Professional Documents
Culture Documents
DRAFT
July 2016
Assessing and
Managing Securityrelated Risks and
Impacts
Guidance for the Private Sector
in Emerging Markets
DRAFT
July 2016
Table of Contents
Acknowledgements
IFC Performance Standard 4 - Security
ANNEX
A. Template Invitation to Bid (ITB) and Request for Proposals (RFP) for Security Risk Assessment
and Security Management Plan
B. Guidance for Drafting a Security Management Plan
C. Template Contract with a Private Security Provider
D. Sample Incident Report Summary Template
Acknowledgements
[TBC]
Including practice consistent with the United Nations (UN) Code of Conduct for Law Enforcement Officials, and
UN Basic Principles on the Use of Force and Firearms by Law Enforcement Officials.
Paragraphs 12-14 outline IFCs requirements with respect to the assessment and management of
security risks, related to both private and public security forces. Many projects are protected by private
security guards, while in some contexts public security forces (i.e., military forces, police, or
gendarmerie) may be tasked by the state to provide some or all of those security functions. The
expectations placed on companies with respect to managing private security and engaging with public
security are based on companies expected level of control over each, as summarized in the box below.
Private Security
Company has greater control over private
security and therefore is subject to greater
expectations on hiring, conduct, training
Contract is key
Assessment of risk and implementation of
good practice in hiring, training, and
employment of private security guard forces
Use of force
Grievance mechanism
Consideration of allegations of abuse
Public Security
Often outside the companys control and
therefore the focus is more towards
engagement
MOU is ideal but in many cases not possible
Assessment of risk of a response by military
or police
Encouragement of military and police to
disclose security arrangements (and by
implication, to influence those arrangements)
Consideration of allegations of abuse
Key Principles
Interconnectedness of Security Issues with other Performance Standards
As IFCs work with clients on security issues evolves, a key lesson has been on the interconnectedness
between security and a wide range of issues covered by other Performance Standards. Experience has
shown how company-community tension on any issue whether water, lack of perceived benefits,
pollution, or working conditions can suddenly turn into a spontaneous protest at the project gates or a
blockade of an access road, resulting in a security situation for which a company may not be prepared.
Making the link between community relations and security is therefore key. Similarly, the ways in which
security personnel comport themselves in the context of labor union gatherings or strikes (PS 2),
involuntary resettlement of households (PS 5), or activism by Indigenous communities (PS 7) is essential
to ensuring the rights and safety of local communities and to the reputation of companies and
governments worldwide. Against this backdrop, Performance Standard 4 should be read in conjunction
with all of the other Performance Standards.
Community Engagement and Grievance Mechanism for Security-Related Issues
Often security issues are thought of as separate from environmental and social aspects, and therefore
de-linked from the community relations function. Functional responsibility for security may be handled
by a different department and, as such, dialogue about security issues may get left out of community
engagement processes. Communities also may not know that the companys grievance mechanism can
and should be used as a channel for concerns or complaints about security personnel. Performance
Standard 1 is particularly relevant here as it relates to assessment and management of risks, disclosure
and consultation, and access to project-level grievance mechanisms. These aspects should also apply to
security issues.
5
Community engagement is a central aspect of a good security program as good relations with
employees and local communities can substantially contribute to overall security in the project area.
Companies can achieve this by making sure that their Community Relations and Security staff coordinate
regularly. Given that security guards are usually the first point of contact with community members at
the project gates, they should be given guidance on messaging about relevant issues. Similarly, through
its Community Relations function, a company can provide timely information to communities about
those aspects of security arrangements most likely to affect them. They can also communicate the
companys security policies, including the expected conduct of security personnel. Dialogue with
communities about security issues can help a company to identify potential risks and local concerns it
may have not considered, and can serve as an early warning system.
Gender-related impacts of security are also an important consideration. Men and women usually have
different experiences and interactions with security personnel, so consulting them separately can be a
good way to understand these different perspectives. For example, the potential for sexual harassment
or sexual violence against women can increase from an expanded presence of private or public security
forces in a project area. At the same time, awareness of and respect for culturally-specific gender issues
on the part of security personnel may help to enhance their acceptance by the local population.
Finally, communities should know where to go if they have complaints about the conduct of security
personnel. Depending on the situation, this could be done through the companys general community
grievance mechanism or through one targeted specifically for security concerns. Equally important is the
ability of community members to make such complaints without fear of intimidation or reprisal.
The Principle of Proportionality
The principle of proportionality, referenced in Performance Standard 4, requires that the intensity of
any security response correspond to the nature and gravity of the threat or offense. The principle of
proportionality is a concept from International Humanitarian Law that is generally used in a military
context, but can be interpreted and applied any time use of force is contemplated. Performance
Standard 4 explicitly states that companies will not sanction any use of force except when used for
preventive and defensive purposes in proportion to the nature and extent of the threat. 2 Security
personnel should be instructed to exercise restraint and caution, and to prioritize peaceful resolution of
disputes and the prevention of injuries and fatalities. 3
Security and Human Rights
The conduct of security personnel should be based on the principle that providing security and
respecting human rights can and should be consistent. 4 The connection between human rights and
security is echoed throughout the Voluntary Principles on Security and Human Rights (see Other
International Standards on Security below) and is aligned with the commitment to respect human rights
in Performance Standard 1 that: Business should respect human rights, which means to avoid infringing
on the human rights of others and address adverse human rights impacts business may cause or
contribute to. 5
IFC: Performance Standard 4, paragraph 12.
IFC: Guidance Note 4, paragraph 29.
4 IFC: Guidance Note 4, paragraph 29.
5 IFC: Performance Standard 1, paragraph 3.
2
3
In the context of security and Performance Standard 4, human rights considerations reflect the fact that
interactions with security forces have the potential to impact the rights and safety of individuals and
communities. At the most extreme, the use of lethal force can jeopardize the right to life. The use of
excessive force, along with unlawful detention, also have the potential to impact rights to liberty and
security of the person. Other impacts include limitations to freedoms of movement or assembly, or
possibly restrictions on employees freedom of association, among others.
Companies have a responsibility to demonstrate their respect for human rights through proper hiring,
training, and supervision of private security forces, and should encourage public security forces to also
act accordingly when responding to situations related to the project. For example, if community
members decide to associate, assemble, and speak out in opposition to the project, the company and
any security personnel who interact with them should respect the right of the local communities to do
so. These principles are embedded within Performance Standard and Guidance Note 4 and are
elaborated in more detail in the remainder of this Handbook.
www.ohchr.org/EN/ProfessionalInterest/Pages/LawEnforcementOfficials.aspx
www.ohchr.org/EN/ProfessionalInterest/Pages/UseOfForceAndFirearms.aspx
8 www.voluntaryprinciples.org
9 www.voluntaryprinciples.org/wp-content/uploads/2013/03/VPs_IGT_Final_13-09-11.pdf
6
7
Voluntary Principles Initiative is the formal membership organization of the VPs, restricted to
extractive companies, governments, and NGOs but companies in any sector can implement
the VPs
10
11
www.icoca.ch/
www.business-humanrights.org/en/un-guiding-principles
When the client retains direct or contracted workers to provide security to safeguard its personnel and property, it will
assess risks posed by its security arrangements to those within and outside the project site. IFC: Performance Standard 4,
paragraph 12.
13 The client will assess and document risks arising from the projects use of government security personnel deployed to
provide security services. IFC: Performance Standard 4, paragraph 13.
