Tag: BOD

Categories
Blog

When AI Incidents Collide with Disclosure Law: A Unified Playbook for Compliance Leaders

There was a time when the risk of artificial intelligence could be discussed as a forward-looking innovation issue. That time has passed. AI governance now sits squarely at the intersection of operational risk, regulatory enforcement, and securities disclosure. For compliance professionals, the question is no longer whether AI risk will mature into a board-level issue. It already has.

If your organization deploys high-risk AI systems in the European Union, you face post-market monitoring and serious incident reporting obligations under the EU AI Act. If you are a U.S. issuer, you face potential Form 8-K disclosure obligations under Item 1.05 when a cybersecurity incident becomes material. Add the NIST AI Risk Management Framework for severity evaluation, ISO 42001 governance expectations for evidence and documentation, and the compliance function, which stands at the crossroads of law, technology, and investor transparency.

The challenge is not understanding each framework individually. The challenge is integrating them into one operational escalation model. Today, we consider what that means for the Chief Compliance Officer.

The EU AI Act: Post-Market Monitoring Is Not Optional

The EU AI Act requires providers of high-risk AI systems to implement post-market monitoring systems. This is not a paper exercise. It requires structured, ongoing collection and analysis of performance data, including risks to health, safety, and fundamental rights. Where a “serious incident” occurs, providers must notify the relevant national market surveillance authority without undue delay. A serious incident includes events that result in death, serious harm to health, or a significant infringement of fundamental rights. The obligation is proactive and regulator-facing. Silence is not an option.

This means that if your AI-enabled hiring tool systematically discriminates, or your AI-driven medical device produces dangerous outputs, you may face mandatory reporting obligations in Europe even before your legal team finishes debating causation. The compliance implication is straightforward: you need an operational definition of “serious incident” embedded inside your incident response process. Waiting to interpret the statute after the event is not governance. It is risk exposure.

SEC Item .05: The Four-Business-Day Clock

Across the Atlantic, the Securities and Exchange Commission (SEC) has made its expectations equally clear. Item 1.05 of Form 8-K requires disclosure of material cybersecurity incidents within four business days after the registrant determines the incident is material. Here is where compliance professionals must lean forward: AI incidents can trigger cybersecurity implications. Data exfiltration through model vulnerabilities, adversarial manipulation of training data, or unauthorized system access to AI infrastructure may constitute cybersecurity incidents.

The clock does not start when the breach occurs. It starts when the company determines materiality. That determination must be documented, defensible, and timestamped. If your AI governance framework does not feed into your materiality assessment process, you have a structural weakness. Compliance must ensure that AI incident severity assessments are directly connected to the legal determination of materiality. The board will ask one question: When did you know, and what did you do? You must have an answer supported by contemporaneous documentation.

NIST AI RF: Speaking the Language of Severity

The NIST AI Risk Management Framework provides the operational vocabulary compliance teams need. Govern, Map, Measure, and Manage are not theoretical constructs. They form the backbone of defensible severity assessment. When an AI incident arises, you must evaluate:

  • Scope of affected stakeholders
  • Magnitude of operational disruption
  • Likelihood of recurrence
  • Financial exposure
  • Reputational harm

This impact-likelihood matrix is what transforms noise into signal. It allows the organization to distinguish between model drift requiring retraining and systemic failure requiring regulatory notification. Importantly, severity classification must not be left solely to engineering teams. Compliance, legal, and risk must participate in the evaluation. A purely technical assessment may underestimate regulatory or investor impact.

If the NIST severity rating is high-impact and high-likelihood, escalation must be automatic. There should be no debate about whether the issue reaches executive leadership. Governance means predetermined thresholds, not ad hoc discussions.

ISO 42001: If It Is Not Logged, It Did Not Happen

ISO 42001, the emerging AI management system standard, adds another layer of discipline: documentation. It requires structured governance, defined roles, documented controls, and demonstrable evidence of monitoring and incident handling. For compliance professionals, this is where audit readiness becomes real. When regulators ask for logs, you must produce:

  • Model version identifiers
  • Training data provenance
  • Decision traces and outputs
  • Operator interventions
  • Access logs and export records
  • Timestamps and system configurations

In other words, you need a chain of custody for AI decision-making. Without logging discipline, you will not survive regulatory scrutiny. Worse, you will not survive shareholder litigation. ISO 42001 forces organizations to treat AI systems with the same governance rigor as financial controls under SOX. That alignment should not surprise anyone. Both concern trust in automated decision systems.

One Incident, Multiple Obligations

Consider a practical scenario. A vulnerability in a third-party model component has compromised your AI-driven customer analytics platform. Sensitive customer data is exposed. The compromised system also produced biased credit scores during the attack window. You now face:

  • Potential serious incident reporting under the EU AI Act
  • Cybersecurity disclosure analysis under SEC Item 1.05
  • Data protection obligations under GDPR
  • Internal audit review of governance controls
  • Reputational fallout

If your organization handles each of these as separate tracks, you will lose time and coherence. Instead, you need a unified incident command structure with embedded regulatory triggers. As soon as the issue is identified, you preserve logs. Within 24 hours, severity scoring occurs under NIST criteria. Within 48 hours, the legal team evaluates materiality. By 72 hours, the evidence packet is assembled for board review. The board should receive:

  • Incident timeline
  • Severity classification
  • Regulatory reporting analysis
  • Financial exposure estimate
  • Remediation plan

This is not overkill. This is operational discipline.

The Board’s Oversight Obligation

Boards are increasingly being asked about AI governance. Institutional investors want transparency. Regulators want accountability. Plaintiffs’ lawyers want leverage. Directors should demand:

  1. Clear definitions of serious AI incidents.
  2. Pre-established escalation thresholds.
  3. Integrated disclosure decision protocols.
  4. Evidence preservation policies aligned with ISO standards.
  5. Regular tabletop exercises involving AI scenarios.

