Skip to main content

S2E1 – In this episode, we welcome Andrew Clapham, professor of international law at the Geneva Graduate Institute, and member of  ICoCA’s Advisory Group. Having been involved in the development and drafting of the International Code of Conduct, he will walk us through the context, as well as the process of the negotiations that have preceded the Code’s establishment. 



Hello, I’m Chris Galvin. Welcome to ICoCA’s Podcast series Future Security Trends Implications for Human Rights. This year, ICoCA celebrates its 10th year, and so in this season of podcasts, we’re stepping back in time to investigate the origins of the Association and explore the journey over the last decade.

Today, I’m honored to introduce Andrew Clapham, professor of international law at the Geneva Graduate Institute. Prior to joining the institute, he was the representative of Amnesty International at the United Nations in New York and worked as a special adviser on corporate responsibility to the High Commissioner for Human Rights. He was elected as a commissioner of the International Commission of Jurists in 2013 and served as a member of the UN Commission on Human Rights in South Sudan from 2017 to 2023.

So, Andrew, you’re also a member of ICoCA’s Advisory Group, and I understand that you were involved in the initiative since the very beginning, going back to the development and drafting of the International Code of Conduct itself. So can you take us back to the context of the negotiations that took place at that time? Why was there a call for more oversight of the private security sector? And, what options were on the table in terms of regulating the industry at that time?

Well, I can take you back to a particular memory I have of sitting in a hotel in Montreux, and it was the final stages of the adoption of the Montreux Document, which, as you know, is the interstate document, which was supposed to reflect the obligations of states in the context of private security companies. And, at the last session, when they were actually going to sign the document, those of us, like myself, who were sort of academic observers, but also the private security companies themselves who had been participating in the process up till then, were, I suppose, booted out – would be a way to best explain how the feeling was. So, we were sort of expelled from the room and told that now it was the states who are going to sit amongst themselves.


Expelled by governments, that is? By the states?

Governments, indeed yes. And the ICRC, of course, was in the room. As you may know, there was a last-minute hitch in the adoption of the Montreux Document. My memory is that the Russians, at the last minute, decided, and I suppose this is rather pertinent, that they didn’t think that states had any business using private security companies at all, and these would remain illegal in Russia, and therefore they were not joining. And that sort of threw a spanner in the works. But, all of this is to say there was quite a long period when a group of us were drinking orange juice, there was a vending machine just outside the meeting waiting to see what would happen and I remember one or two of the private security companies said: “Well, this is all very well, but, you know, where do we fit in and what are our obligations? And we really would like to have our own code of conduct”. Of course, there were code of conducts around from the sector, but they wanted something which had a bit of an international imprimatur, or a Geneva flavor to it. That really was the moment when the idea was born that although the Montreux Document was interesting, it was for states alone, and we had been a bit disempowered and excluded, it was time to have something for the actual private security companies themselves. I have to say, there was civil society also around at this point that had been following Montreux quite carefully. So, there was a triptych of private security companies, academics, and NGOs that were interested in taking something forward while the governments were doing their own thing in a closed room next door.


So, that’s fascinating. And, so what you’re saying is that it was actually the private security companies really, who put their hand up and said they wanted to be self-regulated or not self-regulated at the time, but regulated. And presumably, there was a question about what that regulation would look like.

I think they felt that there was plenty of regulation for them. It wasn’t a sort of masochistic idea. You know, “We need to be regulated”. If you want a sort of insight into the logic, at the time, one of them said to me: “Look Andrew, we want to keep the Cowboys out”. The idea was that if there was a group that signed up for a code of conduct, and were known to try to abide by it, companies that were less enthusiastic about rules and regulations wouldn’t get involved, and wouldn’t sign the code. And, this would be a signal to people like Oxfam or the United Nations, or certain governments not to use those companies. So, it was a bit like having, you know, the red tractor or some sort of dolphin-friendly signal on the tuna. This would be a way of indicating that you were dealing with a company that was at least serious about human rights. Obviously, it couldn’t guarantee that they would never violate human rights, but at that time, it was felt that there were some groups – this is all, of course, in the wake of the Blackwater incidents – that were serious about this, and wanted to show that it was possible to be in this industry and not be a criminal.


