
    A new AICD practice statement will help directors deal with a growing number of non-financial risks and compliance responsibilities. 


    Are directors facing a growing burden of oversight? Section 180 of the Corporations Act 2001 (Cth) outlines the duty of care and diligence required of directors and officers of a corporation. Regulators have pulled sharper focus on whether directors are adequately discharging their duty in relation to the growing number of non-financial risks, from work health and safety, employee entitlements, cybersecurity, data protection and AI to anti-money laundering, and anti-bribery and corruption laws. Many companies must also comply with regulation concerning sustainability, such as reporting on climate risks, emissions profiles, supply chain modern slavery risks, the gender pay gap and preventing workplace sexual harassment.

    To help directors get to grips with these responsibilities, the AICD commissioned barristers Michael Hodge KC and Sonia Tame to examine the application of directors’ duty of care and diligence in overseeing non-financial risks. Their advice is the basis of new AICD practice statement Directors’ oversight of company compliance obligations.

    The practice statement provides practical guidance for directors on discharging their duty of care and diligence effectively. It outlines the importance of understanding both the commercial fundamentals and key regulatory requirements, while not requiring directors to have expert knowledge. There are a number of potential “red flags” identified for directors to note, such as gaps in reporting, unresolved internal control deficiencies and increasing policy exceptions that may signal compliance issues requiring further inquiry or action.

    The guidance also covers effective director monitoring and oversight, including critical engagement with management reports, clear accountability for risk management, and regular compliance reporting. It highlights the importance of board minutes in documenting directors’ involvement in compliance discussions and provides guidance on when reliance on advice from management or external experts is appropriate, emphasising the need for independent assessment of that advice.

    “A non-executive director should not be expected to get down to the minutiae of every risk, but rather be in a position to effectively monitor how management is dealing with relevant risks,” says Tame. “This could involve regular reports from management, discussions to constructively challenge or assess the information provided to the board, and seeking further information and advice where warranted. However, finding time to do this meaningfully can be a challenge.” 

    Identifying risk

    Directors need to understand risks to the organisation and the scale of each threat.

    “Risks have more than one dimension,” says Hodge. “Some have a low probability but, if they were to manifest, the consequences would be catastrophic. Others might have higher probability but a less significant impact. These are things directors need to think about. In large companies, you’d expect the risk committee to be overseeing, identifying and assessing risks to assist the board.”

    Along with the commercial fundamentals of the company’s business, directors must also understand key compliance obligations and risks. This doesn’t mean they must have detailed knowledge of the relevant regulation — although Tame does advise anyone joining a board to make understanding risk a priority.

    “You need to be in a position to make a critical assessment of any information that comes to you about risks and ask relevant questions,” she says. “For that, you need to be very familiar with the environment in which the company operates.”

    ESG can be a particularly thorny area. Australian companies are now expected to achieve standards that were unknown two generations ago. And, once again, cutting through the complexity starts with identifying your own particular risks.

    “If a major risk is environmental, for example, you need to understand what’s involved with that,” says Tame. “It’s a question of balancing the seriousness of the potential harm against the likelihood that it will occur, the expense and difficulty of taking alleviating action, and also considering the countervailing benefits to the company of taking the risk. That’s what shareholders looking for value would expect you to do — and it’s also what the court will look at if a risk materialises and you’re being judged on whether you could and should have done more to prevent it.”

    Hodge reminds directors that they aren’t guarantors of the performance of the company.

    “If a risk manifests for the company, it doesn’t automatically mean directors have breached their duty. However, it might indicate that the directors weren’t adequately overseeing and managing the risks, and a different director, acting reasonably, would have done more to avoid the breach.”

    He also cautions that once an event is viewed with hindsight, it can appear clearly inevitable. “The danger here is that hindsight will result in directors ending up being treated as guarantors of the performance of the company because it looks as though they could have prevented the event. In fact, they may have been doing the best they could with the information they had, the risk was not apparent, or the degree of risk was not apparent at that time.”


