Welcome to ICoCA’s podcast series, Future Security Trends: Implications for Human Rights, as we celebrate the 10th anniversary of the International Code of Conduct Association. We are pleased to be speaking with Anne-Marie Buzatu, Vice President and COO of ICT4Peace Foundation. As one of the project’s principal architects, Anne-Marie played a pivotal role in the development of the International Code of Conduct and the establishment of ICoCA, where she also served as Interim Executive Director.
Join us as we continue with our deep dive into ICoCA’s origins with Anne-Marie Buzatu.
In recent years, we’ve seen a significant increase in private actors operating in conflict zones. From your experience, what challenges does this pose to international regulatory frameworks like International Humanitarian Law (IHL)? How did you approach these challenges, particularly in the context of the Montreux process, which is considered a precursor to the International Code of Conduct for Private Security Providers (ICoCA)?
The Montreux process was looking at how IHL could be interpreted and adapted to consider more private actors on the battlefield. It was a process led by the Swiss government and the ICRC that took over nearly three years. That is already a kind of an interesting public-private partnership. They were talking with a lot of different people, different experts, people in the military, people in private security companies, academics, DCAF, think tanks that were looking at security sector governance, as well as civil society organizations. When I joined DCAF, they were already actively contributing to the Montreux process, which was focused on defining the obligations of States—specifically, how they could adapt their existing responsibilities under IHL and Human Rights law to address the growing role of private actors. When the document was finally adopted in September 2008, several participating companies raised a crucial question: “What about us? What are our responsibilities? How should we operate in accordance with international law?”
This feedback from the private security industry was instrumental in the creation of the International Code of Conduct. It was developed in response to the industry’s demand for clear guidelines on how to provide services legally and ethically. Switzerland also recognized this as an opportunity to address the governance gaps related to private security companies, offering strong support to ensure the code addressed these issues comprehensively.
Prior to that, how were these companies regulated, especially in such complex environments?
There’s a whole body of international law, including IHL and human rights law, that in principle, applied to these situations. However, to break it down a bit, first, the main subjects under international law are States. It is the States that have obligations under international law, and they are supposed to enforce these obligations within their territories or in areas where they have effective control.
So private actors are typically not direct subjects of international law, particularly where you’re going in complex situations.
In areas plagued by war, civil unrest or weakened rule of law, the ability of States to enforce regulations, oversee operations and hold actors accountable was often severely compromised. Despite this, private actors—often foreign and operating under different nationalities—were increasingly active in these territories, sometimes with devastating consequences for local populations. This led to concerns about a legal vacuum, but it was more accurately an oversight and accountability vacuum.
Second, there was a challenge in translating the obligations under these legal frameworks into actionable guidelines for private companies. States, when unable to fulfill their duties due to conflict or unrest, left a gap in governance. So that was the genesis of the Code of Conduct. First, to come up with clear standards for companies—guidelines on how to provide services in compliance with human rights and humanitarian law and what to avoid doing. Second, to have an oversight framework, something that had some teeth, albeit within the limits of what a non-state organization could achieve. That is the kind of space this Code tried to fill, particularly in situations where governments were unable to effectively govern and regulate them.
A tricky problem arises with individuals or companies operating in a country temporarily and then moving to another, making it difficult to hold them accountable under any single jurisdiction. How can we establish effective oversight for these companies when they frequently cross borders and evade jurisdictional control?
You’ve mentioned DCAF a couple of times, can you tell us about the organization and what it does?
DCAF is now known as the Geneva Center for Security Sector Governance, based in Geneva. It was formed under a Swiss mandate to look at the security sector and security sector governance – how to oversee and hold accountable elements of the security sector. It includes the police and military but also the justice and legal systems, all the things that go into the national and international frameworks to keep people safe and secure. They also started looking into how much the private sector was starting to impact security systems.
How did the negotiation for the Code progress and how did the governance and oversight mechanisms come about?
The project to create the Code really started in the beginning of 2009. To keep in mind the timing a little bit: Montreux had been finalized in September of 2008 and then, in those intervening months, there was a discussion with the Swiss government. At the time, the representative from Switzerland was Niels Rosemann. Together, we launched this project at a private security industry meeting in the UK.
So, until the summer of 2009 we had a series of meetings, each with different stakeholder groups so we met with companies, with civil society organizations, with other governments and of course, academics. We also had a big series of meetings with different important clients of private security companies. Initially, we kept these meetings separate, believing that doing so would encourage more candid and comfortable discussions. The main goal of these early meetings was to identify the challenges each group saw in the operations of private security companies.
In the summer of 2009, we organized a meeting with all the different stakeholders together. To our surprise, the discussions became even more open and dynamic when everyone was in the same room. Participants began to respond to each other’s viewpoints, leading to more productive and progressive conversations. From that point on, we conducted all subsequent meetings within a multi-stakeholder framework. Despite having different, and sometimes opposing, viewpoints, stakeholders who might not typically agree often found common ground. This multi-stakeholder approach proved important in making progress and encouraging interactions among the various actors involved.