If your board has not run an AI incident simulation that includes SEC disclosure timing and EU reporting triggers, it is time to schedule one. Calm leadership during a crisis does not happen spontaneously. It is built through preparation.

The CCO’s Moment

This convergence of AI regulation and securities disclosure creates an opportunity for compliance professionals. The CCO can position the compliance function as the integrator between engineering, legal, cybersecurity, and investor relations. That requires proactive steps:

  • Embed AI into enterprise risk assessments.
  • Update incident response playbooks to include AI-specific triggers.
  • Align AI logging architecture with evidentiary standards.
  • Train leadership on materiality determination for AI incidents.
  • Report AI governance metrics to the board quarterly.

The compliance function should not be reacting to AI innovation. It should be shaping its governance architecture.

Governance Is Strategy

Too many organizations treat AI governance as defensive compliance. That mindset is outdated. Effective governance builds trust. Trust drives adoption. Adoption drives competitive advantage.

A well-documented post-market monitoring system demonstrates operational maturity. A disciplined severity assessment process demonstrates strong internal control. Transparent disclosure builds investor confidence. Conversely, fragmented incident handling erodes credibility. The market will reward companies that demonstrate responsible AI oversight. Regulators will scrutinize those who do not.

Conclusion: Integration Is the Answer

The EU AI Act, SEC Item 1.05, NIST AI RMF, and ISO 42001 are not competing frameworks. They are complementary lenses on the same reality: AI systems create risk that must be monitored, measured, disclosed, and documented.

Compliance leaders who integrate these frameworks into a single escalation and reporting architecture will protect their organizations. Those who treat them as separate checklists will struggle. AI risk is no longer hypothetical. It is operational, regulatory, and financial. The compliance function must be ready before the next incident occurs. Because when it does, the clock will already be ticking.

 

Categories
Blog

5 Strategic Board Playbooks for AI Risk (and a Bootcamp)

Artificial intelligence is no longer a future-state technology risk. It is a current-state governance issue. If AI is being deployed inside governance, risk, and compliance functions, then it is already shaping how your company detects misconduct, prioritizes investigations, manages regulatory obligations, and measures program effectiveness. That makes AI risk a board agenda item, not a management footnote.

In an innovation-forward organization, the goal is not to slow AI adoption. The goal is to professionalize it. Board of Directors and Chief Compliance Officers (CCOs) should approach AI the way they approached cybersecurity a decade ago: move it from “interesting updates” to a structured reporting cadence with measurable controls, clear accountability, and director education that raises the collective literacy of the room.

Today, we consider 5 strategic playbooks designed for a Board of Directors and a CCO operating in an industry-agnostic environment, building AI in-house, without a model registry yet, and with a cross-functional AI governance committee chaired and owned by Compliance. The program must also work across multiple regulatory regimes, including the DOJ Evaluation of Corporate Compliance Programs (ECCP), the EU AI Act, and a growing patchwork of state laws. We end with a proposal for a Board of Directors Boot Camp on their responsibilities to oversee AI in their organization.

Playbook 1: Put AI Risk on the Calendar, Not on the Wish List

If AI risk is always “important,” it becomes perpetually postponed. The first play is procedural: create a standing quarterly agenda item with a consistent structure.

Quarterly board agenda structure (20–30 minutes):

  1. What changed since last quarter? Items such as new use cases, material model changes, new regulations, and major control exceptions.
  2. AI full Risk Dashboard, with 8–10 board KPIs, trends, and thresholds.
  3. Top risks and mitigations, including three headline risks with actions, owners, and dates.
  4. Assurance and testing, which would include internal audit coverage, red-teaming results, and remediation progress.
  5. Decisions required include policy approvals, risk appetite adjustments, and resourcing.

This cadence does two things. First, it forces repeatability. Second, it creates institutional memory. Boards govern better when they can compare quarter-over-quarter progress, not when they receive one-off deep dives that cannot be benchmarked.

Playbook 2: Build the AI Governance Operating Model Around Compliance Ownership

In your design, Compliance owns AI governance and its use throughout the organization, supported by a cross-functional AI governance committee. That is a strong model, but only if it is explicit about responsibilities.

Three lines of accountability:

  • Compliance (Owner): policy, risk framework, controls, training, and board reporting.
  • AI Governance Committee (Integrator): cross-functional prioritization, approvals, escalation, and issue resolution.
  • Build Teams (Operators): documentation, testing, change control, and implementation evidence.

Boards should ask one simple question each quarter: Who is accountable for AI governance, and how do we know it is working? If the answer is “everyone,” then the real answer is “no one.” Your model makes the answer clear: Compliance owns it, and the committee operationalizes it.

Playbook 3: Create the AI Registry Before You Argue About Controls

You have no model registry yet. That is the first operational gap to close, because you cannot govern what you cannot inventory. In a GRC context, this is not a “nice to have.” Without an inventory, you cannot prove coverage, you cannot scope an audit, you cannot define reporting, and you cannot explain to regulators how you know where AI is influencing decisions.

Minimum viable AI registry fields (start simple):

  • Use case name and business owner;
  • Purpose and decision impact (advisory vs. automated);
  • Data sources and data sensitivity classification;
  • Model type and version, with change log;
  • Key risks (bias, privacy, explainability, security, reliability);
  • Controls mapped to the risk (testing, monitoring, approvals);
  • Deployment status (pilot, production, retired); and
  • Incident history and open issues.

Boards do not need the registry details. They need the coverage metric and the assurance that the registry is complete enough to support governance.

Playbook 4: Align to the ECCP, EU AI Act, and State Laws Without Creating a Paper Program

Many organizations make a predictable mistake: they respond to multiple frameworks by producing multiple binders. That creates activity, not effectiveness. A better approach is to use a single control architecture to map to multiple requirements. The board should see one integrated story:

  • DOJ ECCP lens: effectiveness, testing, continuous improvement, accountability, and resourcing;
  • EU AI Act lens: risk classification, transparency, human oversight, quality management, and post-market monitoring; and
  • State law lens: privacy, consumer protection concepts, discrimination prohibitions, and notice requirements where applicable

This mapping becomes powerful when it ties back to the board dashboard. The board is not there to read statutes. The board is there to govern outcomes.

