Check against delivery

Is it impossible for directors to comply with their obligations?

A tough question. We’re all well aware of the ever-increasing complexity of the business world, and it’s pretty clear that this complexity carries over into the role of directors and boards – and this continues to put pressure on the traditional division of governance responsibilities between boards and senior executive management.

If we also add changes to regulatory settings, mandatory climate disclosure, cyber security, and AI – just to name a few – it may seem to some that being a director is like Sisyphus in the Ancient Greek myth: Forever pushing a boulder up the hill, only for it to roll back down again each time it seems the task is complete.

But is that the reality? I think not.

This is not to say there has been no increase in the demands on directors over time. There has. It’s hard work, no doubt about it. And so today I’m asking the same question that you probably ask yourselves much more frequently: Is it impossible for directors to comply?

Spoiler alert – I’m going to say it’s not impossible to comply. It’s tough love but being a director isn’t easy – if it were, anyone could do it. Good directors run successful, profitable businesses. That’s not going to happen unless every director takes an active stance of curiosity and asks the right questions – to understand their business, and how that business makes money. When that happens, you have a good chance of having a business that doesn’t just comply – it thrives.

Why it matters

But before I get into that, I’d like to say a little about directors in general. As I’ve said before, company directors play an integral role in the Australian economy. In fact, much of a director’s entrepreneurial effectiveness comes from being curious. This means a continuous commitment to learning about new and emerging matters and issues essential to the future profitability and success of the company.

And on that note, I’d like to commend the AICD for its sustained commitment to good governance, and to building the capability of Australian directors. I’d also like to recognise the long-established relationship of collaboration and partnership between ASIC and the AICD.

Thank you to the members of the AICD for your ongoing focus on these important issues.

As I was saying, you all play an important role in the Australian economy. There are over 3 million companies in Australia – public and private, large and small, family businesses, start-ups, not-for-profits. They employ millions of Australians and contribute hundreds of billions annually in GDP.

The directors who run those companies operate in a complex and high-stakes environment, characterised by an array of sometimes labyrinthine statutory obligations, significant community, social and ethical expectations, and a dynamic and evolving set of challenges and risks to manage.

The evolution of directors’ duties

But this hasn’t always been the case – at least not to the extent we see today. As recently as the early 1970s, the late Professor Harold Ford – who as many of you will know, was a giant in the field of corporate law – was able to say that the obligations imposed on directors were ‘not very demanding’.[1]

But that soon changed. Specifically, in Australia, it began to change from the late 80s and early 90s, when it was said that the days of the ‘passive’ or ‘sleeping’ director were over.[2]

In 1988, for example, a leading practitioner wrote that:

‘We are approaching the stage where we can no longer afford to be lenient toward inattention on the part of company officers, and it is time our legal system developed sophisticated standards to deal with it. In short, the inattentive company officer deserves all the liability he gets and at present, he is getting nowhere near the liability he deserves.’[3]

Now, that seems a little too tough on directors, and perhaps unlikely to reflect current sentiment.

In any case, the requirements for directors have changed a lot since Ford’s day. Emeritus Professor Ian Ramsay, another giant of Australian corporate law, last year published the second edition of a book[4] that, as he put it, ‘deals with principles of law and governance as they relate to company directors.’ He then requires 1,229 pages to ‘deal with’ those principles.

The fundamental requirements for directors are set out in the Corporations Act – I’m sure you’re all familiar with them. What’s important to highlight about these duties is they’re not specific. They’re principles based. They rely on judgement to apply them to an infinite range of specific circumstances.

Now, some might consider this very breadth, and reliance on principles, to be a problem. In that conception, broad equals vague. Some might point out that the principles don’t actually tell a director what to do. I’ll come back to this point later on, but for now suffice to say that I don’t think principle-based duties are a problem – I think they’re part of the solution.

Regardless, I think everyone would agree that asking directors to act with care, diligence, and integrity shouldn’t be too tall an order.

But of course, talking only in broad terms doesn’t address the details of the day-to-day. In a recent podcast, an executive in the United States voiced a concern that I think is on the minds of a lot of company directors; namely that:

‘With all the new challenges coming up, from geopolitics to generative AI and digitization to sustainability, being a board director is probably more complex than ever. New topics pile onto the board agenda almost by the day. We’ve also seen a massive increase in the expectations of the board to engage on strategy, investments and M&A, performance management, risk, talent, and the organization.’[5]

That’s every bit as true here in Australia. Directors have to be across developments in the use of AI and other technology in their companies.

Speaking of technology, we regularly see that even well run, well-resourced companies become targets of a cyber attack. Let me be especially clear here, it is a foreseeable risk that your company will face a cyber attack. 

And, since you can’t protect what you’re not aware of, as a director you have to make it your business to be across questions of cyber resilience and make cyber security a priority. History shows that even robust defence systems can be circumvented, and resilience demands you be prepared for that possibility.

Then there are the issues of sustainable finance and ESG, and the commensurate demands on directors’ time. Investors have a right to know what they are investing in and, if ESG is driving their investment decision making, they will want to know their money is being invested in products and projects that genuinely support sustainability. Which means directors need to respond to the calls for transparency and disclosure in this area.

Finally, of course, while directors’ duties are relevant to the decision making and actions of directors and officers, there are other specific conduct, privacy and data security laws that apply to their companies’ operations. As I’ve said before,[6] directors need to be aware of the links between the obligations on them personally and the obligations on their companies.

Judgement and curiosity: Meeting the compliance challenge

So, being a director is a tough gig. The fundamental reality is if you’re acting in good faith and want to run a profitable business, and not fall foul of what’s expected of you in terms of the law, that’s hard work. You have to get the balance right: You have to put customers’ interests first, show them you’re not just there to make a profit, that you are acting with integrity, that you are doing the right things by your staff and by your local community. Absolutely that’s hard work. But with an attitude of curiosity about your businesses, it’s not impossible.

