Skip to main content

Private Security Companies and Shared Responsibility: The Turn to Multistakeholder Standard-Setting and Monitoring through Self-Regulation-‘Plus’


The rapid and increasing outsourcing of security services by states to Private Security Companies (PSCs) in recent years and associated human rights violations have served as one of the catalysts for long overdue regulation of the global PSC industry. As part of an ‘empirical stocktaking’, this article focuses on current multistakeholder self-regulatory developments in relation to PSCs, in particular the International Code of Conduct for Private Security Providers and the PSC1 certification standard, and considers their likely impact on the responsibility of states in this area. What is clear is that the traditional conception of international responsibility is ineffectual when applied to PSCs because of its focus on the ex post facto responsibility of states for internationally wrongful acts. Furthermore, the fact that PSCs operate in high risk and complex environments and the fact that their clients are often non-state actors, means that an alternative prophylactic approach to responsibility for human rights violations by PSCs seems to be necessary. As it stands, however, the ‘self-regulation-plus’ approach adopted is not the definitive solution. While endeavouring to ensure that PSCs respect human rights, this approach may allow states to evade their own obligations to protect human rights.


The unlawful activities of certain Private Security Companies (PSCs) have been the focus of international scrutiny since the 1990s.Footnote 1 More recently, however, the international interventions in Iraq and Afghanistan, in particular, have highlighted the increasing reliance of many states on such companies to provide security and other logistical services to support their military forces, and the corresponding accusations of human rights violations by PSCs. This article examines and assesses the novel international multistakeholder self-regulatory mechanisms that have emerged in response to the harmful human rights outcomes resulting from the conduct of some PSCs and considers their likely impact on the responsibility of states in this area.Footnote 2 It departs substantially in its understanding of shared responsibility as outlined in the conceptual framework of the SHARES project.Footnote 3 While the SHARES project conceives of shared responsibility as the responsibility for internationally wrongful acts that is shared by multiple actors, in this instance PSCs and a state, this article highlights that developments in this area have taken a different approach. PSCs operate in a complex and multilayered commercial environment and, as will be seen, their activities often involve no direct interactions with states. The emerging regulatory framework seeks to delineate clearly the extent of PSC obligations in relation to human rights and their ultimate responsibility, rather than mere accountability, for breaches of human rights. The Introduction to this symposium recognises that the traditional rules on state responsibility probably cannot be applied to PSCs and acknowledges that ‘strengthening standards and commitments by both non-state actors and states, coupled with supervisory mechanisms’Footnote 4 is a promising alternative.

In the aftermath of the United States (US)-led coalition interventions in both Iraq and Afghanistan, hundreds of new PSCs were set up or their existing activities expanded to take advantage of the emerging and extremely lucrative commercial opportunities in security and reconstruction activities for donor governments.Footnote 5 The mounting reliance on PSCs by states is a direct result of donor state reductions in ‘the size of their armed forces’ to focus on ‘the “core” task of combat fighting’.Footnote 6 In privatising these activities and delegating functions to PSCs, states have ‘deliberately created … an anarchy’, that is, a ‘social arrangement which is not centrally controlled by a government’.Footnote 7 In the current absence of international legal regulation of PSCs there has been a clear move towards using what the United Kingdom (UK) government has termed ‘robust regulation and monitoring’. The so-called ‘Swiss Initiative’, formulated by the Swiss Government and the International Committee of the Red Cross, has offered a starting point for serious international multistakeholder discussions around the role of Private Military and Security Contractors (PMSCs) in armed conflicts and has culminated in the publication of the Montreux Document in 2008.Footnote 8 Stakeholders involved in the drafting of the Montreux Document have continued to meet with the goal of clarifying the obligations and responsibilities of the security companies themselves. This has led to the drafting of the International Code of Conduct for Private Security Providers (ICoC) and the establishment of a multistakeholder oversight body, namely, the International Code of Conduct Association (ICoCA).Footnote 9 While the Montreux Document represents the first intergovernmental statement of existing state legal obligations in relation to PMSCs, the ICoC and ICoCA seek to ensure blanket improvement of PSC industry standards, including respect for and compliance with human rights standards, through the use of a certification or audit process accompanied by institutional oversight and compliance measures.Footnote 10

This article has two goals. Firstly, it examines the extent to which these new self-regulatory approaches set out PSC human rights obligations and the ways in which PSCs can be held responsible, if at all, for human rights violations. By focusing on the responsibility of the PSCs themselves, it can be argued that industry self-regulation may allow states potentially to circumvent their responsibility to protect human rights under international law in a very practical way, by shifting responsibility for human rights violations to contractors. Some states, such as the USFootnote 11 and UK however,Footnote 12 take the view that their participation and membership of the ICoC and ICoCA meet their general due diligence obligations under international law to protect human rights, and their particular commitments under the Montreux Document and the Guiding Principles on Business and Human Rights (Guiding Principles),Footnote 13 to ensure that PSCs respect human rights. Given that the scope and extent of state oversight of the ICoC and ICoCA is still unclear and the grievance mechanism is not yet in place, it cannot be determined at present whether participating states are meeting their international obligations. Indeed, it can be argued rather that states are potentially distancing themselves from sharing responsibility with PSCs and may in fact be imposing a higher share of responsibility directly on companies for human rights violations than international law permits. The ‘Protect Respect Remedy’ framework of the Guiding Principles on Business and Human Rights reiterates that the primary obligation to protect human rights rests with states and that business actors have a (non legally binding) obligation to respect human rights, but the way in which the PSC regulatory framework has developed suggests that states are interpreting their responsibility restrictively.Footnote 14

Secondly, as part of an empirical stocktaking of developments in this area, this article considers whether ‘self-regulation-plus’, of the type envisaged in the ICoC and the ICoCA, and operationalised in the risk-based approach of industry certification standards such as the PSC1 Management System for Quality of Private Security Company Operations, is likely to be an effective tool for ensuring PSC adherence to international human rights standards and the avoidance of adverse human rights impacts.Footnote 15 What is being witnessed in this recent PSC standard-setting and the certification processes advocated by states and the PSC industry is a shift towards norm-internalisation or socialisation of human rights as a means of effecting behavioural change within these companies. Koh describes a culture of human rights ‘norm-internalization’Footnote 16 as a process of socialisation whereby one moves from ‘grudgingly accepting a rule one time only to habitually obeying it’ as ‘the rule transforms from being some kind of external sanction to becoming an internal imperative’.Footnote 17 This requires what Murphy describes as a move towards ‘human rights preparedness’.Footnote 18 She notes that

managing the risk of rights is part of managing risk, so there could be a way in here for human rights. And because human rights reach beyond human rights law, managing the risk of rights stretches beyond legal risk—beyond, that is, claims and litigation concerning human rights violations. Rights as risk encompasses, for instance, the potential for human rights activism to disrupt the interests and overall standing of a government or organisation—a potential that may be entirely detached from legal liability.Footnote 19

Thus further questions arise as to whether the risk-based certification model affects the responsibility of states. Is this approach shifting responsibility for human rights violations onto PSCs or is governmental involvement in, and supposed oversight of, this new regulatory regime a sufficient means for states to meet their obligations under international law to protect human rights? What is clear is that there are several weaknesses in the self-regulation-plus approach which must be addressed in order to increase the likelihood of effective and credible regulation of PSC human rights compliance.