Playbook 5: Use a Board Dashboard That Measures Coverage, Control Health, and Outcomes

You asked for a combined dashboard and narrative with 8–10 KPIs. Here is a board-level set designed for AI in governance, risk, and compliance functions, with in-house build, internal audit, and red teaming for assurance.

Board AI Governance KPIs (8–10)

1. AI Inventory Coverage Rate

Percentage of AI use cases captured in the registry versus estimated footprint.

2. Risk Classification Completion Rate

Percentage of registered use cases risk-classified (EU AI Act style tiers or internal tiers).

3. Pre-Deployment Review Pass Rate

Percentage of deployments that cleared required testing and approvals on first submission.

4. Model Change Control Compliance

Percentage of model changes executed with documented approvals, testing evidence, and rollback plans.

5. Explainability and Documentation Score

Percentage of in-scope use cases with complete documentation, rationale, and user guidance.

6. Monitoring Coverage

Percentage of production use cases with active monitoring for drift, anomalies, and performance degradation.

7. Issue Closure Velocity

Median days to close AI governance issues, by severity.

8. Internal Audit Coverage and Findings Trend

Number of audits completed, rating distribution, repeat findings, and remediation status.

9. Red Team Findings and Remediation Rate

Number of material vulnerabilities identified and percentage remediated within the target time.

10. Escalations and Incident Rate

Number of AI-related incidents or escalations (including near-misses), with severity and lessons learned.

These KPIs do not require vendor controls and align with an in-house build model. They also support both board oversight and compliance management.

AI Director Boot Camp

Your board has a medium level of literacy and needs a boot camp. I agree. Directors do not need to become engineers. They need a common vocabulary and a governance frame. The recommended boot camp design is one-half day, making it highly practical. It should include the following.

  1. AI in the company’s operating model. This means where it touches decisions, risk, and compliance outcomes.
  2. AI risk taxonomy, such as bias, privacy, security, explainability, reliability, third-party, and later.
  3. Regulatory landscape overview, including a variety of laws and regulatory approaches, including the DOJ ECCP approach to effectiveness, the EU AI Act risk framing, and several state law themes approaches.
  4. Governance model walkthrough to ensure the BOD understands the registry, risk classification, controls, monitoring, and escalation.
  5. Tabletop exercises, such as an AI incident in a GRC context with false negatives in monitoring or biased triage.
  6. Board oversight duties. Teach the BOD how they can meet their obligations, including which questions to ask quarterly, which thresholds trigger escalation, and similar insights.

The deliverable from the boot camp should be a one-page “Director AI Oversight Guide” with the KPIs, escalation triggers, and the quarterly agenda structure.

The Bottom Line for Boards and CCOs

This is the moment to treat AI risk like a board-governed discipline. The organizations that get it right will not be the ones with the longest AI policy. They will be the ones with the clearest operating model, the most reliable reporting cadence, and the strongest evidence of control effectiveness.

If Compliance owns AI governance, then Compliance must also own the proof. That proof is delivered through a registry, a quarterly board agenda item, a balanced KPI dashboard, and assurance through internal audit and red teaming. Add a director boot camp to create shared understanding, and you have the beginnings of a program that is innovation-forward and regulator-ready.

That is the strategic playbook: not fear, not hype, but governance.

Categories
Blog

Key Boards Issues for 2026: What Compliance and Governance Leaders Must See Coming

Boards entering 2026 are doing so in an environment defined not by stability, but by volatility. Regulatory priorities are shifting rapidly, geopolitical risk is reshaping markets, technology is accelerating faster than governance frameworks can keep pace, and long-standing assumptions about shareholder engagement and corporate oversight are being tested. In this environment, the role of compliance is no longer reactive or advisory at the margins. It is structural.

The Thoughts for Boards: Key Issues for 2026 memorandum from the law firm of Wachtell, Lipton, Rosen & Katz, which appeared in the Harvard Law School Forum on Corporate Governance, provides a valuable roadmap for boards navigating this uncertainty. For compliance professionals, however, the document does something more important: it reveals where governance risk is quietly migrating. The challenge for compliance leaders is not simply to track these developments, but to translate them into oversight, controls, and strategic guidance that boards can use going forward.

A More Permissive SEC Does Not Mean Less Risk

One of the most striking developments outlined in the memorandum is the SEC’s recalibration of its role. From easing reporting burdens to stepping back from adjudication of shareholder proposals under Rule 14a-8, the Commission is signaling greater deference to companies in deciding how and when to engage with shareholders. At first glance, this appears to reduce regulatory pressure. In reality, it shifts risk inward.

When regulators retreat, discretion moves to boards and management. Predictable SEC processes no longer mediate decisions about disclosure cadence, shareholder engagement, and proposal exclusion. They are governance judgments that will be evaluated ex post by investors, courts, activists, and the media. For compliance professionals, this means fewer bright lines and more gray zones.

The potential move toward semi-annual reporting is a prime example. While it may reduce short-termism, it also alters internal disclosure controls, forecasting discipline, and market expectations. Compliance must ensure that reduced frequency does not translate into reduced rigor. Less reporting does not mean less accountability.

DEI and ESG: From Public Messaging to Quiet Risk Management

The memorandum describes sustained political and regulatory pushback against DEI and ESG initiatives, including executive orders, revised SEC guidance, and heightened scrutiny of shareholder proposals. Yet it also notes an important countervailing force: institutional investors have not abandoned interest in these areas. They have become quieter. This creates a compliance paradox.

