[Boots Off the Ground: Security in Transition in the Middle East and Beyond] Episode 18: Business and Human Rights – A Role for Private Security Companies?

Abstract

In this episode, Mr John Bray, with his vast experience, discusses how private sector companies are evolving in their approach to security and human rights, particularly when operating in complex or conflict-affected environments.

This podcast series is presented by Dr Alessandro Arduino, Principal Research Fellow and Dr Ameem Lutfi, Research Fellow, at the Middle East Institute, National University of Singapore.

Full Transcript:

[Alessandro Arduino]: Welcome to the 18th episode of the National University of Singapore–Middle East Institute’s podcast series Boots Off the Ground: Security in Transition in the Middle East and Beyond. In this series, we look at the future of warfare; we will see uniformed soldiers — or “boots on the ground” — being replaced by private military companies, autonomous weapon systems and cyber warfare. My name is Alessandro Arduino and I am the co-host for this series, along with my colleague, Ameem Lutfi.

[Ameem Lutfi]: We’re very excited to have with us today Mr John Bray, Director at Control Risks, here in Singapore. Mr Bray is a risk consultant and policy specialist with more than 35 years of experience. His areas of expertise include but are not limited to business and human rights, private sector policy issues in conflict affected areas and anti-corruption strategies for the private sector. He’s also a longstanding specialist on Myanmar.

[Alessandro Arduino]: John, thank you for being with us today. Control Risks provides its clients a wide range of risk consultancy. It includes political and regulatory analyses, integrity due diligence, security support in high-risk environments and kidnapping ransom response. If I recall correctly, Control Risks was born out of kidnapping ransom response in South America. On the surface, they seem very different things – we are talking about physical security and policy analysis – and it doesn’t immediately strike one as being very similar things. So, what is the basic philosophy and goals of the company that allow you to bring these different things together, under the same umbrella? Also, what kind of different experts and professionals does Control Risks have on board?

[John Bray]: Thank you, Alex and Ameem, for inviting me to contribute. First, in summary, who we are – Control Risks is a specialist international risk consultancy. In one sentence, our role is to help clients build organisations that are secure, compliant and resilient. So, from that come various things. We work internationally and for a full range of different private sector companies but at times government agencies and civil society organisations as well. Integrity – including human rights – is a key part of what we do.

So, you alluded to our history so maybe I could say something briefly about that. It’s true, we started way back in the 1970s, working in the areas of crisis management, specifically extortion and kidnap. In fact, we still have our response team working on crisis management in various places worldwide. Naturally, that leads to prevention of security risk and in that context, I should say, we do have “boots on the ground”. Specifically in Iraq, we have quite a few “boots on the ground”. That’s an important part of our overall business – helping companies operate in complex, sometimes high-risk environments on the ground but we do have a complementary range of services. Again, prevention naturally leads to political risk and also policy analysis, which is my role. It also leads to due diligence – for example, finding out who your clients are as well as cyber risk.

I could briefly mention how my own role has evolved. I joined the company way back in the 20th century. I was and still am a political analyst but that has led on to two things – I became interested not only in country risk but also in quite detailed, practical, on-the-ground risk that led to anti-corruption and human rights, as part of my portfolio. I look at those issues from both the micro and macro perspective – what happens on the ground and also macro – what happens on the international policy environment. Just a final set of comments again on my role within Control Risks – my role is both internal and external. Externally, I work with a wide range of clients, not only here in Southeast Asia but also with colleagues globally within my areas of speciality. Internally, I also advise our colleagues on these issues; I’m the main author of our human rights policy. Specifically, with regard to Iraq, I wrote our baseline human rights impact assessment and I am also somewhat of an internal advisor when we have regular conference calls on human rights management.

[Ameem Lutfi]: Thank you, John, for the response. You mentioned that you’ve been writing these reports and working in the field of human rights for a long time.  I’m keen to know about your own experience in the field and how you’ve really seen it evolve over the past 30 years because in our podcast, we’ve been very interested in issues of transparency and accountability particularly in the private security sector and on a more broader level as well.  Human rights issues are at the centre of it and from our discussion with others, it seems like there’s no clear answer to how to deal with the issues of transparency and accountability. So, I’m wondering if you could elaborate on those.

