Observer View: Adrian Powell, Solicitor/Partner, Proelium Law LLP

What does Proelium Law do?

We are a commercial / corporate law firm that focuses on providing legal advice to the security, defence, governments, international development and insurance industries. We also work on pre-litigation investigations where a particular understanding of a high-risk environment is needed. From time to time we also do capability or capacity building projects in the rule of law field but only really on specific areas such as the legal aspects of counter terrorism.

What kinds of risks do your clients expose themselves to when operating in challenging high-risk and complex environments?

Lots of our clients, by definition of the services they provide, have a particularly high tolerance for risk. Risks such as those presented by terrorism are their bread and butter and to some extent are taken in the stride of lots of our clients. However, all the same problems, particularly as a result of regulation, extra territorial aspects of law, increase in duty of care themes and a willingness of UK courts (for instance) to accept jurisdiction on cases that may not have even been entertained in the past, are increasingly being seen with our clients.  We now see lots of issues ranging from shareholder disputes, to lack of corporate structures causing contractual issues for clients. These are the risks we see clients exposing themselves to, unnecessarily.

When working in high-risk and complex environments where the rule of law may be weak, what are strengths and weaknesses of relying on legal and regulatory safeguards to defend human rights?

Human rights are universal and so thinking they do not apply to a certain country would be wrong. Quite often local laws, or maybe better described as host nations laws, will not have the stream of human rights legislation running through them that is common place in UK legislation or countries that have the benefit from major rule of law development programmes. It is no longer as simple as thinking that complying with host nation law will cover your company or operations from criticism regarding a failure to adhere to human rights. Much larger PSCs often have the ability to ensure their SOPs consider human rights at all levels, but smaller ones may think they cannot comply. Our view, is that weaving human rights into a company SOPs is a process available to all companies. We have a mixed view on regulatory safeguards, however. The relatively new ISO standards and their equivalents are ultimately only as good as the managers that ensure they are implemented.

Why do you have a mixed view on regulatory safeguards? If standards are ultimately only as good as the managers who are tasked with ensuring they are implemented, what are implications of this for private security companies themselves as well as ICoCA?

Firstly, I should say that I fully understand the purpose behind regulatory safeguards and their origins and in large part agree with them. I sat on one of the Montreux Document meetings. But the industry has progressed and there needs to be a more accessible stream of standards running through the industry. We are not seeing this as an option yet for lots of security providers. Our view is that whilst undoubtedly a positive, ISO standards remain only as effective as the management that ensures they are adhered to.

Let’s not forget, the origins of the voluntary regulation stem from incidents involving unlawful application of lethal force in Iraq and Afghanistan and rightly, the ensuing outrage. But the industry was very young in relative terms and certainly not the size it is now, so it was natural that in time, self-regulation would kick in and standards would be adopted or at least much more adherence to the rule of law would happen naturally. It was, after all, a rather unusual set of circumstances in Iraq with lots of money, requirement for security and extreme violence around. Some companies got it wrong, but they have learnt. The industry developed very quickly and the pressure from International Organisations, which was absolutely needed, worked.

What we see now is lots of security companies working in lots of different places who would like to be ISO certified but the cost can be prohibitive and the level of work involved to get to the standard disproportionate to the risk of whether or not the revenue will be generated from achieving it. So, there is a disparity between security companies wanting to show they are capable, and the only real way to do it, which seems is obtaining PSC.1/ISO 18788 certification. This is not to say that these regulatory safeguards should be done away with, but there needs to be something that is more accessible and recognised without the excessive cost. My view has been for some time that there needs to be a base standard. Lots of industries have it, and the legal world is no different. In order to practice as a company, we have to show a minimum standard and cannot do so without obtaining that. I don’t believe that an entry standard is needed, but a set of very strong minimum recommended operating standards.  If a ‘monitored light touch’ level of compliance in order to be a Member of ICoCA could be achieved, this in our view, could assist the industry hugely. The private security industry is now mature enough to develop these norms for ‘standard’ or ‘best practice’.

How do your clients approach working with private security companies particularly from a risk perspective?

PSCs are an important aspect of a lot of clients’ daily activities. As the principle of duty of care has become much more prevalent a consideration for many different industries, not just those sending clients to high risk or complex environments, we have seen the usage of PSCs becoming almost automatic and somewhat routine. This is very good for the industry. Certainly, in some places, it would be difficult to see how, for the foreseeable future PSCs will be anything other than part of normal daily life.

Of course, if a PSC is found to be violating human rights this increases their client’s exposure to reputational/legal/financial risk. However, there has been a lot of activity recently in improving the understanding of companies and NGOs regarding the extent to which a duty of care is owed when sending their staff overseas to high-risk locations where PSCs are utilised. Until quite recently, there was this misunderstanding of who owns the duty of care when employing a private security company. A lot of organisations thought that the duty of care was effectively transferred or indeed shared when using a PSC. We have gone to great lengths to explain, through various mediums, that this is not the case. Certainly, under English law, the duty of care remains with the client regarding its staff and how they use a PSC. There has been an increase in the understanding of the PSC’s role and what they do. Whether this is translating into more scrutiny by the clients of PSC companies we do not yet know, but the education is there. In turn, this will, or should mean that clients of PSCs are more likely to understand when the PSC is approaching a problem that could be violating human rights, or at least can ask the questions of the PSC prior to engagement of their understanding of and adherence to human rights. It’s not just about improving the PSC, it’s about educating their clients.

What role can and should security companies and their clients play in minimising their exposure to risk, and what role can organisations like ICoCA play?

Security companies play a vital role in minimising exposure to risk of their clients. We have seen an interesting growth in the ‘crisis management’ company which is a different offering to straight forward security, or at least seems to be. There is a risk of confusion for clients on who to go with and why maybe this presents a dilemma for the industry to consider. We continue to see a misunderstanding in the ability to assess risk by non-security related clients of ours. Universities for instance are increasingly seeing the value of security in general but are leaning towards the crisis management type of company. However, we believe it is the front end of the risk assessment process that is lacking when they take that approach so security companies can play a vital role in assisting clients in their risk mapping. ICoCA is well placed to act as a voluntary regulatory body and, in the same way that say for us, the Solicitors Regulation Authority acts as a signposting capability and distinguishes the type of company available, it maybe that ICoCA can do the same.