While it was understood that all relevant parties—civil society, academics and the private security industry—needed to be involved, the exact structure wasn’t defined. It wasn’t clear whether one group would take the lead or if it would be an industry-led initiative with support from others. Since the industry originally called for this initiative, there was some thought that it might be industry-led. However, as consultations and feedback continued, it became evident that a multi-stakeholder approach was crucial for both credibility and effectiveness. This involvement was essential both for developing the standards that would become the code and for designing the oversight and governance framework for that code.
Were these two elements—the code and the oversight mechanism—seen as equally necessary from the outset, rather than just having companies sign up to a code without oversight?
Many codes and codes of conduct exist, but few are considered truly effective, particularly without strong oversight and accountability measures. In our initial research, it became evident that an independent and effective oversight and accountability mechanism was essential. Even the companies recognized this, stating that the code wouldn’t be worth much unless it had real enforcement value. All parties involved understood that such an oversight framework was critical to the success of the initiative.
When the code was agreed upon, companies signed up for it, correct?
Yes, they did. There were these “signatory companies,” which, in my experience, especially in the early years of my job, were a significant challenge—though we’ve since moved past that. Initially, around 600 to 700 companies signed up, but only about 100 joined the oversight mechanism, ICoCA.
Why was the decision made to have companies sign the code if you knew there would eventually be an oversight mechanism they would need to join?
To rewind a bit to 2010, when the code was adopted, we knew there would be some sort of oversight framework, but we had no idea what it would look like or how it would be structured. That was still a blank slate, aside from the understanding that it would be multi-stakeholder. We also didn’t know when it would be adopted.
The code itself came together relatively quickly—about 18 months from start to adoption, followed by a signing ceremony shortly after. At that time, we were still operating somewhat traditionally, following the usual process for international agreements, where a signatory process is standard. We adapted that model for private actors, allowing them to commit to the code by signing it.
We had so many companies sign up because signing was all they had to do. They committed to operating in accordance with the code, but without having to take further steps like training or certification. It was a simple way to show commitment. However, the much more challenging task of developing the oversight mechanisms took three years and it took several months just to start envisioning what that would look like.
We were dealing with something completely new and innovative, without clear models to follow. Developing a multi-stakeholder governance and oversight model required intense work over three years, with dedicated representatives from governments, companies and civil society. We met at least once a month, often in person, to work out the details that eventually shaped the oversight mechanism and the association’s articles.
At the end of the code’s development, we were simply looking for a way for companies to acknowledge their agreement with the code and their intent to implement it. That is how we arrived at the signatory process. I fully understand how challenging it was, because many companies signed up without really committing to the more rigorous aspects. Although when they signed, they were also committing to join the oversight mechanism once it was established, as we know, many ultimately did not follow through.
I’d like to revisit that intense three-year period. Could you walk us through some of the challenging issues you faced during that time? Were these challenges due to disagreements among the different stakeholder groups, and how did that play out?
As I mentioned, we didn’t have an existing model to follow and the few examples that did exist didn’t seem suitable for this kind of oversight mechanism. To tackle this, we formed a temporary steering committee made up of 12 members—four from government, four from industry and four from civil society—to develop the oversight framework.
One of the early challenges was figuring out how decisions would be made. For instance, when decisions needed to be taken about whether a company had violated the code or whether a visit to a code member company was necessary, we had to determine who would make those decisions and what the voting process would be. With three main stakeholder groups involved, we wrestled with how to balance their decision-making weight or influence. While there was a general understanding that each group should have meaningful input, finding the right formula was a long and difficult process.
Initially, we tried to operate on a consensus basis, meaning everyone had to agree or at least not strongly disagree. While this approach seemed straightforward, it often led to lengthy discussions, especially if one stakeholder group or even a portion of one group was not on board. This required deeper, more complex conversations to understand and address the concerns of each stakeholder.
Although this process was time-consuming and often delved into minute details, it ultimately added significant value. Each stakeholder’s expertise was critical in refining requirements and ensuring that proposed measures would be effective. For instance, while civil society and government representatives might advocate for certain certification requirements, companies could offer practical insights, pointing out when a requirement might not achieve the desired outcome. This back-and-forth was crucial in developing standards that were both rigorous and realistic.
However, the consensus approach also posed challenges when agreement was hard to achieve, especially if one group held out while others agreed. To address this, we developed a compromise: aiming for consensus but allowing for a fallback option. If consensus wasn’t possible after extended deliberations, decisions could be made by a supermajority vote—requiring at least eight out of 12 votes, including at least two votes from each stakeholder group. This ensured that no decision could be made without some level of buy-in from each group.
While not perfect, this approach created a necessary tension that encouraged stakeholders to work together, make reasonable compromises and understand each other’s perspectives.
You mentioned earlier the importance of engaging clients, the users of private security companies. In my role, most of my time is dedicated to this, as they are the ones who ultimately dictate whether these standards are upheld or not when they issue tenders for services. If clients do not prioritize these standards, it drives them down; if they do, it drives them up. However, clients aren’t part of the formal governance structure of this initiative, and I’m curious about why that decision was made. Were they involved in the negotiation process for the articles?