In light of their proposed governmental and civil society oversight and monitoring elements, these new PSC regulatory mechanisms are labelled here ‘self-regulation-plus’ to differentiate them from more conventional forms of self-regulation. What has been created through the ICoC is novel in some respects and deserves individual consideration, because rather than neatly falling into one acknowledged category of private ordering, the self-regulation-plus approach cuts across the self-regulation ‘spectrum’.Footnote 20 It has long been recognised that there are different types of private ordering: two decades ago Ogus talked of a ‘multitude of institutional arrangements’, and noted that they are not all the same in terms of nature, structure and efficacy.Footnote 21 Indeed, they may demonstrate ‘different degrees of legislative constraints, outsider participation in relation to rule formulation or enforcement (or both), and external control and accountability’.Footnote 22 So while the adherence to the ICoC and membership of the ICoCA are on the face of it voluntary in nature and to that extent are similar to other existing self-regulatory mechanisms, particularly among business and human rights initiatives, their approach also resembles other forms of mixed regulation such as co-regulation because states, civil society actors and private actors (in this case PSCs) are regulating jointly and ‘twinning public and private powers’.Footnote 23 This can be seen in the state adoption of the certification standards, highlighted previously, and which challenges the notion that the system is entirely voluntary because PSCs may be contractually bound to comply.Footnote 24

For states embracing this approach, it could be argued that in doing so they are meeting their due diligence obligations in relation to the activities of PSCs operating extraterritorially. Elements of meta-regulation are also present, notably ‘official validation’ of the system by individual governmental contractual arrangements or approval, and via membership of the ICoCA.Footnote 25 Thus it seems that the ICoC and ICoCA’s self-regulation-plus has the potential to be a positive and sophisticated example of a ‘hybridized system[s] of both market and social regulation’ which may ‘open up further vistas’Footnote 26 of ‘collaborative governance’.Footnote 27

Regulation of Private Security Companies

Notwithstanding the increasingly large numbers of active PSCs, the industry has been subject to little significant national or international regulation beyond basic company law requirements of home or host states.Footnote 28 At the same time, it is evident that PSC business models have become progressively more organised, professional and corporate in nature and structure:

PSCs have grown to such a degree that today they are organized along corporate lines (including boards of directors, share-holdings and corporate structures) their work has a clear contractual aim and obligation to their clients.Footnote 29

This corporatisation and professionalisation of PSCs can be traced to a desire on the part of the PSC industry to distinguish and distance commercial security activities and logistical support from the direct combat activities of mercenaries.Footnote 30 The former head of the UN Working Group on the use of mercenaries, Gomez del Prado, points out, however, that the line between PSCs [or Private Military and Security Companies (PMSCs)] and mercenaries is often blurred given that the ‘security industry of private companies moves large quantities of weapons and military equipment’ and ‘[i]t provides services for military operations’, as well as recruiting former military personnel ‘to carry out passive or defensive security’ in a civilian capacity.Footnote 31 Direct participants in hostilities or mercenaries are excluded from the scope of this article, which focuses instead on the regulation of providers of lawful commercial security services.

PSCs, like all other private business actors, fall outside of the reach of international law and they are not bound by international human rights law in particular.Footnote 32 So while well-known allegations of human rights abuses by the employees of PSCs such as ‘Blackwater’, ‘Titan’ and others in relation to their activities in conflict, post-conflict and fragile regions have proliferated throughout the past decade or so and have attracted much international attention, these abuses have not resulted in legal accountability or responsibility under international law.Footnote 33 There are two key reasons for this in international law, a third reason which relates to the nature of PSC clients, and a fourth reason relating to the lack of national legislation.

Firstly, for the purposes of attribution of conduct under international law, PSCs do not meet the strict criteria for attribution for they do not exercise governmental authority, nor does the contractual relationship with governments sufficiently infer that they are acting under the direction and control of a state.Footnote 34 Secondly, PSCs do not possess the requisite legal personality necessary for the application of international legal responsibility. The prevailing paradigm within which international law operates, has traditionally adhered to a subject-object dichotomy in relation to international legal personality.Footnote 35 Accordingly, this means that states are subjects of international law because only they, on this analysis, exercise sovereign power and business actors are merely objects of international law for the purposes of applying and enforcing international human rights law.Footnote 36 Higgins rightly describes this situation as ‘an intellectual prison of our own choosing’ that is then ‘declared … to be an unalterable constraint’, while Pellet criticises the ‘clearly “ideological” reasons’ which are operating to ‘avoid facing the consequences of questioning the monopoly of States over international law’.Footnote 37 Nonetheless, the effect of this position is that PSCs may not be properly regarded as current subjects of international law and, as such, are not bound by international human rights law.

It is this international legal lacuna that has led to the turn to standard-setting for PSCs as one alternative to the application of state responsibility principles. To that end, the international community is developing and adopting self-regulation-plus in the form of multistakeholder soft law mechanisms which incorporate government, civil society and industry oversight, as well as certification and monitoring processes which are intended to address, among other things, the harmful human rights outcomes of some PSC’s activities.

A third problem is that international human rights law was never intended to apply horizontally. As Shelton remarks, human rights law was ‘designed to restrain abuses by powerful States and State agents, not to regulate the conduct of non-State actors’.Footnote 38 Thus human rights apply vertically between individuals and states rather than horizontally between affected individuals or groups and PSCs. When considering the question of legal accountability and responsibility in relation to PSCs, it is therefore crucial to note that such companies operate frequently outside conflict zones, albeit in what are often referred to as complex, challenging or high-risk environments, and that they are regularly contracted by non-state clients. So when trying to apply traditional state-oriented principles of international legal responsibility for wrongful acts, depending on the type of client, the rules of attribution may be simply irrelevant if no state actors are involved. The question of whether the home state of the PSC has performed adequate due diligence of course remains, but as will be seen it is not yet clear whether the emerging PSC regulatory regime satisfies its requirements. A significant proportion of PSC contracts relate to the provision of security services for a variety of non-state actors including non-governmental organisations (NGOs) and other commercial entities.Footnote 39 For example, they may provide mobile security for humanitarian workers in natural disaster zones, transportation for election monitors from intergovernmental organisations in unstable regions, or static guarding of oil and gas facilities for natural resource companies in high risk environments. Due to client sensitivities around this topic, of both commercial and NGO clients, as well as commercial confidentiality issues, it is difficult to ascertain the extent to which non-state actors utilise PSCs.Footnote 40 Determining the extent of their use by the NGO sector is particularly problematic (as for a variety of reasons many NGOs oppose the use of PSCs)Footnote 41 but in 2006, Singer noted that:

Industry representatives estimate that approximately 25 % of the ‘high-end’ firms that provide security services, and over 50 % of firms that provide military support or logistics functions, such as military air transport, have worked for humanitarian clients.Footnote 42

PSC operations in these contexts have tended to attract less global attention than those in places, particularly conflict zones, where states are the predominant, but not the only, clients. More importantly, any human rights violations by PSCs contracted to non-state clients are likely to operate in a legal vacuum unless it can be established that a state has failed to meet the requirements of the general principle of due diligence. So, for example, while the UK government has indicated that it will ‘urge’ non-state clients to ‘commit to contracting only with PSCs that are pursuing certification against recognised standards by accredited certifying bodies’ this undemanding approach may not satisfy the due diligence requirement.Footnote 43

Fourthly, regulatory developments at the national level are very limited. A recent sample study undertaken by the author makes clear that the majority of states do not have specific regulatory mechanisms addressed to PSCs. Of 78 states examined in the initial study, only a limited number have implemented or drafted legislation, or introduced policy measures directed towards PSCs, and a meagre handful make explicit reference to applicable human rights standards.Footnote 44 A further problem is that existing national regulatory mechanisms focus on state-clients. The French delegation at the second session of the UN inter-governmental working group on PMSCs observed that when enacting domestic legislation in this area it is ‘important’ to include other clients such as ‘international organizations and companies’.Footnote 45

Given the lack of, and limitations in, national and international regulation, several factors have combined to further drive the shift towards norm-setting and compliance initiatives. Recent allegations about the adverse human rights impacts of certain PSC activities have resulted in increasing scrutiny of, for example, ‘G4S’ in South Africa, ‘G4S Australia’ at Manus Island Detention Centre in Papua New Guinea, and ‘Saracen International’ in Somalia.Footnote 46 In addition, the perceived failure of industry-based self-regulatory codes of conduct, as well as national legal systems, to hold PSCs to account for human rights violations, have also served to galvanise the international community into action to address the absence of regulation, responsibility and accountability.Footnote 47 It was in particular the inability of one of the PSC industry’s most prominent trade associations, the International Peace Operators Association (IPOA) (now the International Stability Operations Association) to hold the infamous ‘Blackwater USA’ to account for the massacre in Nisour Square in Iraq, that highlighted the failings of solely industry-based self-regulation. Blackwater was a member of IPOA and voluntarily subject to that organisation’s internal code of conduct. On being informed of an IPOA investigation into events at Nisour Square, Blackwater left the organisation, changed its name to ‘Xe Services’ and today continues to win US government contracts to operate in Iraq as ‘Academi’.Footnote 48 Such deficiencies in voluntary self-regulation intensified pressure from civil society, and in an increasingly competitive market place has led to many in the PSC industry becoming increasingly sensitive to reputational damage, while states which are home to significant numbers of PSCs (such as the UK and US) have realised that regulatory inaction was no longer an option.