14 IFC: Guidance Note 4, paragraph 25.
12
10
Impact on
Company
Impact on
Community
Security
Response
Severity
Severity
Security
Risk
Likelihood
Step 1
This chart is based on the Risk-Response Chart frequently used by security professionals to assess a
projects security risks. However, these often focus exclusively on the company perspective.
Performance Standard 4 asks companies to consider potential impacts on communities in addition to
impacts on companies. Many companies implementing Performance Standard 4 have found integrating
community aspects into their existing processes to be the most efficient approach.
Step 8
Mitigation
Risk 1
Risk 2
Risk 3
For many companies, this process and information can be sufficient to ensure that they understand and
are responding appropriately to potential security risks. For companies with significant security risks,
especially those operating in high-risk contexts, additional depth of analysis and detail may be required
(see Key Components of a Security Risk Assessment for High Risk Contexts at the end of this section).
1. Identify Potential Risks to the Project that May Require a Security Response
11
Start by listing all potential risks that may require action by private and/or public security forces.
These include risks:
Some potential risks are listed for reference in the table below (other risks may also apply).
Potential Risks to a Project that May Require a Security Response
More common risks
Most projects have at least
some risk of these occurring
Trespassing
Robbery
Vandalism
Assault
Riot
Petty theft
Armed protest
Hostage-taking
Road block
Kidnapping
Community protests
Bombing
12
Guards stationed at access points to process ingress and egress, but who also
serve as a visible deterrent
Active Deterrents
13
Verbal instructions
warning / refusal of
passage/entry
Show of force
Intimidation or
harassment
Guards use their position (or, in particular, their weapons) as a tool for
intimidating or harassing community members, especially where no immediate
risk or threat is present
Reasonable detention
Escalation
Use of non-lethal force
Inappropriate detention
Arrest by public
authorities
Torture
Guards use lethal force offensively, or outside of acceptable use of force protocols,
or for illegitimate reasons
security, these often focus primarily on risks and impacts to the company. Performance Standard 4 asks
companies to also consider security risks and impacts to local communities as a result of their security
arrangements. 15 This includes impacts from a security response to an incident as well as impacts from
the introduction of (potentially new) security arrangements such as fences, checkpoints, or armed
security guards.
Assess the severity of the potential impacts on local communities identified in Step 6, based on how
grave, widespread, and irremediable the impacts are expected to be. The sample chart following this
section utilizes a scale from 1 (very little noticeable impact) to 5 (severe impacts, such as injuries to
community members).
Impacts from a Security Response
A security response can impact the community member(s) involved in the incident and response, but
in some instances could also impact the wider community. For example, if a private security guard or
the local police are likely to use excessive force or engage in unlawful behavior when interacting with
the local population related to a security issue, this type of potential risk should be flagged and
corresponding mitigation actions developed (see Step 8 below).
While companies do not control the police or military, they should nevertheless assess the risks
associated with public security involvement, since any actions public security undertakes on behalf of a
company or on company property may reflect directly on the company. To the extent possible, and
preferably before any incident happens, companies engaged with public security can express their
expectations about how community members should be treated, such as how a suspect is treated while
in custody or how a community protest is dispersed. (For further discussion please see Chapter IV on
Managing the Relationship with Public Security).
Impacts from the Presence of Security
When a project comes into a largely undeveloped area, its very presence can create security-related
issues or impacts. Security fences or other physical barriers may impede access to water or other
important communal areas or routes. Population influx as a result of the project and associated rises in
crime rates or community tensions can have indirect and direct impacts on security. The introduction of
security personnel into the area may also generate tensions where guards interact with community
members. As part of security is to control key access points, security guards often are the first point of
contact when community members come to the area to request (or demand) access to land,
thoroughfare, or employment. These interactions can be a risk to the guard and/or the community
member if not handled appropriately.
Both physical security measures and security guards can have particularly significant impacts on
women, who are likely to be traversing distances for domestic tasks. They are also disproportionately
affected by the presence of (typically male) security guards, whom they may encounter daily in following
their routine. In some cases, women may be subjected to gender-related harassment or intimidation or
may be the victims of sexual violence. Because companies may not always be aware of the full range of
security concerns felt by local communities, it can be helpful to consult with community representatives,
including women, when assessing risks.
15 Note that community members may include individuals who contribute to a security risk (e.g., protesters, alleged thieves,
etc.), as well as those not involved with the project in any way.
15
This type of information and analysis is important for a comprehensive assessment of security risks. It
can also be included in the Risk-Response Chart, by providing analysis in the relevant community-related
columns.
Dynamic Nature of Security Risks and Responses
In considering Security Risks, it is important to understand that a security response to an incident can
in turn create new risks. For example, if a previous transit route is restricted by a new security fence,
a community member circumventing the fence may be considered to be trespassing by security
guards. If the guards intercept and handle him roughly, he is likely to feel disrespected. He and other
community members who also object to the restricted access may protest, creating a road block to
draw attention to their grievance. Police are usually
called to deal with such a protest, which can increase
the potential for violence for example, a
confrontation that might result in a discharge of
firearms. If this type of escalation is observed by local
civil society or the media, it is likely to lead to reports
that police shot at local community members on the
company site. While it is impossible to consider every
extrapolation from every incident, this type of scenario
reinforces the need to recognize how security
reactions in turn engender other reactions, and
potentially escalation. It is therefore critical that
security forces attempt to de-escalate security
situations as much as possible.
which underscores the importance of involving Community Relations staff and consulting with
local communities. Companies should also ensure that community members have access to a
grievance mechanism, as required by Performance Standard 4. 16
Improve the Outcome of a Security Response
Theft
Access controls to
prevent theft;
private security
guards may
Impact on
Company
Loss of company
property; potential
danger to
employees if
Impact on
Community
Alleged thieves risk
injury or mistreatment
during apprehension
and/or detention
Severity
Security
Response
Severity
Security
Risk
Likelihood
In this sample chart, hypothetical examples are listed for illustrative purposes, but actual results should
be based on specific company contexts.
Mitigation
Ensure guards have
clear guidelines for
apprehension and
short-term
16 Performance Standard 4 states that companies will provide a grievance mechanism for Affected Communities to express
concerns about the security arrangements and acts of security personnel. IFC: Performance Standard 4, paragraph 12.
17
Protest
Trespass
apprehend
suspected thieves
and turn them over
to authorities
Prevent or control
access to site; public
security may
respond physically if
protest becomes
violent
thieves take
property by force
Disruption to
operations,
particularly staff
access to site and
transportation;
possible injury to
employees
Access controls to
prevent access,
including clear
signage; guards may
confront individuals
attempting to walk
through site
Potential safety
hazard and
disruption to
operations
Frustration among
community that preexisting access/transit
routes are no longer
available; Injuries
sustained by
community members
entering hazardous
areas of the site
detention;
encourage police to
treat suspects
appropriately
Ensure guards and
police have clear
protocols on dealing
with protesters,
particularly regarding
use of force;
community relations
staff may be able to
address issues with
community to
prevent need for
protest
Community relations
staff consult with
community on issues
of access; guards
have clear protocols
on how to
appropriately
confront trespassers
and lead them away
from secured areas
Summary of Steps:
1. In listing Security Risks, consider how a threat (either emanating from a company's operating
environment or stemming from a company's relationship with local communities) may manifest
itself into a security incident.
