The following interview with Dr. Rebecca DeWinter-Schmitt[1] was carried out in Washington D.C. on June 6, 2016 by Frauke Renz. The main focus of the interview was on self-regulation, industry standards and national regulation focused on Private Security Companies (PSC).[2] All footnotes are remarks by Frauke Renz, aimed at giving some additional background knowledge and especially giving the links to the cited documents so that the reader can follow up on these issues easily.


Self-Regulation and Industry Standards

In your post “Certifying Private Security Companies’ Human Rights Performance: Not All Certificates Are Created Alike”[3] you refer to the article of David Sebstead and his assessment of the way in which PSC are certified. One finding of your post and Sebstead’s article[4] is that the black box of certification needs to become more transparent with regards to the methodologies and metrics relied upon:

Are there any efforts to achieve a higher level of transparency with regards to those methodologies and metrics? If so, are they driven by the government, the industry or multi-stakeholder initiatives such as the International Code of Conduct Association (ICoCA)?

The ICoCA[5] is certainly the biggest driver for greater transparency. The current ICoCA certification procedure requires that the member PSCs demonstrate the scope of their PSC.1 certificates as well as provide information about any type of non-conformities that were evidenced in the audits and then also their corrective action plans.[6] Those already come along as part of the PSC.1 certification process. In addition to that, the ICoCA requires additional human rights related information. They want to know what kind of Human Rights Risk and Impact Assessment (HRRIA) the PSCs undertook, how the PSCs are vetting their subcontractors and whether the subcontractors are also adhering to the ICoC, as well as how PSCs train their personnel and ensure that personnel operate in conformance with the ICoC. So basically there are additional requirements imposed by the ICoCA as they need evidencing of human rights related information to ensure that the PSC is actually respecting human rights provisions.

How does that work in practice?

No PSC has become certified under the ICoCA yet, even though the procedure came out a year ago.[7] There has been a lot of dispute about using PSC.1 as the method to getting ICoC certification for two main reasons: accessibility and affordability. There is the concern that the certification may not be accessible to some companies as the certification bodies that are currently accredited are U.S. and UK based. For example, it is questionable if you are a medium sized security provider in Nigeria whether the certification bodies will be able to provide their services there. Additionally, there is the affordability factor. There is the perception that getting PSC.1 certified might be prohibitively expensive for small or medium sized enterprises. Certification for a small company starts at around 20,000 USD and it goes up from there depending on the size of the company. That is just the cost of getting certified. This does not yet include the costs arising if you don’t already have a management system in place and have to implement this system. And contrary to popular belief the private security industry has a very small and tight profit margin.[8] It therefore is a lot of money unless you can recoup that cost. If you are not a government contractor, it is questionable whether it will be worthwhile to go through a PSC.1 certification. Because there are those disputes about the accessibility and affordability of PSC.1 certification and in particular because of pressure from the civil society pillar, the ICoCA is looking at possible alternative routes and that may include getting potentially certified through the Association itself and not going through an outside body. But there are different perspectives on that and it is an ongoing discussion.

The NGOs would like to see that the Association is empowered and has greater control over scrutinizing its member PSCs without being reliant on attestation of their adherence to a standard by a third party, the certification body, that the Association has no oversight or control over. I have spoken to some PSCs who would not feel threatened if the Association were to offer a parallel certification process. But PSCs who have gone through the PSC.1 certification process to date want to ensure that their efforts are recognized and that certification serves as a differentiator, which is understandable.

What is important to note is that U.S. government agencies have different perspectives. The Department of Defense (DoD) requires PSCs that provide security services overseas to be compliant with PSC.1 and in the future alternatively also ISO 18788, whereas the State Department requires the companies to be compliant with PSC.1 and in good standing with the ICoCA.[9] Because of that there are certainly differing perspectives on the value of the Association. I don’t get the sense that the DoD in particular wants to see the centrality and importance of the PSC.1 certification be diminished in the ICoCA. The State Department has potentially been a bit more supportive of the ICoCA so they might be a little more open to the idea of having a parallel route aside from PSC.1.