[John Bray]: From my perspective, this is an internal eternal issue with the Universal Declaration of Human Rights since 1948 and there isn’t precedence before that but for me, this particular topic – human rights in the private sector – the several starting points are maybe in the 1990s. Actually, it’s not so much in the Middle East but it comes down to the Middle East but I’m thinking Colombia, Nigeria, Indonesia, Sudan and to some extent, Myanmar. A lot of the discussion in those areas in the 1990s were specifically about extractive companies – that’s to say oil, gas and mining and it was particularly about what companies themselves did, what governments did on the companies’ behalf and if something went wrong, who was responsible. Here, I’m thinking about what could be classified as a human rights incident where government security forces did something controversial, apparently, on behalf of the companies whom they were protecting – those were the kind of issues that surfaced in the 1990s. For me, a landmark incident would be in 1998 when we, Control Risks, together with Chatham House, a leading thinktank in London, organised a conference on business and human rights and I remember having to cross a picket line of people protesting about British Petroleum (BP) in Colombia, just outside the conference venue.

What that led on to was a key moment for me in 2000 and this was the voluntary principles on security and human rights. So, all those words are important: voluntary, principles and security and human rights. It was a multi-stakeholder initiative with UK and US government sponsors and companies – BP, in fact, was a leading driver but other big names we know are Rio Tinto and also NGO participants. The voluntary principles of security and human rights have three basic pillars: One, risk assessment and the second and third are to do with companies’ engagement with government security forces and then private sector security. It’s also an initiative – so we, as consultants, haven’t been a formal part of the initiative. The formal members are governments and they now have several more governments on board, including those of developing countries – Colombia was the first, Ghana is another one but I don’t think there is any from the Middle East and that’s a gap – companies are still mainly from the extractive sector and civil society organisations. We work for many of those companies so we apply the principles in our own work and we often advise them specifically on implementation. For example, we refer to the voluntary principles in our own policy which is an initiative that is still going on and it’s important.

From 2003 onwards, the Middle East does not come to centre stage. In the aftermath of the Iraq war, there was a heightened focus on the role of private security not only in Iraq, but I would say, particularly in Iraq. So, Iraq was to some extent the stimulus for a lot that followed alongside the voluntary principles then. In this aspect, the Swiss government played a key role and there were two outcomes. The first was called the Montreux document – Montreux is a town in Switzerland – and again, it was a set of non-binding principles but it was basically about the standards that governments should apply in their engagement with private security companies. The second, which was also brokered by the Swiss government or rather, facilitated by them, was the international code of conduct for private security providers in 2010 and that is specifically for private security providers. It’s a set of standards, which include and indeed focus on human rights.  Again, it’s a multi-stakeholder initiative – governments were involved, private sector companies – including us, were founder signatories – and then there was civil society. There is also the International Code of Conduct Association, commonly known as ICoCA, and its role is to promote the code of conduct and the implementation of it especially, by applying and defining standards that they should follow and indeed, certifying their operations.

[Alessandro Arduino]: Thank you, John. You gave us a broad view of the evolution from the voluntary principles to Montreux and ICoCA. We have been talking a lot about ICoCA and with ICoCA too – Jamie Williamson was in one of our previous podcasts – as well as with the International Stability Operations Association (ISOA) from the US. I understand that Control Risks has been a strong supporter of the ICoCA so why does your organisation choose to adhere to the code?  In your personal opinion, do you think that self-enforcement, rather than multilateral great principle like an international code of conduct, remains the best strategy for regulating the private industry in security and risk management?

[John Bray]: First of all, our involvement – as I said, we were founder members so we were involved in it even before the start of it. Our retired colleague, Erik Wester, and another colleague Chris Anderson who is still with us, were on the board for many years. The ICoCA board stepped down recently but Chris is still involved. For example, just recently, we contributed to an ICoCA webinar on the topic of security and human rights and why is that important? It’s important for us because we have an interest in creating a responsible private security sector. We compete with our peers but we want them to do a good job because if (heaven forbid) there is a scandal, somebody infringes human rights or something goes wrong, then that affects the whole industry.  Therefore, we have a collective interest in the promotion, or rather, the development and expansion of high standards. We think that’s in our interests; our clients’ interests; in the governments’ and of course, in the interests of stakeholders on the ground who are arguably the most important group of all.

