As if business leaders did not have enough to contend with in the current economic and geopolitical climate, the trend towards increased personal accountability for company directors is continuing and can be expected to increase further. How can directors protect themselves? As a start it is important for both executive and non-executive directors to understand the overarching principles involved and how they link together.
Part 10 of the Companies Act 2006 sets out the following general duties owed by all directors to a company:
A director who commits a breach of duty may face civil action by the company, in which he may be held personally liable to pay damages or be made subject to other orders. He may be the subject of investigation by a third party, for example the Department of Trade, for breach of any of his duties and may be disqualified for a period of up to 15 years under the Company Directors Disqualification Act 1986.
Actions can also be brought by shareholders in the name of the company with prior consent of the court.
Other legislation, such as the Financial Services and Markets Act 2000, the Insolvency Act 1986, and the Corporate Manslaughter and Bribery Acts, imposes additional duties. Breach of other types of regulation, such as those made under health and safety legislation or covering data breaches, among others, can give rise to both civil and criminal action. Directors and senior managers can be prosecuted for breach of a large number of safety regulations made under the Health and Safety at Work Act 1974.
The Corporate Governance Code 2016 provides that it is part of a director’s duty to safeguard the assets of the company. Where a company is exposed to claims, penalties and reputational damage as a result of a director’s negligence or failure to ensure regulatory compliance, this will affect the value of the company and hence amount to breach of duty.
The assessment of whether a particular decision or course of action was negligent or non-compliant will always be a matter of detailed evaluation of the facts. For a director to protect himself in advance he must ensure that decision processes are well documented, showing how and why decisions were reached. A defence to an allegation that a decision was not reasonable or diligent will be greatly assisted if the detailed reasoning is clearly set out in minutes, with supporting papers showing how the decision was arrived at, any advice that was obtained and, where appropriate, consultation with relevant stakeholders, such as shareholders or possibly trade unions.
In the last quarter century the general approach to managing risk has been focused on internal procedures aimed at satisfying detailed prescriptive regulations, rather than the risks a particular organisation faces in the round. This approach is now regarded as outdated because it produces little understanding of the real risks faced by an organisation or of how they should inform strategic decisions and investment.
The modern view is that risk exists both within and without an organisation and directors must consider not only internal compliance but also the fluctuating risk posed by contextual threats such as political uncertainty, energy price volatility and weather. A large number of detailed safety regulations have been abolished, but this by itself does not allow companies to ignore basic precautions whilst contemplating the wider world. By way of example, the Working at Height Regulations have been abolished, but employers will still find themselves responsible for accidents caused by dangerous ladders. It is now the responsibility of the directors to set procedures based on the risk assessments which have actually been made. The responsibility for designing compliance has therefore been shifted onto the shoulders of directors. As a result good compliance may not look the same in every organisation, but the procedure for achieving it will be.
Failure to pay enough attention to risk could now lead directly to a personal civil claim for breach of duty, and possibly also prosecution. There is however no single protective step to be taken in this area and it would be a mistake to approach regulatory risks in a purely defensive spirit. Good management of risk may enhance the value of the business and make it more competitive. Positive engagement, regular review, follow up and attention to detail are required here, as is good record keeping.
It is important to remember that in law safety can never be subjected to the profit motive: if an activity is dangerous and too expensive to make safe then the company must stop doing it.
Physical safety, whether of people or the environment, is the arena in which regulatory authorities have for some time been adopting a more aggressive approach to the enforcement of old rules, but other regimes are going the same way. Personal prosecutions of directors under the Health and Safety at Work Act and the Environmental Protection Act have become more common, fines have increased dramatically and other remedies available to courts, including prison sentences, are more likely to be imposed. A similar approach will be adopted under the GDPR and is possible amongst a variety of other specific regulatory regimes.
