Navigating Conflict-Affected and High-Risk Areas
Reflections on NAVIGATING CHANGE session: Perspectives on Navigating Conflict Affected, High Risk Areas
According to attendees at this year’s World Economic Forum, escalating armed conflict is the single most urgent threat facing the world in 2025. Despite fragile ceasefire agreements and vaunted peace plans, armed conflicts continue to rage in Ukraine, Gaza, Lebanon, Sudan, Myanmar, and now the eastern DRC – and the list goes on. In each of these arenas, there is a heightened risk of gross human rights abuses being committed.
This post examines how companies operating in these and other conflict-affected and high-risk areas (CAHRAs) should respond to this risk.
International standards and best practice on enhanced HRDD
Companies operating in CAHRAs are expected, and in some (limited) circumstances, required, to conduct enhanced due diligence. The OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from CAHRAs (link here), Voluntary Principles on Security and Human Rights (link here), and the Responsible Security Association ICoCA HRIA Guidance (link here) all provide a useful starting point for companies looking to meet these standards.
Across sectors, there are examples of good practice by companies operating in CAHRAs. On downstream impacts, a number of telcos have mainstreamed enhanced human rights due diligence into their operational policies and practices and adopted, through multi-stakeholder initiatives such as the Global Network Initiative (link here), industry-wide standards relating to network shutdowns. This provides a real-world illustration of what it means in practice to respect human rights to the greatest extent possible where the domestic context renders it impossible to meet the responsibility in full (UNGP 23). For shared learnings informed by its experience in Myanmar preceding and following the coup in 2021, in 2023 the telco Telenor established a Human Rights Expert Forum to explore dilemmas in this context. A summary report is available here.
On the circumstances in which it becomes impossible to exercise leverage, and a responsible exit must be considered, there are also important lessons to be learned from the telco sector. Patrik Hiselius, Telenor’s human rights expert and representative in the Global Network Initiative, points to the fact that Telenor’s forced exit from Myanmar was driven by the actions of the military regime, including significant pressure to activate sanctioned lawful intercept, which made it impossible for Telenor to stay in the country.
Businesses that choose to keep operating in CAHRAs have also had to improve their due diligence processes when deciding on their security arrangements in-country. Jamie Williamson, ICoCA Executive Director and IHL Expert, explains that where reliance on public security forces becomes problematic due to ongoing hostilities and tensions, businesses will have to turn to private security, in-house or contracted, to protect personnel and facilities. As a result, in many conflict and other high-risk environments, a growing number of multi-national corporations, including TotalEnergies, ABB, PMI, Barrick Gold, Glencore, and BP, are now working closely with ICoCA to vet and monitor their private security providers.
Jamie Williamson also notes that in contexts where businesses put in place more robust due diligence processes for their security providers, this can also contribute to an amelioration of human rights issues in the security industry in-country. Business actors, as clients, can in effect drive local security providers to operate to internationally recognised human rights standards, thereby lessening the overall risk of human rights abuses in CAHRAs.
A tangled web of legal risk
These examples provide good illustrations of how companies can meet international standards designed to apply in CAHRAs. However, legal liability for a failure to meet these standards is a relatively new and rare phenomenon.
It may arise where a company is subject to mandatory human rights due diligence legislation (for example where it is within the scope of the existing Norwegian, German or French Acts), or where a company faces mandatory reporting requirements and fails to provide adequate or accurate information about its due diligence processes. Nevertheless, for many companies, the risk of failing to conduct adequate due diligence remains non-legal.
However, that is not the whole picture. Legal risk for involvement in an adverse human rights impact in a CAHRA is complex and multifaceted. Companies and their executives may face criminal liability for proceeds of crime offences under domestic law associated with their products. Payments by companies to actors involved in armed conflicts (for example for security or through the payment to authorities of royalties or taxation) could give rise to liability for sanctions or anti-terrorism offences. In extreme cases, company executives could face the risk of prosecution for individual complicity in crimes under international law (such as war crimes or crimes against humanity) perpetrated by armed forces, militia or private security. Companies also face the prospect of civil litigation, particularly in common law jurisdictions such as the UK and Canada where the courts have taken a relatively permissive approach to extra-territorial jurisdiction and litigation funding.