That leads on to a broader point about collective initiatives. None of the major problems that I spend a lot of time thinking about – anti-corruption, human rights, the climate – none of those can be solved by single actors or a single set of actors. It’s no longer the government that can do everything. Governments have a central role; we can’t do without governments – I’ll return to this point – but the private sector and civil society also are essential. What does ICoCA mean for us then? Well, we refer to the policy in our policy statements. Our policy statement would say what Control Risks does, regardless of ICoCA but we think that ICoCA reinforces, and to some extent, challenges us to think further. For example, one topic currently under discussion is gender-based violence and the prevention of it. ICoCA is perhaps, prompting us to give more thought to this issue than we would, otherwise. Also, this is particularly with regard to operations in Iraq – we are accredited and certified by ICoCA that we are in accordance with the policy and with the standards that come from the policy. The actual auditing is done by a third party called MSS Global. I was actually surprised in a good way that my colleagues agreed to this certification. I thought they might say why do we need somebody else to certify us when we think we’re the best. We embrace the process, learn from it and get good feedback so we get better every time. This is part of a constant process of evolution – I stress on “evolution” – and it’s important for us. Again, I stress, specifically in Iraq, it’s somewhat a badge of approval and we greatly value it.

[Ameem Lutfi]: If I could get you to elaborate on another set of guiding principles, specifically the United Nations (UN) Guiding Principles on Business and Human Rights, if I’m right, this June marked the 20th anniversary since they came into being. How do the UN Guiding Principles impact both the policy and the practical implementation in the private security sector?

[John Bray]: The UN Guiding Principles are really important. For me, if there is one foundation document in this area, it’s definitely the UN Guiding Principles. It complements the international code of conduct – they really complement and reinforce each other but the UN Guiding Principles is fundamental.  It’s so important because it applies to everyone in all sectors and I mentioned that, among other reasons, that I don’t think we should ever see the security sector in isolation. Basically, we’re service providers for other people and help them solve their problems so the security issues which apply to oil and gas is different from digital services, for example but the principles are actually the same. Another reason why I really value the UN Guiding Principles is that it’s brilliantly drafted. It’s very clear, it doesn’t tell you precisely what you should do in every situation – the new umbrella document can do that – but it gives a set of practical principles which you can apply.  Hence, I view the document and Professor John Ruggie, who drafted it along with others, with immense respect as well as what it says: There are three pillars and they are protect, respect and remediate.

Protect refers to governments having the responsibility to protect human rights. That’s really important because, again as I’ve emphasised, businesses can’t replace governments. It is the government that forms and draws legislation, responsible for enforcing regulation and creating an enabling environment but businesses are responsible for respecting human rights everywhere. Even if there’s no legislation in the country where they’re operating in, they have a global responsibility to respect human rights and remediate when something goes wrong. Governments, businesses and civil society need to find remediation. The UN Guiding Principles points to a variety of possible approaches to remediation. It’s a little bit flexible on how we get it done but the point is that if something goes wrong, we should attend to it. So then, what is the most vital bit of this important document?

For businesses, it’s about impact assessment. Classically, when you think about risk assessment, it’s about the risk to us, the rest of the business: what can bad people do to us? What can they do to our clients?  Do you need to think of terrorists? Impact assessment is turning that around. I should say this isn’t exactly new but it’s the evolution of the consolidation of thinking that was going on before the guiding principles but it’s a  clear consolidation and statement which also takes us forward. It asks: What is human rights due diligence? It’s about the impact on other stakeholders – not just the impact on the business but also that on communities, customers or people who live next to commercial operations, for example. That’s the crucial issue which we need to think about when it comes to human rights impact assessment.