2. For every Security Risk, consider the Likelihood of such an incident occurring, on a scale from 1
(low probability) to 5 (nearly certain).
3. For every Security Risk, consider the likely Security Response, e.g., the steps the company, its
guards, or even public security forces take to prevent an incident occurring, or to deal with a
situation if it does occur.
4. For every Security Risk, consider the Impact on the Company, e.g., what effect a security
incident will have on a companys people, property or production should it occur.
5. For the Severity of Impacts on the Company, consider the seriousness of the impacts emanating
from a specific Security Risk, on a scale from 1 (very little noticeable impact) to 5 (shut down or
suspension of operations, and/or injuries to employees).
6. For the Severity of Impacts on Communities, consider the severity of the impacts on the
community emanating from the security response to potential incidents, on a scale from 1 (very
little noticeable impact) to 5 (injuries to community members).
7. Taking into account the potential Security Risks, Impacts on the Company, and Impacts on
Communities, then consider steps to Mitigate those impacts.
8. Plot the Likelihood scores on the X-axis and the higher of the two scores for Company
Impact and Community Impact on the Y-axis.
18
Diagram X
High
Impact
X
Protest
Impact/Severity
4
X
Theft
3
X
Trespass
2
Low
Impact
1
1
Unlikely
2
Likelihood
5
Near
Certain
19
In low-to-medium risk contexts, the process outlined above often will suffice to ensure that a company
is aware of and prepared to mitigate any likely security risks. In high-risk contexts, the preceding steps
constitute the first stage of a more detailed and formalized risk assessment and management process. A
full Security Risk Assessment (SRA) is recommended if:
(i) security risks to the company are high, and/or the potential impacts on communities from a
security response may be severe, and/or
(ii) the context is particularly complicated, or if public security forces are likely to have a
significant role.
1. Desktop review
2. On-site assessment (typically 3-5 days, depending on the size of the project)
Interviews with:
o Company representatives
Regarding the existing security program, relationship with communities and any
community development programs, operation of grievance mechanism, etc.
o Community Representatives
To understand their general concerns about the project, specific concerns about the
projects security arrangements, any specific impacts or concerns related to women or
vulnerable groups (e.g., IPs), familiarity with grievance mechanism, etc.
o Private security provider (as applicable)
To discuss policies and procedures, such as employment policies, policies on appropriate
conduct and use of force, ethics and/or human rights policies;
To review training agenda, roster, and materials; and
To directly observe practices, such as appearance, level of technical and professional
proficiency, etc.
o Local officials (as applicable and feasible)
To assess local public security, general relationship with company and with
communities, potential for requests for equipment or services, etc.
3. Scenarios
developed in direct consultation with both the companys security management and community
relations functions.
4. Mitigation Measures
22
II. During the Operations Phase, the major construction contractor(s) will completely demobilize
their work force. The project footprint and associated economic and employment impact on the local
area may diminish.
Management of expectations and good communications is key. Information (or
misinformation) about project changes that will impact community members particularly
regarding labor and jobs tends to spread quickly among the local population. Raised
23
expectations for job continuity and benefits that are not fulfilled can lead to local tensions
and protests, which is a risk for security. It is important to understand what promises were
made at various stages and by the different actors involved in the project.
Historically, this transition period has created widespread uncertainty among affected
communities. Groups seeking to extort continued economic opportunities (jobs, service
contracts, etc.) often try to take advantage of the uncertain atmosphere.
The Security Risk Assessment should anticipate the potential for security issues arising, both
random and coordinated labor strikes and slowdowns, harassment and detention of
transportation and project personnel, legal challenges or other disruptions from concerned
groups, and provocations by various factions.
While this period of heightened threat is unavoidable, it typically is of relatively short
duration. The risk can be greatly diminished with proactive communications and a good
community engagement strategy and grievance mechanism.
Before the transition from the Construction Phase to the Operations Phase, the following should be in
place or completed:
A mature security environment with access controls, physical security measures, plans, and
procedures.
A security guard force with a high level of training and experience. Note that the guard force
will also gradually reduce manpower as the site becomes operational.
In the Operations Phase:
Management is likely to scrutinize the security function for cost efficiencies and work force
reductions.
The greatest risk in the Operations Phase is sometimes complacency.
24
2. Contractual Agreement
A companys relationship with private security should be managed through a formal process. For
security personnel who are company staff, this should be through an employment contract and internal
18
25
company policies and procedures. For external private security providers as with any contractor a
company should make its performance expectations explicit in the form of a detailed contract, and
ensure that the providers own policies and procedures are adequate. It is recommended that the
contract include provisions for the company to review relevant documents and materials (e.g., training
materials see section on Training below) and to audit the security provider periodically. A contract
also allows a company to terminate a providers services if its standards are not met.
Companies should specify that private securitys role is defensive and protective only, with no law
enforcement authority. It is important that a companys contract with a private security provider include
standards of performance for security tasks and expectations of conduct, as the possible use of
protective force is often included in the list of duties. Paragraph 12 of Performance Standard 4 outlines
these standards and expectations for private security, which are described in greater detail below.
4. Code of Conduct
Companies should require the appropriate conduct of security personnel they employ or engage. 21
This means a company should have a clear Code of Conduct policy for its employees and contractors.
In this or other company policies, security providers should commit to ethical standards, to not engage
in corrupt practices, to maintain the confidentiality of sensitive information, to treat employees in
accordance with the law, and to protect life and health (including that of individuals in custody). 22
Security personnel should have clear instructions on the objectives of their work and permissible
actions, with the level of detail being dependent upon the scope of permitted actions and the number
IFC: Performance Standard 4, paragraph 12.
IFC: Guidance Note 4, paragraph 31.
21 IFC: Guidance Note 4, paragraph 28.
22 In addition to Performance Standard 4 and Guidance Note 4, these principles are also outlined in the UN Code of Conduct for
Law Enforcement Officials. www.ohchr.org/EN/ProfessionalInterest/Pages/LawEnforcementOfficials.aspx
19
20
26
of personnel. 23 These instructions should be based on good international practice and applicable law.
Companies are responsible for ensuring security personnel they employ or engage are aware of the
companys internal code of conduct.
27
are permitted to carry their own personal weapons on the project site, the same rules on licensing,
recording, and storage still apply.
6. Training
Companies should use only security professionals who are, and continue to be, adequately trained. 30
Performance Standard 4 calls for companies to train [those providing security] in the use of force (and
where applicable, firearms), and appropriate conduct toward workers and Affected Communities. 31
Training on use of force and appropriate conduct typically focuses on reinforcing respectful behavior,
often illustrated through examples. Use of force training includes less lethal weapons, as well as training
for any firearms in cases where guards are armed.
Instructions on security guards objectives and permissible actions, based on applicable law and
professional standards, should be communicated as terms of employment and reinforced through
periodic professional training. 32 For example, national law may include provisions for licensing or
certification related to private security providers and/or firearms. 33 International standards include the
UN Basic Principles on Use of Force and Firearms by Law Enforcement Officers and UN Code of Conduct
for Law Enforcement Officials practices consistent with these are considered to be examples of good
international practice in Performance Standard 4. 34
Depending on the level of need, security training can range from a review of policies and procedures to
in-depth sessions practicing appropriate responses to various security threats. Comprehensive programs
typically include several different types of training. Many companies have found scenario-based,
performance-oriented (learning-by-doing) training to be the most effective method for security guards
to internalize proper response techniques. This typically includes information on where, in which
circumstances, and under what conditions it is lawful and in accordance with company policy to use
force of any kind, and what is the maximum level of force authorized. Instructions should emphasize
that security personnel are permitted to use force only as a matter of last resort and only for
preventive and defensive purposes in proportion to the nature and extent of the threat, and in a manner
that respects human rights. 35
Training programs can be provided by the company, the security provider, and/or qualified third parties.
