Foreward by Andrew Chilvers
As companies continue to look for opportunities in global markets, directors from diverse jurisdictions are hired to serve on the boards of foreign businesses as well as domestic ones that have operations and assets in other countries.
Enterprises across the world look for directors from other jurisdictions for any number of reasons. Hiring board directors from other countries can help to build investor confidence, for example. Likewise, an enterprise that is headquartered in a different jurisdiction but with a subsidiary in the US or Europe could seek directors to gain expertise and credibility. The director may have valuable international or local geographic expertise regarding business objectives, strategy, operations and risk management.
Nevertheless, serving as a director on the board of a global enterprise can bring major challenges. It’s true that during the past few years corporate governance laws and regulations have started to converge across regions, but there remain critical international differences regarding the responsibilities and liabilities of directors.
With recent data protection legislation across different jurisdictions, companies are now being held to account regarding their use of personal data. Will this result in a more litigious culture for companies and what does this mean for boards?
The GDPR has introduced onerous standards on companies which process personal data, with significant financial penalties for non-compliance. The GDPR further offers privacy activists as well as employees, litigants, consumers, shareholders and members of the media a strong tool to address privacy concerns or breaches.
The introduction of the GDPR signifies in itself a shift towards a more litigious culture with respect to the processing of personal data and may translate into an increased risk that board members are held personally liable. However, current Dutch case law published so far in relation to the GDPR mainly relates to the right to be forgotten (removal from Google searches or financial ratings data bases) and labour law cases regarding employee privacy concerns and up to this date has not led to liability of individual board members.
Nonetheless, the introduction of the GDPR and similar laws has caused substantial changes to the landscape of privacy law. Companies and their boards can no longer escape from their responsibilities and need to familiarise themselves with the regulations applicable across the various jurisdictions where their companies are active and ensure compliance. This means that boards of companies should ensure that IT systems are secured, processes are installed that enable timely detection of data breaches and ensure that these are dealt with appropriately internally and reported to the regulators when necessary.
Although regulatory action until now has been relatively limited, it has become evident that the Dutch regulator will become more active and issue significant fines (of up to EUR 20 million or 4% of global turnover) and it only seems a matter of time before class action law suits will be brought forward by affected consumers.
While regulatory actions are brought against the company rather than board members, such actions will put the spotlight on board members and whether they have fulfilled their fiduciary duties to comply with data protection legislation.
With global directors now increasingly in demand, how important is it for boards and directors to understand the different expectations of directors and different cultures of governance?
In an ever-increasing digital world and era of faster globalisation companies operate in a more global context. This also drives the demand for directors with a global outlook. Global boards will need to have an extensive skill set to ensure that the company acts in accordance with the (fiduciary) rules and values in all jurisdictions where it is active as a board will strive to “think globally and act locally”.
While the OECD has developed Global Governance Principles to advocate a common global approach to directors’ fiduciary duties of care and loyalty, in the end governance practices will be anchored in the legislation of the country where the company is headquartered.
In the Dutch jurisdiction, the board carries a broad responsibility from guiding the interests of the company and its business to the interests of shareholders, employees, creditor, suppliers and society as a whole as well as compliance with a variety of good governance codes. In addition to personal exposure to all these groups, Dutch directors may, amongst other reasons, also become personally liable for the whole deficit in bankruptcy in case annual accounts have not been filed timely.
Dutch boards are expected to be populated with high performing directors who carry a broad responsibility. The expectations of high performance of a Dutch director should not be underestimated and underperformance may have severe consequences. Therefore, a foreigner who becomes a Dutch director who thinks of the board service as largely advisory or ceremonial may have little to contribute and be unqualified for such task and be exposed to significant financial consequences. A Dutch board is allowed to divide their duties among themselves. This can help the board to take away responsibilities from directors that have no affinity with certain subjects (f.e. GDPR or foreign/domestic matters).
How important is an effective board that follows core principles of international corporate governance? Does this give boards a shield against litigation and other issues such as bankruptcy and bribery?
Global leadership and corporate culture are closely connected and, therefore, it is paramount that directors create proactive oversight and take the lead in setting global corporate culture standards for the company to ensure effective implementation of corporate compliance. This is not only limited to risk assessment standards but applies to all fields that are relevant to the company, such as GDPR. Implementation of risk management frameworks not only mitigates the exposure of directors but may also avoid reputational damage to the company.
Whilst a variety of international bodies (such as IFC, ICGN and OECD) have been developing international standards for the harmonisation of governance codes that also affect the codes in the EU, governance codes remain fragmented from an international perspective.
As the applicable codes for global companies vary from jurisdiction to jurisdiction, compliance can be a daunting challenge. A combination of central top/ top-down risk assessment and in-country/bottom-up risk assessment processes are generally viewed by directors as an effective approach for global companies. Creating an effective risk management system starts with leading by example and being armed with the right information from the right sources within the company. The Dutch Corporate Governance Code contains an extensive set of principles and best practices that help to implement an effective risk management system and uses a comply or explain mechanism which may help to balance the Dutch Code with other codes that may apply.
It goes without saying that complying with corporate governance codes mitigates the exposure to director’s liability. That is not to say that the board can suffice with a check-the-box mentality. Boards need to keep up to date on governance developments within the regions the company operates and allocate enough time to be updated in this area on an annual basis.