The French law on the duty of vigilance (French law) was adopted in 2017 as one of the most comprehensive statutes addressing companies’ duty to uphold human rights in a context where there was no equivalent at the European level. It represented a fundamental shift in the regulatory landscape, diverging from traditional reporting laws and calling for a reorientation of businesses’ internal processes. While seven years is still too early to understand the full potential of the law, one can already measure some of its effects. So far, civil society and scholars have focused on the text of the law and its judicial implementation and little research has been done on the impact of the French law on corporate practice. This blog post aims to provide an initial assessment of the transformative effects of the law on corporate structures and on risk management processes in businesses subjected to the law through a case study focused on TotalEnergies, which looks at how its internal structures and processes related to human rights have changed. This assessment is being conducted through a desk analysis of TotalEnergies public reporting on human rights before and after the entry into force of the French law.

Risk management under the duty of vigilance

An appropriate risk mapping under the French law requires measuring many different types of risks and impacts. The challenge is to obtain a complete and comprehensive representation of them. The identification of risks to rights-holders is not as simple as in financial accounting, where currency serves as the unit of measure, or in environmental accounting, where objective measures, such as kg of CO2 emissions, can capture and quantify a company’s environmental impact. Therefore, companies must tailor their risk-management processes to new types of risks they are not used to reporting on or accounting for.

Sherpa, a French NGO specialised in business and human rights issues, released a detailed Vigilance Plan Reference Guidance to help all stakeholders understand the legal requirements and contribute to a proper implementation of the law. It highlights that risk mapping, from the point of view of the NGO, requires a distinct process that must involve stakeholders and be performed continuously to respect the temporal scope of the obligation. The identification of risks must cover the organisational perimeter, which includes the controlled companies, as well as the suppliers and subcontractors; and the substantial perimeter, i.e. the impacts on which vigilance must be exercised. The company should list the human rights it must respect, determine their content and potential breaches in the different countries where the group operates. The same applies to environmental, health, and safety risks.

Companies must think systematically about the various risks they are linked to in order to establish suitable processes and adjust their internal structure accordingly. Seven years after its implementation, the question is: did the French law trigger a shift in the companies’ risk management approach?

How transformative was the duty of vigilance law? The case of TotalEnergies

While the full impact of judicial review on the implementation of the French Duty of Vigilance Law is still unfolding, it is already possible on the basis of the vigilance plans to assess whether the law has triggered a transformation within companies’ internal structures and processes. To evaluate this potential transformation, I analyse TotalEnergies’ governance framework over a six-year period, comparing its 2017 CSR report, formulated before the law, with the 2023 vigilance plan. This comparison focuses on the governance of risk mapping and the organisational structure related to human rights.

In terms of risk identification and mapping, the 2017 vigilance plan relied on consultations with stakeholders and pre-existing risk mapping frameworks. The approach was relatively comprehensive, focusing on environmental, safety, and human rights concerns. However, it heavily depended on traditional environmental and safety audits, standardized risk assessment procedures, and long-standing stakeholder engagement practices, rather than implementing new methodologies. By 2023, the risk mapping process has changed. It now includes continuous updates, sector-specific analyses, and refined tools for prioritising risks. Notably, climate change has become a core component of risk assessment. This shift demonstrates an evolution in the way risks are assessed and prioritized by TotalEnergies, highlighting a more sophisticated risk management framework in 2023.

The scope and coverage of TotalEnergies’ vigilance plans have also expanded. In 2017, the focus was limited to the company’s subsidiaries and select key suppliers, with an emphasis on pre-existing, established commercial relationships. In contrast, the 2023 plan broadens its coverage, incorporating more detailed assessments of both suppliers and subcontractors, especially in high-risk sectors. This expansion reflects a deeper acknowledgement of the company’s responsibility across its entire supply chain, not just within established networks but also accounting for broader impacts. The enhanced scope suggests that TotalEnergies has shifted towards a more comprehensive and accountable approach to risk management despite the narrow focus of the law on the “established commercial relationships”.

Preventive measures and principles of action have also evolved considerably. The 2017 plan focused on adhering to international standards like the UN Global Compact and the OECD guidelines. The measures included regular audits and strict compliance with safety and environmental rules. By 2023, TotalEnergies introduced preventive measures, placing a stronger emphasis on sustainability and environmental protection. The 2023 plan includes specific action initiatives, such as biodiversity conservation efforts and emissions reduction strategies, supported by the One MAESTRO framework, which represents a continuous improvement mechanism. This progression underscores a shift from general compliance to a more rigorous, environmentally focused approach aligned with global sustainability objectives.