Consequently, two different but interlinked, multistakeholder projects emerged to address the regulatory gaps and to create standards and implement monitoring and compliance procedures for PSCs, namely the Montreux Document and the ICoC together with the Articles of Association of the newly constituted ICoCA.Footnote 49

Emerging Standards: The Montreux Document, ICoC and the PSC1 Quality Management Standard

While the Montreux Document itself does not fall within the category of self-regulation-plus mechanisms, it is an important starting point for understanding the development of both the ICoC and ICoCA. The Montreux Document is essentially a non-binding restatement of the existing international legal obligations of states which are home to, host to, or contract with PMSCs. It seeks to ‘promote compliance’ with international humanitarian law and international human rights law during armed conflict only.Footnote 50 No new international obligations are created for states.Footnote 51 It also sets out ‘good practices’ which may be ‘instructive’ for PMSCs but does not create legal obligations for them.Footnote 52 In contrast, the ICoC is addressed directly to PSCs, and signatory companies undertake to ‘commit to the responsible provision of Security Services so as to support the rule of law, respect the human rights of all persons, and protect the interests of their clients’.Footnote 53

Proponents of these initiatives highlight their multistakeholder approach and attempts to ensure oversight and monitoring and argue that this renders these initiatives a more ‘robust’ form of self-regulation, in other words an approach which attempts to be more effective in ensuring accountability than traditional forms of self-regulation, i.e. it is self-regulation-plus.Footnote 54 Most notably this is to be achieved through the use of certification procedures or auditing and this is examined in more detail below.

Both the Montreux Document and the ICoC are products of so-called multistakeholder processes which involve the participation of states, the PSC industry, as well as civil society actors, and which demonstrate an emerging shift from traditional forms of international law-making towards something akin to ‘top-down-bottom-up’ regulation. So rather than international law always being imposed on non-state actors by states from above, top-down–bottom-up approaches are hybrid in nature and combine legislative ‘top-down’ approaches with softer ‘bottom-up’ non-legislative mechanisms. Such an analysis links clearly with Slaughter’s ‘liberal theory’ of international law, where she describes these types of regulatory developments as ‘multiple bodies of rules, norms and processes that contribute to international order’ which encompass everything from ‘voluntary codes of conduct adopted by individual and corporate actors operating in transnational society’ to ‘transnational and transgovernmental law’ and ‘traditional public international law’.Footnote 55 In the case of the ICoC and ICoCA the process involves different stakeholders, in this case governments, civil society and industry, working together to create a mutually agreed regulatory standard but without the legislative element. What remains unclear, however, is the extent to which states are fulfilling their international human rights obligations by choosing the softer option of self-regulation-plus and omitting legislative options.

Certainly the government and industry drafters of the ICoC want it to be regarded as an example of best practice in the business and human rights sphere. This can only be achieved if the weaknesses identified above and below can be addressed. Such soft law approaches to the regulation of PSCs are not universally welcomed and it is worth noting that two separate UN working groups, on mercenaries and PMSCs, have explored or are exploring the possibilities for creating binding regulation for the industry through international conventions.Footnote 56 At the second session of the inter-governmental working group on PMSCs in July 2014, some states and civil society actors expressed concern about the limitations of an audit-based self-regulation scheme, despite the element of oversight incorporated into the ICoCA in paragraph 12.1 of its Articles of Association.Footnote 57 Furthermore, at the 2014 Human Rights Council, states voted in favour of elaborating a multilateral convention to ensure direct legal responsibility of all business actors for human rights abuses, not just the PSC sector.Footnote 58

Nevertheless, in the context of PSC-specific regulatory approaches, the relationship with international law and in particular the responsibility of the state for extraterritorial activities of its corporate nationals remains explicitly traditional, at least in terms of the principles articulated. As highlighted above, the Montreux Document is declaratory in nature and aims to ‘recall certain existing international legal obligations of States regarding private military and security contractors’.Footnote 59 It applies only to the activities of PMSCs in situations of armed conflict but it is addressed specifically to states. Furthermore, it notes throughout that the existing obligations of states under international law remain unaffected. Paragraph 1 of part A of the Montreux Document is unequivocal and provides that: ‘Contracting States retain their obligations under international law, even if they contract PMSCs to perform certain activities’. A distinction is made between contracting states (clients),Footnote 60 territorial states (the place of the PSC operation or project)Footnote 61 and home states (the state of incorporation of the PSC).Footnote 62 While it is unclear how the responsibilities of these different states transect, nevertheless the Montreux Document is focused on state responsibility rather than that of PSCs.

In contrast to the Montreux Document, the ICoC and ICoCA address PSCs directly and attempt in general terms to set out the extent of their human rights obligations. Notwithstanding this focus, paragraph 2 of the ICoC Preamble records that ‘well-established rules of international law apply to States in their relationships with private security providers’ which would include states retaining the responsibility to protect human rights. The state’s international legal obligations do not transfer to PSCs through the contractual relationship. Moreover, paragraph 14 provides that the ICoC does not limit or alter the applicable international law, nor does it establish any legal obligations or liabilities for PSCs. Companies are, however, required to affirm their responsibility to respect human rights and to establish fair and accessible grievance procedures that offer effective remedies for human rights violations. One of the key strengths of the ICoC is that by focusing on the obligations of the PSCs as opposed to states, there is the potential for human rights norm-internalisation, as will be demonstrated in the following section.

The ICoCA was launched in September 2013 and its key function is to set out the basic requirements for certification of PSCsFootnote 63 and to monitor and assess PSC compliance with the ICoC.Footnote 64 Traditionally, effective self-regulation depends upon the degree of ‘external control and supervision’ exercised by government.Footnote 65 Thus the issue of governmental ‘oversight’ and its definition becomes of crucial importance in this instance, as can be seen below.

As of August 2014, there are 708 signatory companies to the ICoC from 70 countries.Footnote 66 Presently there are 135 PSC members of ICoCA, 13 civil society organisations (CSOs) and 6 states.Footnote 67 Each of these three ‘pillars’ is now represented within the ICoCA, which is tasked with ensuring compliance with the ICoC.Footnote 68 Article 11.1 of the ICoCA Articles of Association provides that:

The Association shall be responsible for certifying under the Code that a company’s systems and policies meet the Code’s principles and the standards derived from the Code and that a company is undergoing monitoring, auditing, and verification, including in the field.Footnote 69

No specific certification standard is specified in the Articles of Association and the ICoCA ‘shall define the certification requirements’ on the basis of ‘national or international standards and processes’ which comply with the International Code of Conduct.Footnote 70 Allied to company certification is internal and external oversight as well as a mechanism for addressing Code violations:

The Association shall be responsible for exercising oversight of Member companies’ performance under the Code, including through external monitoring, reporting and a process to address alleged violations of the code.Footnote 71

At present it is unclear what form the oversight, monitoring, reporting and grievance arrangements will take, but the ICoCA Articles of Association make clear that it is the organisation that will exercise oversight not the member states. This again raises the question of whether states will be able to claim to be fully meeting their international legal obligations through this mechanism. Their active and dynamic participation will be essential, otherwise states will be vulnerable to claims that they have failed to meet their obligations in relation to their responsibility to protect human rights. Work is ongoing to determine the nature and substance of these processes, so it is too soon to draw any conclusions about the effectiveness of the ICoCA, but its multistakeholder three-pillar approach has much to commend it. The credibility of the ICoCA will depend greatly on the robustness of the Board of Directors. It will also depend on the merits of the mechanism chosen to deal with alleged violations of the ICoC and how the Board tackles individual cases. In particular, the Board is obliged to ensure that ‘effective remedies’ are provided by certified PSCs, but how this is to be achieved remains to be seen. At the July 2014 meeting of the UN inter-governmental working group on PMSCs many states voiced concern about the effectiveness of the ICoC approach and ICoCA oversight, but it is simply too early to draw conclusions about their efficacy at this stage.