These mechanisms were not originally designed to provide for corporate accountability for adverse human rights impacts in CAHRAs. But they have been developed and adapted to do so. And this has resulted in a tangled web of standards, not all of which are aligned with the international standards governing enhanced due diligence in a CAHRA. For example, an approach which ensures that a company’s board has full visibility on the operational context in a CAHRA may help to demonstrate alignment with international due diligence standards. However, it could also be used as a basis to fix executives with the necessary knowledge to substantiate a criminal charge, or as evidence relevant to the existence of a duty of care under common law.
Separately, companies that decide to terminate a contract or exit a CAHRA on the basis that it is not realistically possible to exercise the necessary leverage through their business relationships will often face legal and commercial consequences (e.g. for wrongful termination or breach of contract).
Untangling the web
It can be difficult for companies operating in CAHRAs to untangle this complex web of legal risks and plot a sensible way forward. The following suggestions draw on practical experience and may offer some assistance (both to companies and home governments seeking to provide a coherent, UNGP aligned approach to business operations in CAHRAs).
Businesses operating in CAHRAs should take a holistic approach to risk. While a “head in the sand” approach may provide a last line of defence in certain, specific legal contexts, by the point this becomes relevant, significant harm will already have been inflicted. On balance, the most effective means of managing legal (not to mention reputational) risk associated with operating in a CAHRA will usually be to know enough to adopt preventative measures to minimise the risk of an adverse impact arising in the first place. Where this fails, adherence to international due diligence standards will not provide a safe harbour. However, it can limit various forms of legal and reputational risk.
Companies operating in CAHRAs (or with supply chain or downstream exposure to CAHRAs) should give due prominence to human rights risks and violations of international humanitarian law associated with security (including State security forces and private security contractors) when conducting their prioritisation or salience exercises.
For Jamie Williamson, despite the critical role of private security in CAHRAs, there was still a tendency by many businesses to overlook and not fully evaluate the risks and liabilities associated with the use of sub-standard private security. His three recommendations are:
- Irrespective of the 'Omnibus' discussions on the Corporate Sustainability Due Diligence Directive (CSDDD), Corporate Sustainability Reporting Directive (CSRD) and other evolving regulatory developments, businesses must ensure security providers uphold international standards, as incorporated into the International Code of Conduct for Private Security Service Providers.
- Law firms working with clients on Risk and Compliance would be well advised to incorporate a review of risks and mitigators related to the use of private security in supply chains.
- Private security providers should also seek legal advice before taking contracts in high-risk contexts to avoid inadvertently becoming complicit in gross human rights abuses or participating in hostilities.
For him, it is more cost-effective and legally prudent to mitigate risks in the use of private security than to face legal, financial and reputational harm when something goes wrong.
Governments also play a critical role, and businesses operating in CAHRAs should seek to engage in dialogue with their home governments on these issues. Vicky Bowman, former UK diplomat, and Director of Myanmar Centre for Responsible Business, an initiative funded by six European governments that operated in Myanmar between 2013 and 2023, suggests that one request companies could make to their home governments is for development aid and diplomacy to be directed towards initiatives which address the three types of “challenging context” identified by the UNOHCHR in their 2023 paper on Business and Human Rights in Challenging Contexts (link here), namely:
- Where the human rights situation is particularly grave, for instance due to conflict, political turmoil and/or systematic violations of rights;
- Where national laws or regulations require actions that would be inconsistent with internationally recognised human rights standards; or
- Where national laws or regulations offer a level of human rights protection that falls short of internationally recognised human rights standards.
Governments should seek to ensure policy coherence, including by providing clear guidance to companies on the risks and expectations associated with operating in specific CAHRAs. Where a government determines that the risk to rightsholders associated with continued operations in a certain sector and/or geography is so extreme as to be unmanageable, an option is to introduce targeted sanctions (as the UK, EU, US and others did in relation to certain sectors of the Russian economy in response to the invasion of Ukraine). This at least provides a measure of certainty to businesses and may (depending on how their contracts are drafted) provide some relief from legal risks associated with breach or wrongful termination.