What good looks like: Building an environmental governance programme for ecocide-level scrutiny

The ecocide legal framework raises the bar for what genuine environmental due diligence looks like. Here is a practical framework for boards and management teams assessing whether their current programme is adequate.

Raising the standard

Every governance challenge eventually produces the same practical question: what does good actually look like? For ecocide risk, the answer requires thinking about environmental governance not against the standard of current regulatory compliance but against the standard of what a credible criminal or civil liability defence would require. Those are different standards and the gap between them – for most organisations – is larger than most boards have been told. Regulatory compliance means meeting the minimum requirements of applicable law in the jurisdictions in which you operate. A credible liability defence means being able to demonstrate, with independently verified evidence, that you understood the risks, built appropriate systems to manage them, monitored their effectiveness and acted on what the evidence showed.

The foundation: ISO 14001

The foundation of any adequate environmental governance programme at this level of scrutiny is an independently certified environmental management system. ISO 14001 – the international standard for environmental management systems – provides the structural framework for identifying environmental aspects and impacts, assessing associated risks and opportunities, establishing objectives and controls, monitoring performance and driving continuous improvement. Certification to ISO 14001 requires independent third-party audit against the standard's requirements, creating a contemporaneous record of the organisation's environmental management approach that has been verified by a qualified external party.

Certification to ISO 14001 does not guarantee the absence of environmental harm – no management system standard does. What it creates is the documented, independently audited evidence that the organisation has built a systematic approach to identifying and managing the risks. In a criminal or civil liability context, the difference between a certified management system and an internally managed approach is the difference between documented due diligence and self-attestation. Courts, regulators and opposing counsel understand this distinction, and it is not a minor one.

It is worth noting that ISO 14001 certification alone, while necessary, may not be sufficient against ecocide-level scrutiny. The standard requires that an organisation identify its significant environmental aspects and manage them appropriately – but the definition of 'appropriate' is calibrated to current regulatory requirements and stakeholder expectations, not to criminal liability thresholds. Boards should ensure that their environmental management programme goes beyond certification compliance to address the specific risk areas most exposed to ecocide frameworks: ecosystem destruction, biodiversity impact and supply chain traceability.

Nature and biodiversity: the TNFD framework

The emerging nature accountability frameworks – particularly TNFD, CSRD and the Kunming-Montreal Global Biodiversity Framework targets – all converge on a requirement for credible, verifiable data about a company's relationship with the natural world. The TNFD framework, published in 2023, provides the first comprehensive structure for companies to assess, manage and disclose nature-related risks and opportunities. It uses a LEAP methodology – Locate, Evaluate, Assess and Prepare – that takes companies through the process of identifying their interface with nature, evaluating their dependencies and impacts on natural systems, assessing the material risks and opportunities that flow from those dependencies and impacts, and preparing governance and strategy responses.

Completing a rigorous TNFD assessment is not simply a disclosure exercise. It is an operational process that forces an organisation to genuinely understand where and how its activities interact with living ecosystems. For many companies, that process surfaces risks that were not visible in standard environmental management system scope. It also produces the substantive evidence of nature-related risk understanding that is increasingly expected by investors, insurers and – in the ecocide context – by courts assessing whether a company was aware of the risks its activities posed to ecosystems.

Assurance standards and what they mean

The standard of assurance over environmental and sustainability disclosure matters significantly, and the distinctions between different levels and types of assurance are not widely understood outside the professional services community. 'Limited assurance' – the most common form currently applied to sustainability reports – involves primarily enquiry and analytical procedures. The assurer obtains evidence that nothing has come to their attention that indicates the information is materially misstated. 'Reasonable assurance' – the standard applied to financial audit – involves more extensive evidence-gathering, including testing of underlying data and systems, and provides a positive conclusion that the information presents fairly in all material respects.[1]

The difference between these two levels of assurance is the difference between a cursory review and a genuine deep-dive into the quality of underlying data and systems. In a litigation or enforcement context, the level and scope of assurance applied to a company's environmental disclosures will be examined critically. An assurance report that covers only scope 1 and 2 greenhouse gas emissions, using limited assurance procedures and issued by a provider with limited environmental expertise, does very little to establish the credibility of a company's broader environmental performance claims.

Supply chain audit and traceability

The third pillar of an adequate programme is supply chain due diligence that goes beyond self-declaration. As Hausfeld noted in its 2025 analysis of climate litigation developments: 'corporate compliance with climate obligations has remained a key focus, with courts across Europe, the United States and Australia continuing to scrutinise companies' contributions to greenhouse gas emissions and taking an increasingly critical eye to climate-based greenwashing.' The same scrutiny is being applied to environmental performance more broadly.[2]

Verified supply chain due diligence requires audited evidence of supplier environmental performance against defined standards – not supplier questionnaires, not contractual warranty clauses and not periodic site visits by the procurement team. The EU Deforestation Regulation has set the bar at traceability to the plot of land of origin for specific high-risk commodities. The ecocide framework is setting the bar at knowing whether any activity in your value chain could be characterised as causing widespread, long-lasting, or irreversible environmental damage. Neither of those standards is met by existing supply chain management practices in most large organisations.

Disclosure quality and legal defensibility

The fourth pillar is disclosure quality. Norton Rose Fulbright has highlighted in its climate litigation analysis that 'the question of whether downstream or Scope 3 emissions from fossil fuel projects must be considered by decision-makers came into sharper focus in 2024, with courts increasingly insisting on more rigorous scrutiny for high-emission projects.' The same trajectory applies to nature and biodiversity – the claims a company makes about its environmental performance are not just stakeholder communications. They are potential evidence.[3]

Boards should be asking their assurance providers not just whether they can issue a report, but whether the assurance they are providing would withstand the scrutiny of a regulator, a court, or an opposing expert witness. That is a higher bar than most current assurance engagements are designed to meet. It is, however, the bar that the emerging legal environment is setting. The organisations that build their environmental governance to this standard are not just managing risk. They are building a genuine competitive and legal position that will become more valuable as the regulatory environment continues to tighten.

The organisations best positioned for the legal environment being created by ecocide law, climate liability litigation and nature accountability frameworks are not necessarily the ones with the most sophisticated sustainability strategies. They are the ones with the most rigorous governance – the ones that have built independently verified, well-documented, continuously improving environmental management programmes and that can demonstrate, with evidence rather than assertion, that the risks were known, were taken seriously and were actively managed. That is what good looks like. And it is increasingly what the law requires.


References

[1] UCLA Law Promise Institute Europe / Ecocide Law Advisory, 'Working Group on National Criminalization of Ecocide' (2025). https://www.promiseeurope.law.ucla.edu/ecocide-law-advisory

[2] Hausfeld, 'Summer Review: A Watershed Moment for Climate Litigation' (26 August 2025). https://www.hausfeld.com/what-we-think/perspectives-blogs/summer-review-a-watershed-moment-for-climate-litigation

[3] Norton Rose Fulbright, 'Climate Change Litigation Update' (July 2025). https://www.nortonrosefulbright.com/en/knowledge/publications/674162d1/climate-change-litigation-update-july-2025