Towards Norm Internalisation?

So what do these developments mean for state responsibility for human rights violations in the PSC context? Steven Ratner argued in 2001 that there has been an ‘erosion of the domain reservé’ which presents ‘a challenge to the traditional prerogative of States to regulate companies within their jurisdiction’.Footnote 72 Ratner claimed that ‘[t]he question is not whether non-State actors have rights and duties but what those rights and duties are’.Footnote 73 At that time he concluded that states remained ambivalent about ‘accepting corporate duties’ especially in relation to human rights duties.Footnote 74 Nevertheless, he took the view that such ‘duties of a company’ were ‘a direct function of its capacity to harm human dignity’.Footnote 75 He noted that

Proposing international norms of corporate responsibility for violations of human dignity continues the trajectory that the law has taken, but it also represents new challenges for the enterprise. It challenges the state’s exclusive prerogative (what some might call sovereignty) to regulate business enterprises by making them a subject of international scrutiny; it makes them entities that have their own duties to respect human rights.Footnote 76

Given the way in which the self-regulation-plus regime has developed in relation to PSCs, it is difficult to see how the state’s prerogative to regulate business actors is being challenged. Furthermore, the regulatory mechanisms are clear that state obligations and responsibility remain unaffected. It is possible, however, that the way in which the third party audit and certification process operates could, through the push towards internalisation of human rights norms in particular, result in a situation where more responsibility is being placed on PSCs for human rights violations and states are, if not quite shedding elements of responsibility, at least distancing themselves from sharing responsibility. This is related directly to the construction of the regulatory arrangements.

The PSC regulatory regime developed is complex and involves many different layers of actors beyond states, civil society and industry. PSCs will be required to demonstrate to auditors that they are complying with the human rights set out in the ICoC, that they are conducting Human Rights Risk Assessments and Analysis, and that they have instituted third party grievance mechanisms. States are removed from the various processes. As highlighted above, the ICoCA retains responsibility for oversight, monitoring and remedies, but at the level below, national accreditation bodies are required to certify certification bodies which in turn carry out the audits of PSCs. It is this complexity which could lead to states not meeting their international legal responsibilities. In this system, participant states must provide effective oversight of the ICoC itself, as well as their own national accreditation and certification bodies, because a failure to do so will result in this fragile regulatory house of cards falling apart. It is not enough that states become members of the ICoCA, as the success and credibility of the regulatory regime is dependent upon states upholding consistently the effectiveness of the international and national elements of the certification process. It is only by doing this that states can truly claim to be meeting their international human rights obligations. To acquire an understanding of the extent to which states may be distancing themselves from their responsibility to protect human rights, it is necessary to examine the mechanisms established. So what does the certification process look like and how should it work?

PSC1 and the Shift towards Norm Internalisation

As outlined previously, the ICoC sets out a requirement for signatory companies to undertake certification or an audit to measure the extent of its compliance with the Code.Footnote 77 To that end, the American National Standards Institute (ANSI) and ASIS International developed a quality management system standard that includes specific requirements for audited PSCs to demonstrate that they have considered human rights risks and adverse human rights impacts as part of their management system, as well as providing remedy mechanisms for third parties affected by harmful outcomes of PSC activities.Footnote 78 PSC1, as it is known, has been endorsed and adopted by the UK government as the ‘applicable standard for UK-based PSCs working in complex environments on land overseas’, and since May 2012 all contracts undertaken by the US Department of Defence require conformity to the standard.Footnote 79 The PSC1 standard has been piloted in the UK.Footnote 80 It also forms the basis of a proposed international standard at the International Organization for Standardization (ISO).Footnote 81

PSC1 is a Quality Management System (QMS) developed with the aim of improving standards across the PSC industry and human rights standards in particular.Footnote 82 Emphasis is therefore placed on ensuring high standards of management throughout the organisation of the company. A company’s conformance with the PSC1 standard will generally be measured, but not always, by independent third party Certification Bodies or auditors during a two-stage audit which takes place at both the PSC’s headquarters (stage 1) and on-site (stage 2). The company pays for the audit. A PSC1 audit is not specifically focused on human rights, its remit is much broader, but human rights language runs throughout the entire standard and the improved protection of human rights was very much a driving force behind the creation of the standard. In addition to the ICoC, it is clear that PSC1 draws heavily upon the Protect, Respect, Remedy approach of the UN Guiding Principles on Business and Human Rights, especially in relation to its due diligence and grievance procedure requirements.Footnote 83

In particular, PSCs are required to demonstrate that they have taken into account any potential adverse human rights impacts on external stakeholders. It is therefore necessary for a PSC to identify any external stakeholders likely to be affected by its activities, e.g. local communities. Moreover, while PSC1 does not specifically require that PSCs undertake a Human Rights Risk and Impact Analysis (HRRIA), it is clear that some form of human rights risk assessment is expected. The informative Commentary annexed to PSC1 does make a specific reference to HRRIAs but the standard itself does not use that language. This is something which companies have identified as confusing, and consequently they are unclear about their specific obligations in regard to HRRIAs.

PSC1 also includes an upstream and downstream due diligence requirement so that companies must carry out due diligence in relation to both their clients and their contractors and supply chains. This approach is in line with the UN Guiding Principles on Business and Human Rights. It seems likely that due diligence in relation to contractors and the supply chain will be easier to undertake than in relation to clients. There appears to be some reluctance on the part of PSCs to demand human rights due diligence of their clients, probably as a result of a highly competitive market. It is perceived by some PSCs that this could exclude them from certain contracts, but of course if the clients are educated and aware of their ‘baseline’ responsibility to respect human rights, then in theory this should become less problematic particularly as the Guiding Principles undergo wider dissemination and implementation.

PSC1 also requires conforming companies to have in place incident monitoring and reporting mechanisms. In addition, there must be accessible grievance and whistle-blower policies, and procedures which must be communicated to both internal and external stakeholders. Where a complaint is made, the PSC must document the corrective actions taken and any ‘compensation and redress given to the affected parties’.Footnote 84 Ongoing monitoring and continual improvement of the company’s procedures and processes is a crucial aspect of the PSC1 standard.

UK PSC1 Pilot Scheme

A pilot scheme commenced in August 2013 in the UK to ‘road-test’ PSC1 as part of the UK government’s self-described commitment to industry self-regulation. The UK has been actively involved in the drafting of the ICoC and development of the ICoCA and its participation follows many years of regulatory inaction in this area.Footnote 85 In doing so, the UK government considers itself to be meeting its obligations to ensure human rights protection through its support for ‘robust regulation’.Footnote 86 Specifically, it regards its adoption of the PSC1 certification standardFootnote 87 with eventual ICoCA oversight as helping the UK to fulfil its ‘commitments’ under the UN Guiding Principles on Business and Human Rights as set out in the UK National Action Plan.Footnote 88 The pilot scheme was supported and closely followed by the UK Foreign and Commonwealth Office. In addition, the UK Accreditation Service, which was to certify approved Certification Bodies to carry out PSC1 audits, was actively involved in monitoring the auditing process both in the UK and at audited project sites.