On one hand, public signaling around DEI and ESG may expose companies to political and regulatory risk. On the other hand, abandoning these initiatives entirely risks alienating long-term shareholders, employees, and business partners. The compliance function sits at the center of this tension. In 2026, DEI and ESG will increasingly be treated less as branding exercises and more as internal governance risks. Compliance leaders should focus on process integrity, consistency, and documentation rather than rhetoric. The question is no longer whether a company “supports” DEI or ESG, but whether its practices align with its stated values and risk disclosures.

Tone at the top matters here more than ever. Boards must understand that silence does not equal neutrality. How a company governs these issues internally will determine its exposure externally.

Government as Shareholder: A New Governance Reality

Perhaps the most underappreciated development highlighted in the memorandum is the Trump Administration’s growing role as an equity holder in public companies deemed critical to national security. These investments vary widely in form, from passive economic stakes to golden shares with veto rights over strategic decisions. For compliance and governance professionals, this raises novel questions.

Government ownership blurs traditional distinctions between regulator and shareholder. It introduces new stakeholders with potentially divergent objectives, including national security, industrial policy, and geopolitical strategy. Even when governance rights are limited, the mere presence of the government on the cap table can alter decision-making dynamics and investor perceptions.

Compliance must be prepared to advise boards on conflicts of interest, disclosure obligations, and fiduciary duties in this new context. The risk is not simply regulatory; it is structural. Companies operating in sensitive sectors must assume that government involvement is no longer exceptional but potentially recurring.

AI Oversight Moves from Optional to Mandatory

Artificial intelligence dominated board agendas in 2025, and there is no indication that attention will diminish in 2026. The memorandum correctly emphasizes that AI is no longer confined to technology companies. It is embedded in products, operations, compliance monitoring, and decision-making across industries. For boards, the oversight challenge is acute. AI introduces opacity, speed, and scale that traditional governance frameworks were not designed to manage. For compliance officers, this creates both opportunity and risk.

AI is increasingly used within compliance itself, from transaction monitoring to proxy voting analytics. But the use of AI does not eliminate accountability. Boards will still be expected to understand how AI systems function, what risks they create, and how those risks are mitigated.

This is why board-level AI literacy is becoming a governance imperative. Compliance leaders should be proactive in helping boards understand AI not as a technical novelty, but as a risk multiplier. Data governance, model bias, explainability, and third-party reliance must all be incorporated into enterprise risk management frameworks.

Crypto and Digital Assets: Strategy First, Compliance Always

The memorandum highlights a friendlier regulatory environment for crypto-assets, alongside growing corporate interest in crypto treasury strategies and asset tokenization. This combination is dangerous if misunderstood. Regulatory friendliness is not regulatory clarity. Crypto engagement introduces risks related to custody, valuation, sanctions, AML, cybersecurity, and financial reporting. Boards that view crypto as a strategic opportunity without fully appreciating these risks are exposing the company to significant downside.

Compliance must insist on strategic discipline. Why is the company engaging with crypto? What problem is it solving? How does it align with the business model? Without clear answers, crypto becomes speculation rather than strategy. In 2026, compliance officers should expect to spend more time explaining why not to move quickly than how to move fast.

Shareholder Engagement Is Becoming More Fragmented, Not Less Important

The memorandum’s discussion of shareholder engagement reflects a fundamental shift. Institutional investors are splintering their stewardship approaches. Retail investors are more organized and more volatile. Proxy advisors are under regulatory and political attack. The result is unpredictability.

Boards can no longer rely on a small set of proxy advisor recommendations or institutional voting norms. Engagement must become more targeted, more frequent, and more informed. Compliance plays a critical role here by ensuring that engagement practices remain consistent with disclosure rules, insider trading controls, and governance policies.

The rise of retail activism and meme-stock dynamics also creates reputational risk that traditional governance tools were not designed to address. Social media is now a governance arena. Compliance must help boards understand that investor relations, communications, and risk management are increasingly inseparable.

Delaware Still Matters, Even as Alternatives Emerge

Finally, the memorandum addresses trends toward reincorporation in Texas and Nevada, as well as Delaware’s legislative response. While high-profile moves grab headlines, the underlying message is continuity rather than disruption. For most public companies, Delaware remains the default for a reason: predictability. Reincorporation carries costs, risks, and uncertainty that often outweigh perceived benefits. Compliance professionals should ensure that boards approach these decisions with discipline rather than reaction to political or cultural trends. Governance arbitrage is rarely a substitute for governance quality.

Conclusion: Compliance as Governance Infrastructure

The overarching lesson from the Key Issues for 2026 memorandum is that governance risk is becoming more diffuse, not less. Regulatory pullbacks, technological acceleration, geopolitical intervention, and fragmented shareholder bases all point to one conclusion: boards will be expected to exercise more judgment with fewer guardrails. As with all things under this Trump Administration, another key concept is volatility. That places compliance at the center of corporate governance.

In 2026, effective compliance will not be measured solely by the absence of enforcement actions. It will be measured by whether boards can navigate volatility and ambiguity without losing coherence, integrity, or trust. Compliance professionals who understand this shift will be indispensable partners in long-term value creation.

Categories
Blog

Netflix Acquisition of Warner Brothers: Part 1, Lessons on Board Oversight

I have long been fascinated by non-movie company attempts to break into the film business. I do not know if it is simply the glitz of Hollywood, the glamour of movies, or something else, but history has been littered with attempts by companies as diverse as Gulf & Western and AOL to purchase movie companies. They have almost always ended in unmitigated disaster for the acquirer, with the AOL/Time Warner merger widely viewed as one of the worst mergers of all time.

I was therefore intrigued by the news that Netflix will acquire Warner Bros. This news has sent shockwaves through the entertainment industry and the corporate governance world alike. It is a transformational deal that combines a digital-native streaming powerhouse with one of the most storied legacy studios in American history. For many commentators, the headline is about competition, content libraries, or the future shape of Hollywood. For compliance professionals, the far more important headline is this: governance again reveals itself as the ballast that keeps a company steady when the tides of strategy, technology, and disruption rise together.

