Categories
Blog

Brewer v. Turner: When Board Delay Becomes Bad Faith

In corporate governance, timing is everything. A board’s oversight failure does not always come from what it does not see; often, it comes from how long it waits to act once the warning lights flash red. This cautionary tale originates from the shareholder action in the case of Brewer v. Turner, a Delaware Court of Chancery decision that permitted a Caremark claim against the directors of Regions Financial Corporation to proceed. The opinion marks another milestone in the court’s expanding interpretation of fiduciary “bad faith.” It offers an unmistakable message to compliance professionals: delay can be fatal, and now it can also lead to exposure.

A New Chapter in Caremark

In the article in the Harvard Law School Forum on Corporate Governance, titled Caremark Claim Survives Board’s Delay in Ending Illegal Practices, lawyers from Fried Frank considered the case. At issue was the board’s handling of a whistleblower complaint from its former Deputy General Counsel, Jeffrey A. Lee, who alleged that Regions’ overdraft-fee practices violated CFPB regulations. Eighteen months after receiving his detailed complaint, the bank finally ended those practices. By then, the Consumer Financial Protection Bureau had investigated and levied $191 million in penalties and restitution.

The court concluded that the board’s delay could itself amount to bad faith. Hiring outside counsel and forming committees did not shield the directors from liability. As Chancellor Kathaleen McCormick wrote, “Everyone knows that delay can be intentional and a tactic to avoid the consequences of acting appropriately.” For compliance officers, this ruling signals that boards can no longer hide behind process if the substance and speed of oversight fall short of expectations.

Today, I examine the lessons compliance leaders should take from the case.

1. Red Flags Require Immediate, Documented Response

Historically, Delaware courts were reluctant to treat whistleblower complaints as “red flags.” They often viewed such claims as speculative unless corroborated by concrete evidence of wrongdoing. But in Regions, the whistleblower’s position mattered: he was a lawyer responsible for assessing legal risk. His complaint was detailed, specific, and sent to the Audit Committee, a combination that the court found impossible to ignore. That shift widens the compliance risk perimeter. A whistleblower who possesses subject-matter authority, particularly someone in compliance, legal, risk, or audit, can now trigger a board-level duty to act.

For the CCO:

Implement a rapid-response framework for any internal report that raises concerns about legal or regulatory violations. Require escalation to the board or relevant committee within days, not weeks. Then document every step: receipt, investigation, deliberation, and resolution. When courts review the record, speed and transparency become your strongest defenses.

2. Delay Can Be the New Bad Faith

Perhaps the most groundbreaking element of this case is the court’s recognition that delay itself can constitute bad faith. The board did not ignore the red flag; it simply took 18 months to address the illegal conduct while seeking to offset the lost revenue. That conscious hesitation, prioritizing profits over compliance, transformed a mere oversight lapse into a potential breach of fiduciary duty. This is a paradigm shift. Previously, a board’s response, no matter how sluggish or ineffective, was often enough to defeat Caremark liability. No longer. The court has now drawn a line between discretionary pacing and strategic stalling.

For the CCO:

Build timelines into remediation plans. When an investigation confirms illegality, establish a clear corrective-action schedule, present it to the board, and insist on documented follow-through. If management requests “time to replace lost revenue,” remind them and the board that regulatory risk compounds with every day of delay.

3. Law Firm Engagement Is Not Absolution

The Regions board tried to defend its actions by noting that it had hired a law firm to review the overdraft program. But the court found that “merely hiring an attorney” does not immunize directors from bad-faith findings. What mattered was not the hiring, but what the board did with the firm’s advice, and the minutes were silent on that point.

For compliance professionals, this point should feel familiar. Retaining outside counsel is prudent, but outsourcing judgment is perilous. A board that commissions a report yet fails to discuss or implement its recommendations appears, in the eyes of Delaware law, to be checking boxes rather than managing risk.

For the CCO:

Whenever outside counsel is engaged, insist on:

  1. The written scope of work aligned with the suspected violation.
  2. Formal delivery of findings to the full board or its committee.
  3. Recorded deliberations on next steps.
  4. Follow-up updates tracking implementation of counsel’s recommendations.

Compliance is not a spectator sport. Documenting action, not merely delegation, demonstrates good faith.

4. Central Compliance Risks Deserve Central Oversight

The court emphasized that overdraft-fee compliance was a “central risk” for a retail bank and thus a board-level responsibility. This reasoning expands the range of risks boards must personally monitor, rather than delegate entirely to management. Each industry has its equivalents: drug safety in the pharmaceutical industry, anti-bribery in global operations, and data security in the tech sector. When violations occur within these core domains, the argument that “management had it under control” will no longer be a sufficient defense for directors.

For the CCO:

Regularly update your board on the organization’s central compliance risks. Tie each risk to explicit board-level monitoring responsibilities. Provide metrics, internal audit findings, incident counts, and regulatory inquiries that show oversight in action. In the post-Brewer v. Turner environment, silence equals exposure.

5. Meeting Minutes Are Compliance Evidence

A striking aspect of the case was the court’s observation that the board minutes were “largely redacted” and recorded only cursory discussions. This absence of detail undermined the directors’ defense that they had acted responsibly. The court essentially inferred neglect from the lack of written proof. Compliance officers should view board minutes as the audit trail of integrity. If your minutes merely note that “the issue was discussed,” you may have built a weak defense for a strong case.

For the CCO:

Work with your corporate secretary to ensure that minutes:

  • Record substantive deliberation, not boilerplate.
  • Reference specific documents reviewed, such as legal opinions or risk assessments.
  • Capture decisions, follow-ups, and accountability for each item.

When regulators or plaintiffs seek evidence of good-faith oversight, well-crafted minutes speak louder than affidavits.

Broader Compliance Takeaways

The Brewer decision reflects a judiciary that is increasingly willing to look beyond formality and assess intent. In the compliance world, this mirrors what the DOJ’s 2024 Evaluation of Corporate Compliance Programs emphasized: that outcomes matter, but so do the timeliness and sincerity of response. A compliance program that detects misconduct yet allows it to persist for months or years cannot claim to be effective.

The ruling also underscores why Caremark risk is a personal matter. Because these claims rest on findings of bad faith, neither the DGCL Section 102(b)(7) exculpation clauses nor most D&O insurance policies will shield directors or officers from liability. The best protection remains proactive compliance, not post-hoc coverage. Finally, note the procedural context: new DGCL amendments restrict shareholder access to corporate books and records, potentially reducing frivolous oversight suits. Yet for legitimate claims supported by detailed facts, as in Brewer, the bar has been lowered. Courts are signaling that they will continue to allow well-pled Caremark cases to proceed when evidence shows a conscious disregard.