I mentioned before that, to some, the breadth of directors’ duties under the Corporations Act might be misconstrued as vagueness, because the principles don’t specifically tell you ‘Do this, do that’. But I think the reality is, that this principles-based approach is the key to a director finding that right balance. Running a business necessarily involves judgement. And judgement means using high-level principles to help find the best way forward.

I often get asked what advice I’d give directors on this compliance question. They don’t want to be at risk of being investigated, prosecuted or sued. And I understand that.

But the first thing I’d say is – not all new obligations on directors necessarily mean an increased burden. Nor do they necessarily make it harder to balance the scales between profit and legal requirements.

Let me give you an example. Yes, new climate-related reporting requirements will impose new obligations on directors and reporting entities. But they also create opportunities. The reporting requirements need to be seen in the overall context of the objective of the reporting regime – which is to disclose ‘information about … climate-related risks and opportunities that is useful to primary users of general purpose financial reports in making decisions relating to providing resources to the entity’.[7]

In plain English, this means directors and the boards they sit on and the companies they run will actually and ultimately benefit from more disclosure across the economy. Why? Because you yourselves are in fact users of the information prepared by other entities. Access to more climate-related information on these other entities in your value chain can support you in better managing climate change-related risks and opportunities, and in potentially preserving or enhancing shareholder value.

The same is true of increased scrutiny of cyber preparedness. Because a major attack could destroy or at least erode consumer confidence in your company, being better prepared and more cyber resilient can only be a benefit. But also, as with climate disclosure, if directors in general have to be more focused and deliberate about cyber preparedness, this should also shore up the cyber resilience of associated entities like third-party suppliers.

The point is that increased expectations don’t mean decreased profits or a meaningless list of endless tasks. They mean better business.

But the question remains: How do you actually go about fulfilling your role as directors, given the complexity of the business and regulatory environment?

This is where the principles-based approach comes in – and the key skill of asking the right questions.

So let me lay out some of those key questions you should be asking yourselves. As a director, ask yourself: Are you acting honestly? Are you putting the company first?

If you are, if you’re acting with honesty and integrity, you’re probably avoiding improper use of position or information, and you’re probably disclosing interests that are relevant.

What about acting with care, diligence, and in good faith? Here, ask yourself: Do you have a continuous curiosity to understand all aspects of the company's core business and the risks associated with it?

That means making a genuine effort to understand how you make money. And that’s not trivial. Because you’ll recall that during the GFC we learned that a number of bankers evidently didn’t know how they made money nor understood how key financial instruments worked. So I ask everyone – do you know how your company makes money? What are the key drivers of your profitability and who are your customers, where’s your data? These may seem like basic matters. They are. That’s why they matter.

And when you’ve demonstrated to yourself that you know how your company makes money and you’re acting with honesty and integrity, then hopefully you’ll be able to have a sensible conversation with yourself, and with your fellow directors, about the risks and what can go wrong.

Which brings me to my fourth question to ask yourself as a director: Are you challenging management to ensure your understanding is well-founded, and getting trusted professional advice?

This last question, of course, goes to the question of reasonable reliance by the board on the advice of senior management, and the role that that plays in the overall landscape of directors' duties. It’s relevant, for example, to consider whether a director has reasonably relied upon, say, their general counsel or CFO.

That reasonable reliance will of course play out differently depending on a range of factors, not least the size and the resources of the entity. That is, smaller companies may not have those layers of senior management and specialist expertise to advise their board, which I acknowledge can make the challenge of this last question greater for those directors.

Conclusion

In conclusion, I am not suggesting to you that being a director isn’t tough. It is challenging, and it can be complex – but it is not impossible.

History tells us that it’s the directors who don’t employ curiosity and judgement, who don’t apply themselves to asking questions about their business, who are at risk of not understanding the risks of that business. And if you don’t understand the foreseeable risks, that’s when you run into trouble.

If, on the other hand, you keep asking the right questions, do all you can to understand your business and act accordingly, you have a reasonable likelihood of compliance. You can not only comply, but thrive.

Asking these questions is precisely how the winding roads of judgement are made straighter, and the thickets of decisions along the way, made a little less thorny.

Four questions – all of them important:

1. Are you acting honestly?
2. Are you putting the company first?
3. Do you have a continuous curiosity to understand all aspects of the company's core business and the risks associated with it? and
4. Are you challenging management to ensure your understanding is well-founded, and getting trusted professional advice?

Ask these questions, not just once, but again and again.

If the answer is yes – not just once, but again and again – then you will get to a point where concerns about complying with your directors’ duties won’t keep you up at night.

And you’ll go a long way toward meeting the compliance challenges, and seeing past them to the opportunities and benefits.

[1] Harold Ford, Principles of Company Law (Butterworths, 1974) ch 15

[2] Cf. Naffai v Haines (Unreported, NSW Supreme Court, Rogers AJA, 26 November 1991)

[3] Leigh Warnick, “The Liabilities of The Inattentive Company Officer”, Western Australian Law Review, Vol. 18 (1988), pp. 117-118

[4] Ian Ramsay, Company Directors: Principles of Law and Corporate Governance, 2nd edition (2023)

[5] https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/the-rising-complexity-of-board-directorship#/

[6] Joe Longo, Speech, Marconi’s illusion: What a 120-year-old magician’s trick can teach us about cyber preparedness | ASIC

[7] Cf. The AASB [Draft] Australian Sustainability Reporting Standard ASRS 1 General Requirements for Disclosure of Climate-related Financial Information at paragraph Aus 1.1