When designed and delivered by contractors, companies should periodically review the training
materials, and the person responsible for security can also attend a training session. Upon request, the
security provider should be able to provide logs to demonstrate what training has been provided and to
whom, along with a copy of the training agenda and materials.
7. Equipping
All security guards need to have or be provided with the appropriate equipment to undertake their
responsibilities. This equipment typically includes a proper uniform with appropriate identification,
28
radio or other communications device, and any other equipment determined to be necessary by the
security risk assessment and required by the security management plan.
Where security guards are armed, companies are counseled to request evidence of legal permits for
staff to carry firearms.
8. Decision to Arm
The decision whether or not to arm security guards is a consequential one and usually should be
based on an assessed threat that supports the necessity of arming guards to protect lives. While
equipping guards with firearms in some contexts is well justified, in others, companies may have armed
guards because everyone has armed guards or its just the way things are done here. Current good
practice encourages the default position to be against having armed private security unless risk analysis
shows this to be necessary and appropriate. Depending on the type of weapon and the level of training,
arming private security can sometimes increase risk rather than decrease it. In some countries,
legislation may prohibit the use of armed private security (e.g., prohibited in Nigeria, Ghana, Democratic
Republic of the Congo, Timor-Leste; and heavily restricted in China, Turkey).
If a company elects to use armed private security, good practice encourages that it be:
In many countries and contexts, firearms are perceived less as a method for mitigating risks and
more as a standard-issue piece of equipment. However, arming guards does not always increase
safety the decision should be made based on proportionality to the assessed risks.
In one recent example from Central America, a company had issued firearms to their guards. Under
national law, guards were limited to carrying shotguns. The company was confronted by a severe
threat of violence from organized crime and militant groups who were armed with more powerful
automatic firearms. While it could have been seen as reasonable for guards to possess firearms to
meet the threat of potential attackers, a careful assessment demonstrated that the guards
possession of firearms actually increased the risk to the guards, the company, and the community.
Beyond the safety risk from accidental discharge, the armed guards were at risk because they were
targeted by attackers who sought to neutralize the threat they posed. Having armed guards also
presented an intimidating barrier between the company and the local community, and made it
easier for the operations detractors to link the guards (and the companys operation) to any gunrelated incident in the area. Presented with the balance of risks, the company elected to disarm its
guards. In the years following that decision, the company witnessed a significant reduction in gunrelated incidents, and over time the guards and their families actually reported feeling safer.
allegations of unlawful or abusive acts of security personnel, take action (or urge appropriate parties
to take action) to prevent recurrence, and report unlawful and abusive acts to public authorities. 36
This begins with having policies and procedures to accept and assess security incidents, credible
security-related allegations, and use of force incidents of any kind.
It is good practice for companies to be able to: (i) accept security-related reports or complaints; (ii)
gather and document relevant information; (iii) assess the available information; (iv) protect the identity
of victim(s) and those reporting the allegation or incident, and (v) report unlawful acts to state
authorities. See Chapter V on Preparing a Security Management Plan and Chapter VI on Assessing
Allegations or Incidents Related to Security Personnel for further elaboration.
10. Monitoring
It is good practice for companies, as part of their oversight responsibilities, to monitor site
performance of their security contractors on an ongoing basis to ensure professional and appropriate
conduct. This may include reviewing policies and materials, undertaking periodic audits, potentially
assisting with or supporting training, and considering any allegations of unlawful or abusive acts by
security personnel (see Chapter VI on Assessing Allegations or Incidents Related to Security Personnel).
Speaking to employees and local community members who come into regular contact with security staff
can also provide valuable insights. Ensuring that both employees and community members know that
the existing grievance mechanism can be used to report any security-related allegations or incidents is
an important component of on-going monitoring (see next section on Community Engagement and
Grievance Mechanism for Security-related Related Issues).
Companies are advised to consider including sanctions in contracts with security providers to maintain
leverage in cases where contractors do not meet performance expectations. This may include
withholding payment for services, or, in case of multiple failures or credible evidence of unlawful or
abusive behavior, termination of the contract.
30
Many companies have improved their security situation and their relationships with local
communities through greater collaboration and coordination between their Community Relations
and Security staff. The demeanor and conduct of security staff vis--vis the local population usually
reflects directly on the company and has the potential to impact company-community relationships,
either positively or negatively. Community relations officers can pass on community grievances or
security concerns, alert security staff to sources of contention between local communities and the
company that could pose security risks, and help to communicate important information on security
aspects to the local population. Community members, in turn, are often in a position to identify
potential risks and local concerns the Security department may have not considered, and can help
improve security by providing local information and early warnings.
The grievance mechanism required under Performance Standard 1 provides an important avenue for
workers, affected communities, and other stakeholders to address concerns about security activities
or personnel within the clients control or influence. 39 Concerns may come from a wide range of
sources (e.g., communicated directly to Community Relations staff, through a hot line telephone
number, via tip boxes outside the project site, etc.), but companies should ensure that security-related
complaints are channeled to the person or department responsible for security.
Both Performance Standard 1 and Performance Standard 4 cross-reference one another regarding the
establishment of a grievance mechanism, and should be read together. It is good practice for the
grievance mechanism to facilitate prompt resolution of concerns, and to use a consultative process that
is understandable, easily accessible, culturally appropriate, available at no cost, and free of retribution. 40
Companies should emphasize to staff, including security staff, that intimidation of or retaliation against
those lodging complaints will not be tolerated.
39
40
31
32
defensive approach. In some countries there are also specialized units within the military tasked with
protection of certain sectors or assets. Though less common, in some contexts there are also legal or
illegal armed militia or other groups that may play a role protective and/or problematic relative to
business.
Police
At the local level, police are the most common security personnel. Police have a general law
enforcement role, typically with a crime-reduction focus, and in many cases with the authority to
conduct criminal investigations. In some localities, there is an additional layer linking police with
community through community policing, in which police have an interactive relationship with
community members.
know a units reputation and potential problem areas); and direct observation of comportment and
performance (for units already operating at a site). It is always good practice to cross-reference
information by checking with multiple sources.
34
low-risk contexts, where the person responsible for security in the company regardless of title or
background often can manage the engagement with local police).
Choosing the right representative can be especially important in high-risk situations where a company
feels that frank conversations with public security forces may be sensitive or cause offense. Someone
with a security background or expertise, knowledge of the country, and a network of contacts may be
best positioned to understand the public security and/or government hierarchy, identify the most
effective partner, and develop the most effective outreach strategy.
From public security:
Companies should try to identify the most appropriate counterpart within the public security forces
ideally someone with sufficient rank and authority as well as willingness to engage constructively with
the company. Finding an individual champion within the national or local security forces greatly
enhances the chances of productive engagement. In some cases, an individual who participated in a
military exchange program can be a great counterpart.
