Whether it’s the risk of cyber-attack, systems failures, or loss of data, hardly a day goes by without some headline about the threats posed to companies through computer networks and the internet. The need for board-level focus on these risks and threats has also received plenty of airtime. I wonder, though, how many board members consider the risk of the wrongful disclosure of the very board papers in which those risks may be spelled out.
Security Issues of Paper
The results of a recently published Thomson Reuters’ annual board governance survey suggest that current practices may not enough. The survey covered more than 125 general counsel and company secretaries across a range of industries and countries. Key findings include:
- Over 67% of respondents admit they do not know if their board members destroy or print copies of board materials
- 62% of respondents had heard of situations where board members had left sensitive information in public places
- Over three-quarters of organizations used unsecured personal email accounts to distribute board documents
- Almost half of boards still rely on paper-based board books
These figures suggest that board members are open to scrutiny by regulators (or conceivably in court proceedings) as to their grasp of security issues in relation to their own board papers.
But that’s not all! What’s perhaps even more worrying is what the survey reveals about the sheer extent of board material to which directors are exposed. The survey found that on average “board books” i.e. material prepared for board meetings are 179 pages in length (this is apparently up from 116 pages in the 2012 survey). 25% of respondent companies produce in excess of 100 board books per year.
This means that board members are expected to work their way through a staggering 16,010 pages of board materials a year! As the survey authors also point out, many organisations have board members serving on multiple boards across the world so it is possible that for some individuals the amount of board-related material is truly mind-boggling.
So from a director’s personal liability perspective, what we have here is a potentially toxic mix of inadequate safeguards around sensitive and confidential information combined with the (understandable) risk of gaps in the directors’ individual and collective knowledge as to the contents of the very documents on which they must rely to keep themselves informed.
What to do
What can be done about it? Here are three suggestions listed in ascending order of difficulty:
- Directors should ensure that their own copies of board packs are properly safeguarded and (when appropriate) securely disposed of.
- Directors should satisfy themselves as to the adequacy of procedures adopted centrally to safeguard board packs and ensure their colleagues on the board are attuned to the need to protect confidential information whilst the documents are in their possession.
- Most tricky of all, directors should find ways of resisting a phenomenon sometimes referred to as “delegation upwards.” This phenomenon can lead to the provision of too much paperwork to the board. It’s an attractive option to managers since it provides them with a ready-made defence that the board was in possession of “all relevant information” at the time the decision (whatever it was) was made. But that rationale, taken to an extreme, can be contrary to a sound corporate decision making process and risk management.