Aligning the organisation’s risk profile with governance and liability awareness among directors and officers
Organisations must navigate the evolving risks and opportunities in today’s world in order to be successful. Business and economic transformation, the digital revolution and changing social attitudes are producing a world in constant flux. Rising geopolitical tensions, within and between countries, are presenting further challenges to organisations in how they work with governments and conduct trade.
As a result, businesses and boards that can anticipate threats, prepare for them and adapt accordingly will be best placed to thrive. This will require strong corporate governance that allows organisations to innovate and take the risks they need to. Directors and officers who are in tune with the organisation’s risk profile will also develop a greater understanding and awareness of their own personal liabilities. Insurance should be used to enable, as well as protect directors and officers.
The boardroom and senior leaders are facing a wider variety of risks than ever before. Data security is the top concern within the boardroom according to Airmic members, but directors and officers are also facing more collective US shareholder actions against non-US firms and an increase in activity involving corruption and bribery claims.
Appearing on the horizon, new laws in the European Union are likely to facilitate groups of consumers launching collective actions and seeking compensation. While activity from regulators and enforcement agencies increases, legal defence costs are also going up. As a result, risk and insurance professionals must understand the D&O cover purchased and ensure directors and officers understand the policy, where it applies and the limits available.
We hope the survey will inform those involved in the purchasing and usage of D&O insurance. We recommend reading this report in conjunction with the Guide to Directors & Officers Liability published with Airmic in 2018.
Head of Financial Lines
This study is part of a wider research project into the future of the risk management professions, entitled Risk Management: Vision 2020. While the main report summarises the full findings of the research project, this is one of five deep dives into the core themes within Risk Management: Vision 2020.
The five reports are:
Assessing risk, realising opportunity and taking reward. Examining the techniques available to risk and security professionals.
Understanding external threats to an organisation. An analysis of the interconnected nature of geopolitical risks and how they can be managed.
The value of boardroom engagement. Aligning an organisation’s risk profile with governance and liability awareness among directors and officers.
Turning data into information. Assessing the current and future role of data analytics in managing risk and insurance.
Transforming insurance for tomorrow’s risks. Encouraging collaboration between customer, broker and insurer to move risk forward.
This report, produced by Airmic in collaboration with Longitude, is based on the responses of 157 members. While their job roles and the size of their organisations vary, the respondents primarily come from the risk and insurance management and enterprise risk management functions at large multinational businesses. Due to rounding, and the use of multiple-choice questions, some figures and charts in this report may not add up to 100%.
As organisations face increasingly turbulent times, scrutiny of the decisions made by directors and officers is intensifying. The unpredictable political environment, increasing regulation focusing on personal liability and social trends for increased boardroom accountability are producing more circumstances in which business leaders could find themselves the subject of investigations or legal actions.
The Financial Reporting Council’s latest UK Corporate Governance Code came into effect on 1 January 2019. The updated code puts a greater emphasis on the alignment and monitoring of corporate culture, as well as diversity and inclusion. These provisions reflect the changing risk landscape for organisations’ senior leaders.
While risk professionals should be aware of emerging threats to senior members of their organisations, the traditional sources of claims against directors, such as misstatement in financial reporting, bribery and other forms of corruption, and breaches of fiduciary duty, continue to be the focus of the plaintiffs’ bar, prosecutors and regulators. Strong governance is as important as ever.
Although risk and insurance professionals should consider how they can contribute to and lead efforts internally to mitigate these risks, understanding and purchasing appropriate D&O insurance and making use of it effectively can be an invaluable tool to protect directors and officers. Working with an experienced D&O insurer can also provide expert guidance regarding the claims process, insights on common claims to help reduce the personal exposure of individuals, tactics to contain costs and access to specialist knowledge when required.
In 2018, Airmic published a Guide to Directors & Officers Liability in partnership with AIG and Marsh. In our annual survey, members’ responses demonstrate that further work is needed to ensure that directors and officers are aware of the evolving threats, that directors, officers and their organisations are sufficiently covered and that the correct protocol is in place in the event of a claim.
Risk professionals should be aware of emerging threats to senior members of their organisations
In our survey, members were asked about the outlook for managing risks related to six megatrends. The risks associated with digital transformation and geopolitical tensions have been identified as becoming significantly harder to manage in the last 12 months (Figure 1), while climate and environmental disruption is expected to become harder, or significantly harder, to manage over the next three years (Figure 2).
Directors need to guide their businesses through this ever-changing landscape and any false move can lead to accusations of mismanagement. Even if the board has done nothing wrong, refuting accusations or responding to regulatory inquiries can take up management time and result in unexpected legal bills.
