Good Practice Handbook

Assessing and Managing

Security-related Risks and Impacts
Guidance for the Private Sector in Emerging Markets

DRAFT
July 2016

Good Practice Handbook

Assessing and
Managing Securityrelated Risks and
Impacts
Guidance for the Private Sector
in Emerging Markets

DRAFT
July 2016

Table of Contents

Acknowledgements
IFC Performance Standard 4 - Security

I. Introduction: Security Issues in the Context of the Performance Standards

II. Assessing Security Risks
Security Considerations in Different Phases of a Project

III. Managing Private Security

IV. Managing the Relationship with Public Security
V. Preparing a Security Management Plan
VI. Assessing Allegations or Incidents Related to Security Personnel

ANNEX
A. Template Invitation to Bid (ITB) and Request for Proposals (RFP) for Security Risk Assessment
and Security Management Plan
B. Guidance for Drafting a Security Management Plan
C. Template Contract with a Private Security Provider
D. Sample Incident Report Summary Template

Acknowledgements
[TBC]

IFC Performance Standard 4 - Security

Security Personnel
When the client retains direct or contracted workers to provide security to safeguard its personnel and property,
it will assess risks posed by its security arrangements to those within and outside the project site. In making
such arrangements, the client will be guided by the principles of proportionality and good international practice1
in relation to hiring, rules of conduct, training, equipping, and monitoring of such workers, and by applicable law.
The client will make reasonable inquiries to ensure that those providing security are not implicated in past
abuses; will train them adequately in the use of force (and where applicable, firearms), and appropriate conduct
toward workers and Affected Communities; and require them to act within the applicable law. The client will not
sanction any use of force except when used for preventive and defensive purposes in proportion to the nature
and extent of the threat. The client will provide a grievance mechanism for Affected Communities to express
concerns about the security arrangements and acts of security personnel.
The client will assess and document risks arising from the projects use of government security personnel
deployed to provide security services. The client will seek to ensure that security personnel will act in a manner
consistent with paragraph 12 above, and encourage the relevant public authorities to disclose the security
arrangements for the clients facilities to the public, subject to overriding security concerns.
The client will consider and, where appropriate, investigate all allegations of unlawful or abusive acts of security
personnel, take action (or urge appropriate parties to take action) to prevent recurrence, and report unlawful
and abusive acts to public authorities.
_______________________
1

Including practice consistent with the United Nations (UN) Code of Conduct for Law Enforcement Officials, and
UN Basic Principles on the Use of Force and Firearms by Law Enforcement Officials.

Performance Standard 4 requires companies to:

Assess the security risk their operations may have or create for communities
Develop ways to manage and mitigate these risks
Manage private security responsibly
Engage with public security
Consider and investigate any allegations of abuse by security personnel

Chapter I. Introduction: Security Issues in the Context of the

Performance Standards
Companies around the world commonly hire or contract security personnel to protect their employees,
facilities, assets, and operations. In low-risk environments, security arrangements may consist of
fencing, sign-posting, lighting, and perhaps a night watchman. In higher-risk environments, however,
companies may need a correspondingly higher level of security, requiring them to engage private
security contractors or even work directly with public security forces. In determining their security
needs, companies will typically assess the types and likelihood of risks
and threats posed by their operating context, but are increasingly called
upon to also consider the impacts their security arrangements might have
Level of effort should
on local communities. In more complex security environments, the
be based on risk
presence of the project itself might affect the security risks for a range of
stakeholders.

IFCs Sustainability Framework and Security Issues: Performance

Standard 4
The Sustainability Framework articulates IFCs strategic commitment to sustainable development and
is an integral part of its approach to risk management. At its core are eight Performance Standards
(PSs), which address a range of environmental and social issues arising in private sector projects. The
Performance Standards are designed to help companies avoid, mitigate, and manage risk as a means of
doing business in a sustainable way.
Security issues, while intersecting with environmental and social aspects in other Performance
Standards, are primarily covered in Performance Standard 4: Community Health, Safety, and Security.
The objectives of Performance Standard 4 are: (i) to
anticipate and avoid adverse impacts on the health and
safety of Affected Communities during the project life from
Performance Standard 4 expects
both routine and non-routine circumstances and (ii) to
companies to consider security
ensure that the safeguarding of personnel and property is
risks TO communities as well as
carried out in accordance with relevant human rights
security risks FROM communities
principles and in a manner that avoids or minimizes risks to
1
the Affected Communities.
The second portion of Performance Standard 4 focuses on Security Personnel, in recognition of the
potential risks to communities from the existence and actions of security forces. It outlines IFCs
requirements with respect to the assessment and management of security risks, related to both private
and public security forces. An assessment of risk which considers security risks to both the local
community and the company is the foundation and first step of good security management. Other
security-related requirements outlined in Performance Standard 4 are described in greater detail
throughout this Handbook. While all companies with some type of security force safeguarding their
personnel and property are expected to assess and manage their risks, the level of effort should be
commensurate with the level of risk, and therefore will vary from one company to another.

IFC: Performance Standard 4, Objectives.

Paragraphs 12-14 outline IFCs requirements with respect to the assessment and management of
security risks, related to both private and public security forces. Many projects are protected by private
security guards, while in some contexts public security forces (i.e., military forces, police, or
gendarmerie) may be tasked by the state to provide some or all of those security functions. The
expectations placed on companies with respect to managing private security and engaging with public
security are based on companies expected level of control over each, as summarized in the box below.

Private Security
Company has greater control over private
security and therefore is subject to greater
expectations on hiring, conduct, training
Contract is key
Assessment of risk and implementation of
good practice in hiring, training, and
employment of private security guard forces
Use of force
Grievance mechanism
Consideration of allegations of abuse

Public Security
Often outside the companys control and
therefore the focus is more towards
engagement
MOU is ideal but in many cases not possible
Assessment of risk of a response by military
or police
Encouragement of military and police to
disclose security arrangements (and by
implication, to influence those arrangements)
Consideration of allegations of abuse

Key Principles
Interconnectedness of Security Issues with other Performance Standards
As IFCs work with clients on security issues evolves, a key lesson has been on the interconnectedness
between security and a wide range of issues covered by other Performance Standards. Experience has
shown how company-community tension on any issue whether water, lack of perceived benefits,
pollution, or working conditions can suddenly turn into a spontaneous protest at the project gates or a
blockade of an access road, resulting in a security situation for which a company may not be prepared.
Making the link between community relations and security is therefore key. Similarly, the ways in which
security personnel comport themselves in the context of labor union gatherings or strikes (PS 2),
involuntary resettlement of households (PS 5), or activism by Indigenous communities (PS 7) is essential
to ensuring the rights and safety of local communities and to the reputation of companies and
governments worldwide. Against this backdrop, Performance Standard 4 should be read in conjunction
with all of the other Performance Standards.
Community Engagement and Grievance Mechanism for Security-Related Issues
Often security issues are thought of as separate from environmental and social aspects, and therefore
de-linked from the community relations function. Functional responsibility for security may be handled
by a different department and, as such, dialogue about security issues may get left out of community
engagement processes. Communities also may not know that the companys grievance mechanism can
and should be used as a channel for concerns or complaints about security personnel. Performance
Standard 1 is particularly relevant here as it relates to assessment and management of risks, disclosure
and consultation, and access to project-level grievance mechanisms. These aspects should also apply to
security issues.
5

Community engagement is a central aspect of a good security program as good relations with
employees and local communities can substantially contribute to overall security in the project area.
Companies can achieve this by making sure that their Community Relations and Security staff coordinate
regularly. Given that security guards are usually the first point of contact with community members at
the project gates, they should be given guidance on messaging about relevant issues. Similarly, through
its Community Relations function, a company can provide timely information to communities about
those aspects of security arrangements most likely to affect them. They can also communicate the
companys security policies, including the expected conduct of security personnel. Dialogue with
communities about security issues can help a company to identify potential risks and local concerns it
may have not considered, and can serve as an early warning system.
Gender-related impacts of security are also an important consideration. Men and women usually have
different experiences and interactions with security personnel, so consulting them separately can be a
good way to understand these different perspectives. For example, the potential for sexual harassment
or sexual violence against women can increase from an expanded presence of private or public security
forces in a project area. At the same time, awareness of and respect for culturally-specific gender issues
on the part of security personnel may help to enhance their acceptance by the local population.
Finally, communities should know where to go if they have complaints about the conduct of security
personnel. Depending on the situation, this could be done through the companys general community
grievance mechanism or through one targeted specifically for security concerns. Equally important is the
ability of community members to make such complaints without fear of intimidation or reprisal.
The Principle of Proportionality
The principle of proportionality, referenced in Performance Standard 4, requires that the intensity of
any security response correspond to the nature and gravity of the threat or offense. The principle of
proportionality is a concept from International Humanitarian Law that is generally used in a military
context, but can be interpreted and applied any time use of force is contemplated. Performance
Standard 4 explicitly states that companies will not sanction any use of force except when used for
preventive and defensive purposes in proportion to the nature and extent of the threat. 2 Security
personnel should be instructed to exercise restraint and caution, and to prioritize peaceful resolution of
disputes and the prevention of injuries and fatalities. 3
Security and Human Rights
The conduct of security personnel should be based on the principle that providing security and
respecting human rights can and should be consistent. 4 The connection between human rights and
security is echoed throughout the Voluntary Principles on Security and Human Rights (see Other
International Standards on Security below) and is aligned with the commitment to respect human rights
in Performance Standard 1 that: Business should respect human rights, which means to avoid infringing
on the human rights of others and address adverse human rights impacts business may cause or
contribute to. 5
IFC: Performance Standard 4, paragraph 12.
IFC: Guidance Note 4, paragraph 29.
4 IFC: Guidance Note 4, paragraph 29.
5 IFC: Performance Standard 1, paragraph 3.
2
3

In the context of security and Performance Standard 4, human rights considerations reflect the fact that
interactions with security forces have the potential to impact the rights and safety of individuals and
communities. At the most extreme, the use of lethal force can jeopardize the right to life. The use of
excessive force, along with unlawful detention, also have the potential to impact rights to liberty and
security of the person. Other impacts include limitations to freedoms of movement or assembly, or
possibly restrictions on employees freedom of association, among others.
Companies have a responsibility to demonstrate their respect for human rights through proper hiring,
training, and supervision of private security forces, and should encourage public security forces to also
act accordingly when responding to situations related to the project. For example, if community
members decide to associate, assemble, and speak out in opposition to the project, the company and
any security personnel who interact with them should respect the right of the local communities to do
so. These principles are embedded within Performance Standard and Guidance Note 4 and are
elaborated in more detail in the remainder of this Handbook.

How to Use This Handbook

Who is the audience for this Handbook?
This Handbook is designed for IFC clients or other private-sector companies, and their consultants,
particularly those operating in emerging markets and wishing to implement Performance Standard 4.
Ideally, the individual responsible for security within the company the Security Manager or other
employee tasked with overseeing security will refer to parts of this Handbook at different points of
assessing and managing security-related risks.
What is the objective of this Handbook?
This Handbook is designed to help companies better understand and implement the requirements in
Performance Standard 4, to conform to good international practice, and to protect their operations
while safeguarding local communities from adverse impacts. It provides practical, project-level guidance
for companies at any stage of the process.
Which companies should use this Handbook?
Performance Standard 4 applies to companies of any size, and in any country or sector. Similarly, this
Handbook provides guidance and resources that companies should be able to adapt and incorporate
regardless of context. Ideally, companies will use this Handbook from the initial stages of the project,
but this advice can be incorporated at any point. Regardless of when a company develops and
implements its security risk assessment and management plan, continuous monitoring is encouraged to
adapt to any changing circumstances.
How is the Handbook organized?
The relevant security-related paragraphs of Performance Standard 4 are included at the beginning of
this Handbook, followed by an introduction to Performance Standard 4 requirements and key principles.
This is followed by a brief summary of other international standards on security, and then chapters on:
Assessing Security Risks
Managing Private Security
Managing the Relationship with Public Security
Preparing a Security Management Plan
7

 Assessing Allegations or Incidents Related to Security Personnel

Finally, several Annexes provide additional practical guidance and templates.

Other International Standards on Security

In addition to Performance Standard 4, it is important for companies to be aware of other international
standards related to security. If a company is considering engaging a private security provider who
references compliance with the Voluntary Principles, works for a member of the Voluntary Principles, or
belongs to the International Code of Conduct Association, this does suggest a level of awareness of and
commitment to international standards and good practice. However, it does not replace the companys
responsibility to undertake due diligence in accordance with Performance Standard 4.
UN Code of Conduct for Law Enforcement Officials 6 (1979)
Principles and prerequisites for law enforcement officials to perform their duties while
respecting and protecting human dignity and human rights
Includes limitations on the use of force; prohibitions on inflicting, instigating, or tolerating acts
of torture or other cruel, inhuman, or degrading treatment or punishment; commitments to
ensuring the protection of the health of detainees; opposition to corruption; and respect for the
law
UN Basic Principles on the Use of Force and Firearms by Law Enforcement Officials7 (1990)
Sets out principles on use of force by law enforcement officials and calls for governments and
law enforcement agencies to incorporate these within their national legislation and practice
Includes rules and regulations on the use of force and firearms; prioritization of restraint and
non-violent means; minimization of damage and injury, and provision of assistance and medical
aid; and standards for vetting, training, and reporting and review
Outlines expectations regarding policing unlawful assemblies and policing persons in custody or
detention
Prohibits invoking exceptional circumstances to justify departure from these principles
Voluntary Principles (VPs) for Security and Human Rights8 (2000)
Internationally recognized set of principles designed to guide companies in maintaining the
safety and security of their operations within an operating framework that encourages respect
for human rights
Three main components: Security Risk Assessment, Relations with Private Security Providers,
Relations with Public Security Forces
VPs themselves are high-level principles implementation guidance includes Implementation
Guidance Tools 9, developed with the support of IFC

www.ohchr.org/EN/ProfessionalInterest/Pages/LawEnforcementOfficials.aspx
www.ohchr.org/EN/ProfessionalInterest/Pages/UseOfForceAndFirearms.aspx
8 www.voluntaryprinciples.org
9 www.voluntaryprinciples.org/wp-content/uploads/2013/03/VPs_IGT_Final_13-09-11.pdf
6
7

Voluntary Principles Initiative is the formal membership organization of the VPs, restricted to
extractive companies, governments, and NGOs but companies in any sector can implement
the VPs

Performance Standard 4 and the Voluntary Principles

The Voluntary Principles on Security and Human Rights are considered to be good international
practice and provide helpful guidance to companies. While implementation of the Voluntary
Principles is not a requirement of Performance Standard 4, the two have significant overlap, and
proper implementation of one generally suggests broad conformance with the other. While the
Voluntary Principles were originally focused on extractive industries, a growing number of
companies in a range of sectors are choosing to implement them.
International Code of Conduct for Private Security Service Providers 10 (ICoC) (2010)
Set of principles and standards applicable to private security companies (i.e., companies
providing guard forces)
Key components are commitments and processes
Currently over 700 signatory companies (publicly commit to operate in accordance with the
Code) however, signatory currently does not equal certified
ICoC Association is governance and oversight mechanism established in 2013 to promote the
ICoC initiative and its implementation and support the development of certification and
monitoring procedures
UN Guiding Principles (GPs) on Business and Human Rights11 (2011)
Global standard for preventing and addressing the risk of adverse human rights impacts linked
to business activity
Most human rights documents regarding private sector operations now reference the GPs