Major acquisitions are rarely about the mechanics of financing or the elegance of strategic theory. They are about governance. They test whether the board has the visibility, discipline, controls, and documentation to manage a bet that will define corporate identity for decades. In this sense, the Netflix acquisition of Warner Bros. is a real-time case study for the compliance profession. It shows the growing importance of governance during periods of high-velocity change. It offers essential insights into what compliance teams must do to ensure oversight keeps pace with the moment.

Over the next several days, I will explore the deal from several compliance angles. In today’s Part 1, we look at the role of Board oversight.

The Heightened Governance Duties in Transformational Deals

Transformational deals differ from standard mergers. They cover not only business lines but often entire creative and operational identities. Netflix and Warner Bros. represent two very different eras of entertainment. Netflix is built on a culture of experimentation, transparent metrics, and rapid decision cycles. Warner Bros. carries a century of artistic legacy, union relationships, and long-term production pipelines.

When a board approves a deal that fuses these worlds, its oversight responsibilities increase significantly. The fiduciary duty of care requires directors to ask deeper questions, demand clearer scenario planning, and insist on stronger integration plans. Compliance plays a direct role here. Compliance leaders provide critical insight into risk velocity, regulatory exposure, cultural gaps, and integration vulnerabilities. That input helps the board demonstrate that it conducted a thoughtful and well-documented evaluation rather than relying on rosy projections or strategic rhetoric.

Moreover, regulators and shareholders expect boards to show greater rigor when a company expands its scope so dramatically. Documentation becomes more than an internal process. It serves as evidence that the board asked the right questions, sought independent advice, and understood the potential risks, rather than hoping they would resolve themselves.

Industry Volatility Raises the Oversight Stakes

No sector has experienced more disruption over the past decade than entertainment. Business models shift every few years. Distribution platforms multiply and consolidate. Audience expectations evolve faster than production cycles. At the same time, regulatory frameworks for data privacy, antitrust enforcement, worker protections, and digital rights management continue to expand.

A board overseeing a transformational acquisition in this environment must navigate not only the specifics of the deal but also the broader industry volatility. For compliance professionals, this means building risk models that incorporate shifting regulatory landscapes rather than static obligations. It also means framing governance conversations around future-state risks rather than only current compliance requirements.

For instance, combining Netflix’s content libraries and datasets with Warner Bros.’ creates new privacy, antitrust, and market-dominance considerations. These issues are not theoretical. They will sit at the center of regulatory reviews. Compliance teams must therefore ensure that the board has a complete picture of emerging risks in addition to traditional acquisition-related obligations.

Legacy Obligations and Integration Complexity

Warner Bros. carries decades of legacy obligations: union agreements, talent contracts, residual structures, intellectual property commitments, and international distribution deals. Netflix brings a leaner structure but a highly complex ecosystem of global partnerships, digital rights frameworks, and data-driven production strategies.

Where these systems collide, governance risk increases. The board must understand whether integration plans can reconcile the two companies without creating blind spots. Compliance professionals should guide directors through the implications of merging contract systems, production pipelines, distribution frameworks, and content governance models.

A critical governance question is whether the two companies are aligned on their risk tolerances. Netflix has historically embraced rapid iteration and decision agility. Warner Bros. has traditionally embraced predictability rooted in long-standing industry practices. When these two philosophies meet, the board must ensure that the resulting enterprise neither undermines internal controls nor sacrifices necessary governance discipline in the name of speed.

What Regulators, Investors, and Stakeholders Expect

Regulatory expectations are rising across sectors, but particularly in media and technology. When a company expands both content ownership and distribution control, regulators begin to view governance structures as an essential element of market integrity.

Stakeholders will expect the board to have:

  1. Clear documentation of risk assessments;
  2. A detailed integration roadmap;
  3. Independent reviews of operational, cultural, and compliance risks;
  4. Transparent reporting structures that ensure accountability; and
  5. Regular updates on integration progress and risk mitigation.

For compliance professionals, this means preparing governance materials early, establishing a consolidated risk register, and ensuring that directors have access to complete and timely information. Investors will also demand visibility into how risks are evaluated and mitigated, particularly given the significant financial stakes. Compliance leaders must therefore integrate governance reporting into their communication strategy to ensure the board is fully supported in its oversight responsibilities.

How Compliance Shapes Integration Decision-Making

Compliance often gains more responsibility during acquisitions, but the Netflix–Warner Brothers deal highlights a deeper truth. Compliance is no longer a downstream function. It is a front-end strategic voice that helps define the success of integration.

During the first year post-acquisition, compliance must lead or co-lead several critical processes:

  • Harmonization of codes of conduct;
  • Rationalization of policies and procedures;
  • Alignment of reporting channels and speak-up systems;
  • Integration of third-party risk management;
  • Data governance and privacy harmonization; and
  • Internal control updates that reflect new operations.

Boards depend heavily on compliance to ensure that these systems are well designed and monitored. Without strong compliance leadership, integration risks multiply, and the transaction’s strategic goals begin to erode.

Strengthening Governance Protocols During High-Velocity Change

Given the scale of this deal, compliance professionals should view governance as a dynamic system rather than a static structure. The following actions can help support the board throughout the acquisition and integration period:

  1. Produce frequent, concise risk summaries tailored for directors.
  2. Encourage the board to test assumptions through independent validation.
  3. Establish a cross-functional governance working group that includes compliance, legal, HR, finance, and integration management.
  4. Prioritize early detection of cultural friction points.
  5. Maintain meticulous documentation of board engagement, decisions, and follow-up actions.

Governance is most valuable when it is forward-looking, actionable, and transparent. This deal demands that level of rigor.

The Compliance Lesson

The Netflix acquisition of Warner Bros. illustrates a simple but powerful truth: governance is not a corporate formality. It is the anchor that prevents strategic ambition from becoming strategic exposure. For compliance professionals, the mandate is clear. Build governance systems that give directors clarity, give regulators confidence, and give the enterprise the stability it needs to navigate a rapidly changing industry.

