Responsible Business Conduct Regarding Security Providers: Legal and Non-Binding Frameworks for Practical Implementation

About the authors:

Margarita Cuervo is a PhD candidate at the University of the German Federal Armed Forces in Munich. She holds an MA in Development Studies with a major in corporate responsibility and sustainability. Through previous roles in international cooperation organisations, she gained experience at the intersection of business, security and peace.

Daniel Schönfelder is a lawyer and lecturer in BHR. He recently co-authored the first handbook on the new German Supply Chain Due Diligence Act.


1. Context and Relevance

Companies operating in fragile settings (e.g. weak local institutions, conflict-affected areas) are often highly vulnerable to security risks but are also prone, directly or indirectly, to human rights abuses. Moreover, in their interaction with local governments and industries, companies can be the target of reputational and security risks if communities feel that their business activities are worsening grievances or supporting a party to the conflict. Though not exclusive to businesses operating in fragile contexts, contracting security providers to enable operations in host countries can pose serious challenges regarding human rights observance. This is why measures to identify, prevent, mitigate and account for adverse human rights impacts when businesses acquire security services are key to ensuring responsible corporate conduct and risk management. The recent German Supply Chain Due Diligence Act (GSCDDA), adopted in June 2021, is the first due diligence act that explicitly contains provisions requiring companies to take specific actions when working with security providers. Existing voluntary guidelines offer concrete methods to implement such responsible business conduct. This post aims to present the requirements under the German Act and how existing guidance can help companies comply with…


2. Requirements under the German Supply Chain Due Diligence Act

The GSCDDA obliges companies to conduct human rights due diligence (HRDD). Generally, this is restricted to the first tier of the chain, with two important exceptions. First, and widely discussed, if a company has “substantiated knowledge” of a possible violation of human rights in any tier of its supply chain, it needs to address this situation via HRDD (Section 9 (3)). Secondly, if a company has to expect significant changes in the risk situation “in its supply chain”, for example due to changes in its business (the law names the introduction of new products, projects and new business fields) or in the surroundings of the business (e.g. because of political upheaval), it needs to conduct a risk analysis (Section 5 (4)). Consequently, it needs to analyse the risks in the whole supply chain that relate to this event. The risks to be managed relate to 12 defined human rights and 3 environmental risk situations (Section 2 (2 and 3)). These situations aim to translate the human rights obligations included in the ICCPR, the ICESCR and the ILO Core Conventions into concrete typical settings in which businesses endanger human rights in international supply chains. The risks include obligations on child labour, forced labour, environmental damages and land rights.

The risks also include a provision on the use of security providers (Section 2 (2) No. 11), on which companies operating in (post-)conflict zones need to put special emphasis according to the official justification of the law. In order to avoid violations of the right to health, life and freedom of association, torture or exposure to inhuman and degrading treatment of the workers and the population in the country of production, Section 2 (2) No. 11 GSCDDA sets special requirements for the use of security providers. Therefore, it is forbidden to use private and public security guards if, due to a lack of instruction and control by the company, there is a risk of violations of the rights to health, to life and to the freedom of association or a risk of the use of torture. As a result, companies are obliged to check whether there is an increased risk of these human rights violations being committed when the security providers are deployed. Security providers for whom serious human rights violations have been documented or for whom a very high risk of doing so is determined are not to be commissioned. Security providers that are contracted must attend training courses on basic human rights standards when using violence. Companies must ensure that contracts include obligations to ensure compliance with these standards and the adequate control measures with which they can check compliance.


3. Guidelines for Businesses Working with Security Providers

Existing instruments like the Voluntary Principles on Security and Human Rights (VPs) and, more specifically, the International Code of Conduct for Private Security Service Providers (ICoC) give guidance on how to comply with these requirements. The ICoC can also be used as a model for contractual obligations in security contracts. Additionally, the Toolkit “Addressing Security and Human Rights Challenges in Complex Environments” developed by the Geneva Centre for Security Sector Governance (DCAF) and the International Committee of the Red Cross (ICRC) offers concrete best practices for the different stakeholders that face risks in this area.

Like the GSCDDA, these guidelines propose a proper risk assessment and analysis that informs further actions regarding contractual, procurement and labour standards, as well as issues related to training, equipment, and use of force. The following lines summarise some critical actions that security service providers should implement and issues to consider when conducting HRDD.


Human Rights’ Sensitive Practices for Security Providers

Private companies that offer security services should ensure that their security personnel respect human rights. The code of conduct (CoC) to prevent human rights abuses should be part of all personnel onboarding and re-training programmes. For employees who are directly concerned with the use of force, theoretical and practical training with real-life scenarios is necessary in topics such as:

– Human rights law, national criminal law and (if applicable) international humanitarian law (IHL);

– Use of force and firearms regulations;

– De-escalation techniques, conflict-management, crowd-control and procedures in public order disruption situations;

– Apprehension of persons.

The security provider should not only have the proper equipment to ensure the company’s security but also have explicit standards on the use of force and how to handle weapons and ammunition. Some key guidelines are:

– Proportionality between security equipment and the existing threats and risks in the operational context (which should be assessed against the backdrop of changing threats too);

– Compliance with national private security laws, local authorisation and guidance on use of security equipment (e.g. licences, registration and specific permits for providers and personnel);

– Existence of mechanisms to control and manage how weapons, firearms and ammunition are handled and used (e.g. registers, licences, systems for handing over, transportation).