The scope of PSC1 is broad and applies to PSCs offering services and operating in complex environments. It therefore extends beyond conflict zones. As mentioned previously, there is no specific guidance on how a PSC should consider and address ‘adverse human rights impacts’ within its operations, e.g. through the use of HRRIAs. Nevertheless, there appears to be no hierarchy of risks and it seems to be the case that human rights risks are to be regarded as a risk in the same way as health and safety or environmental risks. The question is, to what extent will defining human rights as a risk and assessing potential adverse human rights impacts be an effective way to ensure compliance with human rights standards, and ultimately prevent the occurrence of human rights violations? Murphy notes that the move towards a risk-based approach is becoming increasingly common in a variety of spheres:

Rights as risk—emphasises a now dominant feature of governance: namely, the assessment and management of risk. Today, governments and organisations alike are expected to identify and handle the risks (financial, legal, political, reputational and so on) to which they are exposed.Footnote 89

By requiring PSCs seeking certification to assess human rights as a potential risk and to implement an HRIA, PSC1 has the capacity to help ‘internalise’ human rights norms within a company’s culture and to raise awareness of human rights impacts.

Reputational damage is of particular concern to those in the PSC sector. They have become susceptible to ‘brand tarnishing’ and ‘reputational disaster’ in the same way that the natural resource sector did in the 1990s.Footnote 90 The market for security services is extremely competitive and the highly publicised actions of a few companies in recent years have rendered the industry very sensitive to reputational risk and the potential impact that allegations of human rights abuses might have on their ability to win future contracts. This of course does not apply to rogue PSCs which choose to remain outside regulatory frameworks and which will continue to violate international human rights standards regardless.


It is clear that the traditional conception of international responsibility is ineffectual when applied to PSCs because of its focus on the ex post facto responsibility of states for internationally wrongful acts. No state has been found responsible in international law for the unlawful activities of its PSC contractors. In light of this, and the fact that PSCs operate in high risk and complex environments and that their clients are often non-state actors, an alternative prophylactic approach to responsibility for human rights violations seems to be necessary. The emerging multilayered regulatory framework in the form of the Montreux Document, the ICoC, the ICoCA, PSC1 and the draft ISO standard represents current progress. As it stands, however, this self-regulation-plus approach is not the definitive solution. It lets states off the hook in terms of ensuring that PSCs abide by their obligations, but in doing so this allows states to evade their own obligations to protect human rights.

What is clear is that the extent to which self-regulation-plus reflects any shared responsibility between states and PSCs, and the likely effectiveness of the ICoC and ICoCA human rights risk model as applied though a standard such as PSC1, depend on a variety of factors:

  1. 1.

    State involvement and support.

  2. 2.

    Ability to deal with non-certified and rogue PSCs.

  3. 3.

    Scope of the certification.

  4. 4.

    Auditor competence.

  5. 5.

    Human Rights Impact Assessments.

  6. 6.

    Client awareness, education and training.

First, in terms of state responsibility, civil society organisations and some states continue to express some general concerns that the adoption of any human rights risk certification scheme will result in states not complying with their international obligations.Footnote 91 Despite the fact that the Montreux Document and the ICoC make clear that states cannot transfer their international legal obligations to PSCs through the contractual relationship, nevertheless, the distance created by the very nature of the QMS process (state—accreditation body—certification body—PSC) lends credence to the concern. The PSC could be kept very much at arm’s length from state oversight both at the international and national level. What is clear is that if the ICoCA oversight mechanism and other elements are perceived as weak and lacking in credibility, states will be unable to rely on these mechanisms as evidence that international human rights obligations are being met. Therefore, in addition to general oversight of the operation of the ICoCA, development of a consistent and robust oversight culture by the participant states of their accreditation bodies and certification bodies, as well as the PSCs themselves, is crucial to the credibility and effectiveness of the certification scheme, and of course to ensure that states meet their own international obligations. Active state involvement and support for the ICoC and any certification process undertaken by PSCs is crucial. For example, there are reports of certain non-ICoCA host state authorities refusing auditors on-site access to monitor PSC conformance with PSC1.Footnote 92 The reasons for such refusals are unclear but it may be for security reasons, or more likely it may be due to a simple lack of knowledge on the part of the host state about the, as yet, immature PSC1 process. Such behaviour undermines the whole process so it is essential that ICoCA member-states in particular disseminate information, both at home and in host states, throughout government agencies about the certification process, especially to those likely to encounter auditors in order to encourage support for, and the embedding of, the new standards. By ensuring robust oversight at all stages ICoCA member states will help to reinforce the credibility of the system and perhaps reassure some of the more skeptical states and members of civil society about its effectiveness.

Second, are the ICoC mechanisms capable of dealing with rogue PSCs, which after all are the reason for the implementation of the standards in the first place? What about non-certified companies? What happens if there is non-conformance with the certified standard? The emphasis of this emerging regulatory regime is clearly focused on the responsibility of PSCs themselves as opposed to state clients. It seems that states are determined to keep their responsibility at arm’s length which may well be a function of the different clients that contract with PSCs. The continued existence of non-certified rogue PSCs which do not engage with the ICoCA processes present perhaps the greatest challenge for states and for state responsibility. It is, therefore, in the interest of home states to ensure that all PSCs engage with the ICoCA. The US and the UK have gone some way to encouraging this by adopting the PSC1 standard but other states are waiting for the ISO standard to be finalised. States should also be encouraging, if not requiring outright, other PSC clients in the commercial and NGO sectors to contract only with ICoC compliant PSCs.

Third, there are some concerns about the potentially limited scope of the PSC1 standard. It should be noted that the decision to apply for PSC1 certification is voluntary, as is adherence to the ICoC Code of Conduct. Indeed a PSC may self-certify that its operations are in conformance with PSC1. Furthermore, the PSC itself chooses the geographical scope of the certification. Thus a PSC may have operations in several different countries, but the certification might only apply to one project in one country. So, for example, a PSC may be contracted to operate in a conflict zone such as Afghanistan or Iraq, but it chooses to apply for PSC1 certification for a security operation in a non-conflict (but potentially high risk) country. It is therefore extremely important that the clients of PSCs (states, other companies and NGOs) are made aware of the possible limitations of the certification and are educated on how to determine the extent of the advertised PSC1 certification.

Fourth, it is essential that the third party auditors used to certify PSCs are competent in human rights. In the UK Pilot Scheme, the certification bodies adopted different approaches. It was envisaged by some that the ‘[c]ertification teams will include significant human rights expertise—though paid for by the PMSC being certified’, but this was certainly not the case for all of the pilot certifications undertaken.Footnote 93 Some certification bodies have adopted this approach and have appointed Human Rights Subject Matter Experts (SMEs) to assess the human rights elements of the PSC1 standard. Others have bought in training for their auditors. There must be discussion about the merits of the different approaches as there is some concern that the certification bodies utilising SMEs are holding PSCs to a higher human rights standards than others. It is anticipated that the UK Accreditation Service will be issuing draft guidance on the matter for consultation but there must be a wider debate on this issue. Failing that, the lack of consistency will potentially impact on the credibility of the PSC1 certification process.

Fifth, credible strategic and operational HRRIAs must be defined in the standards and undertaken by PSCs. At present it is unclear how a PSC should assess human rights risk and impacts and which tools it should use. The extent to which there is engagement with human rights expertise by the industry is also unclear. It is important that human rights risks and adverse impacts are being identified and assessed at both the management and operational levels and that companies are not engaging in a mere tick-box exercise.

Finally, the effectiveness of the PSC1 certification standard will be dependent upon the extent to which all clients, governmental, commercial and civil society, understand the certification process. In particular, it is important that they understand the potentially limited scope of certification and the importance of auditor human rights competence.

Given these significant concerns it is crucial that states actively support the development of the emerging certification process to ensure that the system matures effectively and becomes more widely recognised and adopted. Ultimately it is in the interest of states to do so if they expect the international community to accept that their due diligence obligations under international law to protect human rights are being met. Anything else will be perceived as unsatisfactorily shifting all responsibility for human rights violations onto PSCs.