10
11

www.icoca.ch/
www.business-humanrights.org/en/un-guiding-principles

Chapter II: Assessing Security Risks

Assessing and evaluating potential security risks is the first step in determining what level and types
of security arrangements a company might need. Decisions on whether guards should carry firearms or
whether fences should be electrified, for example, should be based on an informed analysis of whether
the level of risk calls for such measures, and consideration of how these arrangements might impact
employees, local communities, and security personnel themselves. An upfront assessment of risks can
also help companies to anticipate and proactively manage adverse consequences that could arise from
private and public security responses to a range of security incidents linked to their project.
Performance Standard 4 outlines requirements for assessing a companys security arrangements,
including both private security 12 and public security. 13 Assessment is a critical first step to responsible
security management. It can be a useful exercise to document and communicate risks both vertically
to management and horizontally to other departments, who can integrate this information into their
own functional responsibilities (e.g. Community Relations staff may communicate security-related
information or consult on security concerns when engaging with local stakeholders).
The level of effort in assessing security risks should be commensurate with the level of security risk
associated with the project and its operating context. For clients with small operations in stable
settings, a review of risks in the operating environment can be relatively straightforward. For larger
operations in higher risk environments, the level of analysis merited will be a more in-depth and
comprehensive Security Risk Assessment (SRA) that may need to consider political, socio-economic, or
military aspects, patterns and causes of violence, and potential for future conflicts. 14
Key Company Documents
Companies of any size, operating in any context, should have some level of documentation that
reflects internal risk-management policies, including those related to security. In addition to the
project-level Security Risk Assessment and Security Management Plan (both described in this
Handbook) many companies also have the following types of documents: (i) Corporate Security Policy,
(ii) Ethics and/or Human Rights Policy, and (iii) Use of Force Policy, as these typically contain
important aspects related to security. While it is not necessary to have these exact, discrete policies,
it is good practice to cover this information in some form, with the scope based on the projects
particular situation. For example, larger companies operating in complex environments typically have
a comprehensive Use of Force Policy as a standard document, while small companies operating in low
risk environments may simply enumerate protocols relating to use of force in a security guards
employment contract.

When the client retains direct or contracted workers to provide security to safeguard its personnel and property, it will
assess risks posed by its security arrangements to those within and outside the project site. IFC: Performance Standard 4,
paragraph 12.
13 The client will assess and document risks arising from the projects use of government security personnel deployed to
provide security services. IFC: Performance Standard 4, paragraph 13.
14 IFC: Guidance Note 4, paragraph 25.
12

10

Key Steps in Assessing Security Risks

Companies can initiate an initial assessment of security risks with staff from their own internal
departments. This exercise can be undertaken by the person, or team, in charge of security in the
company, but ideally will include input from different functions within the company, such as Community
Relations, Human Resources, etc. Some companies also find it useful to consult with external
stakeholders, such as community representatives, local authorities, and public security, in order to
incorporate a broad range of perspectives on security issues in the local context.
Companies can undertake an initial assessment of security risks by following the process outlined below.
It is important to document the outcomes of this risk assessment exercise, both to demonstrate that
this process was undertaken and to record the results both for immediate incorporation in mitigation
efforts (See Chapter V on Preparing a Security Management Plan) and for future comparison. Many
Security Managers use a simple Risk Register a security-specific type of Risk-Response Chart to
record potential risks and expected security responses.
A Risk-Response Chart can be constructed by following the steps outlined below each of the first eight
steps described in this section contributes a new column of information to complete the chart. The
graphic immediately below depicts a blank example of such a chart. A sample completed chart, with
example responses filled in for illustrative purposes, is included at the end of this section.

Impact on
Company

Impact on
Community

Security
Response

Severity

Severity

Security
Risk

Likelihood

Step 1

This chart is based on the Risk-Response Chart frequently used by security professionals to assess a
projects security risks. However, these often focus exclusively on the company perspective.
Performance Standard 4 asks companies to consider potential impacts on communities in addition to
impacts on companies. Many companies implementing Performance Standard 4 have found integrating
community aspects into their existing processes to be the most efficient approach.
Step 8

Mitigation

Risk 1
Risk 2
Risk 3

For many companies, this process and information can be sufficient to ensure that they understand and
are responding appropriately to potential security risks. For companies with significant security risks,
especially those operating in high-risk contexts, additional depth of analysis and detail may be required
(see Key Components of a Security Risk Assessment for High Risk Contexts at the end of this section).

1. Identify Potential Risks to the Project that May Require a Security Response

11

Start by listing all potential risks that may require action by private and/or public security forces.
These include risks:

Arising from a companys operating environment

These include risks that arise indirectly from contextual circumstances like poverty, corruption,
crime, or legacy issues (e.g., unsettled political claims, unresolved land disputes, etc.), as well as
direct threats from sources such as organized crime (including drug trafficking), anti-industry
movements, terrorism, violent/armed conflict, etc. For example, if there is a high level of
poverty in the local community, or a high level of crime, this may manifest itself in a heightened
risk of petty theft.

Arising from a companys relationship with local communities

These include issues stemming from tensions related directly to company operations, such as
labor and workplace relations; community health and well-being (including accidents, dust,
noise); access to land or natural resources, resettlement, compensation, or livelihoods. There
can also be agitation from actions the company does not take, as when the community has
unmet expectations (e.g., regarding employment or other benefits) or when benefit sharing is
perceived to be lacking or unfair. For example, if there is a high level of community discord,
either with the site or even with the state, this may manifest itself in a heightened risk of
protest.

Arising from a companys security response to an incident

In some cases, a single point of conflict can lead to further escalation if the way in which security
personnel respond to and handle an incident creates new grievances and risks, rather than
defusing a situation (e.g., if security personnel overreact and use excessive force against an
otherwise peaceful protest by the community). For example, if past interactions have increased
tensions with communities, this may manifest itself in a heightened risk of vandalism or protest.

Some potential risks are listed for reference in the table below (other risks may also apply).
Potential Risks to a Project that May Require a Security Response
More common risks
Most projects have at least
some risk of these occurring

More serious risks

Rare, severe risks

Projects in more complex security

environments may face these risks

Few projects face such intense

security risks, which typically are
found only in more conflicted areas

Trespassing

Robbery

Invasion/occupation of company land

or property

Vandalism

Assault

Riot

Petty theft

Armed protest

Hostage-taking

Road block

Sabotage of company property or

operations

Kidnapping

Community protests

Shooting or other use of offensive

weapons

Bombing

12

2. Determine the Likelihood for Each Identified Risk

For each of the risks listed in the chart as a potential risk for the project, assess the likelihood of its
occurrence. This is often quantified using a Likert scale (0-5 or 0-10), but can also be categorized with
high-medium-low or red-yellow-green (stoplight model). The sample chart at the end of this section
utilizes a five-point scale, ranging from 1 (low probability) to 5 (nearly certain).

3. Anticipate the Likely Security Response

Identify the security response most likely to occur for each of the risks. In other words, how would the
companys private security or local public security react to each type of security incident? In many
cases, the expected security response may be relatively straightforward. For example, at a project site
without physical barriers such as fences or barricades, and without tense community relations, the
anticipated response to an individual trespassing on company property may be as simple as a private
security guard approaching the individual, communicating that this is private property, and remaining
present to ensure the individual leaves without incident. In other situations, interactions may
reasonably be expected to be more confrontational, such as police responding to a community protest,
where emotions are high, people are acting collectively, and the risk of escalation and violence appears
possible.
It is important to consider both who (private or public security) is likely to respond as well as how
they are likely to respond. For example, will private security handle the issue themselves (as is often the
case with trespassing, petty theft, or labor disputes)? Or are public security forces such as the local
police likely to be the first to respond, such as to a community protest or roadblock? Are there
situations where private security is expected to respond first and then hand off to public security (for
example, with some theft, on-site traffic accidents, or land incursions)? If private security is likely to
apprehend and detain a suspect until public security arrives to assess the situation and possibly make an
arrest, an appropriate security response to record could be Reasonable detention by private security
until arrest by public authorities.
Some hypothetical responses are listed for reference in the table below (other responses may also be
possible). Note that responses in italics are never appropriate, but nevertheless may be likely responses.
Potential Responses by Security Personnel
Passive Deterrents
Access Control

Physical measures to prevent access to or passage through restricted areas, such

as gates, guards, fences, surveillance systems, etc.

Visual presence of security

Guards stationed at access points to process ingress and egress, but who also
serve as a visible deterrent

Observe and report

Guards observe, report, and record activity

Active Deterrents

13

Verbal instructions
warning / refusal of
passage/entry

Guards issue verbal warnings to individuals who attempt or threaten to attempt

to circumvent physical security measures. The warnings may include notice that
additional security is being called.

Show of force

Guards increase their numbers or demonstrate their weapons as visual indications

of potential escalation of security response

Intimidation or
harassment

Guards use their position (or, in particular, their weapons) as a tool for
intimidating or harassing community members, especially where no immediate
risk or threat is present

Reasonable detention

Guards detain individual(s) discovered to have trespassed or committed theft, etc.

on the company site for only as long as it takes for police to arrive and assume
responsibility

Escalation
Use of non-lethal force

Guards use non-lethal force defensively (i.e., batons, non-lethal ammunition) in

order to repel an external physical threat, subject to existing use of force
protocols

Inappropriate detention

Guards detain individual(s) either for no legitimate reason, or for longer/in

conditions other than what is acceptable

Arrest by public
authorities

Guards request the intervention of police to apprehend and/or arrest individual(s)

alleged to have committed criminal acts such as theft, trespass, assault

Inappropriate use of force

Guards use non-lethal force offensively, or outside of acceptable use of force

protocols, or for illegitimate reasons

Lethal force (to protect

life)

Guards use lethal force defensively to protect against an immediate threat to

human life, subject to existing use of force protocols

Torture

Guards detain individual(s) and physically or psychologically harm a detainee

Inappropriate use of lethal

force

Guards use lethal force offensively, or outside of acceptable use of force protocols,
or for illegitimate reasons

4. Estimate Potential Security-Related Impacts on the Company

Assess what likely effects a security incident may have on a companys people, property, or
production, should the incident occur. For example, a road block may be likely to impede access to the
site, which could disrupt operations and/or production. Impacts may arise either from the incident itself
(e.g., loss of property from theft) or from the security response to the incident (e.g., aggressive
opposition to a protest could provoke a violent confrontation and risk causing injury to company
employees or damage to company property).

5. Determine the Severity of Potential Security-Related Impacts on the Company

Gauge the seriousness of the potential impacts on the company identified in Step 4. As with the
Likelihood determination in Step 2, this may be presented through quantitative or qualitative rankings.
In the sample chart following this section, the scale runs from 1 (very little noticeable impact) to 5
(cessation or suspension of operations, and/or injuries to employees).

6. Identify Potential Security-related Impacts on Local Communities and their Severity

Consider how local community members may be impacted by security personnel or arrangements and
the severity of such impacts. While many companies undertake some form of risk assessment related to
14

security, these often focus primarily on risks and impacts to the company. Performance Standard 4 asks
companies to also consider security risks and impacts to local communities as a result of their security
arrangements. 15 This includes impacts from a security response to an incident as well as impacts from
the introduction of (potentially new) security arrangements such as fences, checkpoints, or armed
security guards.
Assess the severity of the potential impacts on local communities identified in Step 6, based on how
grave, widespread, and irremediable the impacts are expected to be. The sample chart following this
section utilizes a scale from 1 (very little noticeable impact) to 5 (severe impacts, such as injuries to
community members).
Impacts from a Security Response
A security response can impact the community member(s) involved in the incident and response, but
in some instances could also impact the wider community. For example, if a private security guard or
the local police are likely to use excessive force or engage in unlawful behavior when interacting with
the local population related to a security issue, this type of potential risk should be flagged and
corresponding mitigation actions developed (see Step 8 below).
While companies do not control the police or military, they should nevertheless assess the risks
associated with public security involvement, since any actions public security undertakes on behalf of a
company or on company property may reflect directly on the company. To the extent possible, and
preferably before any incident happens, companies engaged with public security can express their
expectations about how community members should be treated, such as how a suspect is treated while
in custody or how a community protest is dispersed. (For further discussion please see Chapter IV on
Managing the Relationship with Public Security).
Impacts from the Presence of Security
When a project comes into a largely undeveloped area, its very presence can create security-related
issues or impacts. Security fences or other physical barriers may impede access to water or other
important communal areas or routes. Population influx as a result of the project and associated rises in
crime rates or community tensions can have indirect and direct impacts on security. The introduction of
security personnel into the area may also generate tensions where guards interact with community
members. As part of security is to control key access points, security guards often are the first point of
contact when community members come to the area to request (or demand) access to land,
thoroughfare, or employment. These interactions can be a risk to the guard and/or the community
member if not handled appropriately.
Both physical security measures and security guards can have particularly significant impacts on
women, who are likely to be traversing distances for domestic tasks. They are also disproportionately
affected by the presence of (typically male) security guards, whom they may encounter daily in following
their routine. In some cases, women may be subjected to gender-related harassment or intimidation or
may be the victims of sexual violence. Because companies may not always be aware of the full range of
security concerns felt by local communities, it can be helpful to consult with community representatives,
including women, when assessing risks.
15 Note that community members may include individuals who contribute to a security risk (e.g., protesters, alleged thieves,
etc.), as well as those not involved with the project in any way.

15

This type of information and analysis is important for a comprehensive assessment of security risks. It
can also be included in the Risk-Response Chart, by providing analysis in the relevant community-related
columns.
Dynamic Nature of Security Risks and Responses
In considering Security Risks, it is important to understand that a security response to an incident can
in turn create new risks. For example, if a previous transit route is restricted by a new security fence,
a community member circumventing the fence may be considered to be trespassing by security
guards. If the guards intercept and handle him roughly, he is likely to feel disrespected. He and other
community members who also object to the restricted access may protest, creating a road block to
draw attention to their grievance. Police are usually
called to deal with such a protest, which can increase
the potential for violence for example, a
confrontation that might result in a discharge of
firearms. If this type of escalation is observed by local
civil society or the media, it is likely to lead to reports
that police shot at local community members on the
company site. While it is impossible to consider every
extrapolation from every incident, this type of scenario
reinforces the need to recognize how security
reactions in turn engender other reactions, and
potentially escalation. It is therefore critical that
security forces attempt to de-escalate security
situations as much as possible.

7. Consider Mitigation Measures

Assessments of security risks typically conclude with identification of potential risk mitigation
measures, taking into account the potential security risks, impacts on the company, and impacts on
communities. There are a range of mitigation options companies can employ to decrease the risk itself
(and thereby remove the need for a security response) or to decrease a potential negative outcome
where a security response is necessary.
Decrease the Need for a Security Response

Make illegal behavior more difficult and less appealing

Some security responses can also be mitigation measures. A low-level security response such
as higher fencing or greater visual presence of security can reduce the need for a higher-level
security response.