Digital infrastructure is increasing the risk and severity of data breaches and cyber attacks that can lead to regulatory action across multiple jurisdictions, heavy fines and scrutiny of boardroom responsibility. For instance, contravention of the European Union General Data Protection Regulation (GDPR) can result in fines of up to €20m or 4% of worldwide annual revenue, and directors, if found to have not exercised reasonable care and diligence, could face criminal charges or lawsuits from the company’s shareholders.
Digital infrastructure is increasing the risk and severity of data breaches
In addition, where the board or management was perceived to have delayed action or failed to make full disclosures to consumers and the financial markets about data breaches, shareholders have filed securities class actions against their companies and their directors and officers.
The unpredictability of geopolitical tensions and a trend towards populist parties in elections increases the possibility of governments and authorities intensifying their scrutiny of large institutions and those who run them. If a long-standing regime is replaced with a more hostile one, the relationships that local directors have built up over time may become worthless overnight.
Moreover, the regulatory and legal environment in which a company operates may become uncertain or unpredictable as regimes change. As discussed below, risk professionals must ensure that their organisation is monitoring developments in all jurisdictions in which it operates, especially where there are directors and officers on the ground.
As climate and environmental disruption increases, shareholders and customers want to see more action taken to show that directors are not only preparing for the impact on their organisations but also that they are behaving as a responsible corporate citizen.
In the US, ExxonMobil has faced fraud investigations from New York and Massachusetts, with the former ultimately issuing a lawsuit that named former chairman and CEO Rex Tillerson as a defendant. Organisations across many sectors are waking up to the likelihood of increased scrutiny headed their way from governments, shareholders and consumers if they are viewed as not acting responsibly on this and other issues of corporate social responsibility.
Activity from the Serious Fraud Office (SFO) in the UK and other prosecutors around the world has increased significantly during the past decade. The UK’s National Crime Agency has become more proactive in its investigations, evolving into the UK’s FBI equivalent, and is spending time and resources uncovering cyber crime. And the increased activity is not limited to the UK.
There is more co-operation between various national governments as well as supranational bodies. The focus of these investigations includes accountancy fraud, bribery and other forms of corruption, environmental violations, and health and safety breaches.
“Regulators and enforcement agencies became much more active after the financial crisis than they had been in the past,” says Kevin M. LaCroix, a US-based D&O attorney and Executive Vice President of RT ProExec. “They have begun collaborating more with each other in the past five years. Regulators have discovered their powers, they are using them more and, as a result, there is much greater claims frequency in the market.”
The Deferred Prosecution Agreements entered into by the SFO with Standard Bank (2015), Rolls-Royce (2017) and Tesco (2017), for example, may have caught the headlines, but activity and defence costs are increasing in multiple territories around the world.
In the US, securities class actions remain a common source of large claims, as do group litigation actions in other countries. The latter is expected to become more common and easier to execute closer to home after the European Parliament approved rules in March 2019 allowing groups of consumers harmed by illegal practices to launch collective actions and seek compensation.
Previously, only 19 member states had the legal framework for facilitating action from mass victims of harm.
More effort needs to be made to educate senior leaders about coverage and the process to access it in the event of a claim
The D&O risks facing small-to-medium enterprises (SMEs) may sometimes be overlooked, but they are no less important for the survival of the business. Claims can arise from the regulatory actions already discussed, but SME directors should also be mindful of employees, creditors and clients pursuing legal action against them as well as public relations crises.
SMEs should not underestimate the cost of defending a claim or responding to an investigation. When purchasing D&O insurance, £1 million in costs may sound like a lot of money, but if several directors are subject to a criminal investigation, then it is unlikely to be enough to cover all the defence costs.
When a D&O insurance policy is bought, more emphasis needs to be placed on educating directors and officers about the coverage and the process to access it in the event of the notification of an event or a claim. It is more common among SMEs for their coverage and limits to go to waste because notification was made too late or not at all.
“This is more common than you might think. We have had brokers come to us two years after the event to say there has been a claim,” says Noona Barlow, Head of International Financial Lines Claims at AIG.
Regulators have discovered their powers and, as a result, there is much greater claims frequency in the market
D&O insurance typically provides liability cover for current, future and past directors and officers of a company, including its subsidiaries. Given the potentially significant costs and serious personal impact of a D&O claim, if something goes wrong with the insurance coverage, the relevant director will come to the risk manager for answers. There are common misconceptions concerning how a D&O policy responds that are important to understand before buying coverage.
Only 18% believe their directors are aware of their personal liabilities, and only 14% are confident that their directors have read and understood their D&O policy (Figure 4). This suggests a perception of complacency within the boardroom that an investigation or action will not happen to them.