  1. See e.g. ‘Sandline’ which was the subject of UN Doc. S/RES/1132 (8 October 1997) on the illegal export of arms to Sierra Leone. For background on the Sandline affair see UK Select Committee on Foreign Affairs, Second Report, Sierra Leone, 9 February 1999, HC 116-I, session 1998–1999. See also the offensive operations carried out by Sandline International in Sierra Leone and Papau New Guinea in e.g. Vierucci (2011), p. 235 and p. 237; and Wulf (2005), pp. 51–53. See also the mercenary activities of ‘Executive Outcomes’, another company with UK links, which was active in Angola and Sierra Leone in the late 1990s, e.g. Ballesteros EB, ‘Report on the question of the use of mercenaries as a means of violating human rights and impeding the exercise of the right of peoples to self-determination’, UN Doc. E/CN.4/1997/24 (20 February 1997), in particular para. 15. For the mercenary activities of Executive Outcomes’ personnel in various African states, see e.g. Wulf (2005), p. 39, p. 43 and p. 51; and Singer (2011), pp. 101–118.

  2. Different acronyms are used in the various international standards to refer to the companies discussed in this article e.g. Private Security Companies (PSCs), Private Military Companies (PMCs), Private Security Providers (PSPs) and Private Military and Security Companies (PMSCs). The international standards referred to throughout include companies within their scope on the basis of the service they provide or function they perform. In the absence of an agreed definition, this article utilises the acronym appropriate to the relevant standard and PSC in all other cases.

  3. Nollkaemper and Jacobs (2013).

  4. D’Aspremont et al. (2015), Section 5.3.

  5. See Krahmann (2007). On the history of increasing privatisation of the security sector in general see e.g. Likosky (2009).

  6. Krahmann (2007), p. 112.

  7. Frost (2008), p. 51.

  8. Montreux Document on Pertinent International Legal Obligations and Good Practices for States Related to Operations of Private Military and Security Companies During Armed Conflict, Montreux, 17 September 2008 (Swiss Initiative, in Cooperation with the International Committee of the Red Cross, on Private Military and Security Companies) (Montreux Document).

  9. Written Ministerial Statement to Parliament, ‘Private Military and Security Company Industry’, 10 March 2011, c 78WS, available at While there is no international legal regulation of PSCs at present, the Human Rights Council in Res. 15/26 (7 October 2010), mandated an ‘Open-ended intergovernmental working group to consider the possibility of elaborating an international regulatory framework on the regulation, monitoring and oversight of the activities of private military and security companies’. International Code of Conduct for Private Security Companies (ICoC), 9 November 2010, available at International Code of Conduct Association (ICoCA), Articles of Association (2013), available at

  10. See generally the ICoC; the ICoCA Articles of Association, Arts. 2, 11 and 12.

  11. ‘Section 833 of the National Defense Authorization Act of 2011 required the Defense Department to use business and operational standards in contracting and management of PSCs, with the intent of raising the overall standard of performance of these companies. Pursuant to this requirement, the Department of Defense facilitated the development of consensus based quality management standards. These standards were recognised by the American National Standards Institute in March 2012. Since May, 2012, all Defense Department contracts for private security functions performed overseas require conformance with this standard’. US Office of the Deputy Assistant Secretary of Defense, ‘Private Security Companies (PSCs)’, 21 February 2014, available at

  12. On the UK’s position see ‘Good Business: Implementing the UN Guiding Principles on Business and Human Rights’, ref: CM 8695, 4 September 2013, available at (UK National Action Plan), Section 2 (iv).

  13. Guiding Principles on Business and Human Rights and Commentary, Implementing the United Nations ‘Protect, Respect and Remedy’ Framework, HR/PUB/11/04 (United Nations, 2011) (Guiding Principles).

  14. Guiding Principles.

  15. US Management System for Quality of Private Security Company Operations—Requirements with Guidance ANSI/ASIS PSC.1—2012 (PSC1). A management system in this context is a mechanism by which the PSCs organisational structures, policies, procedures and processes are measured to determine whether they meet certain standards, in particular human rights standards.

  16. Koh (1999), p. 1400. See also generally Koh (2005); Goodman and Jinks (2003).

  17. Koh (1999), p. 1400. For a riposte to Koh’s theory of norm internalisation see e.g. Franck (1998–1999).

  18. Murphy (2013), p. 72.

  19. Murphy (2013), p. 72 (emphasis in original).

  20. Ogus (1995), p. 100.

  21. Ogus (1995), p. 99.

  22. Ogus (1995), p. 100.

  23. Rawlings (2010), p. 2.

  24. See n. 11.

  25. Rawlings (2010), p. 2; see also Parker (2007), chapter 7.

  26. Rawlings (2010), p. 6.

  27. Freeman (1997), p. 4.

  28. Although see n. 9.

  29. O’Brien (2007), p. 38.

  30. O’Brien (2007), pp. 37–39; See International Committee of the Red Cross, Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977, 1125 UNTS 3 (Additional Protocol I), Art. 47(2) which contains the most widely recognised definition of ‘mercenary’ in the context of international armed conflicts. It provides that a mercenary is an individual whose primary motivation for participating in the hostilities is the ‘desire for private gain’. This definition has been criticised as ‘being crafted quite restrictively’ (Dinstein (2010), p. 57) and ‘unworkable’ (Hampson (1991), p. 30). Faiza Patel of the UN Working Group on Mercenaries has stated that while there are ‘indications of strong disapproval of the involvement of private actors in combat activities, there was no clear international prohibition’, Human Rights Council, ‘Report of the open-ended intergovernmental working group to consider the possibility of elaborating an international regulatory framework on the regulation, monitoring and oversight of the activities of private military and security companies on its second session’, UN Doc. A/HRC/22/41 (24 December 2012), para. 16.

  31. Gomez del Prado (2010).

  32. See White and MacLeod (2008).

  33. On the human rights allegations against PSCs, see MacLeod (2011). See also Gomez del Prado (2010). For an outline of the Nisour Square incident see Chesterman and Fisher (2009), p. 222. The Blackwater case in the US stalled, but new charges were successfully prosecuted against four Blackwater employees, with one convicted of first-degree murder and three convicted of voluntary manslaughter, see US Department of Justice, Office of Public Affairs, Press Release, ‘Four Former Blackwater Employees Found Guilty of Charges in Fatal 2007 Shootings at Nisur Square in Iraq’, 22 October 2014.

  34. Articles on Responsibility of States for Internationally Wrongful Acts, ILC Yearbook 2001/II(2) (ARSIWA), Arts. 5–11; see White and MacLeod (2008).

  35. There are examples of legal persons being admitted as subjects of international law, but they are exceptional e.g. UN Convention on the Law of the Sea, Montego Bay, 10 December 1982, in force 16 November 1994, 1833 UNTS 3, Art. 137(1): ‘nor shall any State or natural or juridical person appropriate’. See also Convention on Civil Liability for Oil Pollution Damage, 29 November 1969, 973 UNTS 3, as replaced by the 1992 Protocol, 27 November 1992, 1956 UNTS 255, as amended in 2000; Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, including the Moon and other Celestial Bodies, London/Moscow/Washington DC, 27 January 1967, in force 10 October 1967, 610 UNTS 205; UN Convention Against Transnational Organized Crime, New York, 15 November 2000, in force 29 September 2003, 2225 UNTS 209.

  36. See e.g. Vagts (1970); Zerk (2006), p. 104; Johns (1994).

  37. Higgins (1995), p. 49; Pellet (2008), p. 38, para. 8.

  38. Shelton (2002), p. 279.

  39. On the use of PSCs by NGOs generally see e.g. Singer (2006). See also, Spearin (2007).

  40. Singer (2006), p. 70. On the use of PSCs by NGOs generally see Spearin (2007).

  41. Singer (2006), p. 69.

  42. Singer (2006), p. 70.

  43. UK National Action Plan, ‘New Actions Planned’ (ii).

  44. MacLeod S, ‘Consideration of the Human Rights Aspects: Review of All Measures including Existing National Legislation for Registering, Licensing and Contracting PMSCs’, Invited Expert Intervention to the Open-ended inter-governmental working group to consider the possibility of elaborating an international regulatory framework on the regulation, monitoring and oversight of the activities of private military and security companies, third session, 21–25 July 2014, Geneva, Palais des Nations.