Understand and mitigate the underlying causes for security risks

Where possible, it can be very helpful to identify and address the motivations for actions. For
example, if community members are trespassing primarily to gain access to a specific area,
companies can consider whether there are ways to provide physical access (e.g., a dedicated
route to a sacred site), or whether it is possible to offer an acceptable alternative (e.g., by
providing a new water source). Many security risks can be addressed with a social solution,
16

which underscores the importance of involving Community Relations staff and consulting with
local communities. Companies should also ensure that community members have access to a
grievance mechanism, as required by Performance Standard 4. 16
Improve the Outcome of a Security Response

Reduce the risk of an inappropriate use of force

Potential outcomes can be improved by creating the conditions for a professional guard force
capable of an appropriate and proportional response, such as better vetting of guards, greater
oversight, strict control of weapons and ammunition, etc. One of the most common and most
effective mitigation measures is to ensure that all security personnel, both private and public,
receive use of force and human rights training. Note that human rights training in this context is
a practical exercise to encourage professional and respectful reactions to de-escalate, rather
than intensify, a security situation.

Reduce the risk of a more severe outcome of use of force

In some cases, the assessment of security risks may reveal that lethal weapons are not
warranted, and should be removed from regular inclusion in the equipment of private security
personnel. This action should be carefully considered, but in many cases, weapons may increase,
rather than decrease, a range of risks to both security personnel and communities.

9. Prioritize Risks based on Likelihood and Severity of Impact

Companies are encouraged to focus on addressing the most significant risks, which are most likely to
occur and which would have the greatest impact if they did occur. Some companies find it useful to
prioritize security risks by ranking the likelihood of each security risk occurring versus the severity of
each impact (the greatest potential negative impact on the company or the community or on both).
Diagram X on page 19 provides an example. The resulting simple grid can be used as an early indication
heat map for potential security risks to help guide and prioritize the most imminent and severe security
risks.

Sample Risk-Response Chart

Theft

Access controls to
prevent theft;
private security
guards may

Impact on
Company
Loss of company
property; potential
danger to
employees if

Impact on
Community
Alleged thieves risk
injury or mistreatment
during apprehension
and/or detention

Severity

Security
Response

Severity

Security
Risk

Likelihood

In this sample chart, hypothetical examples are listed for illustrative purposes, but actual results should
be based on specific company contexts.

Mitigation
Ensure guards have
clear guidelines for
apprehension and
short-term

16 Performance Standard 4 states that companies will provide a grievance mechanism for Affected Communities to express
concerns about the security arrangements and acts of security personnel. IFC: Performance Standard 4, paragraph 12.

17

Protest

Trespass

apprehend
suspected thieves
and turn them over
to authorities
Prevent or control
access to site; public
security may
respond physically if
protest becomes
violent

thieves take
property by force

Disruption to
operations,
particularly staff
access to site and
transportation;
possible injury to
employees

Injuries sustained from

any use of force
(justified or otherwise)
against a protest;
Community
resentment toward
company

Access controls to
prevent access,
including clear
signage; guards may
confront individuals
attempting to walk
through site

Potential safety
hazard and
disruption to
operations

Frustration among
community that preexisting access/transit
routes are no longer
available; Injuries
sustained by
community members
entering hazardous
areas of the site

detention;
encourage police to
treat suspects
appropriately
Ensure guards and
police have clear
protocols on dealing
with protesters,
particularly regarding
use of force;
community relations
staff may be able to
address issues with
community to
prevent need for
protest
Community relations
staff consult with
community on issues
of access; guards
have clear protocols
on how to
appropriately
confront trespassers
and lead them away
from secured areas

Summary of Steps:
1. In listing Security Risks, consider how a threat (either emanating from a company's operating
environment or stemming from a company's relationship with local communities) may manifest
itself into a security incident.
2. For every Security Risk, consider the Likelihood of such an incident occurring, on a scale from 1
(low probability) to 5 (nearly certain).
3. For every Security Risk, consider the likely Security Response, e.g., the steps the company, its
guards, or even public security forces take to prevent an incident occurring, or to deal with a
situation if it does occur.
4. For every Security Risk, consider the Impact on the Company, e.g., what effect a security
incident will have on a companys people, property or production should it occur.
5. For the Severity of Impacts on the Company, consider the seriousness of the impacts emanating
from a specific Security Risk, on a scale from 1 (very little noticeable impact) to 5 (shut down or
suspension of operations, and/or injuries to employees).
6. For the Severity of Impacts on Communities, consider the severity of the impacts on the
community emanating from the security response to potential incidents, on a scale from 1 (very
little noticeable impact) to 5 (injuries to community members).
7. Taking into account the potential Security Risks, Impacts on the Company, and Impacts on
Communities, then consider steps to Mitigate those impacts.
8. Plot the Likelihood scores on the X-axis and the higher of the two scores for Company
Impact and Community Impact on the Y-axis.
18

Diagram X
High
Impact

X
Protest

Impact/Severity

4
X
Theft

3
X
Trespass

2
Low
Impact

1
1
Unlikely

2
Likelihood

5
Near
Certain

10. Update Periodically to Reflect Current Risks

Ideally, risk identification and assessment should be done as early as possible before project
activities commence and should establish the rationale for security arrangements. However, an
assessment of security risk can be a valuable tool at any stage of operations. If an initial assessment of
security risk was not done, it is recommended that companies consider identifying and evaluating risks
in a simple Risk-Response Chart (see above) to confirm that their current security arrangements
represent an appropriate response to the assessed risks.
To be relevant and useful, a security risk assessment should be up to date for the projects operating
environment. It should be based on reliable and regularly updated information. 17 It is good practice for
these to be reviewed annually, or whenever major events or changes occur at the project level (e.g.,
transition from construction to operations) or in the operating context (e.g., a change in government,
escalating social unrest, health epidemic, economic crisis, etc.). Reviewing the assessment can be a
simple process of revisiting assumptions to ensure the analyses and conclusions remain valid. A new
assessment is only necessary when conditions change dramatically enough for the assessment to no
longer accurately reflect current risks.
When Things Change
Management systems are developed to cope with specific challenges and to take advantage of
identified opportunities. When the operating environment changes, companies should reassess risks
and opportunities, and potentially modify their overall corporate management system as well as
their security management system. For example, when the government changes whether by
democratic transition or otherwise the companys engagement strategy (with both government
officials and public security forces) may be impacted.

11. Determine if a full Security Risk Assessment (SRA) is needed

17

IFC: Guidance Note 4, paragraph 25.

19

In low-to-medium risk contexts, the process outlined above often will suffice to ensure that a company
is aware of and prepared to mitigate any likely security risks. In high-risk contexts, the preceding steps
constitute the first stage of a more detailed and formalized risk assessment and management process. A
full Security Risk Assessment (SRA) is recommended if:

(i) security risks to the company are high, and/or the potential impacts on communities from a
security response may be severe, and/or
(ii) the context is particularly complicated, or if public security forces are likely to have a
significant role.

Key Components of a Security Risk Assessment (SRA) for High Risk

Contexts
In complex, high-risk circumstances where it is determined that a full Security Risk Assessment (SRA)
is warranted, the assessment of security risks should be more comprehensive and include a more
detailed analysis of the operating environment and of the actual (or proposed) security arrangements.
Some relevant information may be obtained from other existing documents (e.g., Environmental and
Social Impact Assessment), but the SRA should always maintain a focus on aspects that could manifest in
security issues.
Key components of an SRA include background research, an on-site assessment, consideration of
scenarios, and development or refinement of mitigation measures. Importantly, the assessment
process in high-risk contexts typically considers a wider range of possible responses to security risks
(e.g., through brainstorming scenarios), as it can be more challenging to predict likely outcomes in
complex circumstances.

1. Desktop review

Review of the companys security policies, procedures, and other documents

This due diligence process includes previously referenced documents such as:
o Corporate Security Policy
o Ethics and/or Human Rights Policy
o Use of Force Policy
o If they already exist, the Project Security Risk Assessment and Security Management
Plan
Other relevant documents for a desktop review can include employment contract/policies of
private security provider, any Memoranda of Understanding or similar agreement with public
security (if applicable), any analysis on the background and reputation of individual guards or
units, previous incident reporting, inquiry procedures, and training materials and/or curricula
provided to security personnel (see also Chapter III on Managing Private and Chapter IV on
Managing the Relationship with Public Security). Should a company not possess any of these
documents, or the documents provided are insufficient, then this in itself will highlight gaps that
can subsequently be addressed, often as part of the Security Management Plan.
A desk review also may assess the historical and current security management processes and
their appropriateness to the level of risk present in the external environment.
20

Research and analysis of the country context

Consideration of potential risk in the broader operating environment includes, for example,
research on inherent country risk, general condition of rule of law, local level of criminality,
physical environment (environmental concerns or impacts on water quality or availability,
socioeconomic context (poverty, unemployment), governance (e.g., corruption, land disputes),
conflict situation (e.g., criminality or ethnic, religious, or other tensions), industry-specific
information that could impact the security situation.
In addition to country-specific risk, it is also advisable to review the strength and reputation of
existing public security forces.

Research and analysis of the national and/or local security situation

Analysis of the security situation often considers the availability and professional reputation of
private security, track record and human rights reputation of public security forces (military,
police, etc.), etc.

2. On-site assessment (typically 3-5 days, depending on the size of the project)

Observation of the project site and any existing security forces

This includes simple visual observation of such aspects of a projects guard force as appearance,
professionalism, actions, provision and storage of weapons and ammunition, as well as a review
of their knowledge/training, management and monitoring system, incident reporting system,
and process of recording of allegations or incidents.

Interviews with:
o Company representatives
Regarding the existing security program, relationship with communities and any
community development programs, operation of grievance mechanism, etc.
o Community Representatives
To understand their general concerns about the project, specific concerns about the
projects security arrangements, any specific impacts or concerns related to women or
vulnerable groups (e.g., IPs), familiarity with grievance mechanism, etc.
o Private security provider (as applicable)
To discuss policies and procedures, such as employment policies, policies on appropriate
conduct and use of force, ethics and/or human rights policies;
To review training agenda, roster, and materials; and
To directly observe practices, such as appearance, level of technical and professional
proficiency, etc.
o Local officials (as applicable and feasible)
To assess local public security, general relationship with company and with
communities, potential for requests for equipment or services, etc.

3. Scenarios

Consideration of various security scenarios and responses

In complex circumstances, there may be a range of possible likely security responses to each
identified risk. To build understanding and to be prepared for potential outcomes particularly
severe impacts requiring intensive responses the security team generally invests in an exercise
running through potential and appropriate responses to likely security threats. Such exercises
can simply be office-based brainstorming at the outset, but later can potentially form the basis
for physical drills. These exercises usually consider a variety of scenarios, which are ideally
21

developed in direct consultation with both the companys security management and community
relations functions.
4. Mitigation Measures

The development or refinement of mitigation measures often involves more complex

consideration of possible means of addressing the wider range of potential impacts coming out
of the scenarios, compared to a more straightforward analysis in the majority of lower risk
contexts. The initial recommendations for mitigation form the basis for a more elaborated and
formalized series of measures described in the Security Management Plan (see also Chapter V
on Preparing a Security Management Plan).

5. Engagement of Competent Professionals

In high-risk contexts, Security Risk Assessments and Security Management Plans (SMPs) should meet a
high professional standard. In some companies, it is possible to manage this exercise in-house, provided
a competent security professional is available with sufficient experience, expertise, seniority, and access
to individuals and information within the company. In other cases, companies may find it useful to hire
an external security expert or firm to undertake such assessments. In such cases, it is important to
ensure that the individual(s) tasked with preparing the SRA and SMP have the requisite experience and
skills to identify and analyze the range of risks and responses that could impact the project, the
surrounding communities, and the companys reputation; as well as have the capacity to propose
implementable risk-mitigation strategies that meet the requirements of Performance Standard 4.

22

Security Considerations in Different Phases of a Project

For medium to large-scale projects, the phase of the project whether construction or operations
will affect the security risks and needs. This section explains some of the issues that companies should
consider, based on the current phase and taking into account an upcoming transition to a new phase.
(Note that this section may not be as relevant for smaller projects.)
I. The Construction Phase comprises all activities prior to and during major construction. It is
characterized by intensive planning, preparation, and deployment of workers and construction
materials.
The large number of workers, often brought in from other areas, and major movements of
supplies and equipment, can pose significant risks of theft, extortion, pilferage, and internal
petty crime among the workforce.
This phase can also pose significant risks to local communities in the form of traffic accidents,
conflict between workers and community members, sexual exploitation, strain on natural
resources, and potential for introduction of alcohol and drug abuse, health risks, etc.
The Construction Phase typically will be the most challenging period of the entire project for
security. Security activities during this phase have several objectives, including:
Establishing the security framework (i.e., the system to manage security, including the
resourcing, management structure, and policies that are documented in the Security
Management Plan), including through consultation with key stakeholders, including local
communities.
Protecting the preparatory project activities.
Creating and building the capacity of the guard force.
Coordinating security plans and programs with the national regulatory agency and
government public security agencies.
Where Contracted Guards Have Responsibility for Site Security
The company must still maintain oversight responsibility. Communities typically do not
differentiate between security guards managed by contractors or by the company, and are
likely to hold the company responsible for any incident involving contracted personnel
The contractor should recruit, equip, pay, administer, and coordinate training for the guard
force consistent with the companys policies and programs. Ideally, all contractors will use
the same guard service contractor to prevent uneven standards and confusion with respect to
guard policies. If not, these aspects should be agreed and coordinated upfront.
Security during this phase must be carefully coordinated between the company and the
contractor to prevent gaps, confusion, and loss of accountability. The company will inherit
whatever precedents are set by the third-party contractor, so it is vital that these be
consistent with its own policies.

II. During the Operations Phase, the major construction contractor(s) will completely demobilize

their work force. The project footprint and associated economic and employment impact on the local
area may diminish.
Management of expectations and good communications is key. Information (or
misinformation) about project changes that will impact community members particularly
regarding labor and jobs tends to spread quickly among the local population. Raised
23

expectations for job continuity and benefits that are not fulfilled can lead to local tensions
and protests, which is a risk for security. It is important to understand what promises were
made at various stages and by the different actors involved in the project.
Historically, this transition period has created widespread uncertainty among affected
communities. Groups seeking to extort continued economic opportunities (jobs, service
contracts, etc.) often try to take advantage of the uncertain atmosphere.
The Security Risk Assessment should anticipate the potential for security issues arising, both
random and coordinated labor strikes and slowdowns, harassment and detention of
transportation and project personnel, legal challenges or other disruptions from concerned
groups, and provocations by various factions.
While this period of heightened threat is unavoidable, it typically is of relatively short
duration. The risk can be greatly diminished with proactive communications and a good
community engagement strategy and grievance mechanism.

Before the transition from the Construction Phase to the Operations Phase, the following should be in
place or completed:
A mature security environment with access controls, physical security measures, plans, and
procedures.
A security guard force with a high level of training and experience. Note that the guard force
will also gradually reduce manpower as the site becomes operational.
In the Operations Phase:
Management is likely to scrutinize the security function for cost efficiencies and work force
reductions.
The greatest risk in the Operations Phase is sometimes complacency.