In most cases, the local security force commander is the most appropriate contact, though it is
recommended that companies reach out to others in the hierarchy as well. Engaging, to the extent
possible, with public security personnel at higher headquarters level, as well as at local or more
subordinate levels, can help avoid gaps in communication and resolve problems that require efforts
at multiple levels of the government hierarchy.
Where both the police and the military may be involved in security provision to the project,
companies are encouraged to seek to establish relationships with both.
When to Engage
Early engagement with public security forces before incidents arise is key. It is always advisable
to build capital in a relationship before stressing it with problems. Police or military commanders often
complain that they are only informed or asked to get involved after there is a problem.
Initial meetings are best used to identify appropriate counterparts, develop rapport, and facilitate
access. Once a relationship is established, the full range of issues, both positive and negative, can be
regularly discussed in a cordial and diplomatic manner. This includes both the companys needs and the
security forces logistical needs. These meetings are also an opportunity for ongoing assessment of
security risk and threat analysis.
How to Engage
Set the Right Tone
A constructive and respectful tone taken at the outset can establish a positive trajectory for the entire
relationship. Because public security forces are accountable to their sovereign government, private
companies may have little to no leverage over the actions of those forces. Typically, deployment
decisions are at the discretion of the government, and the chain of command runs through the public
security forces, not through the company. Even if the company assesses the government to be
relatively weak or the public security forces to be lacking, it is advisable to take into consideration
their full context. Depending on the background and interests of public security command,
discussions about how to support government security forces in their own goals of professionalization
can sometimes be a constructive way to open a conversation.
35
What to Discuss
Depending on the relationship developed with public security, potential topics for discussion include any
concerns or issues arising from the risk assessment, as well as many of the same issues covered in the
companys contractual engagement with its private security forces, such as deployment, vetting, use of
force, and training. The possibility of a Memorandum of Understanding (MOU) is another potential
item for discussion.
1. Engagement Itself
A companys first topic of discussion with public security forces is often simply the relationship
between the company and public security forces. Early engagements should focus on personal
introductions and the basics of the potential relationship and collaboration. Conversations often explore
the willingness to engage, identify appropriate individuals on both sides, and establish a regular
pattern of meetings. If the situation allows it, companies may wait to develop an ongoing
engagement before incorporating discussions of individual and mutual security concerns. In building
rapport, companies can gain an understanding of the public security approach, as well as the best way
to broach various potentially sensitive subjects.
36
Companies have a responsibility to demonstrate their respect for human rights through proper
hiring, training, and supervision of private security forces, and should encourage public security
forces to also act accordingly when responding to situations related to the project
Small Acts of Disrespect Can Escalate into Serious Security Situations
While issues related to security forces may bring to mind a high-profile, contentious interaction at a
pressure point (e.g., protests at the front gate or access road), in many cases these arise after
repeated, lower level behaviors eventually incite escalation. In one example from a country in Africa,
a military force frequently escorted a commercial convoy through narrow rural roads also used by
local community members riding bicycles and motorbikes. Frustrated at being stuck behind slowmoving local traffic, officers often threw water bottles at the community members in an effort to
have them move out of the way. Not only was this disrespectful, but in an effort to speed up the
convoy by a minute or two, those actions clearly upset community members, and resentment
eventually led hostility toward the security forces and the commercial project.
4. Use of Force
As part of the conversation around the public security response and any interaction with private
security, if applicable companies can ask about what forces will be deployed and how they will
respond to an incident. This can be a good entry point for discussing the use of force and for
communicating the companys desire that force be used only for preventive and proportional responses
44
37
and in a manner that respects human rights. Here it can be helpful to share applicable company policies
(on ethical conduct, human rights, use of force, etc.) and to ask about public security forces policies
and practices.
Often these conversations also touch on broader references, such as contextual risks and local,
national, and international law. They typically benefit from considering specific examples, such as
protests, which usually are a source of great concern for both companies and public security.
Discussion of possible likely scenarios and responses offer an opportunity to collaborate and
prepare. Public security forces may be surprised that a company would rather allow a protest to
take place peacefully and for protesters to disperse voluntarily companies should be clear about
their preferences, and are advised to express their concern for the safety of all, including security
personnel and protesters.
5. Security Personnel
Companies should attempt to understand the background and reputation of public security forces as
part of their assessment of security risks (as described above), and monitor the situation so that they
can respond if any issues arise with certain individuals or units. While companies do not control public
officer or unit assignments, they often have more influence than they might expect. Discussions about
concerns regarding individuals or units can be quite sensitive, so companies are advised to assess their
relationship with public security forces to determine the most effective way to proceed.
If there has been sufficient time to build a relationship of mutual trust, companies can often be frank,
but diplomatic, in discussing actual or potential problems with subordinate units or leaders. In general,
higher level leaders are better positioned to understand the scrutiny and pressure that inappropriate or
unlawful actions can bring, and to understand and appreciate the financial contribution the company
makes at a national level.
Companies are recommended to document any such engagements and efforts to mitigate risk even if
unsuccessful. Where company influence is limited, it can still be possible to attempt to address potential
problems by filling gaps through training or equipment, or to avoid asking support from units that have a
record of abuse.
6. Training
Training is central to capacity building, but it also potentially offers an opportunity for engagement
and support, particularly where public security forces aspire to meet international standards but lack
capacity and resources.
Where public security forces provide their own training, companies should attempt to establish that
they have adequate professional, technical, tactical, and equipment training, ideally including reference
to use of force, human rights, and appropriate conduct. This can be done through reviewing the training
agenda, attendance roster, and materials, and, where possible, by attending the training itself.
Where public security forces do not provide their own training, companies are advised to consider ways
in which they may support this objective. Depending upon the context and the receptivity of public
security, this may include training public security forces directly, inviting public security forces to join
training exercises designed for the companys private security, or offering to support training done by a
third party (e.g., International Red Cross or an NGO). Where feasible, joint training can be particularly
38
effective at building relationships and ensuring that transitions from private to public security forces are
well coordinated, professional, and practiced. In some cases, companies have found it useful to invite
public security forces to observe their own training sessions, without undertaking a formal joint
training program.
Many companies find scenario-based exercises to be the most successful form of training.
7. Equipment transfers
Government may request or require) private companies to provide logistical, monetary, and/or
equipment support to assist police and military units as necessary. This action carries risks for the
company in the event that such equipment is misused in an unlawful or abusive manner or implicates
the company in actions undertaken by public security forces. However, companies may feel that they
are given little choice but to agree to such requests. Companies should try to implement restrictions,
controls, and monitoring, as necessary and possible under the circumstances, to prevent
misappropriation or use of the equipment in a manner that is not consistent with the principles and
requirements set out in Performance Standard 4. 45 At the same time, a request for support can offer an
opening for conversation and engagement, and companies are strongly encouraged to ask for a written
agreement (see Memorandum of Understanding below), wherever possible. Consultations with
community members regarding any potential support provided to the security forces are also advisable,
as they may have concerns that are not otherwise considered.
Consider in-kind compensation
If companies are required or requested to compensate public security forces or to provide them with
equipment and if the option of declining the request is not available or desirable they may wish to
provide in-kind contributions, such as food, uniforms, or vehicles, rather than cash or lethal weapons.
Nevertheless, even when providing in-kind contributions, companies should still be aware that even
otherwise benign equipment (such as a vehicle or shipping container) can be misused by security
forces if not monitored effectively.