And can I ask, were Blackwater in the room?

No, they were definitely not involved in those early stages. Now, of course, later on, they changed their name. And they did eventually. I don’t know what the status is now, but they were not part of the driving force. They were always seen as this was why one had to have a code so that one wouldn’t be confused with companies like Blackwater at the time.


So that was the genesis of the idea. Could you fast forward a year or so, and tell us a little bit about the negotiations that took place for the Code itself?

There were a series of meetings. Whereby they were held in Switzerland, but we also went to the United States and London. And, the final negotiations, which was what I would call a proper negotiation, where you had a text and people were arguing about the language, was held in a hotel in, I think Chavannes-de-Bogis out towards Nyon. We had a couple of days there and they went like a proper negotiation sort of late into the night with various versions circulating, and we went article by article and at that meeting, you had the key private security companies, key NGOs, the ICRC, Swiss government, British government, US government. There may have been the Canadian and Swedish observers, but they weren’t really the key players, as I remember. I’m not even sure, we didn’t vote things, but they weren’t considered to be members of the group that was drafting, if my memory is correct.

As you know, it’s a text which reflects a lot of human rights types obligations, but it also goes beyond human rights in many respects. And those, for me, were some of the more interesting aspects of the negotiations where private security companies at one point were saying: “Well, we would like to have an obligation on this. It would look good, and we want to be held to that”. And I can remember quite clearly states saying: “No, but you know, that’s not really an international obligation”. And they were like, “But we want to have the obligation”. And I think states were worried that they might, by being part of this process, be seen to be creating obligations for themselves. But, the private security companies pointed out to them: “Well, look, this is binding on us. It’s not binding on you”. So, they didn’t say butt out, but they would sort of say: “You know, you’ve got nothing to worry about. This is what we are assuming. It doesn’t matter whether you’re bound by this”.

That was very interesting in terms of the sort of history of drafting obligations for private actors in the sense that, one tends to assume that you sort of adapt and dilute what states have to do. But in fact, in some contexts, private actors might be prepared to take on more obligations than they might have already under international law, or even that states might have. So one could think about, obligations on sexual harassment or trade union rights, which might go beyond what the United States might consider as a binding obligation under international law. There was an interesting moment when people were suggesting that torture was only an obligation for the state and not for private actors, at which point the private security company said: “We’ve got to have no torture in our code. I mean, the idea that we could torture and it wouldn’t be a violation of the code is absurd”. So obviously, it went in and that’s interesting in the history of explaining that torture is not an exclusively state-like obligation.


Now, we’ve been doing quite a bit of work recently on working conditions within the sector, and we’ll get a bit later on in the conversation. I want to talk about, you know, the industry as it stands now and some of the trends. But, I’d be interested to know what the emphasis was at that time in terms of key issues, because looking back at Blackwater, obviously, the use of force must have been forefront in everybody’s minds. And when we look at the code now, doesn’t say a huge amount on working conditions and labor rights. Is that just because that wasn’t at the forefront of people’s minds?

I think so, yes. Although it may have also been considered to be an area where one would not necessarily be able to get Switzerland, the UK, and the US on the same page for a progressive standard, with the US being nervous about an encroaching idea of the obligation to recognize unions and collective bargaining and that sort of thing. But, I may be overinterpreting the situation. Certainly, the key issues in my memory were definitely treatment of detainees, questions of the use of force, and issues of how to ensure accountability. The idea that working conditions were related to privacy, sexual harassment, equality, and proper pay, but less maybe to the sort of other fundamental labor rights, which of course would apply as a matter of law wherever you were. But, it wasn’t seen as something that was essential to bring to the attention of groups as a way of including them or excluding them from the Code.


And related to the mechanism itself, ICoCA, but also the Code. Was there any discussion at that time about different regulatory options? I mean, this is a soft law, a voluntary initiative. Was there any discussion at all about hard law or something in between?