24

Chapter III. Managing Private Security

Engaging some type of private security, whether in-house capacity (direct employees) or contracted
personnel (through a private security provider), is common practice for many private companies
operating in emerging markets. Depending on the context, this may involve guarding a building in the
center of a populated area or patrolling more remote territories, and can range from a single guard or
night watchman to a large force of armed guards reporting up through several layers of vertical
hierarchy. Decisions regarding the type, number, responsibilities, and arming of private security forces
should flow from an assessment of the security risks and appropriate responses.
While private security may vary in form and tasks, the objective of their presence should be about
protection of people and property and the reduction of risk typically through managing access to
property, deterring crime, protecting life, and reporting incidents when they occur.
Performance Standard 4 outlines several specific requirements when a
company retains direct or contracted workers to provide security to
safeguard its personnel and property. 18 Paragraph 12 describes the
A company can outsource
requirements for assessing risks (see chapter on Assessing Security Risks) its security, but it cannot
and for hiring; conduct, including use of force; training; equipping; and
outsource its responsibility.
monitoring. These expectations apply equally to direct and contracted
workers.

Key Considerations when Hiring Private Security

1. Oversight
Outsourcing security to contractors does not outsource a companys responsibility for managing
private security. Oversight and ultimate responsibility for the management of security rests with the
company, whether guards are in-house employees or contracted personnel. In contrast to the
relationship with public security, a companys leverage and oversight over the behavior and quality of its
employees or service provider is expected to be high. As such, conditions governing the selection and
conduct of the security personnel a company engages are correspondingly high.
While a private security provider will have its own management hierarchy, someone within the
company should have formal responsibility for security, which includes managing the private security
provider. This person may be a dedicated Security Manager or an individual with other responsibilities
in addition to security, who can lead the process of identifying, vetting, hiring, and managing the private
security provider. Companies in high-risk areas often have an experienced professional with a security
background on staff. In lower-risk contexts, an existing staff member with other functions can likely
manage security issues as long as they have the requisite training to effectively oversee this
responsibility.

2. Contractual Agreement
A companys relationship with private security should be managed through a formal process. For
security personnel who are company staff, this should be through an employment contract and internal
18

IFC: Performance Standard 4, paragraph 12.

25

company policies and procedures. For external private security providers as with any contractor a
company should make its performance expectations explicit in the form of a detailed contract, and
ensure that the providers own policies and procedures are adequate. It is recommended that the
contract include provisions for the company to review relevant documents and materials (e.g., training
materials see section on Training below) and to audit the security provider periodically. A contract
also allows a company to terminate a providers services if its standards are not met.
Companies should specify that private securitys role is defensive and protective only, with no law
enforcement authority. It is important that a companys contract with a private security provider include
standards of performance for security tasks and expectations of conduct, as the possible use of
protective force is often included in the list of duties. Paragraph 12 of Performance Standard 4 outlines
these standards and expectations for private security, which are described in greater detail below.

3. Vetting and Hiring Procedures

Who provides security is as relevant as how security is provided. Performance Standard 4 asks
companies to make reasonable inquiries to ensure that those providing security are not implicated in
past abuses. 19 This means that when employing or engaging any security personnel, reasonable efforts
should be made to review employment records and other available records, including any criminal
record, of individuals or firms. Companies should not knowingly employ or use any individuals or
companies that have abused or violated human rights in the past. 20 A company is advised to request to
see the security providers hiring procedures, and should periodically review these records to confirm
that guards have been properly vetted.
Companies should hire in accordance with national labor laws. In addition, they may wish to consider
giving priority to qualified local candidates, where appropriate, and to promoting diverse hiring
practices, reflecting gender and ethnic considerations. Some companies have had success in improving
cultural acceptance and reducing tensions by hiring female security guards, particularly in situations
where there are frequent interactions between guards and women from the community.
Expectations regarding conduct and use of force (see section on Code of Conduct below) should be
communicated as terms of employment, and reiterated through regular training (see section on Training
below).

4. Code of Conduct
Companies should require the appropriate conduct of security personnel they employ or engage. 21
This means a company should have a clear Code of Conduct policy for its employees and contractors.
In this or other company policies, security providers should commit to ethical standards, to not engage
in corrupt practices, to maintain the confidentiality of sensitive information, to treat employees in
accordance with the law, and to protect life and health (including that of individuals in custody). 22
Security personnel should have clear instructions on the objectives of their work and permissible
actions, with the level of detail being dependent upon the scope of permitted actions and the number
IFC: Performance Standard 4, paragraph 12.
IFC: Guidance Note 4, paragraph 31.
21 IFC: Guidance Note 4, paragraph 28.
22 In addition to Performance Standard 4 and Guidance Note 4, these principles are also outlined in the UN Code of Conduct for
Law Enforcement Officials. www.ohchr.org/EN/ProfessionalInterest/Pages/LawEnforcementOfficials.aspx
19
20

26

of personnel. 23 These instructions should be based on good international practice and applicable law.
Companies are responsible for ensuring security personnel they employ or engage are aware of the
companys internal code of conduct.

5. Use of Force Principles

Private security guards should be operating under a policy on the use of force, either from the company
(for directly employed security personnel) or from the private security provider (for contracted security
personnel). 24
Depending on the size and risk profile of the project, the policy on the use of force may vary in form. For
example, at small, low-risk sites, this may simply be outlined in a guards employment contract and/or
scope of work; at larger, high-risk sites, use of force may need to be enumerated as a stand-alone set of
protocols and/or included within the Security Management Plan. Regardless of how these ideas are
recorded, the key is that they are outlined by management and understood by guards. Guards should be
clear on how to respond and appropriately use available tools (e.g., weapons or other measures) in
addressing a threat.
Consistent with international guidelines on the use of force in particular, the UN Basic Principles on the
Use of Force and Firearms by Law Enforcement Officials 25 the policy on the use of force should specify
that force will not be sanctioned except when used for preventive and defensive purposes in
proportion to the nature and extent of the threat. 26 Force should be used only as a matter of last
resort and in a manner that respects human rights. 27 Non-violent means should be used before resorting
to force and firearms. When security personnel must use physical force to protect human life, they
should seek to minimize injury and to provide medical assistance as soon as possible when needed. Use
of force should be included in the security training program (see section on Training below) and any use
of physical force should be reported to and considered by the company (see Chapter VI on Assessing
Allegations or Incidents Related to Security Personnel). 28
When the provision and/or possession of firearms is necessary, any weapons issued, including
firearms and ammunition, should be licensed according to national laws, recorded, stored securely,
marked, and disposed of appropriately. 29 In addition to procedures for storage and disposal, the security
provider should have procedures for issuing weapons and safeguarding them while in a guards
possession. Companies are advised to review these procedures and periodically request records for
weapons issuance. Any security personnel authorized to carry a firearm should be appropriately trained
(see section on Training below).
In some contexts, guards (or other employees) may be permitted to carry personal firearms to the
workplace. In such circumstances, there should be a policy that dictates whether those firearms may be
carried on the work site, or whether they must be securely stored during work hours. Where personnel

IFC: Guidance Note 4, paragraph 28.

Where companies contract security personnel, they are responsible for ensuring that the private security provider has a policy
on the Use of Force. Many companies outline this in their Security Management Plan (see chapter on Managing Security Risks).
25 www.ohchr.org/EN/ProfessionalInterest/Pages/UseOfForceAndFirearms.aspx
26 IFC: Performance Standard 4, paragraph 12.
27 IFC: Guidance Note 4, paragraph 29.
28 IFC: Guidance Note 4, paragraph 29.
29 IFC: Guidance Note 4, paragraph 29.
23
24

27

are permitted to carry their own personal weapons on the project site, the same rules on licensing,
recording, and storage still apply.

6. Training
Companies should use only security professionals who are, and continue to be, adequately trained. 30
Performance Standard 4 calls for companies to train [those providing security] in the use of force (and
where applicable, firearms), and appropriate conduct toward workers and Affected Communities. 31
Training on use of force and appropriate conduct typically focuses on reinforcing respectful behavior,
often illustrated through examples. Use of force training includes less lethal weapons, as well as training
for any firearms in cases where guards are armed.
Instructions on security guards objectives and permissible actions, based on applicable law and
professional standards, should be communicated as terms of employment and reinforced through
periodic professional training. 32 For example, national law may include provisions for licensing or
certification related to private security providers and/or firearms. 33 International standards include the
UN Basic Principles on Use of Force and Firearms by Law Enforcement Officers and UN Code of Conduct
for Law Enforcement Officials practices consistent with these are considered to be examples of good
international practice in Performance Standard 4. 34
Depending on the level of need, security training can range from a review of policies and procedures to
in-depth sessions practicing appropriate responses to various security threats. Comprehensive programs
typically include several different types of training. Many companies have found scenario-based,
performance-oriented (learning-by-doing) training to be the most effective method for security guards
to internalize proper response techniques. This typically includes information on where, in which
circumstances, and under what conditions it is lawful and in accordance with company policy to use
force of any kind, and what is the maximum level of force authorized. Instructions should emphasize
that security personnel are permitted to use force only as a matter of last resort and only for
preventive and defensive purposes in proportion to the nature and extent of the threat, and in a manner
that respects human rights. 35
Training programs can be provided by the company, the security provider, and/or qualified third parties.
When designed and delivered by contractors, companies should periodically review the training
materials, and the person responsible for security can also attend a training session. Upon request, the
security provider should be able to provide logs to demonstrate what training has been provided and to
whom, along with a copy of the training agenda and materials.

7. Equipping
All security guards need to have or be provided with the appropriate equipment to undertake their
responsibilities. This equipment typically includes a proper uniform with appropriate identification,

IFC: Guidance Note 4, paragraph 31.

IFC: Performance Standard 4, paragraph 12.
32 IFC: Guidance Note 4, paragraph 28.
33 Even if not required by law, companies are advised to consider internal requirements (e.g., a pass/fail standard certification)
before security guards are issued a weapon.
34 IFC: Performance Standard 4, paragraph 12, footnote 3.
35 IFC: Guidance Note 4, paragraph 29.
30
31

28

radio or other communications device, and any other equipment determined to be necessary by the
security risk assessment and required by the security management plan.
Where security guards are armed, companies are counseled to request evidence of legal permits for
staff to carry firearms.

8. Decision to Arm
The decision whether or not to arm security guards is a consequential one and usually should be
based on an assessed threat that supports the necessity of arming guards to protect lives. While
equipping guards with firearms in some contexts is well justified, in others, companies may have armed
guards because everyone has armed guards or its just the way things are done here. Current good
practice encourages the default position to be against having armed private security unless risk analysis
shows this to be necessary and appropriate. Depending on the type of weapon and the level of training,
arming private security can sometimes increase risk rather than decrease it. In some countries,
legislation may prohibit the use of armed private security (e.g., prohibited in Nigeria, Ghana, Democratic
Republic of the Congo, Timor-Leste; and heavily restricted in China, Turkey).
If a company elects to use armed private security, good practice encourages that it be:

In defined and very particular roles;

With the appropriate weapon for the risk;
With the requisite training on use of firearms and clear rules for the use of force, and
Equipped with non-lethal methods of protection to utilize first.
Making the Counter-Intuitive Decision to Disarm Guards

In many countries and contexts, firearms are perceived less as a method for mitigating risks and
more as a standard-issue piece of equipment. However, arming guards does not always increase
safety the decision should be made based on proportionality to the assessed risks.
In one recent example from Central America, a company had issued firearms to their guards. Under
national law, guards were limited to carrying shotguns. The company was confronted by a severe
threat of violence from organized crime and militant groups who were armed with more powerful
automatic firearms. While it could have been seen as reasonable for guards to possess firearms to
meet the threat of potential attackers, a careful assessment demonstrated that the guards
possession of firearms actually increased the risk to the guards, the company, and the community.
Beyond the safety risk from accidental discharge, the armed guards were at risk because they were
targeted by attackers who sought to neutralize the threat they posed. Having armed guards also
presented an intimidating barrier between the company and the local community, and made it
easier for the operations detractors to link the guards (and the companys operation) to any gunrelated incident in the area. Presented with the balance of risks, the company elected to disarm its
guards. In the years following that decision, the company witnessed a significant reduction in gunrelated incidents, and over time the guards and their families actually reported feeling safer.

9. Incident Reporting and Inquiry

Performance Standard 4 requires companies to consider and, where appropriate, investigate all
29

allegations of unlawful or abusive acts of security personnel, take action (or urge appropriate parties
to take action) to prevent recurrence, and report unlawful and abusive acts to public authorities. 36
This begins with having policies and procedures to accept and assess security incidents, credible
security-related allegations, and use of force incidents of any kind.
It is good practice for companies to be able to: (i) accept security-related reports or complaints; (ii)
gather and document relevant information; (iii) assess the available information; (iv) protect the identity
of victim(s) and those reporting the allegation or incident, and (v) report unlawful acts to state
authorities. See Chapter V on Preparing a Security Management Plan and Chapter VI on Assessing
Allegations or Incidents Related to Security Personnel for further elaboration.

10. Monitoring
It is good practice for companies, as part of their oversight responsibilities, to monitor site
performance of their security contractors on an ongoing basis to ensure professional and appropriate
conduct. This may include reviewing policies and materials, undertaking periodic audits, potentially
assisting with or supporting training, and considering any allegations of unlawful or abusive acts by
security personnel (see Chapter VI on Assessing Allegations or Incidents Related to Security Personnel).
Speaking to employees and local community members who come into regular contact with security staff
can also provide valuable insights. Ensuring that both employees and community members know that
the existing grievance mechanism can be used to report any security-related allegations or incidents is
an important component of on-going monitoring (see next section on Community Engagement and
Grievance Mechanism for Security-related Related Issues).
Companies are advised to consider including sanctions in contracts with security providers to maintain
leverage in cases where contractors do not meet performance expectations. This may include
withholding payment for services, or, in case of multiple failures or credible evidence of unlawful or
abusive behavior, termination of the contract.