What is important to remember is that PSC.1 and ISO 18788 are useful as they are management standards. They are supposed to take the principles of the Montreux Document and the ICoC and for ISO 18788 also the UN Guiding Principles on Business and Human Rights as the normative foundations and operationalize them into business practice standards.[10] The ICoC is the normative underpinning but companies need to translate those principles into practice. ISO 18788 and PSC.1 are valuable in that sense. They help companies understand what their commitment to human rights means in terms of how they have to operate on a daily basis. And so you don’t want to lose that linkage as companies will only respect human rights in practice if they manage to embed them into their management, operations and into their corporate culture as well. So it is important to note that even if the ICoCA goes its separate route, there will still need to an effort to not only look at the outcomes in the end but to also understand the steps companies need to take to embed these principles.

Getting back to the question about transparency, the value of the ICoCA is that even if they are getting their information from the companies based on what was audited and it will not be made publicly available, as a multi-stakeholder initiative (MSI) the companies have the assurance that the information they provide will be scrutinized. So it acts as an additional oversight above and beyond what the certification bodies can do.

With regards to companies and transparency, it really varies. That also came out of David Sebstead’s article.[11] A number of companies have been very willing to share their certificates, others are not that transparent with regards to their HRRIA. There are some companies that have been very vocal in public forums about how they assess their risks, for example GardaWorld and AEGIS, which have now merged into one company. They have been very exemplary in being willing to talk about how they assess their human rights risk. There is some concern that transparency might open up PSCs to liabilities. But most companies realize the reputational benefits that they gain from sharing more information rather than less. With governments, the degree to which they drive transparency is difficult to assess. Obviously those involved with the Association must value transparency or they would not subject themselves to being involved in a MSI.

At the height of the wars in Iraq and Afghanistan and during the phase in which the Montreux Document as well as the ICoC were negotiated there was a lot of international focus on PSC. Do you believe that with those instruments in place and given the decreased public focus there is less pressure for companies to become more transparent with regards to their human rights risk and impact assessment process?

Certainly the scrutiny of the media is way down, you rarely read about this issue any more and it is certainly not the same as it was during the height of Iraq and Afghanistan. But regarding the question whether this has taken the pressure off companies one needs to first note that these are not voluntary standards as they are embedded in procurement policies and thus no longer really voluntary if you want to get government contracts. If one speaks of the self-regulatory framework what has basically happened is that it is linked very closely to government contracting. Sarah Percy has this great saying about regulating the last war.[12] This voluntary framework is really the result of Iraq and Afghanistan and the U.S. and UK government contracting. So a lot of what was developed really spoke to the need to have more responsible contracting going on. That pressure is not off to the extent that you still have to be PSC.1 compliant if you want to work for the DoD or the State Department, and those companies have chosen to be PSC.1 certified instead of only compliant. That pressure is still there and won’t go away as the WPS2[13] is a massive contract and of course when the U.S. Department of State requires it, every company is making sure to be PSC.1 certified and to be in good standing with the ICoCA.

But what is missing is bringing the private sector clients in, such as the extractive companies or any other company operating in conflict environments and utilizing private security. The humanitarian organizations and human rights groups use private security in the field for their researchers, the international organizations do so, as do other government agencies such as USAID.[14] To that extent there has been no tipping point where all PSC are trying to become members of the Association or demonstrate their compliance with these standards. A lot more work needs to be done. So the pressure is not off but beyond the government contracting realm I am not sure in how far the security industry as a whole is committing to and implementing these standards.

Do you believe that PSC will in the future place higher emphasis on establishing human rights risk and impact assessment processes?

