When Boards Ask For Too Much: How Risk Oversight Can Backfire

Facing a constant barrage of complex risks, many boards form special committees and flood general counsel with document requests. But is this helping—or hindering—governance?

Board members and the general counsel have long enjoyed a close working relationship. The company’s highest-ranking legal officer provides expert legal counsel to directors to navigate complex risks. When these risks evolve into a tangled web of convoluted information, the board leans more on the GC, straining their close relationship.

To flatten their learning curve on the strategic and operational risks caused by generative AI, cybersecurity and technology innovation, many boards have formed dedicated committees, task forces and ad hoc committees. As they conduct deep dives into these topics, directors are requesting voluminous business records and other documents from the GC. “Board members perceive greater responsibility and want to be conscientious, but in some cases the information they request could be a work in progress that the GC is uncomfortable disclosing to them—for their own sake,” says Lawrence Cunningham, board director at publicly traded companies Markel and Constellation Software, where he serves as vice chair.

Delving so deeply could push directors into dangerous legal territory. “If a dedicated committee says it wants a report on an investigation concerning the treatment of employees or a report on the company’s emission standards and performance or the consequences of its lobbying activities, some of that might be sensitive information that could hurt the company and the directors,” says Cunningham. “The reviews might indicate violations of law or policy that are continuing. If the company is sued, lawyers for the other side will try to pry information from a director that could look terrible in front of a jury, potentially jeopardizing the liability of both directors and officers.”

This concern, while not always central, is one of several that can make GCs hesitant to share certain information, he says. “From what I’m hearing, there may be growing tension in some cases between directors and the GC over the information board members need to provide effective risk oversight and what the GC is comfortable in sharing.”

Other board directors and legal experts perceive the same tension at play. The priorities of dedicated board committees to understand and assess the growing number of impenetrable risks are colliding with the GC’s focus on legal compliance and avoiding potential litigation. “The purpose of a board committee is to create a structure allowing directors to take a deeper dive into the topics assigned to that committee,” says veteran directors and officers liability attorney Dan Bailey, partner at Columbus, Ohio-based law firm Bailey Cavalieri. “More committees mean more work by both the directors and the GC to support the deep dives. The challenge for the GC is to provide enough information helping the board members do their job, without inundating them and getting them into the weeds.”

Once in the weeds, directors struggle to find their way out and request even more detailed data from the GC. Too much information can make it harder for board members to satisfy their concerns, causing frustration, confusion and a loss of focus on the core issue. This is the case with AI and cybersecurity, two of the most confounding areas for directors to oversee, according to Corporate Board Member’s “What Directors Think Survey,” conducted in partnership with Diligent Institute and BDO.

As directors peel one layer of the onion, another layer appears, followed by more. Inevitably, the information provided by the GC piles up into a rubble of baffling data. “I’ve seen instances where the GC is trying to keep the company books, records and other business data ‘neat and tidy’ and not jeopardize board members by providing documents that should be attorney-client privileged,” says Butch Hulse, general counsel and chief administrative officer at MiMedx, a publicly traded provider of healthcare products made from human placental tissue. “Boards that get too deep in the weeds can put themselves in harm’s way, focusing on the wrong risks [and] giving short shrift to the real threats.”

LEARNING CURVE

There’s no doubt that boards confront an evolving array of singularly complex risks testing the resilience of the organization’s risk management policies and their own oversight structure. A case in point is the whipsawing effects of President Trump’s lightning-fast actions on trade and federal DEI initiatives and efforts to influence monetary policy. Although candidate Trump’s campaign pledges clearly suggested these moves, few people anticipated such alacrity in their implementation.

In tandem with this locomotive are other rapidly changing topics for board attention—generative AI, cybersecurity, technology innovation and corporate DEI policies. “The demand signal from the board is higher because every board member needs to stay forward in their thinking and education to understand what is going on in our changing world,” says Suzanne Vautrinot, board member at CSX, Wells Fargo, Ecolab and Parsons.