Clarify Expectations & Specify Intended Use
Companies should seek to clarify upfront with government their expectations about reimbursement
for, or provision of, specific equipment, and specify and document the intended use of equipment
provided. If this is not possible, the company should determine the risks associated with providing such
support to public security forces, and balance the positive benefits against the possible consequences.
For example, if police assigned to the project are expected to face possibly violent confrontations but
have only firearms, it may be in the company's best interest for public security forces to have crowd
control options short of lethal force. Equipment transfers carry risks, but may be preferable to leaving
public security forces unable to perform their job in a safe and lawful manner.
Include Conditionalities in a Transfer Agreement
If companies provide equipment or support, it is recommended they insist that the equipment will only
be used only in a lawful manner, for the purposes agreed, and will not be transferred elsewhere without
the company's agreement. Companies are advised to document these conditions and include them as
part of the transfer agreement. It is also suggested that companies list anything provided to
governments, including to public security forces, in a Record of Transfer Register, and push for this to be
45
39
inventoried regularly to maintain accountability and serviceability. The Register identifies exactly what
the company provided, when, and for what purpose.
Risks Related to Equipment Transfers
Providing financial support or physical equipment (transportation, provisions, etc.) to police or
military may increase a companys exposure if it is seen as being in control of public security, even
while public security remains under government control. Even seemingly innocuous equipment can
be misused. In one case, public security forces requested the transfer of empty shipping containers,
for the purported use of storing their own equipment, but instead used the containers to detain
prisoners. In a second case, night vision goggles were requested to assist with perimeter patrols, but
were used to launch night-time raids against opposition forces. In a third case, public security forces
requested the use of a company vehicle when their own vehicles were unserviceable. Seeing the
military riding in identifiable company vehicles not only associated them closely with the company in
the communitys eyes, but when they later engaged in abuses, they did so with the company logo
prominently displayed on their vehicle. While companies cannot prevent every possible abuse or
incorrect association, they should consider their actual or perceived association with the actions of
public security forces, and make efforts to control the use of any equipment that they provide.
40
custody. This extended beyond Performance Standard 4 compliance, but successfully reduced risks to
the individuals as well as risks to the company, stemming from actions associated with their
operations in a particularly challenging country.
Voluntary Principles on Security and Human Rights: Model Clauses for Agreements between Government Security Forces and
Companies with Respect to Security and Human Rights. http://www.voluntaryprinciples.org/wpcontent/uploads/2016/06/VPI_-_Model_Clauses_for_Security_Agreements.pdf
47
41
from asking to have individuals removed from public security forces altogether, which exceeds a
companys remit.)
Most MOUs include references to company policies, national and international law, relevant UN
protocols (specifically the UN Basic Principles on Use of Force), and any applicable international
standards (such as the Voluntary Principles on Security and Human Rights). When necessary, it may be
important to clarify the applicable standard. For example, in some countries, national law allows for
public security to use lethal force in protection of property, which is not in accordance with international
law.
42
Key Components
A Security Management Plan should be developed in consultation with management, should clearly link
to the Security Risk Assessment, and should include all relevant policies and procedures to guide the
companys security provision over the life of the project. This document should include high-level
overviews, policies, and content on approaches and aspects related to security management, with
One of the two Objectives of Performance Standard 4 is To ensure that the safeguarding of personnel and property is carried
out in accordance with relevant human rights principles and in a manner that avoids or minimizes risks to the Affected
Communities. IFC: Performance Standard 4, Objectives.
49 IFC: Performance Standard 1, paragraph 5.
48
43
detailed procedures or design information following in an Annex. (For greater detail on topics commonly
included in comprehensive security management plans, see Annex B on Guidance for Drafting a Security
Management Plan.)
Objectives Security Management Plan is designed to protect against and mitigate security risks
at the project that could threaten communities, employees, facilities, and operations. It
provides direction, organization, integration, and continuity to the security program.
Mission Company securitys mission is to ensure that all staff, contractors, and visitors are able
to work at the project in a safe and secure environment, that all facilities are kept safe and
secure, and that all project operations are unhindered. Security and respect for the human
rights of employees and communities are fully compatible.
Approach Company security recognizes the links between social issues and security, and
consequently fosters interrelationships between project Operations, Government, Community
Relations, and Security staff. Companys approach also reinforces the importance of community
stakeholders and the projects grievance mechanism.
4. Physical Security
44
(See Chapter IV on Managing the Relationship with Public Security for further details.)
Describes the grievance mechanism, reporting requirements and structure, and inquiry
protocols with respect to security incidents; use of force incidents; and allegations of abuse,
misconduct, or other wrongdoing by security personnel.
Outlines the responsibilities and timelines for conducting inquiries on allegations and incidents.
(See Chapter VI on Assessing Allegations or Incidents Related to Security Personnel for more
information about serious allegations and incidents involving security personnel.)
Describes company efforts to engage with community members on matters related to security
(ideally in coordination with the Community Relations team).
Describes risk mitigation efforts related to potential security impacts on communities (e.g.,
regulations for guard off-site behavior, arrangements with public security, shared information
on security arrangements, as appropriate), grievance mechanism to receive and respond to
community complaints or concerns related to security personnel or issues.
(See Section on Community Engagement and Grievance Mechanism for Security-Related Issues in
Chapter III on Managing Private Security for further details.)
46
I.
Companies are encouraged to have systems in place to be able to receive and respond to allegations or
incidents this includes a grievance mechanism and relevant reporting and inquiry protocols.
50
47
II.
Companies should record and investigate security allegations and incidents with the objective of
determining whether company policies and procedures were complied with and if any corrective or
preventive actions are required for continuing security operations. Note that this requires companies
to have in place appropriate security policies and procedures if this is not the case, they should
institute these as soon as possible, and then follow good practice in considering any current allegations
or incidents. 51 Any incidents of a criminal nature should be reported to the appropriate government
authorities for investigation by the state.
All companies are encouraged to incorporate the good practices below in approaching this sensitive
topic, with the level of depth and breadth reflecting the severity and credibility of the allegation or
incident. This process is typically internal and company-led, and spans activities from recording and
assessing complaints, to initiating a more in-depth inquiry where appropriate, to documenting the
process and monitoring outcomes.
1. Record the Incident or Allegation
All incidents and allegations should be recorded, whether they come from an incident report, the
grievance mechanism, or any other formal or informal means of communication. While the initial
information can come from a variety of sources, the department responsible for security typically
maintains a registration or log of allegations and incidents. Serious allegations and incidents should
be reported to senior management within a specified timeframe. Criminal wrong doing should be
reported to the relevant authorities.
2. Collect Information Promptly
Information should be collected as early as possible following an incident or receipt of an
allegation. This may include noting details related to the circumstance, individuals involved,
location, timing, etc., and taking statements and/or photographs where relevant. Experience has
shown that as more time elapses, it becomes increasingly difficult to establish the sequence of
events, collect evidence, or locate relevant persons needed for an effective inquiry into the facts
surrounding an incident.
3. Protect Confidentiality
Companies are advised to consider confidentiality measures to protect victims, witnesses, and/or
complainants. For example, individuals can be identified by numbers instead of names, and their
role or relationship included only with their consent. Victims, witnesses, complainants, and other
51 Security personnel can be held accountable (by government authorities) to the law, and (by company management) to company
policy in place at the time of the event in question.
48
interviewees should be informed about if and how their identities will be protected, and whether
their names will be recorded and/or used.
4.