I should say, the guiding principles are from 2011 – ten years ago. The way I often express it is that they set an agenda and there’s been a lot of work on it such as how to apply it in certain sectors – we’re talking about security that ICoCA anticipated but it has also been fulfilling the guiding principles. One other development that is still ongoing is the general trend towards legislation on the need for due diligence. So, for example, Germany is in the process of introducing a legislation – Switzerland and France have already done this – and it is on due diligence, including human rights. The common theme is that companies should engage in due diligence but the trend is such that it’s moving from ‘should’ to ‘must’. In high-risk environments, the trend is that companies must demonstrate that they’ve done this due diligence, which includes human rights impact assessment and security. Again, I’d like to emphasise that this is part of a whole system – none of us work in isolation.

[Alessandro Arduino]: I’d like to follow up on the UN Guiding Principles, whereby you stressed the importance of impact assessment. My question is very straightforward: Why is human rights impact assessment very complicated for businesses with operations in complex environments?  How does a proper risk appraisal, monitoring and mitigation process help in making a difference? If you can possibly frame it with a very specific example, please?

[John Bray]: It’s challenging but I don’t want to say that it’s complicated because the principles are in fact, straightforward. In Iraq, one of our watchwords is “security by consent”. Not only in Iraq, but especially in Iraq, fundamentally, we can’t operate without the consent of local stakeholders which include the government as well as local communities and people. Why is that important? Again, the answers are very clear. We know from international experience, observation; and talking to our clients that if you get this wrong, you have a security that would lead to damaging the security of your environment and in the worst case, might make it impossible to operate at all. In Indonesia, I remember, a while ago, we had a case where local communities were blockading roads to a mine so it couldn’t operate at all as there was no access.  It was presented to us as a security problem but actually, it wasn’t primarily that but it had become one. It was a fairly basic failure in the company’s engagement with local communities because once identified, it wasn’t too difficult to address and restore operations.

You used the word complicated. Why is it so? I think, for us and for complex environments, one of the particular challenges which the guiding principles set is this keyword called “consultation”. That means, it’s important to consult stakeholders before an operation or project takes place and they should emphasise during and after. In one recent project that I can think of, we were talking to a client and in fact, with another consultancy specialising in this area. It was a really interesting project and was specifically about consultation but I’m not going to name the country. It was something that we would have liked to do but we were of the view that we actually couldn’t do it. We couldn’t do it in a meaningful way because this isn’t a highly militarised environment and it would have been impossible to do a meaningful stakeholder consultation with the military breathing over our shoulders, monitoring and basically telling people what to say, whether they liked it or not. So then, again, why is it difficult for us at Control Risks? I want to be clear over here about where our role is: We are consultants; we almost never own projects. We’re advisors to projects, enablers, maybe but we don’t fundamentally own the project. So, we might be involved as outside consultants in that early stage of consultation but typically, we would become involved when the project is already agreed on, designed and up and running. In that respect, our name is Control Risks but we don’t control everything – we’re not owners.

Much of our role in those kinds of situations is less about the initial consultation and more about the ongoing liaison and monitoring. So, coming back to Iraq – and we put a lot of emphasis on community liaison and engagement – we have a whole team which specialises in that. One point that they should make is that, in that kind of environment, not only Iraq but also, for example, Kenya or even Nigeria, the security people are often the public face of the company. I’m downplaying our role because we’re not decisionmakers; we’re advisors but often, we are the people that others see. In Iraq, the situation was somewhat unusual, because we don’t ourselves set up guard forces, but in Iraq, we do and we’re an employer.  That is also part of our engagement so bringing all this together, the impact assessment is really important. It’s something that needs to be done by everyone. We individually do our own assessment before taking on a project; we do our own monitoring while we’re doing a project. In a complex project, we would have specially set up a risk management committee and advise our clients on the ongoing monitoring. So, the principles are simple but the practice is often complicated and it’s never a one-off; it’s constantly evolving because situations are such.

[Ameem Lutfi]: You mentioned the issue of working in a country with the military breathing down your neck and how the government has been recurring in many of the responses you’ve given. I’m wondering if you could give a more concrete answer on how you see the role of the government, or rather, the relationship between Control Risks and government security providers?  How do your clients collaborate and work with these government security agencies – be it the military or the police?