Community Engagement and Grievance Mechanism for Security-Related Issues

Community engagement is a key component of an effective security strategy. Proactive engagement
and positive relationships with communities and workers provide the best opportunity to ensure
security. Performance Standard 1 outlines the core aspects of stakeholder engagement, which is the
basis for building strong, constructive, and responsive relationships that are essential for the successful
management of a project's environmental and social impacts. 37
As part of their overall approach to stakeholder engagement, companies should communicate their
security arrangements to workers and communities, subject to overriding safety and security needs,
and involve them in discussions about the security arrangements that may impact them, through the
community engagement process described in Performance Standard 1. 38
Related Roles of Security and Community Relations
IFC: Performance Standard 4, paragraph 14.
IFC: Performance Standard 1, paragraph 25.
38 IFC: Guidance Note 4, paragraph 26.
36
37

30

Many companies have improved their security situation and their relationships with local
communities through greater collaboration and coordination between their Community Relations
and Security staff. The demeanor and conduct of security staff vis--vis the local population usually
reflects directly on the company and has the potential to impact company-community relationships,
either positively or negatively. Community relations officers can pass on community grievances or
security concerns, alert security staff to sources of contention between local communities and the
company that could pose security risks, and help to communicate important information on security
aspects to the local population. Community members, in turn, are often in a position to identify
potential risks and local concerns the Security department may have not considered, and can help
improve security by providing local information and early warnings.
The grievance mechanism required under Performance Standard 1 provides an important avenue for
workers, affected communities, and other stakeholders to address concerns about security activities
or personnel within the clients control or influence. 39 Concerns may come from a wide range of
sources (e.g., communicated directly to Community Relations staff, through a hot line telephone
number, via tip boxes outside the project site, etc.), but companies should ensure that security-related
complaints are channeled to the person or department responsible for security.
Both Performance Standard 1 and Performance Standard 4 cross-reference one another regarding the
establishment of a grievance mechanism, and should be read together. It is good practice for the
grievance mechanism to facilitate prompt resolution of concerns, and to use a consultative process that
is understandable, easily accessible, culturally appropriate, available at no cost, and free of retribution. 40
Companies should emphasize to staff, including security staff, that intimidation of or retaliation against
those lodging complaints will not be tolerated.

39
40

IFC: Guidance Note 4, paragraph 32.

IFC: Guidance Note 1, paragraph 11.

31

Chapter IV. Managing the Relationship with Public Security

Interaction with public security forces is often the most challenging aspect of security for companies.
This issue arises when government security personnel are deployed to provide security services related
to a private sector project. In such cases, even though the responsibility to maintain law and order lies
with government, and the company is not directly responsible for the actions of public security
personnel, it may nevertheless be associated with these actions including excessive use of force or
unlawful behavior in the eyes of local communities and other stakeholders. In some countries, this
perceived link between a company and the actions of public security forces can pose a significant
reputational risk and can increase tensions with the local population. As such, companies whose
operations are being protected by police or military personnel have an interest in encouraging those
forces to behave consistently with the requirements and principles set out for private security
personnel in Performance Standard 4. 41
However, it is not always easy for companies to know whether and how to engage with public
security, as it can be challenging to determine when and with whom to raise what are often sensitive
issues. Public security forces report to their sovereign government and their level of receptivity to
requests from a private company will vary from one context to another.
Performance Standard 4 recognizes that companies have far less leverage over public security forces,
compared to private security. However, it does outline expectations for companies where government
security personnel are deployed to provide security services. These focus on aspects within the
companys control (such as risk assessment and documentation) and on the companys relationship
with public security (encouraging appropriate behavior and public disclosure of security
arrangements).

Assessing Public Security Risks

Performance Standard 4 requires companies to assess and document risks arising from the projects
use of government security personnel deployed to provide security services. 42 This constitutes an
important part of understanding the projects operating environment and the full spectrum of potential
security-related risks, and, in most cases, is a task within a companys control. Companies can assess
public security risks by focusing on four key areas of inquiry and can document the results.

1. Identify the type of public security forces involved

First, companies should be aware of what type of public security forces will respond to different kinds
of incidents. There are many different types and roles of public security forces for example, the army
will respond quite differently than the police in most areas.
Military
At the national level, the military (generally army, navy, and/or coast guard) or gendarmerie are
responsible for protection this is especially true for projects identified as national assets by the
government. The role of the military is to protect the nation and national interests, typically with a
41
42

IFC: Guidance Note 4, paragraph 33.

IFC: Performance Standard 4, paragraph 13.

32

defensive approach. In some countries there are also specialized units within the military tasked with
protection of certain sectors or assets. Though less common, in some contexts there are also legal or
illegal armed militia or other groups that may play a role protective and/or problematic relative to
business.
Police
At the local level, police are the most common security personnel. Police have a general law
enforcement role, typically with a crime-reduction focus, and in many cases with the authority to
conduct criminal investigations. In some localities, there is an additional layer linking police with
community through community policing, in which police have an interactive relationship with
community members.

2. Understand the number and role of public security personnel to be deployed

Where public security forces are deployed to protect personnel, property, and assets, companies
should understand the number and nature of this deployment. This can range from a few individuals to
a large contingent, and from temporary protection to a permanent deployment. In some circumstances,
public security forces provide a secondary source of temporary security, primarily responding to
incidents either when private security is not able to manage a situation (e.g., a labor unrest escalates
into violence) or to take over where private security functions end (e.g., to arrest or detain suspects). In
other cases, public security forces are permanently deployed, in tasks such as guarding gates and
maintaining perimeter security; providing security for transportation convoys; protecting public
infrastructure assets like airstrips; and protecting and escorting dangerous and hazardous goods, such as
explosives. Sometimes these roles are performed solely by, or jointly with private security, but in other
cases there may be a legal, political, or even security need for these roles to be performed by public
security forces.

3. Assess the type of public security response likely to be used

In addition to knowing the number and type of public security forces providing protection, companies
should make an effort to understand the type of response public security forces are likely to use. For
instance, companies can attempt to ascertain whether public security forces are well trained and are
likely to respond professionally and proportionately to the threat, or whether there is a risk of
unprofessional conduct or excessive force. If possible, this analysis can be informed by discussions with,
or observations of, public security forces (see section on What to Discuss below). In other cases,
companies can get a sense of past practices and reputation from discussions with other companies
operating in the area and other stakeholders such as local authorities, community representatives, or
employees.

4. Research the background and track record of public security forces

To the extent possible, companies are advised to research the operational background of the
government security forces operating on or near the site, particularly related to any history of
previous abuses. While clearly sensitive and often difficult, this can be done in a very low-profile
manner, and through a variety of discreet sources. These vary by country, but include wire services or
newspapers reporting incidents; human rights organizations tracking allegations (which often maintain
files or publish reports); US, Canadian, or any EU embassy (which are required by their governments to
track and report on security and human rights); Military Attachs (who may be familiar with the
capabilities, strengths, and weaknesses of specific units and officers); local communities (who likely
33

know a units reputation and potential problem areas); and direct observation of comportment and
performance (for units already operating at a site). It is always good practice to cross-reference
information by checking with multiple sources.

5. Document Assessment of Risks

Companies should document their assessment of risks from public security forces. This can be as
simple as keeping a written record of the analysis of the public security forces undertaken as outlined
above, and including any relevant reports, photographs, and discussions.

Communications and Engagement with Public Security

Companies are advised to communicate their principles of conduct to public security forces, and to
express their desire that security be provided in a manner consistent with those standards, and by
personnel with adequate and effective training. 43 The degree and formality of this type of
communication will vary according to the companys evaluation of security risks and the nature (and
appropriateness) of the security arrangements involving local public security personnel. In all situations,
companies should keep a record of their communication and/or attempts at communication with
government security forces.
Low-Risk Contexts
If the number, type, and nature of the deployment appears appropriate and proportional to the
assessed risks, the company may wish, at a minimum, to simply maintain contact and communication
through check-ins with public security forces. This is particularly true in low-risk situations, where just
making introductions and initiating conversations with public security can help a company be
confident that police will respond quickly and professionally if an incident occurs, or that suspects
(including community members) caught trespassing or stealing will be treated fairly in police
custody. In this type of circumstance, periodic engagement or liaison activity from the company to
public security forces may be sufficient.
High-Risk Contexts
In high-risk contexts, having a more formalized and established relationship can be central to
ensuring that any potentially tense and dynamic situations do not escalate to become even more
volatile due to police or military involvement. The situation can be exacerbated if the risk of
excessive force by public security forces seems high. In such circumstances, the company is advised to
seek to influence arrangements, to the extent possible (see sections below for further guidance). Where
feasible, it may also be helpful to explore the possibility of having more in-depth engagements, such as
joint contingency planning and coordination mechanisms, with respective roles and responsibilities
potentially formalized in a Memorandum of Understanding (MOU).

Who Should Engage

From the company:
From the company side, having someone with a security background lead the engagement with
public security forces generally offers the best chance of success. Police and military often respect
one another regardless of background or cultural differences. (This is usually less of a concern in
43

IFC: Guidance Note 4, paragraph 33.

34

low-risk contexts, where the person responsible for security in the company regardless of title or
background often can manage the engagement with local police).
Choosing the right representative can be especially important in high-risk situations where a company
feels that frank conversations with public security forces may be sensitive or cause offense. Someone
with a security background or expertise, knowledge of the country, and a network of contacts may be
best positioned to understand the public security and/or government hierarchy, identify the most
effective partner, and develop the most effective outreach strategy.
From public security:
Companies should try to identify the most appropriate counterpart within the public security forces
ideally someone with sufficient rank and authority as well as willingness to engage constructively with
the company. Finding an individual champion within the national or local security forces greatly
enhances the chances of productive engagement. In some cases, an individual who participated in a
military exchange program can be a great counterpart.
In most cases, the local security force commander is the most appropriate contact, though it is
recommended that companies reach out to others in the hierarchy as well. Engaging, to the extent
possible, with public security personnel at higher headquarters level, as well as at local or more
subordinate levels, can help avoid gaps in communication and resolve problems that require efforts
at multiple levels of the government hierarchy.
Where both the police and the military may be involved in security provision to the project,
companies are encouraged to seek to establish relationships with both.

When to Engage
Early engagement with public security forces before incidents arise is key. It is always advisable
to build capital in a relationship before stressing it with problems. Police or military commanders often
complain that they are only informed or asked to get involved after there is a problem.
Initial meetings are best used to identify appropriate counterparts, develop rapport, and facilitate
access. Once a relationship is established, the full range of issues, both positive and negative, can be
regularly discussed in a cordial and diplomatic manner. This includes both the companys needs and the
security forces logistical needs. These meetings are also an opportunity for ongoing assessment of
security risk and threat analysis.

How to Engage
Set the Right Tone
A constructive and respectful tone taken at the outset can establish a positive trajectory for the entire
relationship. Because public security forces are accountable to their sovereign government, private
companies may have little to no leverage over the actions of those forces. Typically, deployment
decisions are at the discretion of the government, and the chain of command runs through the public
security forces, not through the company. Even if the company assesses the government to be
relatively weak or the public security forces to be lacking, it is advisable to take into consideration
their full context. Depending on the background and interests of public security command,
discussions about how to support government security forces in their own goals of professionalization
can sometimes be a constructive way to open a conversation.
35

Make Requests, Not Demands

Initial meetings are best framed as discussions, rather than requests, with the company representative
acknowledging recognition of how the companys presence in the area may be impacting security and
resources. Many companies are surprised that public security officials often appreciate a companys
outreach, particularly if the project is increasing the need for security in an area. It can be helpful for
companies to ask questions of their public security counterparts, to fully understand how the project
increases the workload of public security forces in the area, what issues and concerns they may
perceive, and what type of relationship they have with the local community.
Using Active Engagement with Government Authorities to Manage Security Risks and Avoid
Escalation
In one Eastern European country, protestors were blocking construction roads to the project and local
and national police were threatening to intervene and arrest people. The company clearly
communicated its wish to the authorities (starting locally, but willing to escalate to higher levels to
ensure sufficient attention was being paid) that any intervention be undertaken with a minimum of
force. They emphasized that the company's and shareholders reputations were on the line,
underscoring that this was not a simple domestic matter. They requested that use of weapons be
avoided at all costs, unless the police were under attack, which was deemed unlikely.
The company prepared to remove their personnel and company vehicles from the situation on the
ground when public security forces arrived. This mitigated the risk of association with government
personnel. They also sought a neutral third party (a local NGO) to witness the process. While the
company sought to disassociate themselves to the extent possible from the actions of government
security forces, they did not entirely disengage. Based on their established relationship with public
security forces, they were able to influence the situation to avoid escalation and achieve peaceful
resolution.

What to Discuss
Depending on the relationship developed with public security, potential topics for discussion include any
concerns or issues arising from the risk assessment, as well as many of the same issues covered in the
companys contractual engagement with its private security forces, such as deployment, vetting, use of
force, and training. The possibility of a Memorandum of Understanding (MOU) is another potential
item for discussion.

1. Engagement Itself
A companys first topic of discussion with public security forces is often simply the relationship
between the company and public security forces. Early engagements should focus on personal
introductions and the basics of the potential relationship and collaboration. Conversations often explore
the willingness to engage, identify appropriate individuals on both sides, and establish a regular
pattern of meetings. If the situation allows it, companies may wait to develop an ongoing
engagement before incorporating discussions of individual and mutual security concerns. In building
rapport, companies can gain an understanding of the public security approach, as well as the best way
to broach various potentially sensitive subjects.
36

2. Deployment of Public Security Forces

One straightforward topic for initial discussions is the government deployment of forces, including the
type and number of guards, and the adequacy of this deployment for the situation, in terms of
competency, appropriateness, and proportionality. In addition to the basic facts regarding
deployment details, this can include any workplace health and safety issues, and any expectations
about reimbursement for or provision of facilities, equipment, or services for guards (see below for
more detail on equipment transfers). It is also advisable to discuss procedures for the interaction
between private and public security forces, including for a hand-over, if necessary.

3. Community Relations and Impacts

Conversations between companies and public security forces should include consideration of
potential security impacts on local communities. Topics could include existing or planned
community engagement efforts by the company or by government, or any joint efforts and any
known community concerns regarding the deployment, along with any available process for
receiving grievances from community members.
Performance Standard 4 also requires a company to encourage the relevant public authorities to
disclose the security arrangements for the clients facilities to the public, subject to overriding security
concerns. 44 Transparency is a central component to community relations, and companies are advised
to support any efforts to provide relevant information to local communities.

Companies have a responsibility to demonstrate their respect for human rights through proper
hiring, training, and supervision of private security forces, and should encourage public security
forces to also act accordingly when responding to situations related to the project
Small Acts of Disrespect Can Escalate into Serious Security Situations
While issues related to security forces may bring to mind a high-profile, contentious interaction at a
pressure point (e.g., protests at the front gate or access road), in many cases these arise after
repeated, lower level behaviors eventually incite escalation. In one example from a country in Africa,
a military force frequently escorted a commercial convoy through narrow rural roads also used by
local community members riding bicycles and motorbikes. Frustrated at being stuck behind slowmoving local traffic, officers often threw water bottles at the community members in an effort to
have them move out of the way. Not only was this disrespectful, but in an effort to speed up the
convoy by a minute or two, those actions clearly upset community members, and resentment
eventually led hostility toward the security forces and the commercial project.

4. Use of Force
As part of the conversation around the public security response and any interaction with private
security, if applicable companies can ask about what forces will be deployed and how they will
respond to an incident. This can be a good entry point for discussing the use of force and for
communicating the companys desire that force be used only for preventive and proportional responses
44

IFC: Performance Standard 4, paragraph 13.

37

and in a manner that respects human rights. Here it can be helpful to share applicable company policies
(on ethical conduct, human rights, use of force, etc.) and to ask about public security forces policies
and practices.
Often these conversations also touch on broader references, such as contextual risks and local,
national, and international law. They typically benefit from considering specific examples, such as
protests, which usually are a source of great concern for both companies and public security.
Discussion of possible likely scenarios and responses offer an opportunity to collaborate and
prepare. Public security forces may be surprised that a company would rather allow a protest to
take place peacefully and for protesters to disperse voluntarily companies should be clear about
their preferences, and are advised to express their concern for the safety of all, including security
personnel and protesters.