What It Means for the Chief Compliance Officer

For the CCO, Brewer v. Turner is both a warning and a roadmap. It is a warning that oversight delay equals liability. You can no longer rely on the board’s procedural comfort—hiring counsel, forming committees, or debating endlessly—to prove good faith. Results and responsiveness now define the legal standard.

But it is also a roadmap for strengthening your partnership with the board. You can help directors stay ahead of Caremark exposure by:

  1. Defining red flags. Work with Audit and Risk Committees to set escalation thresholds for legal-risk incidents.
  2. Accelerating action. Create escalation SLAs with responses within 24 hours for high-severity issues.
  3. Documenting diligence. Ensure every board discussion about misconduct is supported by complete, unredacted minutes.
  4. Tracking remediation. Maintain a dashboard showing when each issue was raised, investigated, and resolved.
  5. Aligning incentives. Reinforce that executive bonuses and promotions depend on compliance performance, not just profitability.

At its heart, Caremark is not about punishing hindsight; rather, it is about enforcing foresight. The compliance professional’s role is to make foresight possible by ensuring that red flags are identified quickly, decisions are properly documented, and illegal conduct is corrected before it metastasizes into corporate trauma.

Final Thoughts

The Brewer case stands as a modern parable of fiduciary patience gone wrong. A board that meant to deliberate found itself accused of delay; a company that tried to plan found itself punished for profit-driven hesitation. For compliance leaders, the moral is clear: you cannot strategize your way out of illegality. When a red flag rises, the clock starts, and every tick is a test of integrity. The essence of compliance is not preventing failure. It is ensuring you act decisively when failure appears. In the wake of Brewer, that truth has never been more legally or morally binding.

From Good to Great Governance: How Aspiring Directors Can Master the Art of Board Leadership

Exceptional boards do not happen by accident. They are the result of disciplined, emotionally intelligent, and strategically minded leadership, the kind that transforms oversight from a duty into an engine of organizational performance.

For anyone seeking a seat at the board table, the message from PwC in their Harvard Law School Forum on Corporate Governance article Effective Board Leadership: The Art of Doing It Well and the Risks of Getting It Wrong could not be clearer: you are not applying for a title; instead, you are accepting a stewardship. Board leadership is about building trust, balancing competing priorities, and guiding organizations through uncertainty with integrity and foresight.

Today, I want to explore what aspiring board leaders can learn from PwC’s insights and how you can start cultivating the mindset and behaviors that distinguish a “good” director from a transformative one.

The Leadership Mindset: From Governance to Guidance

A company’s long-term health depends as much on its board as on its CEO. In a world of activist investors, digital disruption, and ESG scrutiny, the boardroom is no longer a ceremonial space. It’s where strategy, risk, and purpose intersect, and that intersection demands leaders who are curious, decisive, and adaptable. Board leaders, whether they are chairs, lead directors, or committee heads, do not lead by authority. They lead by influence. They unite peers, challenge management constructively, and maintain independence while working together with executives to deliver sustainable value.

For those preparing to join a board, it is important to understand early that governance is not about “watching management.” It’s about partnering with management to ensure that the organization not only complies but thrives. The most successful board leaders approach oversight like coaches, not referees, creating the conditions where CEOs and directors alike can perform at their best.

Emotional Intelligence Is a Strategic Advantage

PwC’s research emphasizes a trait too often overlooked in governance: emotional intelligence (EQ). Great board leaders cultivate psychological safety, encourage diverse viewpoints, and model humility. They admit when they do not know something. Aspiring directors should take note. Technical expertise, such as in finance, law, or operations, may get you into the boardroom. But EQ keeps you there. The best chairs and lead directors are skilled listeners who can defuse conflict, mediate divergent views, and maintain composure under pressure.

In practice, that means building trust one conversation at a time. It’s asking the right questions without posturing, pushing back without condescension, and fostering a tone of curiosity over certainty. When you can balance empathy with accountability, you create what PwC calls a “high-functioning relationship” between the board and CEO, one where issues are addressed early, tensions are managed constructively, and decisions are made with confidence.

Strategic Foresight: Thinking Beyond the Quarter

Boards exist to safeguard long-term value creation. Yet too many still fall into the trap of quarterly thinking, consumed by immediate performance metrics rather than strategic trajectory. Exceptional board leadership requires foresight: setting agendas that focus on the future, integrating strategy into CEO evaluation and succession planning, and regularly revisiting assumptions about risk and opportunity.

For future board members, this means you should always be thinking beyond compliance. During your candidacy, articulate how your experience contributes to forward-looking oversight. Can you connect market trends to strategic implications? Can you help a board think differently about innovation, sustainability, or geopolitical risk? Directors who elevate the conversation from “what happened” to “what’s next” are the ones who stand out and make a difference.

The Discipline of Continuous Improvement

The PwC framework underscores a powerful truth: even great boards can stagnate. Effective leadership is not static; it must evolve with the organization, industry, and stakeholder landscape. That’s why outstanding boards embrace structured self-assessment and external evaluation. They seek feedback not as a formality but as a growth mechanism. PwC’s data reveals that while 59% of directors believe their leadership manages board assessments well, only 34% think their leaders effectively address underperforming directors. That gap is where complacency grows.

For those aspiring to join boards, this insight is gold. It means that the best directors are learners, not lecturers. They reflect on their own blind spots, solicit feedback, and model a growth mindset. As a future board leader, consider developing a personal feedback practice now, whether through executive coaching, peer mentorship, or 360° reviews. Self-awareness today is preparation for stewardship tomorrow.

Balancing Oversight and Partnership

Every new director eventually faces a defining moment when the line between governance and management blurs. Do you step in or step back? The authors remind us that great board leadership maintains clarity of role. Directors exist to guide, not to manage. The best board chairs coordinate with the CEO regularly but avoid micromanaging execution. They set thoughtful agendas, focus discussions on outcomes, and intervene only when governance or ethics are at stake.

For those aiming for the boardroom, influence comes from credibility and restraint. You’ll need to learn when to question, when to support, and when to challenge, all while preserving trust. The art of board leadership lies in that balance; firm yet fair, supportive yet independent.

Building and Refreshing the Board Itself

A strong board is not just a collection of impressive resumes. It is a living organism that must evolve with the company’s mission. Outstanding board leaders take ownership of composition and succession. They identify skills gaps, coach underperformers, and bring in fresh perspectives to maintain energy and relevance. They also plan their own exits. PwC suggests that leadership roles should peak within five years and refresh within eight to ten years. This timeframe allows enough time to build mastery without stifling new ideas. Aspiring directors should see this as an invitation, not a warning. Governance needs renewal, and you may be the fresh perspective a board needs. Bring both humility and courage to that opportunity.