The acquisition is a strategic announcement. The governance behind it is the actual risk management.

Join us tomorrow in Part 2, where we will consider the potential culture clash.

Categories
Blog

20 Questions Every Board Should Ask About AI

In boardrooms around the world, one theme now appears with more regularity than cyber risk, M&A uncertainty, or even financial performance. That topic is artificial intelligence. Not the lofty philosophical debate about whether machines will overtake human judgment, but the immediate, pragmatic question every director is trying to solve: How do we oversee AI in a way that protects the enterprise, unlocks value, and keeps regulators out of the boardroom?

For compliance professionals, this is a defining moment. AI risk has become the newest frontier where the board relies heavily on the compliance function to guide them. Sometimes with clarity, sometimes with guardrails, and occasionally with a well-timed reality check. This is the type of risk that exposes governance gaps quickly, and the questions the board asks, or fails to ask, will determine whether the company thrives in the age of AI or becomes the following cautionary tale.

Today, I outline 20 critical questions that every board should ask about AI. Think of them not simply as oversight prompts but as governance accelerators. Each one creates visibility, accountability, and structure. Those three elements are the foundation of every effective compliance program.

1. What are our highest-impact AI use cases, and who owns them?

Boards cannot oversee what they cannot see. The first and arguably most crucial step is obtaining a clear inventory of where AI is embedded in operations, not at a conceptual level, but with owners, systems, and risk ratings attached. When accountability is vague, risk grows quietly in the background.

2. How does AI support our strategic objectives and create measurable value?

AI is not a magic wand. It must support strategy, not distract from it. Boards should ask whether AI materially improves revenue, reduces cost, enhances safety, increases accuracy, or strengthens customer outcomes. If the answer is ambiguous, the company may be deploying AI for the wrong reasons.

3. What data powers these systems, and do we have the legal and ethical rights to use it?

Data is the fuel for AI, but not all data is created or sourced equally. Boards should expect clarity on licensing rights, privacy implications, and any limitations on the use and reuse of data. If data lineage is unclear, the company’s regulatory exposure may be far greater than it realizes.

4. How are we assessing and mitigating bias in both data and outcomes?

Bias is not only a fairness issue. It poses operational, legal, and reputational risks. Boards should see a methodology, not simply an aspiration. That includes periodic testing, remediation procedures, and documentation that can withstand scrutiny from regulators, auditors, or litigators.

5. What guardrails prevent employees from entering sensitive information into generative AI tools?

Most AI failures begin with human error. Boards should understand which safeguards are currently in place, including policies, training programs, and technical restrictions, and how the company tests their effectiveness.

6. What is our model validation process before deployment?

Deploying unvalidated models, or worse, models validated exclusively by developers, invites significant risk. Boards should confirm that model validation includes accuracy testing, robustness checks, and cross-functional review involving compliance, legal, risk, and data science.

7. How do we monitor for model drift or degraded performance over time?

AI is not static. Models evolve, environments shift, and accuracy degrades. Ongoing monitoring is essential. Boards should request a drift detection plan that includes clear thresholds, well-defined triggers, designated responsible owners, and documented response actions.

8. What is our incident response plan for AI failures, hallucinations, or data leakage?

AI failures rarely resemble traditional IT outages. They can be subtle, gradual, or hidden until significant damage occurs. A strong incident response plan clarifies roles, timelines, escalation paths, and expectations for communication with customers and regulators. Boards should insist on a rehearsal, not merely a promise.

9. How are we documenting AI-related decisions?

When regulators come calling, documentation becomes destiny. Boards should ensure that decisions tied to high-impact AI models are recorded in a manner that demonstrates thoughtful oversight, rather than blind reliance on automation.

10. Which AI regulatory regimes apply to us across global markets?

The regulatory landscape is evolving rapidly. The EU AI Act, sector-specific guidance from the United States, China’s AI regulations, and new frameworks emerging in Australia, Brazil, Singapore, and the United Kingdom are just a few examples. Boards should expect a regulatory heat map that outlines exposure, obligations, and enforcement priorities.

11. How do we manage the risk associated with third-party AI vendors and model providers?

Vendors introduce significant risk, particularly when foundation models or APIs change without notice. Contracts must include audit rights, IP protections, confidentiality provisions, and mechanisms for monitoring downstream risk. Boards should look for a vendor governance framework, not a spreadsheet with logos.

12. What training have employees received on the responsible use of AI?

Employees cannot follow principles they do not understand. Boards should expect role-based training with regular refreshers, testing, and usage monitoring, rather than one-time videos or superficial check-the-box modules.

13. How do we ensure human oversight for high-impact or high-risk decisions?

This is where compliance delivers real value. “Human in the loop” cannot simply mean that a person glanced at a dashboard. It means the right individuals reviewed the right decisions with clarity on when they are obligated to intervene.

14. What KPIs tell us whether our AI systems are performing safely and as intended?

Boards should expect dashboards containing more than accuracy scores. KPIs should include incident counts, time-to-remediation, drift flags, bias findings, and operational impacts. What the company measures reveals what the company values.

15. What controls protect AI models and proprietary data from cyber threats?

AI significantly expands the attack surface. Models can be stolen, manipulated, or poisoned. Boards should see evidence of hardened access controls, encryption, logging, and monitoring, along with procedures for handling prompt-injection attacks and adversarial inputs.

16. How do we ensure transparency with customers, employees, and regulators when AI is used?

Transparency is becoming a regulatory expectation in many jurisdictions. Boards should verify whether AI disclosures are clear, accurate, and accessible to users, rather than being hidden in dense terms of service.

17. Are we over-relying on AI in any mission-critical processes?

AI concentration risk is real. When too many decisions or functions depend on a single model or vendor, the entire enterprise becomes fragile. Boards should evaluate whether redundancies exist and whether a single point of AI failure could create systemic risk.