“There is a perception in some businesses that ‘we don’t have the problem’, ‘it will not happen to us’ and ‘we don’t want to hear from anyone that suggests otherwise’,” says Neil O’May, Partner at Norton Rose Fulbright LLP.
“There are two camps. Those organisations that have experienced an investigation and are well prepared for the next one. And those that have never had an investigation and do not know what to expect. The latter will often not have the internal governance in place to know who in the organisation should be dealing with the investigator – that is absolutely essential, particularly when it is a criminal investigation.”
If directors do not fully understand the liabilities they face and the events that can lead to claims, then it is unlikely they will be prepared to respond appropriately when an action develops. It is essential that directors and officers are fully aware of the notification process to follow with any type of claim or circumstance that might give rise to a claim. As such, all named directors and officers in a policy should be fully aware of the coverage they have and the process to follow in the event of an action.
If reporting the claim is delayed because the subject or organisation did not believe that it would be covered under its policy, then legal costs incurred before the claim was reported to the insurer will generally not be covered under the policy. In addition, the insurer can provide critical guidance about steps to take in dealing with a claim, so there is no impact on the conduct of the claim or the defence.
If the risk manager, relevant directors and officers, and other internal stakeholders understand the policy and when it applies, then the organisation is more likely to notify brokers and insurers immediately, in order to set the claims process in motion.
The costs associated with an SFO investigation and prosecution can be hard to predict (Figure 5) but will quickly escalate as lawyers are retained. While 45% of survey respondents believe that the average per director defence costs will reach £1 million, a similar 44% think it would be less than that.
The individuals concerned will want to retain the best defence lawyers possible in the event of a prosecution. Depending on the subject matter of the prosecution, a specialist lawyer may be required. In fact, SFO defence costs can be as much as £4m per director, and in some instances the costs are even higher.
Only 18% of respondents are confident there is a clear process in place for who gets paid first under their D&O policy (Figure 4). This is a common confusion and can result from not understanding the policy purchased, or the insurer’s obligations. If multiple directors and officers are targeted in a regulatory or enforcement action that is covered by the D&O policy, then each will likely retain a separate lawyer. Once the insurer has been notified and approval received, the insurer will begin paying the legal fees. The policy will not stipulate or prioritise which director’s claims are paid first. If the policy limit is exhausted, the insurer is under no obligation to continue paying defence costs.
A traditional D&O policy will provide cover for non-indemnifiable loss for directors and officers (Side A), indemnifiable loss (Side B) and sometimes loss to the company itself for securities claims (Side C). If an action takes place that results in Side B and Side C losses, it is possible that the limits will be exhausted before covering any potential Side A losses. As a result, Side A difference-in-conditions (DIC) can be bought to provide additional limits to named individuals and sit on top of the traditional D&O policy.
“Buyers need to determine their strategy and priorities when buying a D&O policy,” says Noona Barlow, Head of International Financial Lines Claims at AIG. “Some buyers will prioritise balance sheet protection in the event the company is sued. Some companies will only buy Side A or treat it as only Side A for the main board in a catastrophic event. Identifying and communicating the strategy from the beginning will avoid confusion when a claim arises.”
Buyers need to determine their strategy and priorities when buying a D&O policy
In most D&O policies, the insurer’s consent is required before lawyers are retained by the company or an individual director. If the insured does not follow this process, then it risks the insurer declining to cover these defence costs, when coverage may have been available if the correct protocols had been followed.
Moreover, most companies will not have experience in handling a D&O claim. A knowledgeable D&O insurer will have extensive experience with D&O claims, including which legal advisors can assist with specialist claims. Hiring the wrong advisor early in a case can increase the overall cost and prejudice possible defences.
In the UK and Europe, D&O insurers typically pay out more in defence costs for directors and officers than they do for settlements or indemnity payments, but our survey shows more than half of respondents did not know this (Figure 6).
In the US, the majority of large claims payments result from securities actions which will often lead to a settlement. D&O policies generally provide broad coverage that ensures defence costs are paid in full until the limit is exhausted, or the director admits fraud or is found guilty. At that point, coverage will end.
Risk professionals need to have an in-depth understanding of the product they are buying and how it will respond in the event of a claim. As emphasised above, time is of the essence, so having a clear plan in place when action is taken against the organisation or a director will pay off.
While risk professionals need to consider and assess the exposures facing their organisation’s directors, it is only through collaboration with the board that they will fully understand the risk profile.