Well, there was an incredibly complicated discussion about the American standards and the ISOs, and we did spend a long time contributing to those. I know that’s not quite what you’re referring to as hard law, but the idea of putting all this into a treaty, no, because it was seen that this was something that should bind the groups themselves and the Montreux process was the closest that states were interested in getting towards some sort of internationally binding agreement. This was much more to create a group, which if you weren’t in it, would be an indicator to the market that you were not human rights appropriate, and you didn’t necessarily need hard law to do that. I mean, anybody who violated the national law could obviously go before a national court and complaints could be made at the international level through the various UN mechanisms. The idea was to have a sort of industry standard that the groups themselves were happy with, rather than having something that was imposed from outside and often perhaps for political reasons to highlight a particular situation in a particular country, rather than focusing on the behavior of a particular group.


And now, there’s a reference in the Code itself to a governance and oversight mechanism, which is what became ICoCA. So, what were the next steps in terms of setting up this mechanism? And, you know, it was a multi-stakeholder structure that took place. How were those decisions made and what was the genesis of the Association itself?

I do remember very clearly that on the sort of day of the adoption of the Code, there had to be this new entity that was going to take things forward. And, it was fairly obvious who the governments would be and even who the non-governmental organizations would be. But interestingly, and I don’t know if this is reflected anywhere in the minutes or anything, the private security companies decided that there would be a secret ballot to determine which of their representatives would go on to be part of this new entity, which eventually became the core group that was involved in drafting the articles of Association.

And so, instead of it just being the big three saying, you know, “We will now take this from here”, say people were elected, I think, on the grounds of how well it was thought they would represent, for example, the interests of smaller companies, or companies from different countries and so on, rather than this being a self-selecting group. And then, there were, as I say, secret ballots but by the name of the person, not by the group. So, they were originally elected in a very sort of individual capacity. And the individuals who were elected took it very seriously. It involved a huge amount of time traveling, as I said, to the United States, to London, to Geneva, to develop this. And they would say to me: “Oh, you know, my company is not that happy about how many hours or days I’m taking out to do this”. But it was a very serious, I would say in retrospect, exercise where the academics, the NGOs, the governments, and private security companies, all pulled their weight in terms of the actual legwork that went into it. And that, then culminated in a final meeting again in Montreux in a huge hotel, again running quite late into the night with last-minute problems that had to be ironed out in sort of breakout groups and so on, like a big international treaty drafting process. Obviously, not every state in the world was represented, but there were dozens of people representing the different sectors.


There’s a three-year hiatus between the Code being developed and signed and the Association finally getting up and running. We’re now celebrating the ten-year anniversary, as I say. So, it was in 2013 when the Association was finally formed. But, there were around 700 companies in the end that in that intervening period, I believe, signed up to the Code. One of the commitments that they made as a signatory, would be to join the governance and oversight mechanism, ICoCA, and in the event, that maybe 100 or so did do so. Many, didn’t. So, do you have any insights on why that was, and what the discrepancy is between those numbers?

Well, there was always a sort of hard core of companies that took this seriously and wanted it to work as a mechanism. And then there were free riders that wanted to be able to say we’re part of this: “Look, we’ve ticked the box. You can see that we’ve signed this, so you know, you can trust us”. But, we were always wary of having people burnishing their image by saying “I’ve signed the Code of Conduct”, and that obviously was never going to be enough. The whole idea was that you would be liable to exclusion, and there would be some monitoring of your behavior. So, precisely negotiating how intrusive that mechanism would be is what took the three years. There was also a parallel set of negotiations going on for the Pentagon in the United States and that put a brake on things with, I think, some American companies and the American government thinking, “Well actually we could organize this ourselves and this international thing bit out of our control and companies waiting to see whether the whole thing would, in the end just be a US-driven initiative”. At that time, the US was seen as the sort of place that was going to be the other side of the contract for a contractor. We were in the period of Iraq and Afghanistan and Halliburton and all of that folklore of big contracts in the context of those theaters of war. Whereas, of course, more recently it became obvious that this was going to become a much more diffuse group of entities that wanted to contract with humanitarian organizations, the UN, international organizations, the EU, and others wanting to contract, and therefore, the role of the Pentagon and the United States, I think, diminished for a lot of companies around the world that realized it wasn’t all about the US, and that probably helped to give the association the sort of final push, I would say.


And it wasn’t all about government contracts either. I’d be interested to know why within the governance structure, the users of these companies, which are not just governments, but they’re across every sector, including the corporate sector, of course, we think of extractors as big users, which they are, but big agribusiness. Everybody uses private security, but they’re not within the governance of the Association.

