Kharkiv, Ukraine, March 2022. A Nordic technology company has 200 people employed at a software development studio. The board convenes an emergency meeting. The immediate questions are operational: how do we ensure staff safety? How do we maintain business continuity?
But beneath these important issues sits a harder one: what is expected of us when we have operations and value chains in a zone of armed conflict? What are the legal and reputational ramifications if we get it wrong?
Ukraine is far from the only example. Companies sourcing minerals from the Democratic Republic of Congo—including cobalt and coltan that sit in the supply chains of virtually every major technology company—have faced the same governance questions for decades, in a lower-profile conflict that rarely makes European headlines. Fewer still recognise that the same expectations apply to companies operating in or sourcing from occupied territories. More companies than most boards realise have sourcing relationships in the Occupied Palestinian Territories.
It is not inherently illegal or wrong to operate in politically contested jurisdictions or conflict areas. But the complexities they present make for tough governance challenges.
Avoiding a Governance Gap
More foresight in such contexts will help companies avoid a governance gap if and when a crisis hits. Here are four key questions boards should ask—and legal, corporate risk, and sustainability teams should be able to answer:
- Do we have a robust, dynamic risk management system capable of capturing escalating conflict scenarios in markets where we operate or source?
Six weeks before Russia’s full-scale invasion of Ukraine in February 2022, interstate armed conflict did not appear as a near-term priority risk in the World Economic Forum’s annual Global Risks Report. The world’s most senior business and risk leaders, surveyed in late 2021, did not flag interstate armed conflict as a near-term priority. Equity market research suggests markets had in fact begun pricing in the conflict at least fifty days before the invasion. Nonetheless, few companies had governance frameworks in place that would allow them to respond to armed conflict as a legal and human rights governance question—which is a board-level responsibility.
- Does our risk system integrate geopolitics, conflict, and human rights alike?
Among companies that do have such risk frameworks, few have integrated them with their human rights due diligence processes — meaning that when conflict escalates, the people tracking geopolitical risk engage with those who can assess what it means for workers, communities, and rightsholders on the ground.
- Is it clear to us what the UNGPs and legal obligations require in conflict situations?
Even companies with mature due diligence processes may not have fully worked through what the UN Guiding Principles on Business and Human Rights (UNGPs)—and legally binding frameworks—specifically require in conflict-affected contexts, and what is at stake if those requirements are not met.
- Do our due diligence processes and governance systems enable us to effectively address human rights risks and impacts—in line with these frameworks?
The human rights due diligence methodology in the UNGPs is risk-based. Conflict is always high-risk, and there are specific expectations of conduct, governance, and transparency in situations of armed conflict.
What the UNGPs and Legal Frameworks Actually Say
The corporate responsibility to respect human rights was established as a global standard with the unanimous endorsement of the UNGPs by the UN Human Rights Council in 2011. This standard has been widely understood—and is the basis for the EU Corporate Sustainability Due Diligence Directive (CSDDD).
What is less widely understood is that in situations of armed conflict, including occupied territories, companies are expected to extend the scope of their due diligence to also include relevant standards of International Humanitarian Law. In other words, this is not a separate obligation layered on top of the UNGPs, but an extension of how they apply in conflict-affected contexts. Relevant parts of the Geneva Conventions, their Additional Protocols, and related International Humanitarian Law standards become part of the framework for companies’ human rights responsibility when they operate in or source from these areas.
In addition, there are heightened expectations with respect to governance, due diligence and transparency.
This matters enormously for boards. It means the question is not only “are we complying with our responsibility to respect?” or even “are we meeting our CSDDD due diligence obligations?” It is: “do we understand what responsible conduct looks like when our operations or value chains are present in areas of armed conflict, and are we governing that question at the right level, in the right way and at the right time?”
For most companies, the honest answer is no. Not because of bad intent, but because internal processes for proactively assessing and governing these risks have not been calibrated for conflict-affected contexts.
When Things Go Wrong: The Cost of Inadequate Governance
Following the February 2021 military coup in Myanmar, Telenor faced an acute governance crisis: how to operate responsibly under a regime engaged in systematic violence, and ultimately how to exit the market without making things worse? In December 2025, the Norwegian National Contact Point for Responsible Business Conduct issued its final statement on Telenor’s exit from Myanmar.
The NCP concluded that Telenor had not carried out human rights due diligence commensurate with the severity and likelihood of the adverse impacts. It also found that the company’s risk assessments had not encompassed the possibility of full military rule and corresponding responsible exit scenarios.
In October 2025, Myanmar victims and civil society organisations formally notified Telenor of their intention to file a lawsuit in Norway in connection with the company’s disclosure of customer data to the military junta. According to a published account of the notification, available at somo.nl, the intended proceedings allege that the data was used to track, detain, torture, and in some cases kill political opponents and human rights defenders. They further allege that Telenor’s management and board were likely fully informed of the decisions taken. The formal lawsuit had not yet been filed at the time of writing.