[John Bray]: There are a range of issues. Firstly, reaffirming the guiding principles and the role of government in protecting human rights is essential. That’s maybe an aspirational statement because governments don’t always do this but we should never lose sight of the aspirations. Businesses can never replace government – we can support but we can’t replace them. The second issue stems from “security by consent”. We can never operate in a country without, at bare minimum, the consent of the host government and that again means, in Iraq, we placed a lot of emphasis on compliance with government regulations. We didn’t design the regulations that the government did – we have to comply with them, which we do rigorously. That is an important part of our own business continuity. Our Iraq team is proud of always having a consistent record of business continuity with no interruptions and service compliance is a key aspect of that. This partly comes back to the voluntary principles of security and human rights. Here, our role is more often advisory. We are advising companies on their own engagement rather than doing it ourselves, under our own name. It’s the clients who own this, while we advise. One of the challenges in particular – a cross-cutting one, in fact – is about the responsibilities of companies.

In a complex environment where companies provide the security in their compound and they’re in operation not too far away and government security forces are providing broader regional security, which may include protecting a strategic asset – a big mine or a big oil operation. So, the complexity arises because companies cannot tell government agencies what to do; they cannot tell a sovereign government what to do. They can influence them, establish common understandings and the standard recommendation is for companies to be aligned with government security, in this regard. They should establish a memorandum of understanding which lays down what is expected and when it comes to problem solving, it also lists down what happens when there is a problem.  These are the broad approaches and applying them is a constant ongoing challenge; a lot of work has been done in this area. Perhaps, I could mention DCAF – Geneva Centre for Security Sector Governance, which has been doing really good work on how to tackle these challenges.

[Ameem Lutfi]: If I could now ask you somewhat of a long-winded question that has two parts to it – first is, we had a conversation with a representative from Lloyds Maritime Insurance and they mentioned that one of the emerging trends is taking more proactive approaches to risk reduction. Do you see some elements of that, or even within Control Risks, do you sense more proactive strategies being used to reduce risk? The second part is about post-incident grievance mechanisms. Are there any systems established for locals who might have any issue with a client of yours after they’ve left, to file a grievance or harm report? How do you see both pre-incident and post-incident management and systems developing?

[John Bray]: The first question is, I think, straightforward and it’s absolutely not new. I mentioned that we owe our historic origins to problem solving and crisis response but from there, you very quickly come to crisis prevention. We hope we have helped people – how do they avoid getting into hot soup in the first place? So, from very early on, a major part of our work has had to do with prevention and that leads to everything else that we’ve been talking about. Prevention is not only, or even mainly, about putting up fences; it’s about preventing the grievances which lead to anger and subsequently, hostile reactions. Companies can’t do that single-handedly, of course but they can and should take responsibility for their own operations – that is what all this impact assessment and consultation is about.

Then, on grievance mechanisms, I should say, I am emphasising client ownership. Arguably, there are two tracks: I’m emphasising client ownership but we can’t avoid responsibility for the things that we ourselves might do. Although this may sound minor, from a villager’s point of view, it is not. One of the major impacts from a village perspective of a large project has to do with traffic, vehicles – trucks might be thundering through villages and there is a risk of traffic accidents. This is not a geopolitical issue but it’s a basic local political, community issue. Getting that right is really important but then, what happens if something goes wrong? For our people in Iraq, in anticipation of something that might go wrong – heaven forbid it does but we hope it doesn’t – we have prepared a set of cards, a bit like business cards in Arabic, for example. If there is such an incident, our immediate priorities will be to safeguard our clients.  These cards provide information on who to contact and if there’s a complaint or a concern, we try to address that. We are doing this because we think we should but I should also say, in practice, it is often a client requirement that we should have this sort of grievance mechanism.

We agree on that but point out to them that our grievance mechanism needs to be integrated with theirs – at the very least, on the reporting side and in practice, in the remediation as well because we’re acting on behalf of clients. So again, all this is, I should say, common sense. If, heaven forbid, there is an incident involving somebody who works with Control Risks, that is our responsibility but since we are often the public face of the company, our clients will be affected as well. So of course, we need to tell them straight away and of course, respond together – as they say, this is somewhat of a hot topic: industry associations. I really like how the International Council on Mining and Metals, an association from the mining industry, has excellent guidance on grievance mechanisms and so does ICoCA. We’re constantly aiming for continuous improvement on this topic but most of all, we don’t want to have any incidents. Prevention is most important but responding quickly is also vital.