18. What ethical principles guide our AI development and deployment?

Ethical frameworks only matter when they are embedded in daily processes and decision-making. Boards should expect evidence that ethical considerations influenced model selection, data sourcing, vendor evaluation, and deployment controls.

19. How is Internal Audit providing independent assurance over AI?

Internal Audit must play a role. AI risk touches processes, data, controls, vendors, and governance. These are areas Internal Audit already understands well. Boards should expect AI to be included in the annual audit plan, supported by a structured methodology.

20. What investments are required to manage AI risk in the next 12 months?

Boards appreciate transparency, not surprises. AI governance necessitates ongoing investment in personnel, skills, monitoring tools, testing environments, and data management capabilities. If AI grows without proportional governance funding, the company creates risk rather than value.

Why These Questions Matter Now

We are entering an era in which regulators expect boards to demonstrate active oversight of AI, just as they do for cybersecurity, financial controls, and data privacy. Gone are the days when AI could be treated as an IT experiment or a futuristic curiosity. Today, it sits squarely in the center of corporate governance. This means compliance oversight is required. For compliance professionals, this is an opportunity to step forward and provide structure. We can shape the conversation, establish frameworks, and guide leadership toward responsible adoption and implementation. These 20 questions give the boards the clarity they need and ensure compliance with the influence it deserves.

AI presents extraordinary potential, but potential without oversight becomes risk. Compliance professionals can ensure that the board asks the right questions, receives the necessary information, and establishes the appropriate controls to ensure effective oversight. In the age of AI, strong governance is not simply a competitive advantage. It is a survival strategy.

If you would like the whole 20 Question list, please leave us a Voicemail.

Categories
Blog

Compliance and Building Resilient Boards

In today’s volatile world, the word “resilience” has become the boardroom’s rallying cry. From geopolitical risk to technological disruption, boards and C-suites are being asked to navigate what Deloitte calls a “multiverse” of parallel realities, balancing short-term shocks with long-term strategy. But BOD resilience is not just about surviving turbulence. It is about thriving through uncertainty. And that is where the corporate compliance function, often underestimated as a back-office monitor, can emerge as a strategic partner in building board-level resilience. This is the key message that resonates from a recent article in the Harvard Law School Forum on Corporate Governance, How Board and C-Suite Collaboration Can Build Organizational Resilience.

Effective collaboration between boards and executive teams strengthens organizational adaptability, foresight, and integrity. Resilience is not the absence of risk; rather, it is the ability to master a response. Today, we consider this article and mine it for lessons for compliance leaders seeking to help their boards become more resilient, responsive, and ready for the future.

1. Compliance as the Early-Warning System for the Board

The Deloitte survey highlights a growing reality: boards are increasingly overwhelmed by short-term risks, ranging from cyberattacks to economic volatility. They may overlook longer-term imperatives such as innovation and human capital development. Compliance professionals are uniquely positioned to serve as an early warning system for emerging risks. Through monitoring, testing, and continuous improvement, compliance provides data-driven insight into what is actually happening inside the business before it becomes a headline or regulatory crisis.

A resilient board depends on credible information flow. That means compliance must extend beyond reporting incidents to providing actionable intelligence. By translating risk data into actionable insight and identifying patterns in third-party due diligence, supply chain vulnerabilities, or employee reporting trends, the compliance function helps directors see around corners. As Gordon Nixon, chair of BCE Inc., put it, leadership today requires the ability to “synthesize complexity into decisive action.” Compliance gives boards the tools to do just that.

2. Turning Oversight Into Scenario Planning

According to Deloitte’s data, 86% of boards have increased their focus on risk monitoring and scenario planning, with 39% significantly stepping up their efforts. That is good news, but only if those exercises move beyond hypotheticals. This is where compliance can play a catalytic role. Scenario planning is most effective when it draws from real operational data, and no function gathers more cross-enterprise data than compliance. Every whistleblower report, transaction review, and training completion rate tells part of a story about how the organization will respond when tested.

A compliance leader should therefore help transform board discussions from abstract governance into strategic foresight. When boards examine potential crises, such as cyber breaches, sanctions violations, or ESG missteps, compliance can provide not just the risk but also the response map, including who is responsible, how escalation works, what past data reveals about reaction speed, and how remediation was measured.

3. Strengthening the Board–C-Suite Communication Loop

The Deloitte study finds that open, transparent communication between the board and CEO is the single most important factor in organizational resilience, cited by 66% of respondents. That transparency must extend beyond financial performance; it must include culture, ethics, and conduct. Compliance officers can serve as trusted interpreters between management and directors. Often, executives filter messages to the board, softening bad news or emphasizing short-term wins. A strong compliance function ensures that uncomfortable truths, emerging investigations, cultural risks, or weak control environments are brought to the board’s attention promptly and accurately.

Moreover, compliance officers can help foster “psychological safety,” a quality Deloitte found lacking on many boards. When executives and directors feel safe discussing failures and near misses, they can act more decisively and learn faster. Compliance teams, with their neutral and process-driven perspective, can facilitate those candid conversations.

4. Building the Skill Base for Resilient Oversight

One of the report’s most striking findings is a gap between board and C-suite perceptions of readiness. While 86% of directors believe they are providing the right support to management, only 73% of executives agree. The gap is even wider in terms of skill composition. Nearly half of C-suite respondents say boards lack the necessary expertise to guide them through today’s environment.

That is a call to action for compliance leaders. The modern compliance function serves as a knowledge hub, continuously monitoring global regulatory trends, AI governance frameworks, and emerging ESG risks. Boards can leverage this intelligence to refresh their own competencies. For example, compliance-led workshops on anti-corruption enforcement trends, cybersecurity reporting requirements, or AI ethics can help directors stay informed and prepared to challenge management with the right questions.

Sheila Murray, chair of Teck Resources, put it best: “If somebody’s coming to meetings and not participating, that’s on me. I’ve got to bring out the best in them.” Compliance can help by providing the content that sparks meaningful participation.