When buying coverage, those directors likely to be the subject of claims under the policy should be involved in the risk strategy and risk mapping process. This will ensure that all stakeholders relevant to the policy will have an early insight into the types of coverage available, and what may be excluded.
Only 38% of respondents believe the board is completely aware of their D&O policy, while 37% said boards were completely aware of the policy limits. There is even less confidence in board awareness of specific risks such as GDPR, social media and the #MeToo movement (Figure 7).
The risks resulting from GDPR, the rise of social media and the #MeToo movement should not be underestimated as these have all resulted in D&O claim notifications.
The risks facing directors and officers have evolved, and these changing priorities should be reflected in the risk management approach and insurance procured. When asked what topics were of most concern within the boardroom, data security (68%) emerged as the top threat (Figure 8). However, just 59% of respondents believe that the board is aware of the scope of D&O liability cover for GDPR issues. If boards view this risk as a top concern, they need to be prepared and informed of their liability and coverage should an action arise.
Workplace diversity and culture issues also appear low on the boardroom agenda. Since the #MeToo movement began in 2017, it has damaged severely, sometimes fatally, the reputations of numerous high profile business people and their companies. Directors do not need to be the perpetrators to be held to account. Several D&O claims have been brought where boards turned a blind eye to a culture permissive of discrimination or harassment, choosing to protect prominent business leaders or leave the details to HR rather than actively manage the risk. Scrutiny and public monitoring of the gender pay gap should also be elevating these issues to the boardroom and be reflected in the attention given to the personal liabilities of individual directors for failure to act on these issues.
The organisation’s D&O risks and the policies bought to protect directors should be reviewed each year. As a part of this process, the legal environment, regulatory change and claims activity in the countries in which they operate should also be assessed to gauge trends and the priorities of national governments and law enforcement agencies. It is not uncommon for the regulatory environment to change and a country that was previously passive on D&O scrutiny to become more aggressive.
Similarly, while corruption and bribery are significantly lower on the boardroom’s priority list (20%), they remain a common (and expensive) source of claims activity.
Bringing emerging risks to the board’s attention will be more straightforward if other internal changes are made regarding risk culture. Risk committees will benefit from more diverse representation from across the organisation. Only a quarter of respondents said they have restructured risk committees in the last 12 months to include more representation from other functions, such as Public Relations and Human Resources. Input from these functions would provide greater visibility on workplace issues, such as the #MeToo movement. Similarly, an organisational cultural assessment will bring these topics to the fore. Only 27% of respondents have executed this in the last 12 months.
The investigation, if managed inappropriately, can be as bad for the business as it is for the criminal investigation
Producing hypothetical scenarios concerning D&O exposures can help risk managers and the board understand any potential coverage gaps and obstacles in the claims process. If the board is given clear examples about how it could be at risk and the situations where liability might arise, it will heighten awareness and encourage the board to stay informed about how its D&O insurance policy works.
Despite the D&O insurance market hardening for certain industries immediately after the 2008 financial crisis, rates have largely decreased during the last decade, with coverage becoming broader and capacity increasing. The global D&O market saw underwriting results deteriorate in 2016 and 2017, driven by increased claims activity resulting from issues such as securities class action claims in the US, greater cross-border co-operation on investigations, particularly those related to cyber crime, and a string of high-profile corporate scandals such as VW, Petrobras and the Equifax data breach.
More claims are arising and defence costs are spiralling. Costs vary across regions, however, making awareness and regular review of the countries the company is operating in essential. Today, defence costs are particularly expensive in territories one might expect, such as the US and the UK. However, costs can also be eye-wateringly high in territories that boards may not be as focused on, such as South Korea and India. Accordingly, these trends should be monitored across the organisation’s footprint.
As a result, it is more important than ever that risk professionals fully understand the relevant risks to their directors and officers, and ensure the right protocols are in place for good corporate governance that can prevent a claim. Providing ample and accurate information on the evolving exposures, as well as compliance procedures to directors and officers would help elevate understanding. Issues to be covered could include anti-money laundering protocols, insider trading policy, and bribery and corruption training.
Those covered by the company-bought D&O policy should also be in no doubt about how, who and when to notify in the event of a claim. The insurer notification requirements must be clear, but there should also be a well-communicated process about who internally needs to be kept informed. For many companies, a sensible process may be to ensure that the general counsel is made aware of the policy and helps manage this process.
“The C-suite has to understand what a criminal investigation entails and there has to be teaching about it,” says Neil O’May, Partner at Norton Rose Fulbright LLP. “The investigation, if managed inappropriately, can be as bad for the business as it is for the criminal investigation. If it is badly handled, it is a business wrecker. It goes on for too long and ratchets up costs.”