Navigating Stakeholders and Reputation Risk

Today’s directors must be diplomats as much as strategists. Shareholders, employees, regulators, activists, and the public all expect transparency and accountability. PwC highlights that effective board leaders help define who matters most, coordinate messaging with management, and ensure the board’s voice aligns with corporate purpose. They understand that trust is not a given but rather is earned through credibility, communication, and consistency. If you are pursuing a board role, develop your own credibility now. Contribute thoughtfully in your industry, write, speak, and mentor. Build a reputation for substance over self-promotion. Boards increasingly seek directors who can represent them confidently in complex stakeholder environments.

When Leadership Fails — And How to Fix It

Even the best boards occasionally lose their rhythm. Groupthink sets in. The CEO relationship frays. Performance lags. PwC’s guidance here is pragmatic: act early. Use governance processes such as evaluations, nominating committees, and role clarifications to diagnose and correct the course before a crisis strikes. For future board members, this means understanding that courage is part of the job. You must be willing to speak uncomfortable truths, advocate for leadership transitions, and uphold the board’s fiduciary duty even when it is personally difficult. As one seasoned chair told PwC researchers, “An ounce of prevention is worth a pound of cure.” Effective directors prevent dysfunction through vigilance, not intervention after the fact.

The Final Lesson: Leadership as Legacy

At its core, Effective Board Leadership offers a simple but profound insight: governance is leadership at its highest level. It is about service over status, stewardship over self-interest, and purpose over politics. For those aspiring to board roles, the path forward is clear. Cultivate emotional intelligence, strategic foresight, and moral courage. Learn to listen as well as lead. And above all, remember that the board’s greatest power lies not in authority but in example.

Because great governance, like great leadership, is never accidental. It’s intentional, exacting, and indispensable.

Risk Management and the Board: Why Oversight is Now a Strategic Imperative

In today’s business landscape, boards of directors are navigating a storm of risks that would test even the most resilient organizations. This topic was explored in a recent article titled “Risk Management and the Board of Directors.” Geopolitical uncertainty, economic volatility, cybersecurity threats, climate change, and the uncharted waters of generative AI are no longer background noise. They have moved to the front and center in boardrooms. Against this backdrop, risk management has emerged not just as an operational necessity but as a governance and strategic imperative. For compliance professionals, this raises a critical question: what role should the board play in risk management, and how can compliance officers support them in fulfilling that role effectively?

Oversight, Not Management

A crucial distinction must be made: boards are not responsible for managing risk on a day-to-day basis. That responsibility belongs to management. But boards do carry the weight of oversight. This oversight includes monitoring the most significant corporate risk factors, ensuring that appropriate risk systems are in place, and verifying that those systems function in practice.

Think about the Boeing case. Regulators and auditors identified multiple failures in Boeing’s manufacturing controls and safety processes, resulting in devastating reputational and financial consequences that continue to unfold. The lesson is clear. It is not enough for a board to approve a risk framework and then step away. Boards must oversee, probe, and confirm that those frameworks are embedded in operations across the enterprise.

Compliance officers can support this by providing boards with accurate, timely, and actionable reporting. Minutes, board packets, and oversight documentation are not administrative afterthoughts. They are evidence of diligence that courts, regulators, and investors increasingly scrutinize.

Tone at the Top: Culture as the Foundation

If oversight is the board’s mandate, then culture is the foundation that determines whether risk management succeeds or fails. Boards set the “tone at the top,” and that tone resonates throughout the organization.

Transparency, consistency, and communication are essential. A board that prioritizes ethics, compliance, and stakeholder safety sends a clear message: compliance failures and corner-cutting will not be tolerated. Conversely, when boards tolerate delay or indecision in addressing risks, such as safety lapses, misconduct, or harassment, they erode employee trust, tarnish their reputation, and invite regulatory scrutiny.

Board Readiness in a Dynamic Environment

Boards must prepare not only for the risks they know but for those that are emerging. This means ongoing director training, scenario planning, and recruitment strategies that close knowledge gaps. While no board can house every kind of subject-matter expertise, it must know when to bring in advisors, leverage external resources, and engage with stakeholders directly.

A readiness mindset also means anticipating the unexpected. Crisis response plans, covering a range of scenarios from cyberattacks to workplace misconduct, should be in place and regularly tested to ensure their effectiveness. Compliance leaders should be part of these conversations, ensuring that prevention, detection, and remediation are embedded into strategy, not bolted on as afterthoughts.

Investors, regulators, and even the courts of Delaware are sharpening their focus on board-level risk oversight. The Caremark line of cases continues to set a high bar, but boards that fail to engage in good faith with core risks run the risk of liability. Compliance officers can help directors demonstrate that their oversight is active, engaged, and documented.

Practical Recommendations for Compliance Professionals

What does this mean for compliance officers working with boards? Here are four takeaways:

1. Provide Clear, Actionable Risk Reporting

Boards cannot oversee what they cannot see, and too often, directors are presented with overwhelming data that obscures the real risks. Compliance should deliver reporting that distills information into clear, concise insights, showing not just what happened but why it matters. The most effective reports highlight trends, identify root causes, and directly connect risks to business strategy, enabling the board to act with confidence.

2. Integrate Oversight into Strategy

Compliance risk management should never be treated as an afterthought, bolted onto the business after decisions are made. Instead, compliance officers must help boards see how compliance oversight is deeply intertwined with growth, innovation, and operational resilience. By linking compliance considerations to strategy, compliance becomes a driver of sustainable success rather than a box-checking obligation.

3. Focus on Emerging Risks

Generative AI, biodiversity loss, and geopolitical fragmentation are no longer distant or theoretical; instead, they are reshaping risk landscapes as we speak. Boards need compliance officers to translate these complex issues into practical implications before they escalate into crises that erode value and reputation. A forward-looking compliance function enables directors to anticipate threats, allocate resources effectively, and avoid being blindsided.

4. Reinforce Culture and Ethics

Tone at the top must resonate throughout the organization, and compliance is the bridge that connects board-level values to everyday business practices. Compliance officers can help embed cultural expectations by weaving red flags, lessons learned, and behavioral standards into training, communications, and accountability structures. When done well, this alignment ensures that ethical behavior is not aspirational but operational, lived out across all levels of the enterprise.

Why It Matters Now

The expectations for board-level risk oversight are higher than ever. Regulators want evidence that boards are engaged. Courts are scrutinizing oversight failures with fresh vigor. Investors are pressing for transparency on ESG, cyber, and DEI risks. And employees, your most important stakeholders, expect boards to prioritize safety, inclusion, and integrity.

For compliance professionals, this creates both a challenge and an opportunity. The challenge is to help boards stay ahead of complex risks in an environment of constant change. The opportunity is to elevate the compliance function as a strategic partner in governance, resilience, and corporate integrity.

