 was recently updated to bring it more into line with the UN Guiding Principles on Business and Human Rights. However, as a guidance companies cannot be certified to it. In contrast, the ISO management standard for security operations will be a certifiable standard, to which organizations can demonstrate their conformance through a third party certification audit. It is at its very core about establishing the need for security providers to respect human rights throughout their operations and business relationships. In terms of the language of the Guiding Principles, it’s about companies knowing and showing that they respect human rights.
The origins of the new ISO standard explain why human rights are so central to it. Three key documents inform its content: 1. the Montreux Document on Pertinent International Legal Obligations and Good Practices for States related to Operations of Private Military and Security Companies during Armed Conflict, 2. the International Code of Conduct for Private Security Service Providers (ICoC), and 3. the ANSI/ASIS PSC.1-2012: Management System for Quality of Private Security Company Operations (PSC.1). The Montreux Document spells out the existing legal obligations that states have under international law as well as a series of good practices with regards to the use and authorization of private military and security companies during armed conflict. As a follow-on to the Montreux Document, the ICoC sets out principles for the responsible provision of private security services in complex environments based on international human rights and humanitarian law. The accompanying ICoC Association was created to breathe life into the ICoC’s principles by serving as an independent governance and oversight mechanism, which among other things will create procedures for certification, monitoring and performance assessment, and addressing grievances.
PSC.1, also drafted under the leadership of Dr. Siegel, was created with the intention of operationalizing the principles of the ICoC into a certifiable management system standard. Accredited certification bodies audit private security companies to determine if they may be certified as compliant with PSC.1. When the ISO standard is completed, each national standards body that comprises the membership of ISO may determine whether or not it accepts the new ISO standard. In the US, it will default to ASIS to decide if the ISO standard surpasses PSC.1, in which case ASIS can withdraw PSC.1 or let it sunset at its review period.
PSC.1 frames the need to respect human rights in language that companies understand by highlighting the importance of managing risks associated with rights abuses linked either directly to company operations or indirectly to subcontracting or outsourcing relationships. It also helps companies operationalize human rights principles by embedding the commitment to respect human rights into a company’s management system. This is again in keeping with the Guiding Principles, which recommend that a company’s human rights commitment be reflected in operational policies and procedures so as to embed it throughout the business enterprise. However, some civil society organizations think it is foreign to speak of human rights violations as “undesirable or disruptive events,” balk at putting human rights protections in the language of minimizing organizational risk, and worry that the standard will not go far enough in placing rights-holders at the center of risk impact assessments and risk management processes.
The interlocking nature of these three initiatives is not a settled matter. The ICoC Association has acquired an outside expert to compare the ICoC and PSC.1 and provide an assessment of whether certification to PSC.1 will suffice to grant certification to the ICoC or whether additional human-rights related information will be required of member companies. While most private security companies and governments participating in the ICoC Association see a complimentary fit between these initiatives and would like to avoid potentially duplicative certifications, some civil society organizations are less sure about the adequacy of PSC.1 certification and are awaiting the analysis provided by the outside expert before making any determinations. They want to ensure that audits are conducted with the necessary human rights expertise and are not a desk-based check the box exercise, but rather also glean information from the field and capture actual human rights impacts on the ground.
The British government together with the United Kingdom Accreditation Service has recently conducted a pilot project to accredit certification bodies to audit to PSC.1, and a few private security companies participated to become certified to PSC.1, with Olive Group being the first to receive its certification. A transparent and public report of lessons learned from that pilot project would be useful for those interested in determining the compatibility between these initiatives and whether the human rights risk assessments conducted as part of the certification process amount to more than a “check the box” exercise. Such a report could also be a valuable input into the ongoing negotiations to develop the new ISO standard, as the Project Committee is seeking to ensure that all relevant provisions of the ICoC are reflected in the international standard.
- Dr. Rebecca DeWinter-Schmitt is Co-Director for the Human Rights in Business Program at the American University Washington College of Law.