That is a tough question. If you talk to most companies, they will tell you that they already analyze their human rights risk as part of their ongoing risk assessment processes that they undertake before and while operating in complex environments. They say they account for their human rights effects but don’t label it that way. Now whether that is accurate or not is hard to say. But it is important to understand that the human rights risk assessment is not like any other risk assessments. As is spelled out in the UN Guiding Principles, it is not just about assessing the material risk to a company but first and foremost about assessing the risks to the rights holders. And it is fine to integrate human rights risk assessment into the risk assessment process as long as that is kept in mind. But a lot of companies still think in terms of risk to themselves. That is still problematic.

The other big issue is that there is a lack of standardization when it comes to HRRIA. There is a number of limited HRRIA methodologies publicly available. The Danish Institute for Human Rights and NomoGaia offer good, publicly available tools.[15] The UN Global Compact put out another really good guide for managing human rights risk.[16] But those are not industry specific. In some ways you need industry specific guidance. The extractive industry has very good sector specific due diligence guidance, such as IPIECA for the oil industry[17] and the ICMM for the mining industry.[18] That is not yet the case for the security industry.

There needs to be more cross-sectoral sharing of best practices in HRRIA so that the security industry could learn from others who have been doing this for longer periods of time. The problem is that there is a lot of hesitation to share the outcomes and reports of the HRRIA in fear of exposing themselves to liabilities. One good exception has been BP with the Tangguh Project. The Tangguh Independent Advisory Panel has been publicly releasing its reports since 2002.[19] So it is possible, but this case is the exception from the rule. Frankly, most HRRIA are confidential and proprietary, which is why the companies are hiring law firms and consultants to do them and they are not about to share their results. Even the Danish Institute for Human Rights does not share information about the assessments it is paid to carry out for its clients. That has hampered the development of standardized best practices and for the security industry the development of industry specific standards. One can hope that the ICoCA, which has the development of best practices as part of its mission, might actually start working on some type of methodology or tool. Until then you can expect us to see a lot of real differences in terms of what is passing as HRRIA.

How do you assess the likelihood of a shift away from the current model in which private certification bodies audit conformance to industry standards such as PSC.1 towards having either a government authority or a body such as the ICoCA in charge of certification?

The whole model of having national management system standards, international management system standards, accreditation bodies accrediting certification bodies, certification bodies granting certificates is an architecture in itself. No one is going to touch that. What the ICoCA could do at best is to scrutinize what those certifications mean in terms of actual human rights practices but technically they are not in a position to oversee a certification body. And I doubt that the ICoCA would want to get involved with the accreditation of certification bodies.

Recently, the ANSI-ASQ National Accreditation Board (ANAB) developed an accreditation rule for certification bodies that want to get accredited to audit companies to ISO 18788.[20] There is not any way in which the ICoCA would take that over, they can just hope to develop something parallel.

On a side note, it will be interesting to see what happens because initially it looked like with the creation of PSC.1 there was a proliferation of standards. But then, there was this feeling that they are not competing but complementary initiatives because the ICoCA has recognized PSC.1 as a route for certification. So finally all those pieces seemed to fit together. And they are currently reviewing whether ISO 18788 will also be a pathway to ICoCA certification. But if the ICoCA develops its own parallel certification procedures that may again potentially put these various initiatives on a more competitive footing with each other in terms of companies having to decide what certification they want. The impact on the complementary nature of those various initiatives will be interesting to follow.

My research has always focused on various types of corporate responsibility initiatives and what they can hope to achieve. It is interesting to watch this process unfold. It has been a little slow going which is a shame because ironically the security industry is the industry which has gone the furthest fastest in terms of its willingness to commit to a MSI, look at the Voluntary Principles as a contrast.[21] So it always seemed to me to have a tremendous amount of promise. But as with every MSI it is slow going and all about negotiations. But the Association is definitely trying to wrest back some of the momentum that was taken from it with the development of PSC.1 and ISO 18788 and it is trying to assert more dominance and control over what it expects from its member PSCs and how it assesses that. And this is what was originally planned prior to the PSC.1, which was presented as a fait accompli by the DoD and then everybody had to figure out what it meant for the Association. Now we are going back to where things once were and the Association is saying it wants more control over certification and monitoring. I have a lot of hope because it is a good MSI, especially as governments are very involved in this MSI as opposed to other initiatives. The State Department is even represented by a sitting government official, which is an interesting development, but we’ll have to monitor how this proceeds.

