The Director’s Dilemma – March 2020 Edition
This edition of the newsletter was first published on The Director’s Dilemma website.
This month our dilemma concerns a director who had assumed the governance was good enough and then discovered that – when things went wrong – it wasn’t. Although the thing that went wrong on this occasion was a technology issue, the failings would probably have been thrust into the spotlight if the issue had involved inappropriate culture, supply chain, payroll, or any number of other topics.
Trevor is a director of a listed company that has been a ‘market darling’. The company provides credit assessments and data verification. The founders both have a strong background in the sector and a healthy network of contacts that led to a growing client list which included governments and financial institutions.
Since the listing two years ago, the company has met or exceeded forecasts, and Trevor has been proud to be the only independent director on the board alongside the two founders and the CEO. He chairs the audit committee and, unofficially, has been the guiding force behind establishing governance processes and documentation.
The founders have remained very active in the business and Trevor has occasionally worried that they make strategic decisions and tell him about them afterwards at the board meetings. As Trevor’s background is audit and assurance, he assumes he wouldn’t add much value beyond ensuring sound processes and keeping records.
Three weeks ago, everything changed. A large amount of the company’s data was ‘dumped’ on the dark web. It included the financial details of people who had been assessed as well as identification details such as tax file numbers and residential addresses. Worse, the company initially claimed that the information had not come from their systems and then admitted that they had received ransom demands indicating that data had been filched as long as a year before this disaster.
Clients have withdrawn their business, shareholders are dismayed, the share price is in free fall, and the press are clamouring for information.
How should Trevor help the company weather this storm?
This is a listed company; Trevor must ensure appropriate disclosure. A trading halt may give the company time to investigate, and respond to, the events and then give the market time to disseminate the information. His customer liaison at the stock exchange should assist with implementing a halt and issuing a brief statement saying what has happened and that the company will issue more information when it becomes available.
This will be a costly and distracting exercise that could derail the company from its current successful track.
Three of the four board members are executives. That doesn’t mean the fourth can rely on their efforts. Trevor must add value by asking intelligent questions that people involved in the operations will possibly not think to ask. This board must work as a team rather than a group of individuals who each contribute their own expertise and then come together to document decisions that were not made rigorously or jointly.
Trevor has now learnt that there is more to good governance than just having meetings and documenting processes. He needs to get involved and truly understand the business. If his fellow directors do not welcome this, he needs to consider whether they are taking him seriously or just using him as window-dressing. He should ensure that the whole board is never again left out of the information flow when something important happens (or even when it perhaps might happen).
He should also take the lead on procuring legal advice (they are going to need it), liaising with the regulators, and establishing crisis communications. Engaging a specialist communications firm may help.