5. Security Personnel
Companies should attempt to understand the background and reputation of public security forces as
part of their assessment of security risks (as described above), and monitor the situation so that they
can respond if any issues arise with certain individuals or units. While companies do not control public
officer or unit assignments, they often have more influence than they might expect. Discussions about
concerns regarding individuals or units can be quite sensitive, so companies are advised to assess their
relationship with public security forces to determine the most effective way to proceed.
If there has been sufficient time to build a relationship of mutual trust, companies can often be frank,
but diplomatic, in discussing actual or potential problems with subordinate units or leaders. In general,
higher level leaders are better positioned to understand the scrutiny and pressure that inappropriate or
unlawful actions can bring, and to understand and appreciate the financial contribution the company
makes at a national level.
Companies are recommended to document any such engagements and efforts to mitigate risk even if
unsuccessful. Where company influence is limited, it can still be possible to attempt to address potential
problems by filling gaps through training or equipment, or to avoid asking support from units that have a
record of abuse.

6. Training
Training is central to capacity building, but it also potentially offers an opportunity for engagement
and support, particularly where public security forces aspire to meet international standards but lack
capacity and resources.
Where public security forces provide their own training, companies should attempt to establish that
they have adequate professional, technical, tactical, and equipment training, ideally including reference
to use of force, human rights, and appropriate conduct. This can be done through reviewing the training
agenda, attendance roster, and materials, and, where possible, by attending the training itself.
Where public security forces do not provide their own training, companies are advised to consider ways
in which they may support this objective. Depending upon the context and the receptivity of public
security, this may include training public security forces directly, inviting public security forces to join
training exercises designed for the companys private security, or offering to support training done by a
third party (e.g., International Red Cross or an NGO). Where feasible, joint training can be particularly
38

effective at building relationships and ensuring that transitions from private to public security forces are
well coordinated, professional, and practiced. In some cases, companies have found it useful to invite
public security forces to observe their own training sessions, without undertaking a formal joint
training program.
Many companies find scenario-based exercises to be the most successful form of training.

7. Equipment transfers
Government may request or require) private companies to provide logistical, monetary, and/or
equipment support to assist police and military units as necessary. This action carries risks for the
company in the event that such equipment is misused in an unlawful or abusive manner or implicates
the company in actions undertaken by public security forces. However, companies may feel that they
are given little choice but to agree to such requests. Companies should try to implement restrictions,
controls, and monitoring, as necessary and possible under the circumstances, to prevent
misappropriation or use of the equipment in a manner that is not consistent with the principles and
requirements set out in Performance Standard 4. 45 At the same time, a request for support can offer an
opening for conversation and engagement, and companies are strongly encouraged to ask for a written
agreement (see Memorandum of Understanding below), wherever possible. Consultations with
community members regarding any potential support provided to the security forces are also advisable,
as they may have concerns that are not otherwise considered.
Consider in-kind compensation
If companies are required or requested to compensate public security forces or to provide them with
equipment and if the option of declining the request is not available or desirable they may wish to
provide in-kind contributions, such as food, uniforms, or vehicles, rather than cash or lethal weapons.
Nevertheless, even when providing in-kind contributions, companies should still be aware that even
otherwise benign equipment (such as a vehicle or shipping container) can be misused by security
forces if not monitored effectively.
Clarify Expectations & Specify Intended Use
Companies should seek to clarify upfront with government their expectations about reimbursement
for, or provision of, specific equipment, and specify and document the intended use of equipment
provided. If this is not possible, the company should determine the risks associated with providing such
support to public security forces, and balance the positive benefits against the possible consequences.
For example, if police assigned to the project are expected to face possibly violent confrontations but
have only firearms, it may be in the company's best interest for public security forces to have crowd
control options short of lethal force. Equipment transfers carry risks, but may be preferable to leaving
public security forces unable to perform their job in a safe and lawful manner.
Include Conditionalities in a Transfer Agreement
If companies provide equipment or support, it is recommended they insist that the equipment will only
be used only in a lawful manner, for the purposes agreed, and will not be transferred elsewhere without
the company's agreement. Companies are advised to document these conditions and include them as
part of the transfer agreement. It is also suggested that companies list anything provided to
governments, including to public security forces, in a Record of Transfer Register, and push for this to be

45

IFC: Guidance Note 4, paragraph 33.

39

inventoried regularly to maintain accountability and serviceability. The Register identifies exactly what
the company provided, when, and for what purpose.
Risks Related to Equipment Transfers
Providing financial support or physical equipment (transportation, provisions, etc.) to police or
military may increase a companys exposure if it is seen as being in control of public security, even
while public security remains under government control. Even seemingly innocuous equipment can
be misused. In one case, public security forces requested the transfer of empty shipping containers,
for the purported use of storing their own equipment, but instead used the containers to detain
prisoners. In a second case, night vision goggles were requested to assist with perimeter patrols, but
were used to launch night-time raids against opposition forces. In a third case, public security forces
requested the use of a company vehicle when their own vehicles were unserviceable. Seeing the
military riding in identifiable company vehicles not only associated them closely with the company in
the communitys eyes, but when they later engaged in abuses, they did so with the company logo
prominently displayed on their vehicle. While companies cannot prevent every possible abuse or
incorrect association, they should consider their actual or perceived association with the actions of
public security forces, and make efforts to control the use of any equipment that they provide.

8. Recording and Reporting Allegations of Abuse by Public Security Forces

Companies receiving allegations of unlawful or abusive acts by public security personnel are advised to
record and report these to the pertinent authorities. Where appropriate, companies should consider
encouraging government authorities to investigate and take action to prevent any recurrence.
Companies are encouraged to actively monitor the status of investigations and press for their
proper resolution. 46
Companies are advised to endeavor to understand in advance of any allegation or incident public
security forces procedure for reporting physical use of force and any allegation of abuse, excessive
force, or unlawful behavior, as well as any process for investigation by state authorities that is likely
to follow any such report.
Reducing Risks Related to Public Security Forces
Even though companies are not directly responsible for the actions of public security forces, they may
be linked to their behavior in the eyes of community members or other stakeholders. This can be
particularly true where private security hands off to public security, or where the perception is that
public security is acting at the request or on behalf of the company. It is advisable for companies to
take into consideration their potential association with inappropriate actions, and to take measures
to mitigate these risks, to the extent possible. As an example, one security manager concerned about
the well-being of individuals transferred to public law enforcement because of crimes committed at
the project site established an internal company protocol when transferring suspects from the
companys private security guards to the local police. In an attempt to reduce risks of physical harm to
these individuals, the company handed suspects over to the police with a documented medical
examination and photographs of their physical condition at the time of transfer. He ensured that
authorities were informed about this protocol in advance of instituting it, and he voluntarily followed
up with police regarding the health of incarcerated individuals following their transfer from company
46

IFC: Guidance Note 4, paragraph 32.

40

custody. This extended beyond Performance Standard 4 compliance, but successfully reduced risks to
the individuals as well as risks to the company, stemming from actions associated with their
operations in a particularly challenging country.

Document Engagement Efforts

Companies should document their attempts to engage with public security forces, whether or not
these are successful. Companies able to establish a relationship with ongoing engagement should
record both the process and any outcomes. It is good practice to keep a log of all relevant meetings and
note the major topics discussed. This record does not need to be cleared or counter-signed by public
security or any other parties to the discussion, as it is only for internal information purposes, and to
provide documentation for lenders or other external stakeholders of appropriate engagement in case an
incident occurs.
Companies unable to engage successfully with public security should also document their efforts and
should incorporate into their assessment of security risks the fact that the company does not have a
collaborative relationship with public security forces.

Consider a Memorandum of Understanding (MOU)

A Memorandum of Understanding (MOU) is a formal, written agreement between the company and the
government and/or its public security forces, which establishes and documents agreed-upon key
expectations and decision-making processes and procedures. It allows the company, government, and
public security forces to delineate their respective roles, duties, and obligations regarding security
provision.
While an MOU can be a valuable record clarifying respective commitments, it is the process of
engagement and discussion of critical issues between the company and the government that is most
important. Depending on the government, context, and even national law, in some cases a signed MOU
is not always achievable (or even legally possible). Companies are encouraged to focus on the
communication and collaboration with public security forces as the primary objective, and on a formal
(or even informal) agreement as the secondary goal.
There are many different ways to construct an MOU, and no one-size-fits-all approach. MOUs typically
are not public documents, so the Voluntary Principles Initiative has adopted some sample language to
offer one publically available example for companies see Model Clauses for Agreements between
Government Security Forces and Companies with Respect to Security and Human Rights for reference. 47
An MOU typically also includes any financial or resourcing issues (e.g., housing, food, stipends,
transportation, etc.). Where possible, it is recommended that companies include a provision allowing
them to request the removal of individuals from their area of operations. (Note that this is different

Voluntary Principles on Security and Human Rights: Model Clauses for Agreements between Government Security Forces and
Companies with Respect to Security and Human Rights. http://www.voluntaryprinciples.org/wpcontent/uploads/2016/06/VPI_-_Model_Clauses_for_Security_Agreements.pdf

47

41

from asking to have individuals removed from public security forces altogether, which exceeds a
companys remit.)
Most MOUs include references to company policies, national and international law, relevant UN
protocols (specifically the UN Basic Principles on Use of Force), and any applicable international
standards (such as the Voluntary Principles on Security and Human Rights). When necessary, it may be
important to clarify the applicable standard. For example, in some countries, national law allows for
public security to use lethal force in protection of property, which is not in accordance with international
law.

42

Chapter V: Preparing a Security Management Plan

A Security Management Plan (SMP) is an important industry standard tool that describes what the
companys security function should do, how it will be undertaken, what resources (in broad terms)
will be required, and how security will be managed and delivered. The Security Management Plan is
the companys overarching guidance document for all other procedures and protocols related to
security. It also provides continuity when there is a change of personnel in the security management
structure. The Security Management Plan responds to identified risks and provides direction,
organization, integration, and continuity to the companys security and asset-protection program. In line
with the Objectives of Performance Standard 4, it should be driven by the principle that effective
security and regard for human rights are compatible. 48
Companies should consider the identification and management of security risks to be part of the
overall Environmental and Social Management System (ESMS) described in Performance Standard 1.
The ESMS is the foundation for a companys approach to identify and mitigate environmental and social
risks and impacts. It should be appropriate to the nature and scale of the project and commensurate
with the level of its environmental and social risks and impacts. 49 Any company that employs direct or
contracted security personnel should consider not only the risks and impacts of its security program, but
also how it plans to manage these.
The level of effort in assessing and managing security risks should be commensurate with the level of
security risk associated with the project and its operating context. For clients with small operations in
stable settings it may not always be necessary for their approach to be captured in a formal, standalone
document, but companies should be able to demonstrate their decision-making processes and
provisions regarding their management of security risks. For larger operations in less secure
environments, the proposed program to mitigate potential security risks and impacts should be detailed
in a more extensive, formally documented plan.
Security Management Plans should also consider community risks and impacts posed by a companys
security arrangements and include provisions and mitigation measures to address these. Historically,
Security Management Plans have focused primarily on mitigating the security risks to companies and
company assets, and less on risks to local communities, as required by Performance Standard 4. In this
regard, companies have found it useful to coordinate these aspects between their security and
community liaison teams and include security issues in their community engagement and grievance
processes.

Key Components
A Security Management Plan should be developed in consultation with management, should clearly link
to the Security Risk Assessment, and should include all relevant policies and procedures to guide the
companys security provision over the life of the project. This document should include high-level
overviews, policies, and content on approaches and aspects related to security management, with
One of the two Objectives of Performance Standard 4 is To ensure that the safeguarding of personnel and property is carried
out in accordance with relevant human rights principles and in a manner that avoids or minimizes risks to the Affected
Communities. IFC: Performance Standard 4, Objectives.
49 IFC: Performance Standard 1, paragraph 5.
48

43

detailed procedures or design information following in an Annex. (For greater detail on topics commonly
included in comprehensive security management plans, see Annex B on Guidance for Drafting a Security
Management Plan.)

1. Objectives, Mission, and Approach of Company Security

Objectives Security Management Plan is designed to protect against and mitigate security risks
at the project that could threaten communities, employees, facilities, and operations. It
provides direction, organization, integration, and continuity to the security program.
Mission Company securitys mission is to ensure that all staff, contractors, and visitors are able
to work at the project in a safe and secure environment, that all facilities are kept safe and
secure, and that all project operations are unhindered. Security and respect for the human
rights of employees and communities are fully compatible.
Approach Company security recognizes the links between social issues and security, and
consequently fosters interrelationships between project Operations, Government, Community
Relations, and Security staff. Companys approach also reinforces the importance of community
stakeholders and the projects grievance mechanism.

2. Company Policies and Standards relevant to Security

References to company policies and documents

Cites company policies or documents which guide security management, such as: Project
Security Risk Assessment, Corporate Security Policy, Ethics and/or Human Rights Policy, Use of
Force Policy, etc.
Other relevant laws and standards
Cites other relevant laws or standards related to security that the company will follow, such as:
national laws, applicable international laws, IFC Performance Standards, Voluntary Principles on
Security and Human Rights, UN Code of Conduct for Law Enforcement Officials, Basic Principles
on the Use of Force and Firearms by Law Enforcement Officials, etc.

3. Overview of Security Situation

Summary of key findings from the Security Risk Assessment

Briefly reviews key security risks to the project (both internal and external) and to communities.
Note this can also include a summary of proposed mitigation measures, however the Security
Management Plan itself should represent an elaborated program to address the identified
security risks to the company and communities. Links to Security Risk Assessment.
Security arrangements
Provides an overview of the nature and role of private and public security arrangements, as
applicable. (Note that additional details on supervision and control, comportment and
management, procedures, and training, are covered throughout the rest of the Security
Management Plan.)
o Private Security
Describes the private security provider. Clarifies that their role is defensive and
protective only, and that they have no law enforcement authority.
o Public Security
Describes local public security forces that would be called on to assist the project.
Clarifies that public security has primary responsibility for responding to and
investigating all criminal activity, controlling demonstrations or civil disorder, etc.

4. Physical Security
44

Overview of project security approach and systems

Describes security barriers, surveillance/electronic security systems, and security control center
(the means for reporting and controlling responses). Detailed design information (e.g., CCTV
camera positioning) belongs in an Annex.

5. Security Operating Procedures

Key security operating procedures

Describes key procedures, and how these fit together. Common procedures include, if
applicable: Boundary security (e.g., perimeter and access control), Access point operations (e.g.,
screening of people and vehicles), Incident response (e.g., who will respond, and how), Security
patrols, Travel security, Materials storage and control, Information and communications, and
Firearms security (e.g., firearms policy and procedures for issuing and storing any security
firearms, ammunition, and less lethal weapons).

6. Security Supervision and Control

Management structure and responsibility

Describes lines of control, accountability, and supervision.
Responsibility for conducting security risk assessments
Identifies who is responsible, who participates, and what is covered.
Cross-functional coordination
Describes interdepartmental coordination and any planning/coordination activities with other
relevant functions, such as Community Relations, Human Resources, and Government Relations.

