Five-Year Overview + Company Efforts to Implement Specific Components of the Principles
Risk Assessment
Companies rely on a variety of different tools and sources of information to conduct risk assessments and conflict analyses: Many companies indicated that they employ one or more commercial services, including Global Insight, Control Risks Group and the Economist Intelligence Unit, to provide insight into a particular area or region’s potential for, or history of, conflict and/or human rights abuses. Other companies employ other sources, such as the U.S. State Department, information available in the public domain (e.g., news and internet sources), home and host country embassies, subscription services and information available through membership organizations. Some companies also look to other companies already operating in the area as a key source of information.
The Human Rights Compliance Assessment Tool (HRCA) developed by the Danish Institute for Human Rights and the Conflict Analysis Tool developed by Fund for Peace were also both identified as tools used during the risk assessment process by some companies.
Many companies rely on the expertise of local country and regional managers who regularly engage with local stakeholders and local and international NGOs: Other companies mentioned coordinating stakeholder forums, which include community members and local and international NGOs. Both forms of engagement offer valuable input that can greatly assist in making an informed assessment of security and human rights risks. One company has also instituted stakeholder mapping as part of its risk assessment process, and dialogue with these entities forms part of the process of risk mitigation.
For many companies, assessing risks associated with security and human rights is part of a larger risk or impact assessment: For one company, this includes 19 risk elements, of which security and human rights are but two specific items. Another company noted that incorporation of the Voluntary Principles into social impact assessments is a useful strategy because approval by government authorities translates into commitment to implementation, and consequently engages the host government. One company conducts a general risk assessment for any major new investment and then their security team conducts a more detailed security risk assessment.
Yet another company shared its specific guiding principle behind assessing risk:
The guiding principle for risk assessment and mitigation is to build up a sound understanding of local conditions as early as possible in the business process, to allow identification, prioritization and mitigation of all significant risk elements. This early risk capture is important not least because at an early stage building understanding and a robust knowledge platform may in fact be the most important form of risk mitigation.
One company reported that, as the basis of its assessment, it examines political, social and economic factors that may trigger risks, together with their security ramifications. For this company, security risks are a combination of the following: Threats + Vulnerabilities + Impact = Security Risk.
This includes an examination of the potential for and impact of violence, conflict analysis, equipment transfers and terrorist activities. Full-scale assessments are conducted on an annual basis as a minimum, although certain countries require a much more active assessment and management process.
A final company noted that their risk assessment tool used in one country of operation was developed and carried out with the support of a local NGO partner. The NGO also helped train company staff on using the tool to conduct the risk assessment. This process will be used in the company’s other countries of operation. The company hopes to participate in 3rd party assessments of their operations in the future, and to have the results reviewed by their NGO partner.
Public Security Arrangements
Some companies noted that they have had limited exposure to public security arrangements in their countries of operation, or in some cases, none at all: One such company explained that in the case of a joint-venture operation with a national company, where there is a regional or sectoral presence of government forces, local company managers regularly communicate the company's support for and commitment to the Voluntary Principles to both the joint-venture partner and government officials during the normal course of business.
Another company with limited exposure explained that expectations regarding the use of force, company codes of conduct, and transparency of security arrangements are conveyed by the country manager, supported by a professional liaison team. This company has an established policy that requires asset managers to convey expectations to, and seek assurance from, its security provider on training standards, use of weapons and ammunition, open-fire criteria and human rights abuses.
One company consults with host government and local communities about the impact of security arrangements at least once per year. This includes meeting with NGOs and other stakeholders and conducting regular evaluations of security trends, training and procedures as part of its monitoring activities.
Another company communicates ethical conduct and human rights policies to public security providers by way of employee orientations and training programs, thereby treating public security personnel as company employees with the same expectations and review processes. The company utilizes regular internal audits to monitor security's adherence to company policies. Currently these processes are in the development phase, but high-risk operations have already implemented regular internal audits. This company also indicated that it generally tries to avoid the use of public security forces; however, if there is a potential for conflict, local police are informed. The company, which also believes that in many countries it has little influence in public security’s role, usually makes its own security arrangements using company personnel or contractors. Interestingly, in times of conflict, the company will usually choose to close an operation rather than call in public security forces, which can result in use of force that must be carefully regulated. The company believes the former approach is more likely to secure longer-term operation.