Final Thoughts

Risk management is no longer just an operational function; it has become a strategic imperative. It is a governance issue that sits squarely in the boardroom. Boards do not need to manage risk, but they must actively oversee it, document their oversight, and ensure that culture and strategy align with risk management systems.

As compliance professionals, we are uniquely positioned to support this mandate. We provide the frameworks, reporting, and insights that help boards meet their obligations and protect the enterprise. In doing so, we not only maintain compliance but also enhance resilience, protect reputation, and foster trust with stakeholders.

The message is clear: oversight is not optional, culture is not cosmetic, and preparation is not a luxury. For today’s boards and for the compliance professionals who advise them, risk management is a strategic imperative that can no longer be ignored.

Cybersecurity Oversight at the Board

Cybersecurity risk is no longer a back-office IT issue. It is a board-level governance priority, a regulatory compliance challenge, and a reputational minefield. From ransomware attacks to regulatory enforcement actions, the stakes have never been higher. An article in the Harvard Law School Forum on Corporate Governance, titled “Risk Management and the Board of Directors,” reviewed the NACD’s 2025 survey, which showed that over three-quarters of boards now discuss the material and financial implications of cyber incidents. While that is progress, awareness alone is not enough.

For compliance professionals, the message is unmistakable: cybersecurity oversight is now a central pillar of governance. In this post, I will explore the evolving regulatory landscape, lessons from enforcement actions, and practical steps compliance teams can take to help boards discharge their responsibilities effectively.

A National Priority with Global Reach

Cybersecurity has moved to the top of national agendas. The Biden Administration’s 2023 National Cybersecurity Strategy set the tone, and the Trump Administration’s 2025 Executive Order reinforced it, emphasizing protections against foreign cyber threats and secure technology practices. But this is not just a U.S. issue. The EU’s GDPR, California’s CCPA, Virginia’s CDPA, and Illinois’s biometric data laws all impose sweeping obligations with high-stakes enforcement. Settlements under Illinois’s biometric privacy law alone have reached into the hundreds of millions.

For compliance professionals, this expanding patchwork of regulation means that cyber oversight cannot be siloed by geography or business unit. Boards must ensure management understands and complies with both domestic and international requirements.

The SEC Steps into the Spotlight

If boards needed any reminder of their cyber responsibilities, the SEC has provided it. In 2023, the SEC finalized disclosure rules requiring companies to report material cyber incidents on Form 8-K within four business days (subject to limited delays approved by the Attorney General). Companies must also disclose in their 10-Ks their processes for identifying and managing cyber risks, the material impacts of prior incidents, and, critically, the board’s role in oversight.

The SEC has coupled disclosure mandates with enforcement actions. From Robinhood in 2025 (failure to implement identity theft protections) to SolarWinds in 2023 (alleged fraud and internal control failures), to Blackbaud’s ransomware misrepresentations and Morgan Stanley’s vendor monitoring failures, the Commission is signaling that cyber lapses are securities law violations. The key takeaway for compliance is that disclosures must be accurate, controls must be effective, and boards must demonstrate active oversight. Anything less may well invite regulatory scrutiny.

DOJ, FTC, and State Regulators Join In

The SEC is not alone. The DOJ has used the False Claims Act to address software vulnerabilities sold to government agencies. The FTC has pursued cases against GoDaddy and other providers for failing to implement adequate protections. The New York Department of Financial Services (NYDFS) has enforced its prescriptive cybersecurity rules since 2019, with actions as recent as August 2025. And globally, regulators like Ireland’s Data Protection Commission have issued blockbuster fines, such as the €530 million penalty against TikTok for unlawful data transfers.

The compliance implication is clear: multi-layered enforcement is now the norm. Cybersecurity and data privacy risks span agencies, jurisdictions, and statutes. Boards must assume that regulators will coordinate, cross-reference, and pursue failures aggressively.

Frameworks That Matter

With enforcement risk high, companies need a structured approach. The National Institute of Standards and Technology (NIST) framework has become the de facto benchmark, with its five core functions: identify, protect, detect, respond, and recover. Both the SEC and FTC endorse it, and boards should expect management to benchmark their programs against it.

At the governance level, the NACD’s Director’s Handbook on Cyber-Risk Oversight and guidance from the Cybersecurity & Infrastructure Security Agency (CISA) provide clear expectations: boards should not manage cyber risk, but they must oversee management’s handling of it.

Lessons from Enforcement Actions

Every enforcement case tells a story, and compliance professionals should use these as teaching tools:

  • Vendor Oversight Matters – Morgan Stanley’s failure to monitor vendors exposed data from 15 million customers. Boards must ensure that vendor cyber risk is integrated into their oversight.
  • Accurate Disclosures Are Non-Negotiable – SolarWinds and Blackbaud faced allegations of misrepresentation around breaches. Boards must verify that management’s cyber disclosures are truthful and complete.
  • Controls Must Be Tested – Robinhood’s identity theft control failures remind us that having policies on paper is not enough. Boards should require evidence that controls work in practice.

Practical Steps for Compliance Professionals

So how can compliance officers help boards meet their obligations in this complex cyber landscape? Four steps stand out:

1. Educate and Engage the Board

Boards need ongoing, tailored education on cyber risks. Compliance should arrange regular briefings from CISOs, external experts, and regulators. This ensures directors can ask informed questions and challenge management effectively.

2. Strengthen Incident Response Preparedness

An incident response plan is only as strong as its execution. Compliance must test plans through tabletop exercises, ensure disclosure obligations are understood, and coordinate with law enforcement and advisors. Boards should be briefed on lessons learned after every drill or real incident.

3. Integrate Cyber Risk into Enterprise Risk Management

Cyber risk cannot be isolated from strategy, finance, and operations. Compliance should help boards see cyber threats as part of enterprise risk management, aligned with business goals and resilience planning.

4. Monitor Third-Party and Supply Chain Risk

Vendors, cloud providers, and contractors are often the weak link. Compliance should implement due diligence, ongoing monitoring, and contract requirements that address cyber obligations. Boards should receive visibility into these risks and the company’s mitigation strategies.

Why This Matters for Boards and Compliance

Cybersecurity is not just an IT challenge; it is a governance imperative. Regulators, courts, and investors expect boards to demonstrate active, documented oversight. For compliance professionals, the mandate is to help boards meet that expectation with clarity, structure, and evidence.

The reality is stark: a single breach can devastate a company’s reputation, stock price, and stakeholder trust. But boards that embrace active oversight, guided by compliance professionals, can transform cybersecurity from a vulnerability into a competitive advantage.

Final Thoughts

The cyber landscape is evolving faster than most organizations can keep pace. But boards do not have the luxury of waiting. As recent regulations and enforcement actions demonstrate, oversight failures will be punished, sometimes harshly.