The company’s stakeholder engagement and dialogue mechanisms have undergone notable changes as well. In 2017, engagement efforts primarily consisted of workshops and the Stakeholder Relationship Management (SRM+) system, with a strong focus on maintaining relationships with local communities. By 2023, the stakeholder engagement strategy had become more structured and inclusive. The updated plan emphasises the role of local mediators, the establishment of continuous feedback mechanisms, and engagement on pressing issues like climate change and community impact. This evolution seems to signal a more strategic and inclusive approach, suggesting that nowadays TotalEnergies tends to prioritise ongoing dialogue and deeper engagement with a wider array of stakeholders.

When it comes to monitoring, auditing, and remediation, the 2017 vigilance plan relied on standard compliance checks and audits to ensure adherence to established safety and environmental standards. By 2023, monitoring mechanisms had become more comprehensive, featuring regular updates, independent assessments, and collaboration with third-party organisations to evaluate human rights impacts.

Overall, the organisational structure related to human rights has experienced significant shifts. In 2017, TotalEnergies had a Human Rights Steering Committee that played a key role in overseeing human rights matters. This committee was responsible for presenting and reviewing the human rights roadmap with the Executive Committee and integrating human rights considerations across the company’s activities. However, its approach was primarily advisory rather than strategic, and the overall structure for managing human rights risks was somewhat fragmented. The Ethics Committee, while also involved, had a broader focus on ethical governance, with human rights forming just one aspect of its mandate. Various departments, such as human resources, security, and procurement, were tasked with integrating human rights considerations into their functions, but there was no centralised department solely dedicated to human rights risk management.

By 2023, TotalEnergies had made substantial organisational changes, reflecting a more centralized and systematic focus on human rights. A dedicated Human Rights Department was established within the newly created Sustainability and Climate Division. This department now plays a crucial role in supporting the company’s operational teams, managing human rights risks, and implementing action principles specifically related to human rights. The Ethics Committee’s role has also evolved, with a more direct link between human rights governance and ethical oversight. It now reports to the Executive Committee and has a clearer mandate to integrate human rights considerations into the company’s broader policies and practices. Additionally, there is now stronger inter-departmental coordination, with departments like security, procurement, and sustainability working together in a more integrated manner. The responsibilities of the Human Rights Coordination Committee have become more strategic and well-defined, further emphasising the company’s commitment to human rights.

The French law as catalyst for changes in corporate structures and processes

The analysis reveals a transformation in the company’s approach to human rights risk management, after the entry into force of the French Duty of Vigilance Law. Over these six-years, the shift from a fragmented and distributed governance structure to a more centralised and specialised system is evident. The creation of a dedicated Human Rights Department within the newly established Sustainability and Climate Division illustrates a strategic decision to consider human rights as a core element of corporate governance. By embedding human rights more deeply into its operational framework and linking these concerns to its broader sustainability strategy, TotalEnergies has moved toward a more holistic and integrated approach to managing its environmental and social responsibilities. In other words, the adoption of the French law has not led to a superficial “rebranding” of pre-existing CSR mechanisms; but, rather, to substantial organisational and procedural changes inside TotalEnergies. The 2023 plan showcases a more rigorous and proactive engagement with human rights, characterised by enhanced risk assessment tools, expanded supply chain oversight, and structured engagement with stakeholders. Whether these internal changes to the institutional structure and processes of TotalEnergies’ regarding human rights are meaningful in practice for affected stakeholders is another question, which this blog cannot answer.

Can these organisational changes be traced back to the introduction of the French law? This question is difficult to answer decisively, but it is undeniable that the law has been leveraged by civil society organisations to subject TotalEnergies to intense media scrutiny, especially in response to controversial projects like the East African Crude Oil Pipeline. Furthermore, two legal challenges have been brought against TotalEnergies before the French courts on the basis of the Duty of Vigilance Law. All in all, it seems that the adoption of the Law combined with its strategic use by civil society organisations has played a key role as a catalyst for the reshaping of TotalEnergies’ internal processes and structure.