When companies want to be not only PSC.1 certified but also ISO 18788 certified, is this an entirely separate process?

The DoD has revised the Defense Federal Acquisition Regulation so that PSC providing security services overseas will need either PSC.1 or ISO 18788.[22] So first of all, there is only one accredited certification body, that is MSS Global, which can audit and certify companies to ISO18788.[23] My understanding is that when they go in and audit a company to ISO 18788, they also get their PSC.1 certificate along the way. It is however unclear how the relationship between PSC.1 and ISO18788 will develop over time.

The ISO 18788 is an improvement to the PSC.1, as when we drafted ISO 18788 we had the experience of companies already having implemented PSC.1 for a couple of years. It has stronger human rights provisions and is more in line with the UN Guiding Principles, for example, human rights risk assessments are now a requirement.[24] There is an expectation that PSCs consult with external stakeholders and grievance mechanisms need to be publicly available on their website and criteria for their effectiveness need to be documented. PSCs must publicly communicate their respect for human rights, and operate in conformance with human rights even in countries where rights are not respected. They must also ensure that they assess the human rights risks in their supply chains and that their subcontractors also respect human rights.

ISO has a technical committee 292 (TC 292) which is responsible for ISO 18788 and it is a whole different set of characters as it is an international organization.[25] It is not the same people who developed PSC.1, even though PSC.1 was developed with a lot of international input. The advantage of having an ISO standard is that it internationalizes PSC.1, an American standard, which may lead to greater uptake within the global security industry, as some companies do not like the idea of operating to an American national standard.

However, TC 292 has some challenge as it emerged from bringing together a number of other project committees and technical committees at the ISO level, people who usually did not work together and they created this massive committee with a focus on protective security. There is some concern that they could potentially water down the standard with the next revision. Right now there has been an upward trend in terms of the stringency and the rigor of standards. It is unclear if it will remain that way. For that reason, the DoD and the American National Standards Institute (ANSI) have chosen to keep the PSC.1 standard even though normally the national standards is phased out when there is an international standard. This is not going to happen with PSC.1 because there is just a little hesitation to fully trust in ISO and TC292 and their ability to maintain the standard. For that reason, it does not make sense for certification bodies to just do one or the other. And if you look at the ANAB accreditation rule that will come out soon, certification bodies are going to get accredited to do both. It would not make sense any other way. The rest is going to depend on how things develop over time in terms of the relationship of the standards to each other.


National Regulation

Do you see any potential for Congress to pass CEJA[26] in the near future to close the jurisdictional loophole with regards to contractors working for the U.S. government but not the DoD? If not, what is holding back the process?

As we said before there is less scrutiny as opposed to the peaks of the wars in Afghanistan and Iraq. So there is no pressure for Congress to act. But it is unfortunate because the industry supports CEJA as PSCs prefer operating under clear regulations. It helps reduce uncertainties. In the past, before it became CEJA the proposed legislation was another expansion of MEJA. And at that point there was tremendous bipartisan support and it is a no-brainer. It makes absolutely no sense that one would treat State Department or USAID contractors differently than DoD contractors. The second big issue aside from the lack of pressure on Congress is the intelligence carve-out.[27] It basically says that intelligence contractors would be exempt from the provisions. For a lot of human rights NGOs that was a real non-starter and they did not understand why intelligence contractors should be exempted. But in many ways intelligence contracting is different. You can’t put the two together, there are different rules that apply to how intelligence is gathered. But still, this is a bit of a holdup. But I don’t have a very good explanation for why it does not get passed. Everyone recommends it. But there is too much on Congress’ plate and no pressure to take this up.

