May 4, 2009 Commentary, Jake's Posts
By Jake Allen
Last week I was ranting about the private security industry’s lack of movement along the self-regulation front. Industry regulation is not a new theme for me and the subject most recently came up due to the UK Foreign Office’s decision not to take action on regulation. Instead David Miliband, the British Secretary of State for Foreign & Commonwealth Affairs is calling on the private security industry to self-regulate by drafting a code of conduct and then encouraging industry participants to sign-on to it.
The problem with this model is that it is precisely what has been tried in the U.S. by the International Peacekeeping Operations Association, IPOA and their member Code of Conduct. The code itself is very comprehensive and IPOA are to be applauded for devoting so much time and energy to develop it. But, the motivation and the mechanics by which a PSC would sign-on and more importantly the authority such an agreement would have are severely lacking teeth and that lack of teeth leads to a lack of credibility.
Codes of conduct are the absolute bare minimum that a PSC should be adhering to. They are a moral floor, they are not the benchmark for industry performance. I encourage all PSCs to sign-up for IPOA membership and commit themselves to this global Code of Conduct but the fact that it is a voluntary effort can never be escaped. The whole point of this debate, in my estimation, is to develop a framework to regulate companies who themselves would likely not volunteer to be regulated.
Actually, self-regulation as such is something I have been calling for for years. But the term self-regulation is a misnomer for my purposes. I don’t any more believe that PSCs can self-regulate than can bankers or stock brokers or pharmaceutical firms or any other commercial segment of the global market. When I talk about self-regulation really what I mean to say is that the industry should show some self-leadership, particularly on the part of the biggest PSCs. These firms should step up and show some leadership and collaborate with government to identify ways in which the industry can be regulated and to take actions themselves and lead the effort in having other entities regulate them in an equitable manner. As it stands now it appears that the biggest players in the market are happy to have confounded governments in London and Washington.
What to do then?
Let me outline specifically how I think our industry should be regulated and the role that legitimate global firms should be taking to lead this effort. Many of these ideas are not uniquely my own but they are what I have been thinking about for a long time after having had a lot of discussions with colleagues as well as others, much smarter than me, who have commented on this subject.
The basic premise of my proposal centers around the creation of a ‘legimate’ market for qualified armed security service providers. By creating a regulated and legitimate market you are simultaneously creating an illegitimate or ‘black market’ for those same services. This then leaves consumers (mostly governments or private firms spending government grants) to decide if they want to purchase from the legitimate market or not. Similarly, it drives PSCs to consider whether or not they want to compete in the legitimate market or not.
Writing the Standard
The UK Foreign Office took a pass on regulating PSCs principally because by their estimation it is too difficult. I am not joking. David Miliband in his open letter for consultation says nearly point blank that regulating PSCs is difficult due to the global nature of the industry and the difficulty any single government would face in enforcing any standards, laws or penalties. Ah yes, the old ‘too hard basket’. When all other logical reasoning fails you can always just throw up your hands and say, “it’s just too hard” let’s talk about something else. Not exactly a shining moment in governmental leadership and certainly not the kind of response to a challenge you’d expect from a global leader.
In point of fact qualifying a PSC would not be that difficult. I propose to have a standard drafted in less than 24 months which would cover the majority of armed security services in the market today. It would take an additional 12 months to initially certify any UK based PSCs or any global PSCs wishing to take payment derived from UK taxpayers, most notably MoD or DFID.
How would I do it? I would form a standards committee made up of UK PSCs such as Aegis Defence, Armor Group, Control Risks Group and others. I would include representatives from other stakeholder communities in government as well as organizations such as Human Rights Watch and/or the ICRC. I would also bring in some standards drafting experts from the British Standards Institute or the United Kingdom Accreditation Society to facilitate the drafting of the standard to ensure that best practices were being applied.
I would then facilitate a series of recurring workshops where the committee members would work with existing standards such as the ISO-9001 Quality Management Standard and other general relevant international standards. I would also use the recently published Montreux Document as well as IPOA’s Code of Conduct and other relevant documents from across the PSC industry.
Look, there is any number of examples of where global industries have solved this problem or made great inroads to standardizing the level of service. The automotive sector which is also global, also deals with life-and-death consequences for poor quality and also has a very diverse and fragmented supply chain network was able to draft the TS-16949 standard. But it was done because the major automotive manufacturers took the lead in collaborating on it.