For compliance professionals, this is both a challenge and an opportunity. By educating boards, strengthening incident response, integrating cyber into enterprise risk, and addressing third-party exposures, compliance can elevate its role from policy enforcer to strategic partner.

The bottom line: Cybersecurity oversight is no longer optional. It is the frontline of governance, and compliance professionals are the essential guides helping boards navigate it.


Directors and AI: Do’s, Don’ts, and Compliance Lessons

Artificial intelligence (AI) has rapidly become embedded in the daily workflows of executives, employees, and, increasingly, board directors. From drafting strategy summaries to analyzing industry data, directors are turning to AI chatbots and transcription tools in the same way they once adopted email, spreadsheets, or virtual board portals. However, unlike those earlier technologies, AI presents new risks, and for directors, these risks intersect directly with fiduciary duties and corporate governance obligations.

A recent memorandum by Skadden, Arps, Slate, Meagher & Flom LLP, published through the Harvard Law School Forum on Corporate Governance, outlines practical dos and don’ts for directors using AI in their board roles. The message is clear: while AI offers great promise, directors must use it with caution. For compliance professionals, this guidance provides important lessons not only for boardrooms but also for the governance structures that surround them.

The Temptation of AI in the Boardroom

Boards are expected to absorb massive amounts of information, such as financial results, strategy papers, compliance reports, and cybersecurity dashboards, often under tight timelines. It is easy to see why a director might feed these materials into an AI tool to produce summaries or ask for red flags. Similarly, transcription services appear attractive for documenting complex board meetings and discussions. But here lies the trap: not all AI tools are created equal. Publicly available chatbots often train on user inputs, meaning that confidential board information could be incorporated into the system and potentially regurgitated to other users, including competitors.

Just as you would never allow directors to send board books through unsecured email, AI tools need guardrails.

Key Risks Identified in the Director’s Guide

The Skadden memorandum outlines several risks directors must consider when using AI in their corporate capacities:

  1. Confidentiality and Data Leakage – Uploading sensitive materials into public AI systems risks exposing trade secrets or personal data. Even if the information is deleted from a user’s history, the AI vendor may still retain and train on it.
  2. Discovery and Litigation Risks – AI chats are records. Like emails, they may be discoverable in litigation or regulatory reviews. Regulators could demand access to AI interactions if they involve matters under scrutiny, such as antitrust reviews of mergers and acquisitions (M&A) activity.
  3. Loss of Privilege – Using AI to transcribe board meetings or communications with counsel risks waiving attorney-client privilege. Once third parties have access, privilege may be lost forever.
  4. Accuracy and Hallucinations – AI outputs can be wrong, biased, or outdated. Treating AI results as authoritative without verification exposes directors to poor decision-making and potential breaches of fiduciary duties.
  5. Erosion of Human Judgment – Over-reliance on AI to make HR, strategy, or other critical decisions risks abdicating the duty of care and loyalty. Directors must remain firmly “in the loop”.

Compliance Lessons for Professionals

From these risks, we can distill key lessons for compliance officers advising boards and executives on AI governance.

1. Confidential Information Must Stay Inside the Perimeter

Compliance professionals should establish clear rules: no uploading of board materials, personal data, or trade secrets into public AI tools. Instead, direct the board to company-approved platforms that are vetted for security and configured to prevent training on sensitive inputs. This is not just a best practice; it may also be required to comply with contractual obligations, privacy laws, and internal data-protection policies.

2. Treat AI Chats as Discoverable Records

Boards should assume that anything shared with AI may one day be discoverable by others. Compliance professionals must include AI chats and transcripts in records-retention policies and advise directors to avoid discussing sensitive legal or competitive issues in public AI systems. This lesson mirrors earlier corporate missteps with text messages and messaging apps. AI is the new frontier for discoverability.

3. Preserve Privilege by Avoiding AI for Legal Matters

Directors must not use AI to record privileged discussions with counsel or board meetings, as doing so risks waiving attorney-client privilege. Compliance officers should make this an explicit policy. Approved transcription tools may be used for training sessions or customer service calls, but never for board-level deliberations. Losing privilege could cripple a company’s defense in litigation. Compliance officers should hammer this home during board training.

4. Verify Before You Trust

AI has a well-documented tendency to “hallucinate.” Directors must be reminded: AI is not a single source of truth. Compliance programs should emphasize verification. Encourage directors to cross-check AI outputs against trusted sources and ensure management reviews AI-generated analyses before relying on them for decision-making.

5. AI Is a Tool, Not a Decision-Maker

The most important compliance lesson: AI augments but does not replace human judgment. Directors remain bound by duties of care and loyalty. Compliance professionals must make clear that delegating decision-making to AI tools could not only harm the company but also expose directors to personal liability.

Building a Compliance Framework for Board Use of AI

The Skadden guide closes by urging boards to develop clear policies for AI use, including approved tools, acceptable uses, and required disclosures. For compliance officers, this is an opportunity to lead.

Here are key framework elements to consider:

  • Approved Tools List – Maintain a list of AI platforms validated by IT and legal for security and compliance.
  • Acceptable Use Policy – Define when and how directors may use AI (e.g., industry research, summarizing public filings) versus prohibited uses (e.g., uploading board decks, transcribing meetings).
  • Training and Awareness – Provide directors with training on AI risks, including confidentiality, discoverability, and hallucinations.
  • Monitoring and Audit – Periodically review the use of AI by directors to ensure compliance with relevant policies and regulations.
  • Disclosure Requirements – Require directors to disclose if AI tools were used to generate or summarize board-related materials.

Final Thoughts

The “Do’s and Don’ts of Using AI” is a timely reminder: AI governance is not only about company-wide adoption. It also starts at the top, with the board itself. Directors tempted to use AI in their own roles face unique risks. These risks could compromise confidentiality, destroy privilege, or erode fiduciary oversight.

For compliance professionals, this presents an opportunity to serve as both educator and enforcer. Just as compliance led the charge on insider trading policies, conflicts of interest, and anti-bribery training, so too must we lead on AI governance.

The bottom line is that AI can be an extraordinary tool for directors. But without compliance guardrails, it can also be a governance trap. Our role is to ensure the boardroom and the company stay on the right side of that line.


Building a Compliance Playbook for AI: Board-Level Lessons in Cybersecurity Oversight

Artificial intelligence (AI) has been heralded as one of the most transformative technologies of our time. It promises efficiency, productivity, and entirely new business models. Yet, as with any tool of such power, AI is both a friend and a foe. For corporate directors, compliance officers, and risk professionals, AI presents a dual challenge: leveraging its defensive strengths while preparing for its potential weaponization by malicious actors.

The National Association of Corporate Directors (NACD), in partnership with the Internet Security Alliance (ISA), has released a special supplement to its Directors’ Handbook on Cyber-Risk Oversight devoted entirely to AI in cybersecurity. It is a timely publication. Adoption rates are soaring: 72% of companies were already using AI in 2024, and the risks are accelerating just as fast. For the compliance community, the report provides a roadmap for oversight, governance, and practical questions boards must ask management.