Do you believe that States are currently fulfilling their obligation under the Montreux Document to ensure respect for international humanitarian and human rights law by PSC?

We, the Human Rights in Business Program at the Center for Human Rights & Humanitarian Law, wrote our report Montreux Five Years On three years ago[28] and DCAF recently wrote a report focused on best practices,[29] whereas our report looked more in depth at a handful of countries. When you take a deeper dive it is clear that there is no state doing any particularly good job in fulfilling its Montreux commitments. That being said, the U.S. has a very robust regulatory framework. It is simply not true when people say that there is a regulatory vacuum, that is absolutely ridiculous and not accurate. Since 2003 every National Defense Authorization Act has contained provisions applicable to military and security contractors.[30] But generally the states are not fully meeting their commitments and that has not changed since the report came out.

When looking at the high level takeaways concerning the U.S. from the 2013 report, many of the same problems persist. There is still the need to define which services are inherently governmental and in how far human rights risks should factor into the decision whether or not services should be outsourced, not only whether or not outsourcing is allowed under the law. The licensing system has not been revised to reflect the Montreux Document commitments. Past performance and in particular human rights performance is not yet taken into account in the selection and contracting of PSCs. The implementation of a number of statutes, regulations and guidelines could be improved. The reporting system for serious incidents could be augmented as well as contracting officials training improved. There is still a patchwork of statutes regarding the system for criminal accountability for PSCs and their personnel. The system for civil liability is still in flux and access to remedies, both non-judicial and judicial for those who have suffered human rights abuses is lacking. There has not been all that much achieved since we assessed the situation three years ago. And while the self-regulatory framework has not replaced the pressure for binding laws and regulations, for better procurement policies and better oversight over contracts, it has certainly taken some pressure off of it. A lot of the action is happening in the self-regulatory arena and both the U.S. and the UK government are very happy to go this route. What Deborah Avant pointed out very well in her essay is that we had the Commission on Wartime Contracting that came up with all these recommendations but there has not been much done with it.[31] A lot of what was recommended is still outstanding, for example that all government agencies input information into the Synchronized Predeployment and Operational Tracker (SPOT) database.[32] SPOT is the database into which the DoD, State Department, and USAID enter contract and personnel information to ensure greater visibility over contractors.

In the interim, the Montreux Document Forum[33] is supposed to be a Forum in which countries committed to the Montreux Document can meet and share best practices and learn about ways to implement commitments. But the extent to which this is really resulting in national legislation is hard to judge. Currently, 53 states and three international organizations, NATO, the EU and the OECD, are supporting the Montreux Document. The Document is great in terms of reasserting existing legal obligations, and the good practices are probably the best part of it. But it is still just a Declaration and that is why countries such as South Africa show consternation when it comes to the Montreux Document Forum. They just see it as more voluntarism when progress needs to be made in terms of developing a binding international instrument via the UN Working Group. I am not getting a good sense of what the Montreux Document Forum is actually achieving. It would be great if countries submitted reports, such as they did at the fifth anniversary. They could outline what they have done and where they stand with their commitment and it should be done regularly and publicly. There is no reason those reports should be kept confidential. The U.S. government was one of the only ones that published its 2013 report. That should be a minimum requirement for participating in the Forum. Otherwise it is all very behind closed doors and there is no transparency in terms of what is actually being achieved.

Thank you very much for the interview.


[1] More about Dr. Rebecca DeWinter-Schmitt at:

[2] There is an ongoing debate between academia, NGOs, the government and the industry whether the correct term is Private Security Companies (PSC), Private Military Companies (PMC) or Private Military and Security Companies (PMSC). This transcript follows the term used by Human Analytics and thus refers to PSC.