7. Private Security Force Management

Security guard force role

Underscores private securitys role is preventative and defensive, with no law enforcement
authority. The use of force by private security is only sanctioned when it is for preventive and
defensive purposes in proportion to the nature and extent of the threat.
Provision and composition
Confirms whether guards are in-house or provided by a third party, and specifies hiring policies.
Where private security is contracted, the project assumes responsibility for security oversight.
As applicable, additional sections describe private security provider selection, contract
provisions, and active oversight of contractor performance.
Background screening
Describes vetting procedures.
Equipment
Describes equipment to be provided to guards, including radios, less lethal weapons, and any
firearms and ammunition. Includes a justification, based on the security risk assessment, if
guards are armed with lethal weapons.
Use of force
Confirms the use of force by private security is only sanctioned when it is for preventive and
defensive purposes in proportion to the nature and extent of the threat, and reiterates the need
for proper training on using force effectively, proportionally, and with respect for human rights.
Training
Describes training program related to: Basic guarding skills, Guard post orders and procedures,
Proper conduct and ethics/human rights, rules of engagement, use of force, weapons training
(as applicable), and Health, Safety, and Environment (HSE) training. Also outlines audit
procedures.
45

(See Chapter III on Managing Private Security for further details.)

8. Managing Relations with Public Security

Public Security Force Role

Reiterates the public security forces have responsibility for responding to and investigating
criminal activity, controlling demonstrations or civil disorder, and responding to incidents
involving criminal violations or potentially violent confrontations or demonstrations.
Engagement
Describes company efforts to maintain constructive relations with public security, and includes
any Memorandum of Understanding (MOU), if applicable.

(See Chapter IV on Managing the Relationship with Public Security for further details.)

9. Incident Reporting and Inquiry

Describes the grievance mechanism, reporting requirements and structure, and inquiry
protocols with respect to security incidents; use of force incidents; and allegations of abuse,
misconduct, or other wrongdoing by security personnel.
Outlines the responsibilities and timelines for conducting inquiries on allegations and incidents.

(See Chapter VI on Assessing Allegations or Incidents Related to Security Personnel for more
information about serious allegations and incidents involving security personnel.)

10. Community Engagement and Grievance Mechanism

Describes company efforts to engage with community members on matters related to security
(ideally in coordination with the Community Relations team).
Describes risk mitigation efforts related to potential security impacts on communities (e.g.,
regulations for guard off-site behavior, arrangements with public security, shared information
on security arrangements, as appropriate), grievance mechanism to receive and respond to
community complaints or concerns related to security personnel or issues.

(See Section on Community Engagement and Grievance Mechanism for Security-Related Issues in
Chapter III on Managing Private Security for further details.)

46

Chapter VI: Assessing Allegations or Incidents Related to Security

Personnel
Performance Standard 4 states that companies will consider and, where appropriate, investigate all
allegations of unlawful or abusive acts of security personnel, take action (or urge appropriate parties
to take action) to prevent recurrence, and report unlawful and abusive acts to public authorities.50
The scope and level of effort should be commensurate with the severity and credibility of the allegation
or incident.
It is good practice and part of sound risk management for companies to have clear policies and
procedures for receiving, assessing, and documenting security-related allegations or incidents. This
pertains to events occurring at the project site, as well as off-site, if linked to the project, or involving
public security forces providing security for the project. While companies should normally have internal
protocols for dealing with the anticipated range of security-related incidents such as traffic accidents,
theft or protests, and use of force incidents of any kind, especially use of firearms, this chapter focuses
more narrowly on procedures for handling allegations of misconduct or unlawful behavior involving
security personnel, in line with Paragraph 14 of Performance Standard 4.

I.

Policies and Procedures

Companies are encouraged to have systems in place to be able to receive and respond to allegations or
incidents this includes a grievance mechanism and relevant reporting and inquiry protocols.

Establish a Grievance Mechanism to Receive Security-Related Concerns or Complaints

Whether the company receives complaints about security personnel through its general projectlevel grievance mechanism for affected communities (required by Performance Standard 1) or
creates a separate grievance channel for this purpose, it is important to have a structured and
accessible process for receiving and responding to security-related grievances, and to make
community members, workers, and other stakeholders aware of it. Users of the grievance
mechanism should be able to bring forward complaints without fear of intimidation or reprisal.

Clarify Reporting Requirements and Structure

Good procedures normally specify which type of security-related allegations and incidents should be
reported, to whom, and in what timeframe. Procedures should clearly identify the person(s)
responsible for accepting and processing allegations or incidents, and the escalation hierarchy to
management. For example, security supervisors typically immediately report all security allegations
or incidents to the Security Coordinator, who in turn reports serious allegations or incidents to
senior management within a specified timeframe.

50

IFC: Performance Standard 4, paragraph 14.

47

II.

Develop Inquiry Protocols

In addition to a routine process for recording all incidents (see Chapters III & V) more serious
incidents or allegations related security personnel may require a more in-depth inquiry to determine
whether policies and procedures were followed and if any corrective, disciplinary, or preventive
actions are warranted. Key components are elaborated below.

Key Steps in the Process

Companies should record and investigate security allegations and incidents with the objective of
determining whether company policies and procedures were complied with and if any corrective or
preventive actions are required for continuing security operations. Note that this requires companies
to have in place appropriate security policies and procedures if this is not the case, they should
institute these as soon as possible, and then follow good practice in considering any current allegations
or incidents. 51 Any incidents of a criminal nature should be reported to the appropriate government
authorities for investigation by the state.
All companies are encouraged to incorporate the good practices below in approaching this sensitive
topic, with the level of depth and breadth reflecting the severity and credibility of the allegation or
incident. This process is typically internal and company-led, and spans activities from recording and
assessing complaints, to initiating a more in-depth inquiry where appropriate, to documenting the
process and monitoring outcomes.
1. Record the Incident or Allegation
All incidents and allegations should be recorded, whether they come from an incident report, the
grievance mechanism, or any other formal or informal means of communication. While the initial
information can come from a variety of sources, the department responsible for security typically
maintains a registration or log of allegations and incidents. Serious allegations and incidents should
be reported to senior management within a specified timeframe. Criminal wrong doing should be
reported to the relevant authorities.
2. Collect Information Promptly
Information should be collected as early as possible following an incident or receipt of an
allegation. This may include noting details related to the circumstance, individuals involved,
location, timing, etc., and taking statements and/or photographs where relevant. Experience has
shown that as more time elapses, it becomes increasingly difficult to establish the sequence of
events, collect evidence, or locate relevant persons needed for an effective inquiry into the facts
surrounding an incident.
3. Protect Confidentiality
Companies are advised to consider confidentiality measures to protect victims, witnesses, and/or
complainants. For example, individuals can be identified by numbers instead of names, and their
role or relationship included only with their consent. Victims, witnesses, complainants, and other

51 Security personnel can be held accountable (by government authorities) to the law, and (by company management) to company
policy in place at the time of the event in question.

48

interviewees should be informed about if and how their identities will be protected, and whether
their names will be recorded and/or used.
4.

Assess the Allegation or Incident and Conduct further Inquiry if Warranted

After receiving and recording an allegation or incident report, companies typically assess the
seriousness and credibility of the claim to determine if and how security policies or procedures were
potentially violated by security personnel and whether further investigation is needed. Routine security
incidents, and minor instances of misconduct (e.g., a guard falling asleep on the job) are generally
handled by following the protocols outlined in Chapter V on Preparing a Security Management Plan.
A more in-depth inquiry process, however, should be conducted in cases of serious allegations or
incidents, such as instances of unlawful or abusive acts by security personnel, and / or where severe
impacts result from a security incident, such as injury, sexual violence, use of lethal force, or fatalities.
Criminal behavior should be referred to the relevant authorities (see Report Unlawful Acts below).
For serious incidents, senior management generally determines next steps and what level of inquiry or
action is needed. Generally, such inquiries are internal although companies may choose to bring in an
external party to conduct the inquiry in the case of more significant or challenging situations. Either way,
companies should demonstrate a good-faith effort to actively seek, consider and catalog all relevant
available information and inputs, as well as document unsuccessful efforts to obtain information or to
interview specific individuals.
In the case of parallel processes which may overlap with a government investigation, companies or
third-parties conducting an inquiry on their behalf should coordinate with the relevant authorities to
ensure that they cooperate, rather than interfere, with any criminal investigation.
5. Document the Process
The inquiry process should be documented, including sources of information, evidence, analysis
conclusions and recommendations. Where it is not possible to reach a conclusion (e.g., due to limited
or contradictory information or evidence), this should be stated clearly, along with any efforts to fill gaps
and make assessments. It is good practice for information related to security allegations or incidents to
be classified and handled as confidential. The tone and language of any report should be objective,
impartial, and fact-based.
6. Report Any Unlawful Act
Criminal wrongdoing or unlawful acts of any security personnel should be reported to the appropriate
government authorities. 52 Companies are advised to cooperate with criminal investigations, and to
ensure that internal processes do not interfere with formal government-led proceedings. Companies
should also follow up on reported unlawful acts (see Monitor and Communicate Outcomes below).
7. Take Corrective Action to Avoid Recurrence
Action should be taken to ensure that negative impacts are not repeated. This may entail
corrective and/or disciplinary action to prevent or avoid recurrence if the incident was not handled
according to instructions. 53 Where appropriate, companies may also consider remedial actions for
52
53

IFC: Guidance Note 4, paragraph 32.

IFC: Guidance Note 4, paragraph 32.

49

impacted parties. In general, companies are encouraged to identify lessons learned from the
incident and take the opportunity to revise internal company policies and practices as needed. They
may also wish to review and amend contractual policies and procedures, and particularly to update
clauses related to the conduct of private security forces where relevant. In many cases, additional
training can support the incorporation of lessons learned.
8. Monitor and Communicate Outcomes
Because companies control their own internal processes, they can help to ensure that consideration of
any allegation or incident is professional and progresses in a timely manner. Additional oversight may be
needed with respect to third-party inquiries, such as those undertaken by private security providers.
It is good practice to communicate outcomes to relevant parties, keeping in mind confidentiality
provisions and the need to protect victims. To the extent possible and applicable, it can be constructive
to also share relevant lessons learned and any efforts to incorporate these into company policy and/or
practice. Follow through on any specific commitments made by the company or private security
provider following an incident and communication of such is key for good stakeholder relations.
With respect to active criminal investigations led by government authorities, companies are advised to
actively monitor the status until assured of proper completion, and to press for proper resolution. 54

54

IFC: Guidance Note 4, paragraph 32.

50

ANNEXES
Annex A. Template Invitation to Bid (ITB) and Request for Proposals
(RFP) for Security Risk Assessment and Security Management Plan
This RFP is designed for a company seeking to hire an external consultant. The parts in blue italics should
be completed by the company. As with any template, the content should be reviewed and adapted for
the specific situation.
1

Introduction

[Project] in [location] is seeking a consultant to conduct a security risk assessment and a security
management plan that will increase the projects capacity to mitigate and manage risk for the project
[and the neighboring communities]. This work should be undertaken in conformance with the securityrelated aspects of IFC Performance Standard 4 [and the Voluntary Principles on Security and Human
Rights and/or guidance provided by the Voluntary Principles on Security and Human Rights
Implementation Guidance Tool].
1.1

Project Background

[basic info about project, not necessarily security-related]

2

Objectives of the Security Risk Assessment and Security Management Plan

Identify inherent security risks to the project.

Identify potential risks to local communities created by the project.
Provide recommendations for managing risks associated with security management that will be
in conformance with IFC Performance Standard 4, paragraphs 12-14.
In consultation with management, develop procedures and document these in a security
management plan that is based on corporate policy and takes into account the risks to the
company (people, property, assets, and reputation) and risks to communities identified in the
security risk assessment.

Overview of Security Risk Assessment

The security risk assessment should ensure the company has accounted for all foreseeable threats to
both the project and communities, stemming from the projects presence and activities, so that it can
develop effective mitigation measures. It is expected to include document review, a site visit, and
interviews with key internal and external security stakeholders, along with a final report with
recommendations.
It should include a security due-diligence review of the project and provide a detailed due-diligence
report describing the level of conformance with local laws, applicable security requirements, the
Voluntary Principles on Security and Human Rights, and security-related aspects of IFCs Performance
Standard 4.

51

The security risk assessment should include information regarding relations with public security and the
ability of the company to contract appropriate private security and any risks and recommendations
regarding either of these issues.
The security risk assessment should include a catalog of all known risks and evaluate their likelihood to
occur, document the likely response(s), and their potential impacts. For the report, the consultant will
articulate risks in either risk statements or risk scenarios. Mitigation measures to reduce these risks
should be identified.
Proposals should outline the consultants methodological approach and ability to gather and analyze the
information described above. The consultant should include the types of documents they would request
as well as an illustrative list of the types of stakeholders the consultant would want to meet to
undertake the security risk assessment.
4 Overview of the Security Management Plan
The consultant will develop a security management plan that is based on integrating the principles of
socially responsible security into management systems. The following components must be included,
but the structure can be determined in conjunction with management:

Purpose of Security Management

Policies and Standards
Situation Overview
Physical Security
Procedures
Security Supervision and Control
Guard Force Management
Security Contractor Management
Managing Relations with Public Security
Incident Reporting and Inquiry
Community Engagement

Proposals should demonstrate the consultants knowledge of and experience with the topics and
general principles that would guide the consultant in developing the security management plan.
5 Project Deliverables
The project deliverables include:

At the conclusion of the site visit, a close-out review meeting with management [and lenders] to
discuss findings and recommendations.
A security risk assessment report that conforms to Performance Standard 4 and the Voluntary
Principles on Security and Human Rights.
A security management plan, written in conjunction with company management.

Consultant Background

The consultant can be an individual or a firm. The consultant is expected to have at least ten years of
experience in security management. The following background is preferable:
52

[Language skills]
Knowledge and experience in [region/country]
Experience in the management of security at projects in [industry sector]
Familiarity with IFCs Performance Standards, in particular Performance Standard 4, and the
Voluntary Principles on Security and Human Rights

Timeframe

The consultant should outline a schedule that will demonstrate how this project can be completed in 6-8
weeks.
8

Proposed Budget

The proposed budget should include labor and all projected expenses.

53

Annex B. Guidance for Drafting a Security Management Plan

There are many ways to structure a security management plan. The topics below are commonly
included in comprehensive security management plans. These can be used by companies developing
their own security plans in-house, or by companies evaluating the security plans delivered by external
consultants.
Text in black is sample text to use or modify. Text in blue italics is guidance to be considered and then
replaced or removed.

A. Objectives, Mission, and Approach

Objectives of Security Management Plan

o The plan is designed to guide the companys actions in protecting against and mitigating
risks of a security (as well as a human rights) nature at the project that could threaten
communities, employees, facilities, and ability to operate, as well as the reputation of
the company and its global operations.
o The plan provides direction, organization, integration, and continuity to the security and
asset-protection program. It is written with the understanding that effective security
and regard for human rights are compatible.
o The systems outlined in the plan will be maintained throughout the lifetime of the
project.
o The plan will be reviewed on an annual basis.