AI as Both Force Multiplier and Risk Multiplier

On one side of the ledger, AI enhances cybersecurity by automating threat detection, reducing false positives, identifying malware, and analyzing oceans of log data. Used wisely, AI allows companies to “get ahead of theft”. This includes identifying vulnerabilities before criminals exploit them. Generative AI and large language models (LLMs), in particular, can speed detection, enrich threat indicators, and even suggest remediation steps.

However, these same capabilities are available to cybercriminals. AI lowers the barrier of entry for less sophisticated hackers, turbocharges phishing and social engineering campaigns, and allows nation-states to refine cyberattacks at scale. This duality makes AI unique: it amplifies both opportunity and risk simultaneously.

Oversight Imperatives for Boards

The handbook identifies four key imperatives for boards responsible for overseeing AI and cybersecurity.

1. Director Education – Boards must commit to continuous learning about AI’s risks, benefits, and regulatory developments. Few leaders yet possess the technical grounding needed to appreciate AI’s implications.

2. Threat and Opportunity Awareness – Directors must understand not just the dangers but also the strategic benefits AI can bring.

3. Regulation and Disclosure – Boards must anticipate evolving rules and disclosure obligations. AI oversight will require the same level of rigor as financial and ESG reporting.

4. Board Readiness – Boards must ensure management builds governance structures, ethical use frameworks, and clear communication channels about AI’s role.

Compliance Lessons from the NACD AI in Cybersecurity Handbook

1. Third-Party and Supply Chain Risk Will Intensify

Boards are advised to scrutinize vendors’ AI tools and data sources. As the handbook emphasizes, AI models can be trained on data with questionable provenance, intellectual property, personally identifiable information, or even classified information. Using such models can expose organizations to liability. For compliance professionals, this means conducting enhanced due diligence on third-party AI systems. Ask vendors how they source training data, what models they use, and whether they have human oversight mechanisms in place to ensure quality. AI risk is now a key component of supply chain risk.

2. Transparency Is a Non-Negotiable

AI systems often function as “black boxes.” Their lack of explainability poses reputational and legal risks when decisions cannot be justified. Boards are urged to push for transparency in AI deployment, both internally and in customer-facing applications. For compliance professionals, this means incorporating explainability into your AI governance framework. Require documentation of training data, decision-making logic, and model limitations. If regulators ask, you must be able to demonstrate your homework.

3. Continuous Monitoring Is the New Standard

As highlighted in the AI Seven-Step Governance Program, AI oversight requires more than pre-deployment testing. Continuous monitoring, auditing, and retraining must occur throughout the lifecycle of AI tools to ensure their effective use. For the compliance professional, this means your program must move beyond “check-the-box” vendor certifications. Build ongoing monitoring and assurance processes. Think of AI oversight as dynamic, not static.

4. Regulation Will Come Fast and Furious

The NACD warns that while regulators often lag innovation by three to five years, the window for AI is already shortening. Boards relying on a “wait and see” approach will find themselves overwhelmed when rules arrive. Clearly, the compliance function must do more than wait for the regulators. Even if the US government were inclined to do so, the necessary political will would not exist to allow for an agreement. This means you should align your approach today with emerging frameworks, such as the EU AI Act, the NIST AI Risk Management Framework, and OECD principles. Position your company to demonstrate proactive governance.

5. Disclosure Expectations Will Rise

AI adoption carries disclosure obligations across transparency, risk assessment, and incident reporting. Boards must assume that regulators and investors alike will demand clear, timely disclosure of AI-related incidents and governance practices. Compliance must lead the way in your corporation to build AI into your disclosure controls and procedures now. Ensure incidents involving AI failures are reported with the same rigor as material cybersecurity breaches.

6. The Board Must Get Educated—and Fast

The handbook emphasizes director education. Boards that lack AI fluency will struggle to provide proper oversight. Worse, they may overestimate management’s ability to mitigate AI risks. You should encourage board training through NACD, Carnegie Mellon’s CERT program, or trusted third-party advisors. Education is no longer optional; it may well become a fiduciary duty.

7. Governance Structures Must Evolve

Some companies are considering dedicated AI committees, while others integrate AI oversight into existing audit or risk committees. Either way, boards need clear lines of accountability. The questions boards should be asking management are listed extensively in the handbook, including:

  • How are competitors using AI?
  • Do we need a Chief AI Officer?
  • What is our exposure if adversaries use AI against us?
  • Have we segregated training data to know its provenance?
  • Are our policies aligned with the EU AI Act’s risk classifications?

Start these conversations today. Board agendas must include AI oversight as a recurring topic.

Building a Compliance Playbook for AI

The compliance professional can translate the NACD’s recommendations into a practical playbook for your program, incorporating the following key concepts.

  • Embed AI governance early – Don’t bolt compliance onto AI projects after the fact. Integrate governance into design and procurement stages.
  • Adopt a human-centered AI approach – Ensure AI is aligned with corporate values and ethical principles, not just efficiency goals.
  • Use risk quantification – Treat AI risk like any other enterprise risk: quantify, compare, and integrate into ERM frameworks.
  • Demand accountability – Require clear responsibility for AI oversight, whether it sits with the Chief Compliance Officer, CIO, or a new Chief AI Officer role.
  • Engage regulators early – Use disclosure and transparency as tools to build trust with regulators and stakeholders.

The Handbook makes clear that AI in cybersecurity is not just a technology issue. It is an enterprise risk, a boardroom issue, and a compliance mandate. For compliance professionals, this means you must step into the AI oversight conversation.

As with the FCPA decades ago, regulators and stakeholders will expect companies to transition from a reactive to a proactive approach. The time to build frameworks, train directors, and embed oversight is now. AI, like every disruptive technology before it, will reward the prepared and punish the complacent. Compliance professionals are uniquely positioned to bridge the technical and governance divide. By applying lessons from the NACD handbook, we can ensure that AI becomes not just a tool for criminals but a force multiplier for integrity, trust, and resilience in the digital age.


Compliance Tip of the Day – Your First Board Seat, A Guide to Success

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we conclude our 5-part series and consider several questions about compliance officers working with or on the Board. We also consider what you need to do to be successful after joining your first Board as a member.

For more on this topic, check out The Compliance Handbook, a Guide to Operationalizing your Compliance Program, 6th edition, which was recently released by LexisNexis. It is available here.


Board Week, Part 5: Your First Board Seat: A Compliance Professional’s Guide to Success

Ed. Note: this blog post concludes our 5-part series this week on Board issues for the compliance professional.