Yes, clients were indeed involved in the process of drafting the articles and in the initial meetings surrounding the development of the Code. We engaged extensively with various clients to understand their needs, what was important to them and how we could convey the value of the Code. However, they were not included in the governance structure, primarily due to the nature of the business. While we could get clients to attend some meetings, forming a cohesive, dedicated group of clients was challenging.
In contrast, civil society organizations were very eager to participate, companies were naturally interested, and some governments were quite committed to making this initiative work. While clients showed interest, it wasn’t their primary focus. That said, if it were possible to organize a more committed group of clients who could contribute to the development of the Code by voicing their needs and concerns, it would be highly beneficial. As you mentioned, clients play a crucial role in driving standards.
Interestingly, many governments, which also act as clients, have incorporated these standards into their procurement policies, requiring companies they hire to adhere to them. However, this is an area that could be further explored and developed by the association, perhaps in the next decade.
Looking back at that whole process, if you were advising another industry going through one of these processes, is there anything that you would have done differently?
For one, I think it would have been beneficial to give clients a more defined and active role in the process. One of the biggest challenges we faced at the time, and this may be changing now, was the reluctance of some governments to engage on an equal footing with companies and civil society organizations.
More than a decade ago, many governments were uncomfortable with the idea of sitting at the same table and having a similar level of influence in decision-making and governance as non-state actors. However, I believe this is shifting as more governments recognize the significant influence the private sector has on security, human rights and even areas like election security and public opinion.
If I could go back, I would consider how we might have engaged governments in a way that would have encouraged broader participation in the governance structure. This is something I still think about when considering other areas that need better standards or governance frameworks. It is a challenge we continue to face since the government pillar in our initiative has remained stable but hasn’t expanded beyond the original seven members. We are still exploring what incentives could encourage more governments to step up and join the initiative.
DCAF essentially acted as an incubator for the project, which eventually became its own independent organization, or association. What was that transition process like?
The process was quite interesting—almost like raising a child, in a sense. You nurture and support it until it is ready to stand on its own. That was our goal with DCAF: to create something stable that could operate independently once it was spun off.
In the initial year after the association was established, DCAF played an important role in helping it get set up. This included supporting the hiring of key staff, such as the new director, and assisting with practical aspects like finding office space and filing the articles of association. We also worked on securing certain privileges and immunities to ensure that the organization could operate effectively and confidentially, particularly when handling sensitive information from companies.
This support continued for over a year as we worked to fully establish the new organization. Even after the formal transition, DCAF remained involved and provided ongoing support to the new entity. Sometimes we had the documentation or we had the institutional memory so there was a period of back and forth and of support, getting the organization stood up.
I want to quote something you wrote just a couple of years after ICoCA’s inception: “If the ICOCA is able to meet even some of its ambitious objectives, it has the potential to transform how the international community regulates commercial security actors and their activities.” With 10 years behind us, do you think it has been transformational yet? If not, why not, and what do you think needs to happen for that vision to be realized?
Defining “transformational” can be challenging. I do believe the ICOCA has had a significant impact on how security services are perceived, and the standards companies follow when providing these services, even if they are not members. It has exerted a normative influence on the conduct of private security. Whether that qualifies as transformational is debatable.
It is also difficult to assess if there would have been more human rights incidents without the code and the association. However, I do think it has influenced companies by offering a guide or norm for what they should and shouldn’t do in security services. I’ve heard this from some companies, even those outside of ICOCA, during various projects.
That said, there is still potential for greater impact. I wish the association continued success as it enters its second decade, and I hope it can further this process of slow transformation. This ongoing effort is crucial for ensuring safe and responsible security service provision.
How do you see the evolution of the security industry, particularly with the technological leaps that are happening? How is the industry applying these technologies, whether it is AI or machine learning? What are the implications for human rights, and what regulatory options are there? What role, if any, does ICOCA have in all of this?
Well, let me try to distill that into a few key points. Technology is indeed transforming our lives and the private security industry. This sector is increasingly using technologies in various ways, from more sophisticated surveillance cameras to AI and predictive algorithms. These technologies are being integrated into risk assessments and the delivery of security services. So, technology is reshaping the industry.
In terms of what needs to be done, it is another translation exercise. Previously, we focused on integrating the growing number of private security actors into existing international regulatory frameworks. Now, we need to address how new technologies fit into this framework. We need to understand the human rights implications of these technologies and how they affect existing regulations.
My organization, ICT for Peace, is collaborating with ICOCA to explore how these new technologies are transforming the security sector. We are working on adapting and translating human rights standards and regulatory frameworks to be relevant in this technological context. We are looking forward to deepening this collaboration and addressing the challenges that come with these technological advancements.
We thank Anne-Marie Buzatu for sharing her insight on this important topic! Stay tuned as we continue to unpack the origins of ICOCA through our interview series.
The views and opinions presented in this article belong solely to the author(s) and do not necessarily represent the stance of the International Code of Conduct Association (ICoCA).