Several companies noted that it would be extremely difficult politically to audit the performance of public security.
Private Security Arrangements
Companies reported having a variety of policies and practices for identifying, screening and securing private security forces. For example, one company shared its process as follows:
- The company has an existing policy requiring security agreements to include clauses obliging the contractor to have in place ethics policies consistent with the company’s own policies, and to observe ethical conduct, human rights and applicable laws. Ensuring professional standards and best practice is an integral element of the pre-qualification process, and occasionally may exceed the standards of the host country.
- Pre-qualification of security contractors requires bidding companies to demonstrate that they are reputable and offer high standards of service; that they provide a satisfactory training program for their staff; that they have established and implemented satisfactory environment, health, safety, ethics and human rights policies; that they have clear policies addressing use of force and the protection of human rights; and that these are properly covered in employee training programs. The company requires that all company-employed security staff undergo formal training on company security policy and procedures; company ethics policy; relevant law; human rights; use of force; roles, duties and responsibilities; and first aid. In one country where employees and contracted security staff are hired, guards receive a minimum of 85 hours of basic training, and the main contractor is certified to ISO 9001-2000.
- Additionally, prospective security providers are subject to pre-contract integrity due-diligence. The track record, performance and reputation of both company and key officers are examined. Once approved, the company will secure services with a security contract containing ethical and human rights clauses. Monitoring of private security is achieved at the daily operational level by interaction with company management. Security reviews conducted by corporate staff are carried out at key sites and assets once every two years, and regular internal audits include audits of security.
- The company also noted that armed guards are not used unless a risk assessment confirms the necessity of doing so, or unless the company has no choice in the matter, for example in the case of government imposition. In the former instance, written authority of an executive vice president is required before armed guards are deployed.
Another company reported that its corporate security personnel and local management screen proposed private security providers, and/or individuals providing such services, with other local companies, stakeholders, consultants and the U.S. State Department to ensure that none have been credibly implicated in the abuse of human rights. The company has begun the process of including compliance with the Voluntary Principles as a requirement in contractual agreements with private security companies, and local company managers are responsible for monitoring private security compliance with these requirements.
One member also stated that it utilizes contracts, annual assessments by external auditors and internal audit processes to ensure that private security observe the provisions of the Voluntary Principles, record all allegations of human rights abuses, and properly investigate all credible human rights allegations. Additionally, security managers engage in best practice knowledge-sharing globally.
Another company stated that it maintains a record of private security providers and uses external data to verify past conduct, such as that available from government agencies, NGOs, other companies and local stakeholders. The company's country chair and legal advisor are responsible for ensuring that private security activities adhere to local laws and regulations, which vary by country. The company also shares best practices and learns from others through local engagement with industry, civil society and governments, and international initiatives such as the Voluntary Principles. In certain countries, the company does not employ private sector security providers. For its contractors, suppliers and other partners, however, the company engages in regular monitoring and evaluation of tasks, behavior, training and procedures. Some of the methods employed include: reporting of physical force cases to authorities; ensuring that standard operating procedures and rules of engagement exist, especially use of force guidelines; confirming that preventative and defensive services are provided; and detailing investigations into credible allegations of abusive or unlawful acts.
Deployment and Conduct of Public Security
Companies identified several tactics for ensuring that public security service providers adhere to an acceptable standard of appropriate and proportional deployment of security forces, use of force, appropriate use of equipment, and that security services are not provided by individuals credibly implicated in human rights abuses.
One company stated that even in areas where it does not employ public security services, local company managers are instructed to monitor the activities of public security forces and to identify any instances of human rights abuses that could potentially impact the company’s reputation or operations. As such, local management maintains close contact with other companies and security providers to increase awareness of any credible allegations of human rights abuse by a military unit or individual.
Another company reports that it communicates its values and expectations regarding human rights and security in ongoing dialogue with local authorities and other stakeholders. Where there is a potential risk that the company’s requirements may not be met, it develops a mitigation plan in co-operation with relevant counterparts to address and rectify the situation. This usually involves education and training, and may target security personnel or those at a higher level, such as judges.