    Stay informed

    Tame believes directors can benefit by paying attention to information outside their board packs. “It’s important to stay generally aware of what’s happening in the market. For example, a few years ago, you might have been reading about cyber threats. If that prompted you to make inquiries about how your organisation was managing cybersecurity and led to it ramping up its cybersecurity position, you might have helped to avert a huge risk from materialising. Generative AI is something else many directors are likely to need to know about. The AICD has useful information on governance in these areas.” While there are several ways for a director to breach their duty of care and diligence, a reasonable approach can mitigate them all.

    “Ultimately, directors are expected to behave like a hypothetical reasonable director in their position,” says Hodge. “When it comes to risks, you need to be engaged, pay attention, be prepared to ask questions, think about the risks the company is facing and help to ensure those risks are being adequately managed. It’s easy to say, but it requires work, thought and a willingness to be active and alert.” 

    Director viewpoint

    David Gonski AC FAICDLife and Ilana Atlas AO MAICD on the new opinion’s key takeaways and the future of the corporate governance landscape. As told to Laura Bacon GAICD 

    Fundamentals

    DG: The first thing I took from the practice note is that we must be more than just familiar with the business fundamentals of the operations and entities on whose boards we serve. We need to understand the regulation, although we are not responsible for all regulatory matters, nor are we there to indemnify the company fully. You can do your job and still encounter issues with the company. However, it requires understanding and a lot of questioning.

    IA: The law and the duties of directors haven’t changed, but what has clearly changed is the complexity of the role. There’s been an explosion of regulatory requirements, increased operational risks and a deeper understanding of conduct risks. All this adds to the complexity of discharging our duties. Another significant change is the heightened scrutiny directors face, whether from regulators, the media or other external stakeholders. This scrutiny can have serious consequences. The opinion is a timely reminder of what it takes for directors to fulfil their duties effectively.

    Individuals and the group

    DG: I also took from it that while we are viewed collectively, we are assessed individually. A director’s obligations may differ, depending on their role, but this does not mean a director can delegate responsibility or ignore issues. Directors have an obligation to question and must be seen to be doing so.

    IA: One important takeaway from the practice note is that directors have individual duties, which is something they must always keep in mind. While decisions are made collectively, liability is individual. Directors need to be conscious of their knowledge, their role in the company and how long they’ve been on the board to understand their personal liability. This is particularly relevant for those in specific roles, such as committee members and the chair, who often have more knowledge and responsibility than others.

    Monitoring compliance in practice

    DG: A good director questions, but doesn’t try to run the company. They seek answers, analyse the situation and, if things are in order, do not interfere just to appear tough or contributory. However, if issues arise, the director must raise concerns, seek further advice if necessary, and continue questioning. Even when advice is received, it must still be scrutinised.

    IA: Directors must not only understand the business, but must also have a clear view of the processes and systems that underpin it from a risk perspective.

    It’s crucial to deeply understand the business culture. In large, complex organisations, it’s impossible to know everything, but having confidence in the culture — knowing that people are doing the right thing — is fundamental to ensuring directors can satisfy their obligations.

    When you notice a risk or red flag

    DG: When I notice a risk, the first step is to ask those managing the issue. If I’m not satisfied with the answers, I raise it with the chair or the board. If still not satisfied, I seek further advice or investigation. Ultimately, you must take action unless you are completely reassured.

    IA: When a director identifies a significant issue that could result in foreseeable harm, it’s important to speak with colleagues and other directors, as multiple perspectives can help solve a problem. Directors need to ask management lots of questions to gather as much information as possible. Sometimes, it is necessary to get external advice, and directors must persist until the issue is fully resolved.

    Advice for chairs

    DG: A board chair is primarily responsible for managing the flow of information. When reviewing the agenda, the chair should think about what’s missing and what the board needs to know. The chair should regularly speak with the CEO, ensuring all relevant information reaches the board and addressing any concerns. Above all, the chair ensures that directors are given the opportunity to ask questions and receive answers.

    IA: The role of the chair is well-described in the opinion and is a valuable resource for understanding the breadth of their responsibility. The chair plays a key role in ensuring adequate information flows and that meetings allow sufficient time for discussion.

    A constructive, transparent and trusting relationship with the CEO is crucial for addressing issues and ensuring the board has the information needed to manage operational and non-financial risks effectively. 

    This article first appeared under the headline ‘Easing the Burden’ in the November 2024 issue of Company Director magazine.