Mission of Company Security

o The mission of company security is to ensure that all staff, contractors, and visitors
working at the project site and in the project area are able to do so in a safe and secure
environment. It also ensures that all facilities are kept safe and secure, and that all
project operations are unhindered. It provides effective security-operational support to
all project activities.
o Project security will approach its mission with the understanding that good security and
respect for the human rights of employees and communities are fully compatible.
o If applicable, describe the relationship between and relative responsibilities of project
security and other third-party contractors and affiliated companies, such as Engineering,
Procurement, and Construction (EPC) contractors.

Approach of Project Security

o Discuss the projects overall integrated approach for security. For example:
o Many security risks flow out of both inherent local social issues, such as ethnic tensions,
and unrecognized issues between the project and local communities. As such, project
Operations, Government, and Community Relations staff are all involved in the security
process.
o Key stakeholders from local communities are also included in assessing security risks
and in considering how to mitigate and manage those risks. Security arrangements are
transparent, to the extent possible and appropriate, and are included in disclosure and
consultation with the local communities.
o The projects grievance mechanism is an important tool for reducing potential security
risks.

54

B. Policies and Standards

1. References to company policies and documents

The following company policies and documents guide security management:
o Project Security Risk Assessment
o Corporate Security Policy
o Ethics [and/or Human Rights] Policy
o Use of Force Policy
2. Other relevant laws and standards
The company adheres to the following guidelines, standards, and laws:
o National laws
o Applicable international laws
o IFC Performance Standards
o Voluntary Principles on Security and Human Rights
o UN Code of Conduct for Law Enforcement Officials
o Basic Principles on the Use of Force and Firearms by Law Enforcement Officials

C. Overview of Security Situation

1. Project Setting
Provide a general description of the national and project area security environment. This would
include description of:
o Crime levels and type;
o Endemic political, social, or labor unrest;
o Terrorism or insurgency; and
o General attitude towards the project and associated issues.
2. Security Risks
(Attach security risk matrix and security risk assessment as Annexes.)
This section should be based on the project security risk assessment and should discuss:
Internal Risks
o These are caused by the illegal, unethical, or inappropriate behavior of project
personnel, or those directly affiliated with it.
o Most common risks would be employee theft, workplace violence, and labor unrest, with
associated strikes or sabotage.
External Risks
o These are caused by the actions of individuals outside the project who seek to take
advantage of opportunities presented by the development and operation of the project.
o These may include common criminal activity; disruption of the project for economic,
political, or social objectives; and other deliberate actions that have a negative impact
on the effective, efficient, and safe operation of the project. In extreme cases, these
could include terrorism, armed insurgency, coups, or war.
3. Security Arrangements
Private Security
o Describe who provides basic site project protection, such as the project private security
force (in-house or contracted).
Public Security
55

Describe briefly the local public security forces that would be called on to assist the
project. This would briefly outline: location, capabilities, mission, and relation to the
project.

D. Physical Security

Provide overall description of project security approach and systems. More detailed design
information (such as exact CCTV camera positioning) belongs in an Annex. Ideally this section
includes a description of the projects:
o Security Barriers such as fences, gates, locks, hardening of facilities, and means of
access control.
o Surveillance / Electronic Security Systems including CCTV, Intrusion Detection
Systems, and surveillance guard posts and patrols.
o Security Control Center describing the means for bringing together reporting and
controlling response.

E. Security Operating Procedures

Provide a brief description of key security operating procedures. Detailed standards and
procedures that provide a transparent and accurate process for managing security functions
(such as checklists) should be contained in an Annex. Key procedures should include a brief
description of the following (as appropriate) and how they fit together:
o Boundary Security how security will maintain control of the projects perimeter and
channel people to access control points.
o Access Point Operations the types of checks and screening for both people and
vehicles at gates or other access points. Include entry and exit searches and purpose, and
who is subject to it. Outline key ground rules, such as:
o Searches will only to be conducted by security personnel who have received
instruction and information regarding the procedure and the legal aspects of
search and seizure;
o Body searches will only be conducted by security personnel of the same gender.
o Incident Response how security will respond to an incident and who is responsible for
responding. Responses should be based on proper and proportional use of force.
Describe the role of public security, including when they are called and by whom.
o Security Patrols what patrols check and how often.
o Travel Security (if applicable) any special procedure for off-site travel security,.
o Materials Storage and Control (if applicable) any controls over the transport,
inventory, and maintenance of any commercial explosives or chemicals (e.g., cyanide)
necessary for the project. Note that these are stored in accordance with appropriate
national laws and regulations.
o Information and Communications procedures for categorizing, handling, and
controlling sensitive information.
o Firearms Security project policy regarding firearms on site, as well as the
responsibilities and procedures for issuing and storing any security firearms,
ammunition, and less lethal weapons. This should include:
o Location for storage,
o How weapons are secured during storage,
o Records for issuance,
o Who they may be issued to,
56

o Safeguarding while in possession of the guard, and

o Audits.
Include in an Annex detailed standards and procedure for weapons issuance, storage,
and audit.

F. Security Supervision and Control

1. Management structure and responsibility

Explain the overall lines of control, accountability, and supervision for the security effort.
Define who supervises daily performance of the security guard force and who has authority.
Describe who has overall responsibility for security information sharing and communications.
2. Responsibility for conducting security risk assessments
Discuss the responsibilities for conducting risk assessments, who participates in them (e.g.,
senior management, community relations team, key stakeholders from communities, etc.), and
what the assessments cover.
3. Cross-functional coordination
Describe interdepartmental coordination. Community Relations, Human Resources, and
Government Relations are important partners in project security.
Outline any planning/coordination activities between security and other departments, which
may range from participation in security risk assessments to weekly meetings.

G. Private Security Force Management

1. Security Guard Force Role

Private securitys role is to provide preventative and defensive services, protecting company
employees, facilities, equipment, and operations wherever they are located.
They have no law enforcement authority and will not encroach on the duties, responsibilities,
and prerogatives reserved for public security forces.
2. Provision and Composition of the Security Guard Force
Describe whether the guard force are direct employees or from a third-party security provider.
In developing its guard force, the project (or its third-party provider) will:
o Hire in accordance with national labor laws,
o Give preference in hiring qualified local candidates where possible, and
o Promote diverse hiring practices, including gender and indigenous inclusiveness.
Security Contractor Management (if applicable)
o The project assumes responsibility for the oversight of security.
o Describe how the project will actively set the standards for and oversee private security
contractor selection and performance.
o Selection In selecting a security provider, the project will perform proper due diligence
that will include screening for institutional reputation, training standards, procedures
for screening employees, and any history of allegations of human rights abuses or other
criminal behavior.
o Contract Provisions Include any provisions (e.g., for uniforms and equipment).
o Active Oversight of Contractor Performance To insure proper performance, the
project will undertake audits, assist with training, inquire into any credible allegations of
abuse or wrongdoing, and monitor site performance on an ongoing basis.
57

3. Security Guard Background Screening

o The project will perform and/or require its security provider to perform valid background
checks on potential employees to screen for any allegations of past abuses, inappropriate
use of force, or other criminal activity and wrongdoing.
o No guard or employee who has credible negative information on these checks will serve on
the project.
o These checks will be documented and maintained in individual personnel records, which are
subject to review by the project.
4. Security Guard Force Equipment
Describe equipment to be provided to guards, including radios, less lethal weapons, and any
firearms and ammunition. Guards should only be armed if it is justified by the security risk
assessment and is the only viable and effective mitigation measure for a clear threat.
5. Security Guard Use of Force
The use of force by private security is only sanctioned when it is for preventive and defensive
purposes in proportion to the nature and extent of the threat.
When it is necessary to arm the guard force, the project will ensure that those who are armed
are provided with high levels of technical and professional proficiency and clear rules for the use
of force. This means being properly trained on using force effectively, proportionally, and with
respect for human rights.
6. Security Guard Force Training
The project commits to maintain the highest standards of guard force technical and professional
proficiency through a comprehensive training program. Outline the training responsibilities of
the either the security provider or the company, as applicable. The project will review any thirdparty security providers training program and, where necessary, augment the trainng through
the use of qualified third parties or direct instruction.
The project will ensure that security personnel receive site procedural or knowledge training in:
o Basic guarding skills,
o Guard post orders and procedures,
o Proper conduct and ethics/human rights,
o Rules of engagement,
o Rules for the use of force,
o Adequate weapons training (as applicable), and
o Health, Safety, and Environment (HSE) mandatory training.
Outline how training completion records will be kept. Training will be open to inspection/audit.

H. Managing Relations with Public Security

1.

Public Security Force Role

Public security forces have responsibility for responding to and investigating all criminal activity.
They also have the primary responsibility for controlling demonstrations or civil disorder. For
incidents involving criminal violations or potentially violent confrontations or demonstrations,
they are requested to respond to protect company personnel and property

2.

Engagement with Public Security Forces

58

Describe how the project will maintain constructive relations with public security (typically the
police, and under certain circumstances, the military) operating in the project area or responsible
for assisting project security. The depth of this section will vary with the security arrangements
involving local public security forces.
o If it is only normal law enforcement activities, such as investigating reported crimes or
responding to an incident, ongoing engagement or liaison activity may be sufficient.
o If public security forces are actually assigned to the project to provide some aspects of
security, then this should describe provision of any equipment or other support, the role
of the public security force, joint contingency planning, and coordination mechanisms.
o It should also discuss the establishment of any Memorandum of Understanding
necessary to make the arrangements transparent.

I. Incident Reporting and Inquiry

Outline the grievance mechanism, reporting requirements and structure, and inquiry protocols
with respect to security incidents; Use of force incidents; and Allegations of abuse, misconduct,
or other wrongdoing by security personnel.
Discuss the responsibilities and timelines for conducting inquiries on allegations and incidents,
including:
o The company makes a commitment to expeditious inquiry into any allegations of abuse
or wrongdoing.
o Private security contractor may conduct its own inquiry of an incident or allegation, but
the project can conduct an independent inquiry on any credible serious abuse allegation
or use of force incident.
o The inquiry findings will include a recommendation of any appropriate disciplinary
action and policy or procedure changes that may be needed.
o More detailed standards and procedures are included in the Annex.

J. Community Engagement

Describe how the company will engage with communities on matters relating to security. This
may be done in coordination with the community relations department, depending on the
project.
The project acknowledges that it may have an impact on communities and strives to mitigate
risks. It will do this by providing:
o Regulations for guard off-site behavior,
o Protocol for arrangements with public security,
o Shared information on security arrangements (as appropriate), and
o Grievance mechanism for community members to report issues.

59

Annex C. Template Contract with a Private Security Provider

This template is designed for a company seeking to hire an external private security provider. The parts
in blue italics should be completed by the company, based on the particular context. As with any
template, the content should be reviewed and adapted for the specific situation.
Company Name hereinafter referred to as company enters into this contract with Private Security
Contractor Name hereinafter referred to as contractor for the provision of services effective as of
Date.

A. Conduct

Contractor must adhere to the companys policies for ethical standards and human rights.
Contractor must maintain confidentiality of sensitive information.
Contractor must not employ torture, cruelty, or inhumane treatment.
Contractor must ensure health of those in custody and provide medical assistance when
needed.
Contractor must not engage in corrupt practices.
Contractor must treat its employees in accordance with national law.

B. Use of Force
Restraint and caution must be exercised in a manner consistent with international guidelines on
the use of force; in particular, the Basic Principles on Use of Force and Firearms by Law
Enforcement Officers and including the following key elements:

Use of force should be evaluated and use of weapons carefully controlled.

Non-violent means should be used before resorting to force and firearms.
When force must be used to protect human life, it should be proportionate to the threat
and should seek to minimize injury.
Medical assistance should be provided as soon as safely possible.

C. Policy

Contractor is required to have or produce key internal policies that commit the organization
to proper standards, to ensure their employees understand and adhere to the standards,
and to enforce them. This includes:
o Having written policies on conduct and use of force.
o Having a policy to perform pre-employment screening for all supervisors, guards,
consultants, security specialists, and other staff that identifies any history of abuse or
wrongdoing. At a minimum, these checks should include police records and criminal
litigation checks, as well as checks with former employers.
o Having a policy on reporting and inquiry into allegations of unlawful or abusive behavior
and all use-of-force incidents, followed by appropriate disciplinary action.
[Note while the contractor should be required to conduct an inquiry when their
people are involved, ultimate responsibility remains with the company.]

D. Training
60

1. Weapons training (This includes firearms, if issued, and any less lethal weapons systems, if used)
Each security guard must be certified as qualified for use of any weapon, by pass/fail standard,
before being issued a weapon.
Qualification should recur every six months.
2. Use of force training, to include:
Force continuum or proper use of force training.
Materials based on a framework such as the widely accepted force-continuum model.
Use of force technique training and practice through structured, scenario-based, performanceoriented (learning-by-doing) training.
Where, in what circumstances, and under what conditions it is lawful and in accordance with
company policy to use force of any kind.
The maximum level of force authorized.
Emphasis that any use of force must be used as a last resort and proportionate and appropriate
to the threat.
Emphasis that lethal force can only be used if there is an imminent threat to life or great bodily
harm.
3. Appropriate conduct
Training should emphasize avoidance of unlawful or abusive behavior. This training should clearly
define abusive behavior in relation to proper behavior and point out sanctions; it should also inform
them of national laws and international standards on human rights that the company and they as a
contractor must observe. Two important documents include:

UN Basic Principles on Use of Force and Firearms by Law Enforcement Officers.

UN Code of Conduct for Law Enforcement Officials.

4. Equipment
Contractor must ensure that all employees have or are provided with the appropriate equipment to
undertake their responsibilities. This equipment includes a proper uniform with appropriate
identification, radio or other communications device, and any other equipment as determined by the
security risk assessment or management plan as being required.
5. Auditing
The company reserves the right to conduct periodic audits of the security provider to:
Ensure contractors background check process.
Audit and review contractor employee background checks.
Review of the providers personnel records for all of the guards and security staff they provide.
The company further reserves the right to conduct both scheduled and unannounced reviews and audits
of the training program and observation of training events. This may include:
Review the providers training program to confirm the training is scheduled and being
conducted.
Review lesson plans to make sure they meet the proper standard.
61

Confirm the qualifications of the instructor.

Ensure there is a pass/fail performance test to verify the student mastered the material.
Review the certification process to guarantee that all the security personnel assigned to the
company attended the training and have passed a minimum standard.

6. Sanctions
The company will apply sanctions, including but not limited to withholding payment of services,
if the contractor does not meet performance expectations outlined in this contract.
The company will terminate the contract where there are multiple failures to meet expectations
or there is evidence of unlawful or abusive behavior by the contractors employees.
SIGNATURES OF BOTH PARTIES
DATE

62

Annex D. Sample Incident Report Summary Template

Incident Report Summary

Reference #:

Month:

Year:

Incident type:
Date and time of incident:
Location of incident:
Description of the incident (include situation leading up to the incident):

Individuals involved (include contact details):

Assessed consequences (include a description of injuries or damage sustained, if applicable):

Management actions:

Prepared By:

Approved By:

Date:

Date:

Distribution:

63