  45. Human Rights Council, UN Doc. A/HRC/22/41 (24 December 2012), para. 72.

  46. Cockayne (2012). On the allegations against G4S at Manus Island Detention Centre, Papua New Guinea, see the submissions made to the Australian Senate’s Legal and Constitutional Affairs References Committee’s ‘Inquiry into the incident at the Manus Island Detention Centre during 16 February to 18 February 2014’, available at

  47. See Cole (2007). On the failed criminal prosecutions in the US see e.g. Quirico (2011), pp. 423–424.

  48. See Cole ‘Blackwater Quits Security Association’; Quirico (2011), pp. 423–424; Chesterman and Fisher (2009), p. 222; Apuzzo (2014).

  49. Montreux Document; ICoC; ICoCA. On the drafting of the Montreux Document see Cockayne (2008).

  50. Montreux Document, Preface, paras. 1–3.

  51. Montreux Document, Preface, para. 4.

  52. Montreux Document, Preface, para. 5.

  53. ICoC, Preamble, para. 3; White (2011).

  54. See e.g. UK National Action Plan.

  55. Slaughter (2000), p. 242; Slaughter (1995). See also International Council on Human Rights Policy (2002), p. 160.

  56. In its 2010 report, the Working Group on the Use of Mercenaries as a Means of Violating Human Rights and Impeding the Exercise of the Right of Peoples to Self-Determination, proposed a draft convention for the regulation of PMSCs, UN Doc. A/HRC/15/25 (12 July 2010). Subsequently a new working group has been tasked with considering the treaty option, see Human Rights Council, Res. 15/26 (7 October 2010).

  57. Human Rights Council, Open-ended intergovernmental working group to consider the possibility of elaborating an international regulatory framework on the regulation, monitoring and oversight of the activities of private military and security companies, third session, Geneva, 21–15 July 2014, UN Doc. A/HRC/WG/10/3/3 (2014) at paras. 18 and 22. ICoCA Articles of Association 2013, Art. 12.1: ‘The Association shall be responsible for exercising oversight of Member companies’ performance under the Code, including through external monitoring, reporting and a process to address alleged violations of the code’.

  58. Human Rights Council, Res. 26/9 ‘Elaboration of an international legally binding instrument on transnational corporations and other business enterprises with respect to human rights’, UN Doc. A/HRC/26/L.22/Rev.1 (25 June 2014); Human Rights Council, Res. 26/22 ‘Human rights and transnational corporations and other business enterprises’, UN Doc. A/HRC/26/L.1 (23 June 2014).

  59. Montreux Document, Part One, Introduction.

  60. Montreux Document, paras. 1–8.

  61. Montreux Document, paras. 14–17.

  62. Montreux Document, paras. 18–21.

  63. ICoCA Articles of Association 2013, Art. 11.

  64. ICoCA Articles of Association 2013, Art. 12.

  65. Page (1986), p. 143.

  66. For the list of signatories see Signatory status closed on 14 August 2013.

  67. Including Australia, Norway, Sweden, Switzerland, UK, and the US; for ICoCA membership see

  68. ICoCA Articles of Association 2013, Art. 3.1.

  69. ICoCA Articles of Association 2013, Art. 11.1.

  70. ICoCA Articles of Association 2013, Art. 11.2.1.

  71. ICoCA Articles of Association 2013, Art. 12.1.

  72. Ratner (2001), p. 524.

  73. Ratner (2001), p. 476.

  74. Ratner (2001), p. 487.

  75. Ratner (2001), p. 524.

  76. Ratner (2001), p. 540.

  77. ICoC 2010, para. 8; see also the ICoC Association Articles of Association 2013.

  78. US Management System for Quality of Private Security Company Operations—Requirements with Guidance (PSC1).

  79. Written Ministerial Statement to Parliament, ‘Private Security Companies’, HC Deb 17 December 2012, c 72WS, available at While it was stated that the government would issue a ‘publication specifying that ASIS PSC 1-2012 is the applicable standard for UK-based PSCs working in complex environments on land overseas’ no such document has been issued. UK National Action Plan, under ‘New Actions Planned’, the UK will (ii) ‘[b]egin certifying Private Security Companies in the UK based on the agreed UK standard for land-based companies, by working with the UK Accreditation Service (UKAS) to take forward the certification process, ensuring this includes expert human rights advice’. US Office of the Deputy Assistant Secretary of Defense, ‘Private Security Companies (PSCs)’.

  80. The author acted as a Human Rights Subject-Matter Expert for an independent Certification Bodies which participated in the PSC1 pilot scheme and which was supported by the UK Foreign and Commonwealth Office and the UK Accreditation Service (UKAS).

  81. ISO PC/284 Management system for private security operations—requirements with guidance, available at The author is a member of British Standards Institute Mirror Committee to ISO PC/284 and a member of the UK delegation to the ISO committee. As of August 2014, the standard is at the third draft stage and it is anticipated that it will become a full ISO standard in 2015.

  82. US Management System for Quality of Private Security Company Operations—Requirements with Guidance (PSC1).

  83. Guiding Principles.

  84. US Management System for Quality of Private Security Company Operations—Requirements with Guidance (PSC1), para. 9.5.6.

  85. ICoC 2010. For the history of PSC regulation in the UK see Alexander and White (2009).

  86. Written Ministerial Statement to Parliament, ‘Private Military and Security Company Industry’, supra n. 9.

  87. Written Ministerial Statement to Parliament, ‘Private Security Companies’, supra n. 79.

  88. Written Ministerial Statement to Parliament, ‘Private Security Providers Association Launch’, HC Deb 15 October 2013, c 51WS, available at; UK National Action Plan; Guiding Principles.

  89. Murphy (2013), p. 72. See also Whitty (2011), on ‘legal risk’ and ‘legal risk+’.

  90. Chandler G, Keynote Speech, JUSTICE/Sweet and Maxwell conference, ‘Corporate Liability Human Rights and the Modern Business’, 12 June 2006 (on file with author).

  91. Human Rights Council, third session draft report, UN Doc. A/HRC/WG/10/3/3 (2014).

  92. Confidential interview with PSC1 accredited auditor, 2 June 2014 (on file with author).

  93. Cockayne (2012).


  • Alexander K, White ND (2009) The regulatory context of private military and security services in the UK, PRIV-WAR National Report Series No 01/09, 30 June 2009. Available at

  • Apuzzo M (2014) Trying to salvage remains of Blackwater case. NY Times: electronic version of NYT:

  • Chesterman S, Fisher A (eds) (2009) Private security, public order: the outsourcing of public services and its limits. Oxford University Press, Oxford

    Google Scholar 

  • Cockayne J (2008) Regulating private military and security companies: the content, negotiation, weaknesses and promise of the Montreux Document. J Confl Secur Law 13:401–428

    Article  Google Scholar 

  • Cockayne J (2012) From Sandline to Saracen: time to hold the private security industry to its human rights commitments, Institute for Human Rights and Business, Commentary, 25 September 2012. Available at

  • Cole A (2007) Blackwater quits security association. Wall Street J: electronic version of Wall Street Journal:

  • D’Aspremont J, Nollkaemper PA, Plakokefalos I, Ryngaert C (2015) Sharing responsibility between non-state actors and states in international law: introduction. Neth Int Law Rev. doi:10.1007/s40802-015-0015-0

    Google Scholar 

  • Dinstein Y (2010) The conduct of hostilities under the law of international armed conflict. Cambridge University Press, Cambridge

    Book  Google Scholar 

  • Franck TM (1998–1999) Dr. Pangloss meets the Grinch: a pessimistic comment on Harold Koh’s optimism: commentary. Houst Law Rev 35:683–698