[Alessandro Arduino]: We’ve come to one of the last few questions. As all the three of us are currently based in Singapore, please allow me to shift the conversation from the Middle East to Singapore. Basically, what is the role of Control Risks here? In our previous podcasts we were also talking about cyber security, protection of critical infrastructure, protection against ransomware etc. In your opinion, is there any growing interest in the cybersecurity realm?

[John Bray]: Here in Singapore, it’s a regional hub where we’re working across the region and we offer the full range of services – there are the political policy analysis, due diligence including integrity due diligence, practical security management and cyber. One observation about the direction in which the world is moving in is that historically, a lot of our work and discussion have been about oil, gas and mining companies but now, increasingly, our work is for tech companies. This results in all sorts of cyber issues for both the tech companies and their clients. In relation to human rights, the single-most important part of our work has probably got to do with digital rights, confidentiality and government regulations. In the sector, more broadly, thinking about this from a policy perspective, it’s the questions about how internet can be misused, for example or by propagating how social media can be misused.

Again, in this sector, more broadly, there are important questions on government surveillance, surveillance of private sector services and how these affect human rights. I don’t want to link that to any one country but it is a thematic issue that is arising in several high-risk jurisdictions – I’m emphasising that because I’m not talking about Singapore but more of the places outside of it and in relation to server security, more narrowly, yes, of course and we are primarily concerned with cyber fraud. We’re concerned with hackers and in some of the more high-profile cybersecurity cases, there may be concerns about government involvement in such incidents – and that’s a much broader topic.

[Ameem Lutfi]: This has been an exciting conversation and to wrap it up, I want to ask you a question that we’ve been asking all of our guests – In the coming 30 years, how do you see the future of risk management evolving in a complex environment?

[John Bray]: It’s a very broad question. Last week, I was asked a similar question but it was not a duration of 30 years; about five years and the word that instantly sprang to my mind was “fragmentation”. So, running with that stream of consciousness about what could happen in the next five years – potentially the next 30 years – we could see a world of increasing fragmentation – here I’m thinking recent events in countries like Afghanistan and Myanmar. What we don’t want to see but could is – heaven forbid – failed states which are places where our kind of clients can’t operate in but they are providing security threats, more broadly.  Using the word fragmentation, you could think of enclaves – enclaves of security. Housing estates which are safe, safe cities, commercial operations which are safe but are surrounded by highly unstable places. So, that’s a rather dire view of what 30 years’ time could look like.

What I hope it would be and what I would like to draw out of this discussion is the opposite – throughout this discussion, I’ve been emphasising collaborative, multi-stakeholder and cross-sector approaches, where security is part of a whole and not simply an independent actor. All of us are connected and in a good way. As an aspiration for how we could take this work stage further – we’ve mentioned risk assessment, impact assessment – I’d like to see more being done in the broader role of conflict sensitivity and conflict impact assessment. So, when large companies invest or when we set up services in a complex environment, we’re not passive actors but instead, we change things. All being well, we bring about change in a good way. However, sometimes, you change things for the worse because you create divisions and jealousy; one part of society benefits but another doesn’t. So, I’d like to hope and wish to be able to contribute more to the work in this area of complex impact assessment and how to avoid negative impact but establish constructive self-reinforcing positive impact. This will give rise to collaboration and not the worst-case scenario of fragmentation, which I mentioned.

[Ameem Lutfi]: Thank you so much, John. I hope that your optimistic outlook comes true. This has been a very enlightening and exciting talk. You have taken us through a very detailed analysis of not just Control Risks but also the risk and security landscapes, in general. Thank you so much for setting aside time for this. Last but not least, I’d also like to thank our listeners who’ve been tuning in diligently. Thank you all.

About the Speakers
Mr John Bray
Risk Consultant and Policy Specialist

Presented by Dr Alessandro Arduino and Dr Ameem Lutfi

Mr John Bray is a risk consultant and policy specialist with more than 35 years of experience. In relation to environmental, social and governance (ESG), his particular areas of expertise include business and human rights, anti-corruption strategies for the private sector and private sector policy issues in conflict-affected areas.