No, you’re right. It was a topic of discussion over and over, whether there should be a fourth leg on the stool, or make it into a chair. The clients, as they were known as a group, were represented in the original drafting of the code. I have a sort of image in my mind of the “corner of the table” where the clients were sitting who would be consulted from a client perspective: “Would this work?” So, they were present throughout the whole process in our minds, but also physically present in the room. And, there was a discussion about whether they deserved a fourth spot. But I think, at one point, it was either they would fit well with the idea of the non-governmental organizations side. So Oxfam or the ICRC could be both a monitor and a client. Similarly, for governments, they also had a client aspect to their work. In the end, it was decided not to add a fourth section. And I’m not sure in retrospect, whether the clients themselves were sort of pushing for it. I mean, that’s a bit of “a chicken and egg” situation. If there had been more in the room and they had felt more involved, maybe they would have done. But, they weren’t as engaged and committed to the process as, for example, NGOs were as a block and as a sort of sector. And, there certainly wasn’t a sort of concerted push by Oxfam qua-client to say we need a separate role as Oxfam qua-client as opposed to Oxfam as an NGO being there as part of civil society. So, to the extent that a client is civil society, they were represented by NGOs to the extent that they’re represented by the governments. Of course, the international organizations as clients were not represented. In my memory, the UN, EU, et cetera, were not keen to have a separate role in this process qua-client. But maybe they’re asking for it now. I’m out of touch. Maybe you’ll tell me now, that’s the big thing.


Well, we’re in ongoing engagements with the EU and we are endeavoring to try and raise this issue. They are a big contractor of private security companies themselves, and of course, they’ve now got the EU directive on supply chain due diligence. And so, we feel that governments should walk the talk in their own contracting practices. But, the UN, of course, they do have a mandatory requirement for any armed security across the UN, that any private security company contracted for armed security must be a member of the Association.

We were very keen that they would feel the sense that, that was where this is heading all along. So, they were definitely consulted along the way to ensure that they felt a bit of ownership of this qua-UN. Obviously, I’m not talking about all the member states, but the people within the UN who worked on procurement and that sort of thing and who had expertise in security matters, were consulted, as I say, all the way and I think may have even been there for the drafting.


What were the expectations back then? As the Association got up and running, what did people feel would be the outcome of this?

Before the association even, was embryonic. I think one has to remember that it was drafted in a way that it could be included as an annex to a contract. So, the alternative codes of conduct that were around at the time were just too vague. So, if you were trying to hold a private security company to an existing code of conduct pre-the ICoCA, it would say something like “The company commits to uphold the values in the Universal Declaration of Human Rights and other related human rights standards”. And, the idea was to make this a bit more specific, so that you could point to this as a term and condition and say, “Well, the deal is off, because you’ve violated the terms of the contract”. And the governance thing was a way of ensuring that this would have some sort of proper monitoring. There was the standards for the extractive industry that were out there. I think you know what I’m referring to. And, there it was felt that there wasn’t a proper oversight where human rights were being violated. So the idea was twofold: one, to get more specificity and to make it look like a real code and not just a sort of commitment to human rights. And secondly, to beef up the possibility of monitoring or even expulsion.


Now, you mentioned the Montreux document before, and I just wanted to ask you because the Code references private security companies. Montreux, obviously, references private military and security companies (PMSCs). So, it looks like there’s a deliberate decision to leave out the military from the Code and the association. What was the reason for that?

It goes back to that period when the idea of having a private military company was rather horrific, in the sense that it seemed to be contracting out war fighting, and that, states were unenthusiastic about, as were the general public, as were, indeed, the companies who were trying to earn a living as private security companies and not with any enthusiasm for fighting wars, not least in Iraq or Afghanistan. And so, it was quite deliberate to distance themselves from the idea that these companies were being used for fighting for combat when they were not, and none of the companies that were involved were interested in combat or the laws of war at all.