Certifying Companies
Regardless of how the standard is reached in order to ‘certify’ a PSC as conforming to the standard two separate functions must be employed; assessors and accreditation bodies.
Assessors, also referred to as auditors must be completely independent of the PSCs they are auditing as well as any other PSC in the global market. Through a mixture documentation analysis and on-site physical assessing the auditor will make a determination as to whether or not the PSC is conformant to the requirements contained in the standard. If they are then they are issued a certificate stating as much and placed on a periodic monitoring program and a recertification date in 3 years time. If the PSC is not conformant then a report is issued identifying any major or minor nonconformities and the PSC is given a period of time to take the necessary corrective actions.
Ah but who is checking the checkers you ask? That is the role of the accreditation body or society. The accreditation body issues authority to conduct audits and issue certificates of conformity to the auditing firms.
Leverage Existing Infrastructure
It sounds a little confusing but believe me this is a well beaten path with expertise all over the place which could easily be brought to bear. All of this infrastructure exists already in every country on the planet and could easily be applied to PSCs.
The International Standards Organization (ISO) in Switzerland already authors, issues and in some cases simply adopts external standards through an active committee process. The same could be done in the case of PSCs.
Global auditing firms such as the British Standards Institute (BSI), Det Norsk Veritas (DNV), Securite Generale Surveillance (SGS) in Switzerland and Bureau Veritas in France each have offices in over 80 countries and conduct hundreds of thousand of audits of other types every year. It would not be difficult for organizations such as these to get their hands on a standard and quickly come online with auditing capability.
Lastly every country already has accreditation bodies similar to UKAS the United Kingdom Accreditation Service who issue accreditation rights to the auditing firms for audits conducted on companies in operation in their jurisdiction.
So, again, developing the standard is doable and so is the execution of the audits and the eventual company certifications. We are slowly running out of excuses.
Market Conditions
In order for a system like this to work it requires that the market demand be created by states and state collective organizations such the United Nations, the African Union, the Arab League, etc, etc. This can take a long time to achieve as the decision making process in these organizations can be painfully slow and fraught with political blind-alleys. But just because it is difficult does not mean it should be shelved.
States must enact policy and legislation mandating that armed security services be purchased on the open market in an open bid process from not less than 2 qualified service providers. This is critical to the initial success of the program as it will first create demand for the certification and second add a level of transparency to the procurement process which has thus far been lacking. In the end only those possessing the certification will be rewarded by gaining access to potential revenues precluded from non-certified companies.
Major governments like the U.S. and the UK have made a strategic decision to outsource armed security in many instances. The least they can do it provide a meaningful watchdog function and ensure the their funding is spent with firms who are qualified and regulated.
A grace period
Following the successful pilot program a grace period of say 12 to 24 months should be extended to the entire market. This give PSCs enough time to get their hands on the standard, understand its implications, make any necessary changes to ensure conformity, schedule the audit and either remediate the process or receive the certificate.
Penalties must be in effect at the witching hour for companies who have not managed to conform to the standard. This is another role that governments can play in providing oversight and if necessary the enforcement in the form of financial penalties and if necessary the shutting down of companies who refuse or incapable of conformance.
The argument about the global nature being too difficult to regulate is only superficially correct. There is any number of instances where various industries have worked with governments to build cross-border regulation. And even in instances such as in financial services where both the U.S. and the UK authorities have maintained rightful autonomy there have always been a close working partnership and knowledge of what the other one is doing.
The bottom line
The bottom line here is that regulation is a subject the industry’s leaders should take active leadership in. If for no other reason than leaving it entirely to the politicians will most certainly result in an environment that is fraught with over-reaching restrictions and penalties where the good-guys end up paying the freight for the cowboy’s mistakes even more than they are already doing today.
Self-regulation is not going to fly. We’ve seen that from IPOA’s Code of Conduct. Despite IPOA’s good efforts and the quality of the content in their Code the bottom line is that it lacks wide ranging credibility because it is a voluntary exercise pre-incident and post-incident there are no financially negative consequences for simply taking your name off the signatory list.
The future of our industry is what we make it to be. If we believe that we are adding value and contributing positively to the implementation of governmental foreign policy then we must legitimize our existence by standardizing our services. In doing so we will take large step forward in minimizing the negative occurrences which though rare, reflect poorly on the entire industry.
Drafting a standard for PSCs is not difficult. What apparently is difficult to do is to marshal the political will to do have a crack at it.
Tags: Montreux