For many compliance professionals, being selected to serve on a board of directors is a career milestone. It signals that your judgment, risk insights, and crisis-tested leadership are valued at the highest level of governance. But stepping into that boardroom for the first time can feel daunting. The expectations are high, the norms are unspoken, and the stakes — governance, strategy, and shareholder value — could not be greater.

The good news? Compliance leaders already have many of the tools needed to thrive. You understand oversight, you know the difference between management and governance, and you have a keen sense of risk. What you need now is a roadmap for the first 90 days and beyond. Drawing from hard-won lessons and my own experiences, here is a playbook for how compliance professionals can not only survive but excel when they take their first board seat.

Mastering the First 90 Days

How you arrive determines how long and how well you serve.

1. Listen Hard

Your first task is to absorb as much as possible. That means reading everything, including board books, minutes, charters, risk registers, and committee reports, to map who influences what and how decisions are made. Pay attention not just to the formal processes but also to the informal alliances and power dynamics. And always keep in mind the golden rule of governance: noses in, fingers out. Boards are not there to manage operations. You are there to oversee, question, and guide, not to run the business.

2. Pick Your Moments

New directors often feel pressure to speak up quickly to demonstrate their belonging. Resist that urge. Early on, focus on asking clarifying questions rather than staking strong positions. For example:

  • “Can you walk me through the assumptions behind this forecast?”
  • “How does this proposal fit into our risk appetite?”

If you sense a question may take the discussion into the weeds, make a note and raise it later with the chair, CFO, or committee lead. This shows respect for the board’s time and demonstrates that you know when and how to engage.

3. Add Value in Your Lane

Compliance professionals bring unique expertise that most boards need. Use it wisely. Offer short, focused contributions that advance the discussion without grandstanding. Boards value directors who are helpful, not those who are performative. Demonstrate your ability to contribute in ways that strengthen governance. Examples include:

  • A memo on third-party risk in an emerging market.
  • A list of key oversight questions for AI adoption.
  • A template for crisis after-action reviews.

4. Build Relationships

Your effectiveness as a director depends on trust. Schedule one-on-ones with committee chairs, the CFO, the general counsel, and the CHRO. These conversations will help you understand priorities, build rapport, and identify how your skills can best complement the board. Ask open-ended questions such as:

  • “What keeps you up at night?”
  • “How can I be useful to you in this role?”

5. Model Integrity

Boards need truth-tellers, and compliance professionals are uniquely qualified for this role. If messaging strays from your values in a crisis or if you sense spin overtaking substance, speak up. Deliver the truth with respect, but do not shy away from speaking it. Integrity, modeled consistently, builds credibility faster than any technical expertise.

Learning the Subtle Arts: EQ, Voice, and Timing

Technical skills will get you to the boardroom. Emotional intelligence will determine your influence once you’re there.

1. Ask the Deceptively Simple Question

The best directors are not the ones who speak most often; they’re the ones who move the conversation the farthest. One way to do that is by asking questions that reframe the discussion. For example:

  • “What would have to be true for this initiative to fail?”
  • “Which stakeholders haven’t we heard from?”
  • “What’s our escalation trigger if this risk materializes?”

These questions cut through complexity and shift the board from passive review to active oversight.

2. Use Tone Intentionally

Tone is a powerful instrument. There are moments when it is necessary to be assertive, such as when the stakes are high or values are at stake. At other times, your role is to synthesize, invite, and build consensus.

By modulating your tone, you signal confidence without arrogance and influence without domination. Consider phrases like:

  • “I’m curious…” to open space for dialogue.
  • “I recommend…” when it’s time to guide toward a decision.

3. Find a Mentor

Every first-time director should find a seasoned board member to serve as an informal mentor. A five-minute call before or after a meeting can provide invaluable insight into board culture, expectations, and unwritten rules.

Ask them candidly: “How did I land in that discussion? Was my intervention useful? What would you have done differently?” That kind of feedback can accelerate your growth exponentially.

Beyond the First 90 Days: Building Long-Term Effectiveness

Once you’ve navigated your first board cycle, the question becomes: how do you sustain credibility and build influence over time?

1. Deepen Your Governance Acumen

Compliance professionals often arrive with strong risk instincts but limited exposure to broader governance topics, such as executive compensation, shareholder engagement, and capital allocation. Make it a goal to broaden your perspective. Read widely, attend director education programs, and seek assignments on committees outside your comfort zone.

2. Balance Oversight with Strategic Contribution

Boards do not want directors who only highlight risks; they want directors who help balance risk with opportunity. As a compliance professional, learn to frame your insights in terms of strategic choices. This positions you as a partner in growth, not just a gatekeeper. For example:

  • Instead of: “This market carries high corruption risk.”
  • Say: “Here are the three risk mitigation strategies we can pursue if we want to expand into this market. Each has different costs and oversight implications.”

3. Stay Curious and Current

The regulatory environment evolves constantly. Bring fresh insights on new enforcement trends, ESG requirements, AI governance, or data privacy. Share these in concise, board-relevant formats, such as one-page updates, dashboards, or curated case studies. Being the director who consistently adds current, relevant context makes you indispensable.

4. Protect Your Independence

Finally, never forget that your duty is to the organization and its stakeholders, not to management. Independence is your north star. If you sense pressure to conform or remain silent, remember that your value lies in your judgment, courage, and integrity. Serving on a board for the first time is both an honor and a responsibility. For compliance professionals, it is also a natural progression. You already live in the space between risk and resilience, rules and judgment, compliance and culture.

To succeed, you must combine that technical expertise with the subtler arts of listening, timing, and relationship-building. Arrive prepared, model integrity, and contribute strategically. Do that, and you will not only occupy a seat at the table but also shape decisions that steer the organization toward long-term success.


Compliance Tip of the Day – So You Want to Be on a Board


Today’s episode continues our five-part series, considering several questions about compliance officers working with or on the Board, and moves on to how a CCO can make themselves more marketable to sit on a Board.



Board Week, Part 4: So You Want to Be on a Board

If you work in compliance, you already speak the language boards care about: risk, resilience, integrity, and long-term value. The opportunity now is to package your experience so that directors and the search firms who advise them will view you as a business voice who specializes in compliance, rather than the other way around. Drawing on insights from women leaders who have navigated their way to board service, along with hard-won boardroom lessons, today we present a step-by-step playbook for compliance professionals who want a seat at the table.

Reframe Your Value: From “Compliance Leader” to “Board-Ready Risk Strategist”

Boards add people to fill needs, not aspirations. Translate your day job into board outcomes.

As a CCO, you use judgment under uncertainty. Some of the key tasks of every compliance officer include triaging investigations, balancing disclosure risk, and managing interactions with regulators. Boards prize seasoned judgment more than technical depth. You also have a broad, enterprise risk lens. Recast hotline trends, third-party risk, sanctions exposure, data privacy, and culture measurement as strategy inputs and value protection, not just controls.