Now, Montreux does actually talk about conflict situations. It was designed particularly, and obviously, it’s ICRC-led, so it relates essentially to international humanitarian law, which only applies in times of armed conflict. But, by the time the Code was being written, private security companies were being used outside of conflict situations where international humanitarian law wouldn’t apply at all. So, a particular rationale for having the Code was to talk about human rights law, which is almost absent in the Montreux text. And, that is why the human rights organizations and my role as a human rights lawyer swung it away from the rules of international humanitarian law which apply, and which were covered by Montreux into the rather more complex area of which human rights law is going to apply, and how do we talk about this in human rights terms.

This was at the time of the guiding principles which were being developed by John Ruggie, where he was getting this consensus document through the Human Rights Commission and then the council where the emphasis was on, “corporations have a responsibility”, but it’s not a legal responsibility. And this was really saying, well, that’s one way of looking at it. But the Code could create a legal responsibility by building this into contract law and creating a regime, whereby companies would be held accountable for not living up to the commitment they had made to the regime in this very narrow, specialized area. So, John Ruggie was saying companies have to respect all of human rights and the ILO declarations and so on. Whereas this code was talking about very specific obligations written as if they could be terms in a contract. So it was a very different approach, and none of the companies were really carrying out Wagner-type operations. They were not really private military companies, the ones that were involved, they were doing private security work, and they certainly saw their future as private security work. And the Pentagon itself was moving away from any kind of subcontracting of combat operations. So, you just have to see it in its historical context. It was at a time when it was considered this really was security work and not military work, and they didn’t want the reputation of being tarnished with the same brush as Blackwater operations or Halliburton that had gone wrong.


And we’ll come on to Wagner in a minute. But, the Code, maybe it’s unique, in that it does reference both international humanitarian law and human rights law. So, do you think that those two things complement each other or do they compete or confuse? And, when it comes to the private security companies themselves, what are the legal differences and distinctions that they need to keep in mind, whether they’re operating in a conflict or a non-conflict environment?

I think I would say that if a private security company was involved in combat operations, they would need some specialist advice because for them to get the privileges of prisoner of war status and to be entitled to combatant immunity for killing people is not as obvious as it might seem and is quite complicated. So, international humanitarian law provides a series of prohibitions and some protections, but those protections are against civilians. But in terms of protecting the private security company, for example, in giving prisoner of war status to an individual who’s captured, it’s rather complicated as to when that happens. You need an interstate armed conflict, and you need the private security company to be integrated into the armed forces of the state and so on. And that happens extremely rarely. So, it’s complicated.

Similarly, on capture, I’m not sure that they would have combatant immunity unless they are part of the armed forces of the state. There are a lot of assumptions by private security companies that when they’ve got a uniform and they seem to be fighting a war, they would have all the privileges of a soldier in the armed forces of a state. But the short answer is they don’t. And they would risk being in some circumstances prosecuted for mercenaries and certainly not getting prisoner of war status due to that mercenary status.

So, it’s a complicated area which is not dealt with in the Code. I did deal with it in another project on mercenaries but that’s for another day.


And I should just add a disclaimer that certainly none of our member or affiliate companies should be engaged in any military forward operational activities.

Exactly. It’s good that you point that out. That’s precisely why the Code doesn’t get into any of these questions because as you point out straight up, it was always assumed that the companies involved in this would not be doing that. And that, for all the reasons I’ve just explained, is extremely complex. But it’s not attempted to be regulated in the code because they shouldn’t be doing it in the first place.


I do want to draw on your expertise a little bit more on this issue of the evolution of conflicts and war, and you’ve already mentioned that, but most recently including the involvement of private military companies, the likes of Wagner Group, who’ve been operating not just in Ukraine, but they’re operating a growing number of countries around the world, especially in Africa. So, do you think Wagner’s rise marks a departure in the way wars and conflicts are initiated and conducted, and the role of private companies and what they play in this?

I think it’s very significant what’s happening indeed. I don’t think it means that the whole of the private security sector is going to start to look like Wagner or that Wagner will overshadow everything that’s going on. I think, it’s quite peculiar to the Russia situation and Russia’s role in the world, as you say now in Africa, but also in Syria, and with regards to Ukraine. So, I think it’s quite context-specific, but it will taint how private security companies are seen in some quarters, which in a way makes it even more important that ICoCA is able to do its job and show that it is possible to do this without becoming a Wagner-type operation, that private security doesn’t mean necessarily lawless war criminals. It’s a complicated moment. I don’t think it will go on forever that Wagner will play this role, but it’s obviously at the top of everyone’s minds. And it’s not restricted to Ukraine, Russia, or Belarus. It’s Syria, Sudan, Libya, Mali and Central Africa Republic. The extent to which African countries continue to rely on Wagner, we don’t know. I think it’s a bit too early to say.