To ensure that personnel follow these principles, it is helpful to have a corresponding CoC as part of the employment contracts. This can be either one formulated by the company itself or existing model clauses like the ICoC. The CoC must be known by all personnel and be accessible to relevant external stakeholders, including client companies. Useful measures include:

– Background checks on employees and management staff to screen potential or actual links to human rights abuses and other criminal behaviour;

– Employment conditions, health and safety guidelines, insurance and protection, disciplinary procedures, and other labour policies;

– Procedures and qualified staff appointed to monitor and appraise compliance with human rights law, IHL and other ethical conduct aspects;

– Existence of whistleblowing mechanisms and protection for employees who report abuses;

– Internal vetting and monitoring mechanisms to prevent and address human rights issues.

Measures by Client Company

In order to ensure that the security companies contracted comply with the Human Rights’ Sensitive Practices, conducting early and ongoing risk assessment is key. This is particularly relevant when operating in (post-)conflict settings and increases the ability to prevent and mitigate abuses and unintended impacts on local dynamics. The risk assessment should include:

– Elaborating a baseline of the local security and human rights situation, screening potential and actual risks in the socio-political environment where the company operates, such as conflicts with local populations, labour unions or indigenous populations, or the presence of non-state armed forces;

– Identifying impact areas where company assets and personnel will be located;

– Consulting with local authorities, international and local non-governmental organisations, other companies or business associations (e.g. within the same industry). Embassies and media can also offer key information to conduct this assessment;

– Mapping relevant actors: identifying particularly vulnerable groups in the community and, in cases of armed conflict, the parties to the conflict, their interests, needs and possible linkages to the company’s economic activity or other parts of the value chain;

– Clarifying existing regulation and mechanisms for dialogue with indigenous peoples and identifying whether they apply to the impact areas of the company.

The results of these consultations and risk analysis should then inform the following aspects of due diligence to prevent human rights abuses. Already in the bidding phase, companies should request information from potential security providers regarding their internal standards and compliance with relevant human rights regulations. Being ICoCA certified is a good point of departure, but not enough to screen potential risks and points that need improvement. Therefore, information given by the security providers should be complemented by conducting independent background checks. Besides assessing compliance with the points mentioned in the previous section, the following aspects are key for procurement processes:

– Review of security provider and staff records regarding human rights and compliance with applicable local and international standards (e.g. labour law, use of force and firearms, torture);

– References from other client companies regarding human rights issues;

– If host country regulation demands that local personnel and/or contractors are prioritised for the provision of security services, conduct a particular risk assessment of these vs. external providers.

When evaluating potential contractors, some strong criteria for exclusion are breaches of local and international legislation, failure to provide necessary information to conduct due diligence, and the existence of relations with social or political groups that might lead to tensions or attacks if perceived negatively by any party to the conflict. After awarding a bid to the selected provider, the contract will have to explicitly mention local law, human rights law and, if applicable, IHL obligations. Moreover, the contract should:

– Include the ICoC or the company’s own code of conduct following internationally recognised standards for security providers;

– Establish clear human rights responsibilities and liabilities for the contracting company and the security provider, which are included in contracts and policies;

– Ensure mechanisms to receive complaints concerning the security provider and procedures to escalate the company’s response to grievances. Ensure control and audit rights for the client company to be able to ask for relevant documentation and conduct visits on-site or let third parties do so;

– Determine deadlines for compliance, as well as financial and contractual consequences (e.g. withholding payments, termination of relationship) if the security provider does not comply with the code of conduct and other relevant human rights standards.

Finally, oversight mechanisms are crucial to monitor compliance and introduce adjustments when necessary. In this respect, client companies should:

– Conduct regular performance reviews;

– Assess training gaps and conduct periodic refresher training with the security provider;

– Determine communication channels and practices with key local stakeholders regarding potential human rights abuses or risks emerging from security services contracted and have regular exchanges with them (e.g. annual stakeholder fora).


4. Key Take-Aways and Challenges Ahead

The German Due Diligence Act establishes concrete HRDD obligations when working with security providers. Although this obligation might also be derived from the general requirements of other supply chain due diligence laws, it is the first time that a legislator spells them out concretely. The requirements established by the German legislator closely follow international best practice established by the guidelines described in this post. At the same time, the guidelines are useful to implement the requirements set out above. The technique used by the German legislator of concretising risk situations and not only stipulating general “human rights obligations” – as the French Loi de Vigilance does – helps companies implement the requirements in risk management practice and can also help NGOs and victims to understand what they can legally enforce. Therefore, the new obligations on security forces in the German law serve to inform any other legislative endeavours to regulate HRDD and should especially be considered in the current procedures to establish a legal obligation at the EU level.

Additional challenges may arise depending on the specific contexts in which companies are operating. Besides dealing with diverse, sometimes overlapping, local and global regulations, engaging in multi-stakeholder dialogue for risk assessment and accountability demands expertise, time and resources. From a short-term perspective, this can be at odds with optimisation goals and pressure from shareholders – although some established investment firms explicitly call for HRDD by the firms they invest in. However, based on international experience of corporate operations in conflict-affected and post-conflict regions, conducting enhanced human rights due diligence sensitive to the local dynamics certainly contributes to much more sustainable business practices.

Finally, it is worth considering sectoral guidelines and dialogue platforms that have been developed to respond to risks that affect certain industries in particular. The OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas is a good example of this. Indeed, fragile contexts usually coincide with natural endowments, and some of these conflicts’ profound roots can be traced to natural resources. Companies from the extractive sector must therefore be attentive to human rights risks in such settings (see, for instance, the provisions of the European Union Conflict Minerals Regulation).


Suggested citation: M. Cuervo and D. Schönfelder, ‘Responsible Business Conduct Regarding Security Providers: Legal and Non-Binding Frameworks for Practical Implementation’, Nova Centre on Business, Human Rights and the Environment Blog, 25th January 2022.