You should already have fluency in crisis preparation and management. You know incident response cycles (facts are murky, pressure is high, stakeholders differ). That calm, evidence-first approach is board gold. Finally, show that you understand the boundary: boards govern, while management operates. You can probe, synthesize, and guide without taking control of the show.

Deliverable: Write a one-page Board Bio (not a resume). Lead with judgment, strategy impact, crisis experience, and committee relevance (Audit/Risk/Gov). Keep it crisp; your first paragraph must sing.

Choose Your On-Ramps: Nonprofit, Private, Public—In That Order (Usually)

Recruiters fill a minority of board seats; most come through networks and word of mouth. For many compliance professionals, the fastest on-ramp is to mission-driven or local nonprofit boards, followed by private company boards, and then public boards.

Nonprofit boards hone the muscle memory of governance, committee work, and board dynamics. You learn agendas, pre-reads, fiduciary duties, and the cadence of challenge/support. You also practice EQ moves, such as knowing when to ask in the room versus follow up offline. Private company boards value operators who have built programs and navigated growth risk, which are perfect for compliance leaders who have matured third-party, privacy, or cyber programs at scaling companies. Finally, public company boards hire for specific committee needs, prior board experience, and public company expertise (audit, compensation, nominating/governance, cyber risk).

Action to take: Pick three nonprofits whose mission you genuinely care about. Offer to help first (advisory project, committee seat), then raise your hand for the board. Passion + preparation beats paper credentials.

Build a Targeted Narrative, Not a Generic Pitch

Your pitch should not be “I want a board seat,” but rather “Here’s the problem I’m built to solve.”

If you are a controls/assurance pro (SOX, internal audit, investigations), position for the Audit or Risk committee. Emphasize financial integrity, whistleblower credibility, remediation discipline, and root cause rigor. If you are a tech-savvy, privacy-conscious, or cyber-savvy CCO, aim for Risk or Technology oversight. Stress incident playbooks, data governance, AI/ML risk, and cross-functional response. If your strength lies in cultural and ethical issues, look to nominating and governance needs: board composition, CEO succession risk, incentive design that deters misconduct, and culture as a control.

Homework: Next, do your industry homework. If you are pursuing board roles in healthcare, life sciences, fintech, or manufacturing, read 10-Ks, enforcement actions, and peer risk factors; convert your experience into sector-specific oversight value.

Network Like It’s Your Job (Because It Is)

Board seats are an art, not a posting. Your path will resemble a mosaic more than a pipeline.

Warm introductions often outshine cold resumes. Each week, tell three people in positions such as GCs, CFOs, fellow CCOs, auditors, and PE operating partners exactly which board needs you can fill and in which sector. Peer groups are multipliers. Join compliance councils, audit institute chapters, NACD/director forums, and alumni boards. Offer to moderate a panel on “Board Oversight of Third-Party Risk” or “AI and Culture Risk.” Finally, be visible in solving problems. Publish a short LinkedIn series on board-relevant topics (e.g., “A director’s five questions for sanctions exposure”). Speak briefly; show judgment.

Remember: Patience wins. Boards decide on quarterly cycles, not recruiting sprints.

Get Committee-Ready—Fast

Most first-time directors enter through committees. Make yourself instantly additive:

  • Audit Committee. Develop an approach that ties investigations, SOX controls, fraud risk assessments, and hotline patterns to financial statement risk. Show how your work protected revenue or EBITDA.
  • Risk Committee. Bring a heat map that integrates cyber, third-party, geopolitical, product safety, and culture risk. Demonstrate scenario planning and escalation criteria.
  • Nom/Gov Committee. Connect incentive structures, succession planning, ethics benchmarks, and board composition to long-term value.
  • Compensation Committee. Translate the root causes of misconduct into incentive design advice (pay for how results are achieved, not just that they are achieved).

Deliverable: Create a two-page Board Briefing Pack you can share confidentially when asked: a sample dashboard, escalation triggers, and a case study where your counsel changed a decision.

Do the Diligence: Culture, Time, and Risk

Do not treat an offer like a trophy; do your homework on the company and the position. Ensure you are a cultural fit. Talk to multiple directors and at least two executives. Ask how the board challenges management, how dissent is handled, and how pre-reads and follow-ups actually work. If they are reluctant to connect you, that is a red flag. Make sure you understand the time reality. Beyond quarterly meetings, count committee meetings, prep, and off-cycle crises. Nonprofit boards can be especially “needy”; set eyes-open expectations. And last but certainly not least, tie down the D&O and indemnification. Always ask to see the policy and indemnity language, including limits, carve-outs, and advancement of expenses. For public or PE-backed companies, confirm coverage by entity and by capacity.

Make Your Board Bio and Outreach Ready This Month

Create a one-page Board Bio. It should open with 3–4 lines that demonstrate your judgment, sector context, and committee fit (e.g., “Audit/Risk-ready executive who led global compliance and crisis response across 30 countries; proven board advisor on cyber, sanctions, and culture risk”). It should contain 3–5 selected impact bullets tying actions you have taken to outcomes (“Reduced investigation cycle time 40% and increased substantiation quality; informed board decision to exit a high-risk distributor, avoiding potential enforcement exposure”). Add your board interests in selected industries, committee preferences, and geography. Of course, add your contact information.

Action: Take this and create an outreach list with 15 names, including those from legal, finance, audit, PE ops partners, CEOs you’ve advised, and nonprofit leaders. Ask for needs-first conversations, not a seat at the table.

Final Word: You’re More Board-Ready Than You Think

Boards do not need passengers; they need steady judgment, crisis fluency, and a practical grasp of how controls become strategy. That’s your wheelhouse. Do the homework, shape a needs-first narrative, and start where you can make an impact now. The seat will often come from a conversation you did not know would matter.

And when it does, remember the rule that separates great directors from the rest: noses in, fingers out, with a steady hand on the compass of integrity.

30-60-90 Action Plan

Next 30 days

  • Draft board bio + two-page briefing pack.
  • Reconnect with five execs who’ve seen your judgment under pressure; ask for introductions to their board contacts.
  • Identify and approach one nonprofit and one private company where your risk expertise is directly relevant.

Days 31–60

  • Speak on one panel/webinar: “Board Oversight of Third-Party & Sanctions Risk” or “What Directors Need to Know About AI and Culture.”
  • Conduct three informational interviews with current directors and refine your narrative based on their feedback.

Days 61–90

  • Commit to a nonprofit board or board committee role.
  • Join a director education program (NACD or equivalent) and complete a module on Audit/Risk oversight.
  • Publish a three-post LinkedIn series: “A Director’s Playbook for Crisis Escalation,” “Five Board Questions for AI Risk,” “Culture as a Control.”