And  this is probably not a very simple question to answer either, but just given the complete disregard for any international norms by the likes of Wagner, can they be held accountable? And if so, how? And is there any role for existing mechanisms, perhaps like ICoCA?

The short answer is absolutely. They can be held accountable. One just has to think a little bit outside the box. All action in Ukraine, for example, is covered by the International Criminal Court. So, any member of Wagner, whatever their nationality, who is committing a crime in Ukraine or assisting a crime in Ukraine or even arguably responsible as a matter of command, responsibility for failing to punish crimes committed in Ukraine can be held accountable in the International Criminal Court. Now, of course, the prosecutor has a lot of cases to deal with, but many of the crimes committed in Ukraine just to stick in that context, will count as grave breaches under the Geneva Conventions because it’s an international armed conflict between two states. And therefore, their acts could indeed. Mistreating, for example, a prisoner, a detainee, or prisoner of war, or a civilian in occupied territory is going to constitute a grave breach. And, the grave breaches regime is a regime that applies in every single state in the world because every single state in the world has ratified the Geneva Conventions. And, in many states, a Geneva Conventions Act will create a crime so that it can be prosecuted in that state regardless of where the crime took place or the nationality of the individual.

So, any member of Wagner who traveled, for example, to the United Kingdom could be prosecuted in the UK courts under the Geneva Conventions Act for a grave breach. And that applies similarly in the United States, even though they’re not parties to the protocol or to the International Criminal Court. The legislation, which was passed this year in January, allows for the prosecution of grave breaches, whatever the nationality of the perpetrator. So, the net can easily be closed on the individual perpetrators, very easily. And of course, Central African Republic and other states in Africa have ratified the ICC statute as well. So it’s not impossible that there could be prosecutions for crimes committed in those countries as well.


So there is hope on that front. I just want to bring us back to the Association for a last final question and kind of looking forward into the future of the Association. How do you see the private security industry as having changed since the Code was developed? And, how do you think the Code should be amended or perhaps implemented differently to kind of reflect the new operational realities on the ground?

One of the things, which I have thought about, and which I’m told is being adjusted, but which we did spend quite a lot of time on post-adoption of the Code is adapting it so that it would apply on the high seas. So, a lot of private security companies are involved in counter-piracy work. And there we did try to come up with some quite specialized rules relating to warning shots and shots across the bows, literally for dealing with piracy. And that, I think, probably needs some attention. And one could imagine similar work to do with aerial hijacking and so on. So, I think that would be important. I think, probably, there is going to need to be some work that might not necessarily involve amending any text, but in differentiating the members of the Association from a group like Wagner and maybe some thought given to explaining mercenarism and what it really means. Because it’s obviously bandied around as a term of abuse and it is assumed that if you, sort of, carry a gun and you’re paid for it, that is a crime and the crime of mercenaries. So, there probably needs to be some gentle PR work to explain that there might be good reasons for Oxfam to have armed guards on their food supplies in Somalia. And the fact that somebody is employed doing that does not necessarily mean they’re doing what Wagner are doing in the context in which they operate. So I think that is going to be a challenge, because in the public’s mind, being paid to carry a gun and protect stuff looks quite close to something called mercenarism, which sort of by definition is wrong because it’s a crime. And there’s probably needs to be some work in explaining that.


Well, that’s great food for thought. I should say that about a quarter of our membership do have operations, maritime operations. And so the Code, the compliance mechanism does cover that. I will say maritime security is an incredibly difficult thing to do compliance work on because it’s so distant and removed and offshore, but certainly an area of work that we are pursuing. So, thank you so much for your time today, Andrew. It’s great to get the backstory on the origins of the Code and the Association, and we’re delighted that you’re still engaging with the advisory group and we look forward to that continued engagement in the future.

Thank you for having me.




The views and opinions presented in this article belong solely to the author(s) and do not necessarily represent the stance of the International Code of Conduct Association (ICoCA).