  • Freeman J (1997) Collaborative governance in the administrative state. UCLA Law Rev 45:1–98

    Google Scholar 

  • Frost M (2008) Regulating anarchy: the ethics of PMCs. In: Alexandra A, Baker D-P, Caparini M (eds) Private military and security companies: ethic, policies and civil-military relations. Routledge, London, pp 43–55

    Google Scholar 

  • Gomez del Prado JL (2010) The privatization of war: mercenaries, private military and security companies (PMSC), UN Working Group on Mercenaries and Global Research, 7 November 2010. Available at

  • Goodman R, Jinks D (2003) Toward an institutional theory of sovereignty. Stanf Law Rev 55:1749–1788

    Google Scholar 

  • Hampson FJ (1991) Mercenaries: diagnosis before proscription. Neth Yearb Int Law 22:3–38

    Article  Google Scholar 

  • Higgins R (1995) Problems and processes: international law and how we use it. Clarendon Press, Oxford

    Book  Google Scholar 

  • International Council on Human Rights Policy (2002) Beyond voluntarism: human rights and the developing international legal obligations of companies, February 2002. Available at

  • Johns FE (1994) The invisibility of the transnational corporation: an analysis of international law and theory. Univ Melb Law Rev 19:893–923

    Google Scholar 

  • Koh HH (1999) How is international human rights law enforced? Indiana Law J 74:1397–1417

    Google Scholar 

  • Koh HH (2005) Internalization through socialization. Duke Law J 54:975–982

    Google Scholar 

  • Krahmann E (2007) Transitional states in search of support: private military companies and security sector reform. In: Chesterman S, Lehnardt C (eds) From mercenaries to market: the rise of and regulation of private military companies. Oxford University Press, Oxford, pp 94–114

    Chapter  Google Scholar 

  • Likosky M (2009) The privatization of violence. In: Chesterman S, Fisher A (eds) Private security, public order: the outsourcing of public services and its limits. Oxford University Press, Oxford, pp 11–24

    Chapter  Google Scholar 

  • MacLeod S (2011) The role of international regulatory initiatives on business and human rights for holding private military and security companies to account. In: Francioni F, Ronzitti N (eds) War by contract: human rights, humanitarian law, and private contractors. Oxford University Press, Oxford, pp 343–361

    Chapter  Google Scholar 

  • Murphy T (2013) Health and human rights. Hart Publishing, Oxford

    Google Scholar 

  • Nollkaemper PA, Jacobs D (2013) Shared responsibility in international law: a conceptual framework. Mich J Int Law 34:359–438

    Google Scholar 

  • O’Brien KA (2007) What should and should not be regulated? In: Chesterman S, Lehnardt C (eds) From mercenaries to market: the rise of and regulation of private military companies. Oxford University Press, Oxford, pp 29–48

    Chapter  Google Scholar 

  • Ogus A (1995) Rethinking self-regulation. Oxf J Leg Stud 15:97–108

    Article  Google Scholar 

  • Page AC (1986) Self-regulation: the constitutional dimension. Mod Law Rev 49:141–167

    Article  Google Scholar 

  • Parker C (2007) Meta-regulation: legal accountability for corporate social responsibility. In: McBarnet D, Voiculescu A, Campbell T (eds) The new corporate accountability: corporate social responsibility and the law. Cambridge University Press, Cambridge, pp 207–240

    Google Scholar 

  • Pellet A (2008) The second death of Euripide Mavrommatis? Notes on the International Law Commission’s Draft Articles on Diplomatic Protection. Law Pract Int Courts Trib 7:33–58

    Article  Google Scholar 

  • Quirico O (2011) The criminal responsibility of PMSC personnel under international humanitarian law. In: Francioni F, Ronzitti N (eds) War by contract: human rights, humanitarian law, and private contractors. Oxford University Press, Oxford, pp 423–447

    Chapter  Google Scholar 

  • Ratner S (2001) Corporations and human rights: a theory of legal responsibility. Yale Law J 111:443–545

    Article  Google Scholar 

  • Rawlings R (2010) Testing times. In: Oliver D, Prosser T, Rawlings R (eds) The regulatory state. Oxford University Press, Oxford, pp 1–14

    Chapter  Google Scholar 

  • Shelton D (2002) Protecting human rights in a globalized world. Boston Coll Int Comp Law Rev 25:273–322

    Google Scholar 

  • Singer PW (2006) Humanitarian principles, private military agents: some implications of the privatised military industry for the humanitarian community. In: Wheeler V, Harmer A (eds) Humanitarian policy group report 21, resetting the rules of engagement: trends and issues in military–humanitarian relations, chapter 5, pp 67–79. Available at

  • Singer PW (2011) Corporate warriors: the rise of the privatized military industry. Cornell University Press, Ithaca

    Google Scholar 

  • Slaughter A (1995) International law in a world of liberal states. Eur J Int Law 6:503–538

    Article  Google Scholar 

  • Slaughter A (2000) A liberal theory of international law. ASIL Proc 94:240–248

    Google Scholar 

  • Spearin C (2007) Humanitarian non-governmental organizations and international private security companies: the ‘humanitarian’ challenges of molding a marketplace. Geneva Centre for the Democratic Control of Armed Forces (DCAF) Policy Paper No. 16. Available at

  • Vagts D (1970) The multinational enterprise: a new challenge for transnational law. Harvard Law Rev 83:739–792

    Article  Google Scholar 

  • Vierucci L (2011) Private military and security companies in non-international armed conflicts: ius ad bellum and ius in bello issues. In: Francioni F, Ronzitti N (eds) War by contract: human rights, humanitarian law, and private contractors. Oxford University Press, Oxford, pp 235–261

    Chapter  Google Scholar 

  • White ND (2011) The privatisation of military and security functions and human rights: comments on the UN Working Group’s Draft Convention. Hum Rights Law Rev 11:133–151

    Article  Google Scholar 

  • White ND, MacLeod S (2008) EU operations and private military contractors: issues of corporate and institutional responsibility. Eur J Int Law 19:965–988

    Article  Google Scholar 

  • Whitty N (2011) Human rights as risk: UK prisons and the management of risk and rights. Punishm Soc 13:123–148

    Article  Google Scholar 

  • Wulf H (2005) Internationalizing and privatizing war and peace. Palgrave Macmillan, Basingstoke

    Book  Google Scholar 

  • Zerk J (2006) Multinationals and corporate social responsibility limitations and opportunities in international law. Cambridge University Press, Cambridge

    Book  Google Scholar 

Download references


I would like to thank the editors for inviting me to present a version of this article at a SHARES seminar on ‘Shared Responsibility and Organised Non-State Actors’ at Utrecht University on 13 December 2013. I would also like to thank them for their valuable comments during the seminar and subsequently. Thanks are also due to Nicola Jägers and Iain Scobbie for their helpful comments on the draft. Flaws, of course, remain my own.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Sorcha MacLeod.

Additional information

This article is part of the collection of articles on Organised Non-State Actors, edited by Jean d’Aspremont, André Nollkaemper, Ilias Plakokefalos and Cedric Ryngaert. The collection was organised with support of the research project on Shared Responsibility in International Law (SHARES) at the Amsterdam Center for International Law (ACIL) of the University of Amsterdam, the Utrecht Centre for Accountability and Liability Law, and the Leuven Centre for Global Governance Studies. All websites were last accessed on 15 February 2015.

Rights and permissions

Open Access  This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made.

The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

To view a copy of this licence, visit

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

MacLeod, S. Private Security Companies and Shared Responsibility: The Turn to Multistakeholder Standard-Setting and Monitoring through Self-Regulation-‘Plus’. Neth Int Law Rev 62, 119–140 (2015).

Download citation

  • Published:

  • Issue Date:

  • DOI:


  • Private Security Companies
  • Human rights
  • Regulation
  • Shared responsibility
  • Self-regulation
  • Auditing
  • Standard-setting