After receiving and recording an allegation or incident report, companies typically assess the
seriousness and credibility of the claim to determine if and how security policies or procedures were
potentially violated by security personnel and whether further investigation is needed. Routine security
incidents, and minor instances of misconduct (e.g., a guard falling asleep on the job) are generally
handled by following the protocols outlined in Chapter V on Preparing a Security Management Plan.
A more in-depth inquiry process, however, should be conducted in cases of serious allegations or
incidents, such as instances of unlawful or abusive acts by security personnel, and / or where severe
impacts result from a security incident, such as injury, sexual violence, use of lethal force, or fatalities.
Criminal behavior should be referred to the relevant authorities (see Report Unlawful Acts below).
For serious incidents, senior management generally determines next steps and what level of inquiry or
action is needed. Generally, such inquiries are internal although companies may choose to bring in an
external party to conduct the inquiry in the case of more significant or challenging situations. Either way,
companies should demonstrate a good-faith effort to actively seek, consider and catalog all relevant
available information and inputs, as well as document unsuccessful efforts to obtain information or to
interview specific individuals.
In the case of parallel processes which may overlap with a government investigation, companies or
third-parties conducting an inquiry on their behalf should coordinate with the relevant authorities to
ensure that they cooperate, rather than interfere, with any criminal investigation.
5. Document the Process
The inquiry process should be documented, including sources of information, evidence, analysis
conclusions and recommendations. Where it is not possible to reach a conclusion (e.g., due to limited
or contradictory information or evidence), this should be stated clearly, along with any efforts to fill gaps
and make assessments. It is good practice for information related to security allegations or incidents to
be classified and handled as confidential. The tone and language of any report should be objective,
impartial, and fact-based.
6. Report Any Unlawful Act
Criminal wrongdoing or unlawful acts of any security personnel should be reported to the appropriate
government authorities. 52 Companies are advised to cooperate with criminal investigations, and to
ensure that internal processes do not interfere with formal government-led proceedings. Companies
should also follow up on reported unlawful acts (see Monitor and Communicate Outcomes below).
7. Take Corrective Action to Avoid Recurrence
Action should be taken to ensure that negative impacts are not repeated. This may entail
corrective and/or disciplinary action to prevent or avoid recurrence if the incident was not handled
according to instructions. 53 Where appropriate, companies may also consider remedial actions for
52
53
49
impacted parties. In general, companies are encouraged to identify lessons learned from the
incident and take the opportunity to revise internal company policies and practices as needed. They
may also wish to review and amend contractual policies and procedures, and particularly to update
clauses related to the conduct of private security forces where relevant. In many cases, additional
training can support the incorporation of lessons learned.
8. Monitor and Communicate Outcomes
Because companies control their own internal processes, they can help to ensure that consideration of
any allegation or incident is professional and progresses in a timely manner. Additional oversight may be
needed with respect to third-party inquiries, such as those undertaken by private security providers.
It is good practice to communicate outcomes to relevant parties, keeping in mind confidentiality
provisions and the need to protect victims. To the extent possible and applicable, it can be constructive
to also share relevant lessons learned and any efforts to incorporate these into company policy and/or
practice. Follow through on any specific commitments made by the company or private security
provider following an incident and communication of such is key for good stakeholder relations.
With respect to active criminal investigations led by government authorities, companies are advised to
actively monitor the status until assured of proper completion, and to press for proper resolution. 54
54
50
ANNEXES
Annex A. Template Invitation to Bid (ITB) and Request for Proposals
(RFP) for Security Risk Assessment and Security Management Plan
This RFP is designed for a company seeking to hire an external consultant. The parts in blue italics should
be completed by the company. As with any template, the content should be reviewed and adapted for
the specific situation.
1
Introduction
[Project] in [location] is seeking a consultant to conduct a security risk assessment and a security
management plan that will increase the projects capacity to mitigate and manage risk for the project
[and the neighboring communities]. This work should be undertaken in conformance with the securityrelated aspects of IFC Performance Standard 4 [and the Voluntary Principles on Security and Human
Rights and/or guidance provided by the Voluntary Principles on Security and Human Rights
Implementation Guidance Tool].
1.1
Project Background
The security risk assessment should ensure the company has accounted for all foreseeable threats to
both the project and communities, stemming from the projects presence and activities, so that it can
develop effective mitigation measures. It is expected to include document review, a site visit, and
interviews with key internal and external security stakeholders, along with a final report with
recommendations.
It should include a security due-diligence review of the project and provide a detailed due-diligence
report describing the level of conformance with local laws, applicable security requirements, the
Voluntary Principles on Security and Human Rights, and security-related aspects of IFCs Performance
Standard 4.
51
The security risk assessment should include information regarding relations with public security and the
ability of the company to contract appropriate private security and any risks and recommendations
regarding either of these issues.
The security risk assessment should include a catalog of all known risks and evaluate their likelihood to
occur, document the likely response(s), and their potential impacts. For the report, the consultant will
articulate risks in either risk statements or risk scenarios. Mitigation measures to reduce these risks
should be identified.
Proposals should outline the consultants methodological approach and ability to gather and analyze the
information described above. The consultant should include the types of documents they would request
as well as an illustrative list of the types of stakeholders the consultant would want to meet to
undertake the security risk assessment.
4 Overview of the Security Management Plan
The consultant will develop a security management plan that is based on integrating the principles of
socially responsible security into management systems. The following components must be included,
but the structure can be determined in conjunction with management:
Proposals should demonstrate the consultants knowledge of and experience with the topics and
general principles that would guide the consultant in developing the security management plan.
5 Project Deliverables
The project deliverables include:
At the conclusion of the site visit, a close-out review meeting with management [and lenders] to
discuss findings and recommendations.
A security risk assessment report that conforms to Performance Standard 4 and the Voluntary
Principles on Security and Human Rights.
A security management plan, written in conjunction with company management.
Consultant Background
The consultant can be an individual or a firm. The consultant is expected to have at least ten years of
experience in security management. The following background is preferable:
52
[Language skills]
Knowledge and experience in [region/country]
Experience in the management of security at projects in [industry sector]
Familiarity with IFCs Performance Standards, in particular Performance Standard 4, and the
Voluntary Principles on Security and Human Rights
Timeframe
The consultant should outline a schedule that will demonstrate how this project can be completed in 6-8
weeks.
8
Proposed Budget
The proposed budget should include labor and all projected expenses.
53
54
1. Project Setting
Provide a general description of the national and project area security environment. This would
include description of:
o Crime levels and type;
o Endemic political, social, or labor unrest;
o Terrorism or insurgency; and
o General attitude towards the project and associated issues.
2. Security Risks
(Attach security risk matrix and security risk assessment as Annexes.)
This section should be based on the project security risk assessment and should discuss:
Internal Risks
o These are caused by the illegal, unethical, or inappropriate behavior of project
personnel, or those directly affiliated with it.
o Most common risks would be employee theft, workplace violence, and labor unrest, with
associated strikes or sabotage.
External Risks
o These are caused by the actions of individuals outside the project who seek to take
advantage of opportunities presented by the development and operation of the project.
o These may include common criminal activity; disruption of the project for economic,
political, or social objectives; and other deliberate actions that have a negative impact
on the effective, efficient, and safe operation of the project. In extreme cases, these
could include terrorism, armed insurgency, coups, or war.
3. Security Arrangements
Private Security
o Describe who provides basic site project protection, such as the project private security
force (in-house or contracted).