[3] You can access the blog post here:

[4] David Sebstead, “Certifying Responsible Private Security Companies: Assessing the Implementation of Transparency and Disclosure Provisions”, Human Rights Brief, May 24, 2016,

[5] The International Code of Conduct for Private Security Providers’ Association is a multi-stakeholder initiative established by a Swiss non-profit organization. The International Code of Conduct for Private Security Providers (ICoC) is the outcome of this multi-stakeholder initiative and has the goal of setting international principles and standards for the responsible provision of private security services, particularly when operating in complex environments. The Swiss government brought together PSC, states, civil society organizations and academics to elaborate the ICoC and it was finalized in 2010. More on this at:

[6] More about the current ICoCA certification requirements: PSC.1 is a standard which was created by the American National Standards Institute and ASIS International. Certification bodies audit PSC, making it a private-private relationship as highlighted in David Sebstead’s article.

[7] According to the ICoCA website, member PSCs would have to become certified within a year of the announcement, which would be before 1 July 2016.

[8] In fact, there have been several consolidations in the industry. For example, in 2015 AEGIS was acquired by GardaWorld ( and the companies Academi, Triple Canopy, Edinburgh International and other PSC merged into Constellis Group (

[9] About the DoD requirements for PSC:

[10] The UN Guiding Principles on Business and Human Rights are a set of guidelines to prevent, address and remedy human rights abuses committed in business operations. More on them here:

[11] David Sebstead ranked thirteen PSC according to the scope of their certification, their statements of conformance, the communication of their human rights risk analysis and the methods for addressing grievances. To view his results visit:

[12] Sarah Percy, “Regulating the Private Security Industry: A Story of Regulating the Last War”, International Review of the Red Cross vol. 94, vol. 887 (2012), pp. 941-960,

[13] The Worldwide Protective Services (WPS) contract provides the Department of State with protective movement security, specialized emergency services, and static guard services for diplomatic missions in high-threat areas.

[14] For research and audit reports about the USAID’s use of private contractors:

[15] Those tools can be accessed here: and

[16] The UN Global Compact tool is available here:

[17] IPIECA human rights training tool is accessible here:

[18] ICMM’s Implementation Guidance Tools address some of the challenges the companies were facing with regards to the Voluntary Principles. More on this at:

[19] The reports are available here:

[20] The accreditation rule is not yet publicly available but for those interested in learning more about ANAB:

[21] The Voluntary Principles on Security and Human Rights are a multi-stakeholder initiative with a focus on the extractive industry. Established in 2000, they are a set of principles guiding companies in maintaining the safety and security of their operations. Although established significantly earlier than the ICoC, the Voluntary Principles have less members. To follow-up on the participating companies as well as governments as well as the principles:

[22] The DoD states that the substance of the ISO 18788 and the ANSI standards are the same and that companies in compliance with PSC.1 will also be in substantial conformance with ISO 18788. It thus accepts ISO 18788 as an alternative to compliance with ASNI/ASIS PSC.1-2012:

[23] MSS Global offers an overview over the certification process on their website:

[24] To learn more about the International Organization for Standardization (ISO) standard ISO 18788 Management System for Private Security Operations, this webinar offers great insights: span style=”color: #0000ff;”>

[25] More about TC 292 and its work on standardization in the field of security:

[26] The Civilian Extraterritorial Jurisdiction Act (CEJA) would clarify U.S. criminal jurisdiction over U.S. contractors working abroad for other government agencies than the DoD. A general factsheet with the viewpoints from a human rights NGO is available here:

[27] Senator Chuck Grassley was vocal about his opposition to CEJA because of the intelligence carve-out. His view can be followed here:

[28] The report is available here:

[29] The report of the Geneva Centre for the Democratic Control of Armed Forces as well as other relevant reports on the privatization of security are accessible here: of Security/%28subtree%29/32295/%28classid%29/41

[30] For an overview over the PSC related provisions in the National Defense Authorization Acts:

[31] The reports of the Commission on Wartime Contracting are available here:

[32] SPOT shows the contracts, contractors, costs and type of contractors as well as the kind of work they do and the availability of government furnished services:

[33] To find out more about the Montreux Document Forum go to:

Copyright © 2016. All Rights Reserved.