Tackling the difficult issues

An edited extract from Mark Rigotti’s address at the 2023 Australian Governance Summit. 

AGL chair Patricia McKenzie FAICD said in her keynote Australian Governance Summit address, “As a director, if you shy away from the difficult issues, you shy away from opportunities to make a difference.”

It begs the question, what does opportunity mean for your AICD? It means that we will move forward confidently to strengthen and grow the organisation — amplifying one of our most important roles, which is advocating for a regulatory environment that allows directors and their organisations to thrive in a rapidly evolving environment.

Our policy team is active on a number of issues, chief among them mandatory climate reporting, cybersecurity and the impacts for directors flowing from ASIC’s proceedings against the Star Entertainment Group board.

The forthcoming introduction of a mandatory climate reporting framework is a critical step forward for our nation in combating climate change, an accomplishment for furthering our purpose to better society and a win for directors. The AICD fully supports the government’s plans for mandatory climate reporting. Time is of the essence and we need a reporting framework that facilitates high-quality disclosures to support the achievement of Australia’s climate change goals.

Directors want clarity so that their organisations can move forward with confidence. An important step in achieving this outcome will be to tailor liability settings to create an environment where directors feel comfortable to make fulsome disclosure without undue fear of litigation risk.

Directors in Australia are not operating in an environment where there are appropriate protections for disclosures with some forward- looking element, and which are inherently made with limited knowledge, a notable difference to our overseas counterparts.

It’s important to note that directors don’t have a crystal ball and can’t be held to an unreasonable standard. Regulatory and regulator settings need to focus on punishing bad actors and giving clarity to the rest of the market of what is expected of them. We are advocating for safe harbours and allowing court actions to be left to the experts at ASIC rather than open-slather private litigation.

Building cyber resilience

Cybersecurity continues to be the number- one issue keeping directors awake at night, according to AICD’s most recent Director Sentiment Index. I’m incredibly proud of the resources the AICD have released on this issue, including our Cyber Security Governance Principles, which we released in partnership with the Cyber Security Cooperative Research Centre. Collectively, there have been more than 15,000 unique downloads of these resources.

An opportunity exists for industry to be a genuine partner with the government in driving a “Team Australia” agenda to build cyber resilience. The enemy is not the companies and boards which suffer cyberattacks. Rather, the enemy is the threat actors who mount these cyberattacks and data thefts. Also, the speed at which the cybersecurity threat has been evolving makes a “big stick” regulatory regime counterproductive. I am not convinced that imposing large penalties for directors of organisations suffering data theft is productive or conducive to collaborative behaviours to fight a common enemy. When incidents occur, organisations and their directors should feel protected to share information with regulators, to assist in the response and recovery phases. That includes disclosure without concern that the information will subsequently be used in enforcement action.

Clarifying legal responsibilities on cybersecurity is also essential, as organisations which have experienced a serious incident will concur that overlapping and unclear regulator roles have impeded their ability to appropriately respond. Recent announcements suggest improvements on this front.

Oversight is key

Finally, ASIC’s decision to take enforcement action against the board and executives of Star Entertainment is on our minds. Make no mistake, an action like this makes every board sit up and take notice. It’s a significant and complex case, and boards and their advisers will be looking closely at the implications for their organisation.

To me, directors set the cultural tone for the organisation — it is a role of oversight. Yet it must be active oversight, featuring regular, constructive challenges and asking the right questions. Broadly speaking, Star reminds us that directors should be aware of key risks, including non-financial risks, and should continually probe how those risks are being managed.

While we remain focused on these key issues for directors, I would emphasise that there is an accumulation effect occurring. While one straw doesn’t break the camel’s back in terms of new requirements, there’s a risk that new regulations are implemented without consideration of their cumulative effect.

Each new regulation from our parliaments, or indeed, enforcement action by regulators, rightly shifts the behaviour in boardrooms. We need to be conscious the growing regulatory burden does not lead to overly conservative decision-making and lost opportunities at both management and board levels.

It’s a tension we need to balance. How do we support and encourage good directors and stamp out the bad behaviour of a few?