Public Security
55
Describe briefly the local public security forces that would be called on to assist the
project. This would briefly outline: location, capabilities, mission, and relation to the
project.
D. Physical Security
Provide overall description of project security approach and systems. More detailed design
information (such as exact CCTV camera positioning) belongs in an Annex. Ideally this section
includes a description of the projects:
o Security Barriers such as fences, gates, locks, hardening of facilities, and means of
access control.
o Surveillance / Electronic Security Systems including CCTV, Intrusion Detection
Systems, and surveillance guard posts and patrols.
o Security Control Center describing the means for bringing together reporting and
controlling response.
Provide a brief description of key security operating procedures. Detailed standards and
procedures that provide a transparent and accurate process for managing security functions
(such as checklists) should be contained in an Annex. Key procedures should include a brief
description of the following (as appropriate) and how they fit together:
o Boundary Security how security will maintain control of the projects perimeter and
channel people to access control points.
o Access Point Operations the types of checks and screening for both people and
vehicles at gates or other access points. Include entry and exit searches and purpose, and
who is subject to it. Outline key ground rules, such as:
o Searches will only to be conducted by security personnel who have received
instruction and information regarding the procedure and the legal aspects of
search and seizure;
o Body searches will only be conducted by security personnel of the same gender.
o Incident Response how security will respond to an incident and who is responsible for
responding. Responses should be based on proper and proportional use of force.
Describe the role of public security, including when they are called and by whom.
o Security Patrols what patrols check and how often.
o Travel Security (if applicable) any special procedure for off-site travel security,.
o Materials Storage and Control (if applicable) any controls over the transport,
inventory, and maintenance of any commercial explosives or chemicals (e.g., cyanide)
necessary for the project. Note that these are stored in accordance with appropriate
national laws and regulations.
o Information and Communications procedures for categorizing, handling, and
controlling sensitive information.
o Firearms Security project policy regarding firearms on site, as well as the
responsibilities and procedures for issuing and storing any security firearms,
ammunition, and less lethal weapons. This should include:
o Location for storage,
o How weapons are secured during storage,
o Records for issuance,
o Who they may be issued to,
56
2.
Describe how the project will maintain constructive relations with public security (typically the
police, and under certain circumstances, the military) operating in the project area or responsible
for assisting project security. The depth of this section will vary with the security arrangements
involving local public security forces.
o If it is only normal law enforcement activities, such as investigating reported crimes or
responding to an incident, ongoing engagement or liaison activity may be sufficient.
o If public security forces are actually assigned to the project to provide some aspects of
security, then this should describe provision of any equipment or other support, the role
of the public security force, joint contingency planning, and coordination mechanisms.
o It should also discuss the establishment of any Memorandum of Understanding
necessary to make the arrangements transparent.
Outline the grievance mechanism, reporting requirements and structure, and inquiry protocols
with respect to security incidents; Use of force incidents; and Allegations of abuse, misconduct,
or other wrongdoing by security personnel.
Discuss the responsibilities and timelines for conducting inquiries on allegations and incidents,
including:
o The company makes a commitment to expeditious inquiry into any allegations of abuse
or wrongdoing.
o Private security contractor may conduct its own inquiry of an incident or allegation, but
the project can conduct an independent inquiry on any credible serious abuse allegation
or use of force incident.
o The inquiry findings will include a recommendation of any appropriate disciplinary
action and policy or procedure changes that may be needed.
o More detailed standards and procedures are included in the Annex.
J. Community Engagement
Describe how the company will engage with communities on matters relating to security. This
may be done in coordination with the community relations department, depending on the
project.
The project acknowledges that it may have an impact on communities and strives to mitigate
risks. It will do this by providing:
o Regulations for guard off-site behavior,
o Protocol for arrangements with public security,
o Shared information on security arrangements (as appropriate), and
o Grievance mechanism for community members to report issues.
59
A. Conduct
Contractor must adhere to the companys policies for ethical standards and human rights.
Contractor must maintain confidentiality of sensitive information.
Contractor must not employ torture, cruelty, or inhumane treatment.
Contractor must ensure health of those in custody and provide medical assistance when
needed.
Contractor must not engage in corrupt practices.
Contractor must treat its employees in accordance with national law.
B. Use of Force
Restraint and caution must be exercised in a manner consistent with international guidelines on
the use of force; in particular, the Basic Principles on Use of Force and Firearms by Law
Enforcement Officers and including the following key elements:
C. Policy
Contractor is required to have or produce key internal policies that commit the organization
to proper standards, to ensure their employees understand and adhere to the standards,
and to enforce them. This includes:
o Having written policies on conduct and use of force.
o Having a policy to perform pre-employment screening for all supervisors, guards,
consultants, security specialists, and other staff that identifies any history of abuse or
wrongdoing. At a minimum, these checks should include police records and criminal
litigation checks, as well as checks with former employers.
o Having a policy on reporting and inquiry into allegations of unlawful or abusive behavior
and all use-of-force incidents, followed by appropriate disciplinary action.
[Note while the contractor should be required to conduct an inquiry when their
people are involved, ultimate responsibility remains with the company.]
D. Training
60
1. Weapons training (This includes firearms, if issued, and any less lethal weapons systems, if used)
Each security guard must be certified as qualified for use of any weapon, by pass/fail standard,
before being issued a weapon.
Qualification should recur every six months.
2. Use of force training, to include:
Force continuum or proper use of force training.
Materials based on a framework such as the widely accepted force-continuum model.
Use of force technique training and practice through structured, scenario-based, performanceoriented (learning-by-doing) training.
Where, in what circumstances, and under what conditions it is lawful and in accordance with
company policy to use force of any kind.
The maximum level of force authorized.
Emphasis that any use of force must be used as a last resort and proportionate and appropriate
to the threat.
Emphasis that lethal force can only be used if there is an imminent threat to life or great bodily
harm.
3. Appropriate conduct
Training should emphasize avoidance of unlawful or abusive behavior. This training should clearly
define abusive behavior in relation to proper behavior and point out sanctions; it should also inform
them of national laws and international standards on human rights that the company and they as a
contractor must observe. Two important documents include:
4. Equipment
Contractor must ensure that all employees have or are provided with the appropriate equipment to
undertake their responsibilities. This equipment includes a proper uniform with appropriate
identification, radio or other communications device, and any other equipment as determined by the
security risk assessment or management plan as being required.
5. Auditing
The company reserves the right to conduct periodic audits of the security provider to:
Ensure contractors background check process.
Audit and review contractor employee background checks.
Review of the providers personnel records for all of the guards and security staff they provide.
The company further reserves the right to conduct both scheduled and unannounced reviews and audits
of the training program and observation of training events. This may include:
Review the providers training program to confirm the training is scheduled and being
conducted.
Review lesson plans to make sure they meet the proper standard.
61
6. Sanctions
The company will apply sanctions, including but not limited to withholding payment of services,
if the contractor does not meet performance expectations outlined in this contract.
The company will terminate the contract where there are multiple failures to meet expectations
or there is evidence of unlawful or abusive behavior by the contractors employees.
SIGNATURES OF BOTH PARTIES
DATE
62
Reference #:
Month:
Year:
Incident type:
Date and time of incident:
Location of incident:
Description of the incident (include situation leading up to the incident):
Management actions:
Prepared By:
Approved By:
Date:
Date:
Distribution:
63