What makes this case instructive—regardless of its ultimate legal outcome—is the structural governance failure identified by the NCP. It found that Telenor’s risk assessments had not modelled a full military takeover as a scenario requiring pre-planned human rights responses. Such a governance gap would not be unique to Telenor. It is common.
At the far end of the legal risk spectrum, corporate leaders can even face allegations of personal criminal liability for complicity in war crimes. Two former executives of Swedish oil company Lundin Energy are currently standing trial at Stockholm District Court for alleged complicity in war crimes in Sudan.
The outcome of the trial is not the point: the point is that the legal and reputational risks are real and considerable—and can be mitigated if adequate risk management systems and human rights due diligence processes are aligned.
The Hardest Question: Stay or Leave?
When a company operates in a zone of active armed conflict, or under a regime engaged in systematic repression, the question often becomes: do we stay or do we leave?
If you stay, you must be prepared to accept that leverage over perpetrators of violence is often limited or non-existent. The ability to engage with affected stakeholders, prevent or mitigate harm—even with the best due diligence—will often be constrained by realities on the ground that no governance framework can fully address. Providing remedy—now a potential legal obligation under CSDDD—is harder still.
The UNGPs are clear-eyed about this: they do not expect companies to achieve perfect outcomes in conflict contexts. They do, however, expect companies to engage early with the real risks, use available leverage, and be honest about what they can and cannot do.
If you leave, the UNGPs—and the CSDDD—make clear that exit, or suspension of a business relation, must itself be responsible. An exit that abandons workers, leaves communities exposed, or transfers assets and data to parties that will use them to cause harm can itself constitute a failure of the corporate responsibility to respect human rights.
The Telenor case appears, among other things, to be a case about exit governance. TotalEnergies in Myanmar, and dozens of European companies facing exit decisions in Russia after February 2022, all navigated versions of the same dilemma with varying degrees of governance rigour.
Neither staying nor leaving is inherently right. What matters is that the decision is made with adequate due diligence, meaningful engagement with affected stakeholders—often difficult to pursue while maintaining the safety of those involved—and proper governance oversight of the rationale and the risks, to both people and the company.
A key insight from my own advisory work is that the quality of decision-making in a crisis is largely determined by the quality of preparation before the crisis arrives.
Companies that map their conflict exposure and model realistic deterioration scenarios early have more options when situations escalate. Russia invaded parts of Ukraine in 2014—eight years before the full-scale invasion. The warning signs were not hidden, neither about Putin’s intentions towards Ukraine nor about his willingness to suppress his own people. Yet many companies were caught off guard.
This is precisely why the UNGPs expect companies to conduct risk assessments early and update them as the operating context changes—because early action consistently reduces risk to people, and by extension, to the company. The UNGPs Interpretive Guide (2012) remains as relevant as ever as a guide to what responsible decision-making looks like when there are no clean options.
What Good Governance Looks Like
The companies that have proven most effective in navigating conflict-affected contexts share several characteristics:
- They have integrated their risk management and human rights due diligence processes, so that conflict escalation automatically triggers a human rights or humanitarian law lens—not just a legal, financial, or operational one.
- They understand that conflict-affected and high-risk areas require enhanced frequency and depth of assessment applying the methodology in the UNGPs.
- Their boards receive specific, actionable information about operations, sourcing, and sales in high-risk geographies–not aggregate sustainability risk reports that mask the detail.
- They have thought through, in advance, what responsible presence and responsible exit would look like in the jurisdictions where they operate—as a governance scenario the board has actually considered, not as a theoretical exercise.
- They have proactively negotiated contract language that gives them the freedom to act as necessary.
This is not beyond reach. It requires legal, risk, and sustainability teams to work together rather than in parallel. It requires boards to ask harder questions about the geographies and realities for people behind the strategies and deals they approve. And it requires companies to treat the UNGPs as a genuine governance tool—one designed precisely for situations like these.
A Final Thought
In 2004, I wrote my LLM dissertation at LSE on the legal responsibility of companies under International Humanitarian Law. At the time, the question felt intellectually important, but not yet urgent for most boardrooms. The UNGPs did not yet exist. CSDDD was two decades away. The idea that boards would one day be legally required to govern human rights due diligence in conflict-affected areas was not mainstream.
It is now.
The question is whether governance practice has caught up with the law—and whether boards, their legal counsel, and their sustainability teams are working together to close that gap before the next emergency meeting is called.
Malin Helgesen is the founder of Rights Advisory and a corporate lawyer specialising in sustainability governance and human rights due diligence. Before founding Rights Advisory, she spent years as lead counsel for human rights at Equinor, advising the board and senior leadership on human rights strategy and governance across the company’s global operations—focused on conflict-affected and high-risk areas. She works with large corporations on business and human rights strategy, CSDDD implementation, and governance integration.