Whilst directors can rely on expert advice and day-to-day compliance can be delegated to appropriate levels, responsibility always remains with the board and must be regularly reviewed, action taken and followed up. The whole board is responsible for this, not merely the director individually charged with administration of relevant areas. Reviews must be thorough, frequent and relevant, because these days, demonstration of compliance depends on evidence of audited risk assessment, which is regularly reviewed, and commitment to achieving compliant outcomes.
Against this background, appropriate insurance assumes central importance and must be kept up to date to reflect regulatory changes and perceived risks. There must be adequate cover both for the company, under a commercial general liability (CGL) policy, and for directors, under a Directors and Officers liability (D&O) policy, to leave no gaps in cover for the potential exposures. Where possible, indemnities from the company to its directors may also be important. Standard CGL and D&O policies are unlikely to provide sufficiently broad cover to meet all the potential contingencies, so attention must be paid to getting the right cover.
However, it is unlawful for a company to indemnify a director in respect of any liability to the company for his own negligence, default or breach of trust, and any such provision in a service contract will be invalid. The company can, however, lawfully obtain insurance against its own liability under these headings and pay premiums for D&O cover, although there are limits on the extent of the cover that can be obtained.
Whilst insurance will cover liability for the costs of investigation of regulatory breaches, fines imposed on either the company or directors personally following criminal prosecution will not as a matter of public policy be recoverable under either CGL or insurance under D&O cover. The director concerned has to pay the penalty for his own wrongdoing. Personal assets are therefore at risk.
D&O cover will usually cover the legal costs of directors protecting their interests in relation to regulatory investigations, but may be restricted to formal external investigations by regulatory authorities. It may not cover internal investigations, which are common and which may nonetheless require a director to get independent legal advice.
CGL policies are designed to protect against liability claims for physical injury and against damage to property arising out of the occupation of premises, operations, products, completed operations and advertising.
However, many CGL policies describe ‘property damages’ as ‘physical injury to tangible property, including all resulting loss of the use of that property’. This does not include intangible property and cannot extend to losses involving electronic data. Such policies will not therefore cover data breach or cyber intrusion. Many policies also exclude liability for criminal acts. These policies would potentially leave a company totally exposed in the event of a major cyber incident. It is essential therefore to review CGL insurance cover for cyber-related risks and purchase technology and cyber-related cover. Failure to address this issue would amount to breach of duty by the directors.
Technology insurance covers problems such as business interruption expenses as well as third party cover designed to protect a company from legal claims. Endorsements on existing policies said to provide technology and cyber cover may not be as wide as a bespoke policy and may not be sufficient to cover crisis management and legal fees. It is therefore very important that, if necessary, the company buys a stand-alone product tailored specifically to cover those risks.
However, this improved CGL cover is not enough if D&O cover is not also appropriately extended. Furthermore, directors should also look out for geographical and aggregate limits on liability to all the directors so as to ensure that there is sufficient cover for everybody everywhere.
The importance of this cannot be overstated. If insurance is inadequate, directors may have to face the costs of fighting a long and complex legal action and meet any judgments awarded against them. They may equally face a claim for breach of duty.
Although most developed economies will have broadly similar approaches to such issues as directors’ duties, there may be significant differences in detail. There is no substitute for taking specific advice about directors’ duties and related insurance issues in any jurisdiction where you operate. There is also a considerable amount of general information available in the commercial market. So, for example, in Saudi Arabia, directors are responsible to the company for issues arising from misconduct of the company’s affairs, but also jointly with the company for damage to third parties. In Switzerland the extent to which the directors’ administrative functions can be delegated to managers is restricted. These differences may not seem to be significant, but depending upon the business activities involved, may have considerable significance. The insurance problem is compounded by the fact that few standard policies will cover cross jurisdictional investigations. Furthermore, some jurisdictions require that a local policy is obtained to comply with local insurance regulations.
If there is one single message here, it is that directors cannot be passive in the face of a changing world and must be constantly assessing risk in all areas as well as opportunities. They may, in some circumstances, amount to the same thing, and careful investigation of the legal landscape to assess risk may well reveal opportunities for future developments, protection, and sustainability of the business, as well as keeping you out of court.