Cunningham, whose day job is director of the Weinberg Center for Corporate Governance at the University of Delaware, agrees that boards have a responsibility to oversee the company’s risk management and systems. “The challenge is the scope of that responsibility has magnified as the risks have evolved in complexity and scale,” he says.

Longtime board member Gaurdie Banister characterizes the situation as a “state of perma-crisis.” Every year, he says, “there’s always something you have to be paying attention to that turns out to be a bigger deal than you thought. Directors need to be sufficiently aware of these challenges to apply the proper level of governance.” Banister serves on the boards of three publicly traded companies: Russell Reynolds, Dow Chemical and Enbridge Inc. His prior board positions include Marathon Oil and Tyson Foods.

Asked what constitutes “sufficiently aware,” Banister explains, “You’re not there to run the company. Board members can’t be involved in all the details, in all the dimensions of risk. At a macro level, we can analyze how gen AI impacts the business or assess the risks inherent in the use of genAI internally, sticking our noses in but keeping our fingers out.”

His reference to NIFO, the acronym for “Noses In, Fingers Out,” is apt. The board of a publicly traded company has the right to request access to internal documents in order to fulfill its fiduciary duty of overseeing the company’s operations and to make informed decisions. Highly confidential information, however, may be restricted depending on the specific circumstances and jurisdiction.

Banister says the board should have access to any information “reasonably needed” to effectively perform their oversight role. Asking the GC for sensitive, covert or clandestine data on cybersecurity, however, may be sticking too many fingers into the pie. “We’re supposed to have a 50,000-feet-elevated responsibility for material issues and shouldn’t be asking for everything,” he says.

Nicholas Donofrio, former board member at Bank of New York Mellon, Liberty Mutual, Delphi Automotive and AMD, agrees that board members must accept that they don’t run the enterprise. “We don’t need to know where every transistor is placed on a chip, where every wire is fastened to a tool or where every nickel and dollar is transferred, but we’re still fully enabled to render opinions about things that don’t make sense,” Donofrio says. “The problem is when people get mesmerized by the fireflies before the storm, when the real risk is the storm behind the fireflies.”

COMMITTEE CONCERNS

To focus on the actual storm, some boards form dedicated committees, subcommittees or ad hoc committees narrowly overseeing topics like risk management, compliance, sustainability, technology innovation and corporate social responsibility, to mention a few of these new committees (other boards embed these topics into the traditional three-committee structure). In making this decision, Vautrinot says, “The question is whether an acute risk is existential for the company and requires an immediate deep dive by a committee to understand its ramifications, or a chronic ‘forever risk’ that can be addressed once or twice a year without the need of a dedicated committee or subcommittee.”

Another purported reason to form a dedicated committee is if the board members lack expertise in understanding a particularly complicated and rapidly evolving operational risk. “If the risk is not in the experience stable for the board members, the solution is, ‘Let’s create a committee to invest in a level of confidence around these issues that are distorting the business,’” says Ed Magee, board member at publicly traded WD40 Company, a global manufacturer of household and industrial products.

Would it be more useful for the board to recruit an expert in generative AI or cybersecurity to help directors better understand and assess the risks? Not necessarily. “The way I see it, every director has to be a digital-cyber-AI director because that is the context for business,” says Magee. “We have to rise to the occasion for what is going on, diving into technological opportunities and risks and global economic shifts. Do I need to be an expert on all things cyber, no. But I do need to be able to ask good questions and understand the answers.”

Every board member, says Cunningham, should have a baseline ability to discern business matters, challenges and risks and render judgments about them, “probing managerial execution without micro-oversight.” Retaining an expert in cybersecurity on the board may be seen by other directors as providing special advantages and judgment to that person, he says. “If the director says, ‘I’m the person here who really knows this stuff and can tell you how it works,’ the rest of the board may defer too much to them,” he explains.

When a board decides to form a dedicated committee, committee members quickly learn they need more detailed information to draw clearer conclusions on the risks under review. As D&O attorney Bailey explains, “A board committee, by definition, is a mandate for a deeper dive. The more committees there are, the more work for the directors and management to support them. As the number of committees rises, the responsibilities of the members may overlap, causing confusion and a greater risk of inefficiency.”