One company has developed a business and human rights primer and a series of human rights dilemmas, both of which address security concerns, to provide employees with practical examples of security and human rights issues they may potentially face and to give guidance on how to proceed. The company also consults regularly with host governments, other companies and civil society groups to discuss security and human rights issues and has a process for assessing performance of private security providers. The company added that in Colombia, verification is provided by the Surveillance and Security Superintendence, the principal regulating agency of the security sector in Colombia, which lists all approved and registered private security companies and provides an extra level of assurance.
Several companies mentioned that they do not provide “fighting materials” to public security forces and that the use of construction equipment, vehicles and other assets is handled on a case-by-case basis. One company noted that when such materials are offered, the operators are always provided with training on operating the equipment in an appropriate and environmentally sound manner. Another company mentioned that one of its joint venture partners is a state company that has provided financial and equipment support to state forces. The company, by default, contributes to these costs through its partnership; however, the use of funds and equipment is audited by the national audit office and equipment use is monitored by agreement.
Consultation and Advice
There is limited information available regarding the specifics of company consultation processes for engaging public security, host and home governments, civil society and other companies. However, in one positive example of NGO engagement, a company representative explained that while the company regularly engages with a number of international NGOs, it also coordinates an annual convening of local NGOs to discuss a range of issues, including security and human rights. The company has found this to be a very successful strategy for identifying stakeholder expectations, issues and concerns and for working collaboratively on solutions. Some companies also mentioned employing community liaison officers to engage with local community members and NGOs.
Additionally, one company requires that all of its operations establish a process for engaging with local human rights organizations and identifying human rights allegations reported in the area of operation and surrounding regions. Another company conducts ongoing dialogue and information-exchange with its stakeholders. This includes diplomatic networks, other foreign companies operating in the host country, national partner companies (joint ventures), local governments, NGOs and communities. The company encourages these groups to benchmark their activities against international principles such as the Voluntary Principles and the UN’s Basic Principles on the Use of Force.
Another company mentioned that it engages with other companies through the International Petroleum Industry Environmental Conservation Association (IPIECA) and other industry associations to share learnings and best practices, and develop training materials and other guidance documents.
Response to Human Rights Abuses
While almost all companies reported that they have a process in place for anonymously reporting human rights abuses and “whistle-blower” protection, some have not yet established a comprehensive set of guidelines for responding to alleged abuses. Many reported that development of such processes is currently underway. One company explained that in the case of a reported human rights abuse committed by public security working for or on its behalf, the company would write a formal report of the incident and would conduct an internal investigation. Professional internal resources would be used, though the company noted that if it felt that investigative objectivity would be compromised, the use of external resources would be given due consideration. The response would be similar if equipment provided by the company to public security is used inappropriately, resulting in a human rights abuse.
Another company stated that alleged human rights abuses are reviewed as soon as they are reported and an internal investigation is initiated if the claim can be substantiated. The investigation is coordinated by the company's Human Rights Compliance Officer. In addition, each department has a human rights delegate responsible for monitoring human rights abuse claims on an ongoing basis.
One company noted that local company managers are required to report any human rights abuses by security providers to corporate security and social responsibility departments, as well as to appropriate public agencies. Depending on the particular circumstances, including the use of equipment provided by the company, a decision on whether to conduct an investigation or issue other guidance is then made.
Another company, which does not employ public security forces, requires private security to report to local governments on issues involving abuse of local citizens. The company believes it has more power to act in cases where a human rights violation is committed by a company employee. After a report is submitted, the company generally follows up through its human resources, CSR or diversity department.
One company assigns compliance officers to all of their business units to verify unit compliance with the company’s human rights policy and the Voluntary Principles. The compliance officers, who report to the executive vice president and general counsel, are one avenue for individuals to report alleged human rights abuses, and they are also responsible for on-going monitoring of all legitimate complaints. The company has also established a third-party operated “hot line” to facilitate reporting of any suspected violations or concerns regarding compliance with the company’s human rights policy.
Finally, another company shared how its guidelines for handling allegations of abuse were tested when the company experienced two incidents of alleged abuse by state forces at one of its operations. In each case, the incident was investigated internally, information requests were made of the local forces (police), and an incident review was conducted and documented with third party involvement. The reviews were then shared with two leading human rights NGOs, with whom the company was in contact when the events first occurred.