WHEN ENOUGH ISN’T ENOUGH

Too many board committees, each with their own information demands, can be overwhelming for the GC of a publicly traded company, says Hulse, the GC at MiMedx. “It’s the GC’s obligation to make sure both management and the board fulfill their respective risk management responsibilities, but when there is overlapping jurisdiction from one committee to the next—each with a range of information requests—it causes confusion over which committee has risk ownership,” he contends.

Matt Gorham, leader of PwC’s Cyber and Risk Innovation Institute, agrees the role of the GC has expanded beyond providing traditional legal advice. “The GC is much more engaged in the broader risk space—not just legal risks but handling broad portfolios of risk,” he says. In this expanded role, requests from dedicated board committees for detailed information on a particular risk can frustrate and wear thin the patience of GCs.

“It’s not uncommon for the GC to feel overwhelmed by the volume of [information] requests, while simultaneously trying to navigate what is management’s role and the board’s role,” Gorham says.

The interviewees offered a range of comments on how to ease the flow of information requests from the board, without undermining directors’ need for transparent and comprehensible information. “While board members need to keep their fingers out of running the company, that doesn’t mean the GC should withhold information they need to see,” says Bailey, advising that the GC “present the information to the directors in a format that is not too high or too low in terms of detail. I’ve always been an advocate for less is more.”

Gorham offered a similar opinion. “For the board and the GC to see eye-to-eye on risk, they just need to be looking at the same thing,” he says. Rather than provide directors with a pile of confusing documents, the GC needs to consolidate and edit the information for easier accessibility and comprehension. He provided the example of the SEC’s cyber risk disclosure rule requiring publicly traded companies to disclose a material cyber incident within four business days (the rule may be relaxed or eliminated by the Trump administration). The disclosure rule produced a multitude of requests from board members to the GC on what constitutes materiality.

“In evaluating materiality, imagine a triangle,” says Gorham. “You have the CISO in one corner, the CFO or controller in another corner, and the GC in the third corner. Since materiality requires a legal judgment, the GC needs to quarterback the shrinking of that triangle. That’s an expanded role for the GC, but it can help ensure a level of transparent information for the board to assess, as directors wrestle with understanding and assessing this issue.”

To help the board wrestle with the risks facing Telix Innovations, the radiopharmaceutical solutions provider hired its interim auditor to assess and rate both the risks and its tolerance levels. “We receive a quarterly report detailing where we are with some risks and what we’re doing about it, which informs our internal audit,” says Tiffany Olson, board member at the publicly traded company and two other public companies, Castle Biosciences and MiMedx. “It’s factually based with a good software metric system.”

In situations where directors need more detailed information for risk oversight, Olson says, “It’s up to the GC to tell us when it’s too detailed and not necessary. The challenge for boards is knowing when enough information is enough. The GC is so vitally important from an information disclosure standpoint, given the potential financial risk to members. Do we need to know all the nitty-gritty? Probably not.”

To keep board members out of dangerous legal territory, Cunningham advises that sensitive reports flow through the GC’s office first before distribution to the committee. The GC can then characterize the information as a communication between an attorney and a client, making it privileged in future proceedings with adverse parties, he explains. “If, for example, the treatment of an employee blows up into a scandal and the company is sued by the government or shareholders and the other side goes after the committee members, they won’t have access to the GC’s report to the board,” he says.

Undoubtedly, the board ought to be able to reasonably see everything related to strategy, operations and risks. “No manager can say this [piece of information] is proprietary to management,” Cunningham says, “but it is the GC’s role to design the information cycle to the board so that certain items are stamped as attorney-client privileged.”

Bailey concurs with this advice. “Management should not be withholding information from the board, but it is better for the GC to give the directors summaries, metrics and key performance indicators to monitor the red flags, rather than a full dump of all kinds of information.”

Simple and to the point should benefit all parties.