5. Embedding Agility and Integrity Into Board Culture

According to Deloitte, the most resilient organizations strike a balance between governance and agility. That’s easier said than done. Rigid board processes can impede responsiveness, while overly informal structures risk undermining accountability. Compliance can help build the right balance by institutionalizing agility without sacrificing integrity.

For instance, compliance can work with corporate secretaries to ensure that board minutes document not just decisions but also the rationale behind them. That strengthens the record for regulators and demonstrates that directors acted in good faith. Similarly, compliance can help shape board procedures to allow for rapid, ethics-aligned decisions in crisis conditions.

Roy Dunbar, an independent director at McKesson and Duke Energy, describes it this way: “What you want is to go deeper and ask more challenging questions around, ‘What are the threats? What are the opportunities? Where is growth going to come from? ” Those deeper questions about sustainability, AI, and ethical governance are exactly where compliance expertise can bring clarity.

From Reactive Oversight to Proactive Partnership

The Deloitte report concludes with a vision of co-creation between boards and management, transitioning from rigid oversight to a synergistic partnership. That’s also the next frontier for compliance. No longer confined to detection and discipline, the compliance function can become the architect of organizational resilience.

How? By helping boards connect the dots between ethics and performance. A resilient board is one that not only identifies risk but also ensures that values drive decision-making at every level. When compliance embeds those values into strategic planning, linking ethical conduct to innovation, transparency to investor trust, and governance to growth, the board’s resilience becomes systemic, not situational.

In a world where, as Anjali Bansal observed, “the level of uncertainty today is absolutely unprecedented,” resilience will depend less on predicting the next crisis and more on ensuring the integrity of the response. That is the mission compliance was born to serve.

What It Means for the Chief Compliance Officer

For the CCO, this moment represents both an invitation and a mandate. The board needs a partner who can translate regulatory language into strategic value and who can help bridge the trust gap between directors and management.

Here is how the CCO can deliver:

  1. Be the Board’s Barometer: Regularly update directors on the ethical health of the organization, including hotline data, investigation closure rates, and culture metrics, so that they can gauge the tone and trust across business units.
  2. Champion Cross-Functional Risk Alignment: Ensure that compliance, internal audit, and enterprise risk functions speak with one voice in board reporting. Fragmented risk narratives breed confusion, not confidence.
  3. Embed Compliance Into Resilience Planning: Collaborate with HR, IT, and finance to map how regulatory compliance underpins business continuity and crisis management.
  4. Educate for Anticipation, Not Reaction: Keep the board informed about emerging compliance trends, such as AI ethics, ESG reporting, or sanctions enforcement, so directors are prepared to govern the risks of tomorrow.
  5. Strengthen the Ethical Reflex: Make ethics an instinct, not an initiative, by integrating compliance into strategy discussions, M&A reviews, and innovation frameworks.

When the compliance function evolves from a rule enforcer to a resilience partner, it transforms board oversight from passive to proactive. It gives directors not just the confidence to govern but the courage to lead.

Categories
Blog

Brewer v. Turner: When Board Delay Becomes Bad Faith

In corporate governance, timing is everything. A board’s oversight failure does not always come from what it does not see; often, it comes from how long it waits to act once the warning lights flash red. This cautionary tale originates from the shareholder action in the case of Brewer v. Turner, a Delaware Court of Chancery decision that permitted a Caremark claim against the directors of Regions Financial Corporation to proceed. The opinion marks another milestone in the court’s expanding interpretation of fiduciary “bad faith.” It offers an unmistakable message to compliance professionals: delay can be fatal, and now it can also lead to exposure.

A New Chapter in Caremark

In the article in the Harvard Law School Forum on Corporate Governance, titled Caremark Claim Survives Board’s Delay in Ending Illegal Practices, lawyers from Fried Frank considered the case. At issue was the board’s handling of a whistleblower complaint from its former Deputy General Counsel, Jeffrey A. Lee, who alleged that Regions’ overdraft-fee practices violated CFPB regulations. Eighteen months after receiving his detailed complaint, the bank finally ended those practices. By then, the Consumer Financial Protection Bureau had investigated and levied $191 million in penalties and restitution.

The court concluded that the board’s delay could itself amount to bad faith. Hiring outside counsel and forming committees did not shield the directors from liability. As Chancellor Kathaleen McCormick wrote, “Everyone knows that delay can be intentional and a tactic to avoid the consequences of acting appropriately.” For compliance officers, this ruling signals that boards can no longer hide behind process if the substance and speed of oversight fall short of expectations.

Today, examine the lessons compliance leaders should take from the case.

1. Red Flags Require Immediate, Documented Response

Historically, Delaware courts were reluctant to treat whistleblower complaints as “red flags.” They often viewed such claims as speculative unless corroborated by concrete evidence of wrongdoing. But in Regions, the whistleblower’s position mattered: he was a lawyer responsible for assessing legal risk. His complaint was detailed, specific, and sent to the Audit Committee, a combination that the court found impossible to ignore. That shift widens the compliance risk perimeter. A whistleblower who possesses subject-matter authority, particularly someone in compliance, legal, risk, or audit, can now trigger a board-level duty to act.

For the CCO:

Implement a rapid-response framework for any internal report that raises concerns about legal or regulatory violations. Require escalation to the board or relevant committee within days, not weeks. Then document every step: receipt, investigation, deliberation, and resolution. When courts review the record, speed and transparency become your strongest defenses.

2. Delay Can Be the New Bad Faith

Perhaps the most groundbreaking element of this case is the court’s recognition that delay itself can constitute bad faith. The board did not ignore the red flag; it simply took 18 months to address the illegal conduct while seeking to offset the lost revenue. That conscious hesitation, prioritizing profits over compliance, transformed a mere oversight lapse into a potential breach of fiduciary duty. This is a paradigm shift. Previously, a board’s response, no matter how sluggish or ineffective, was often enough to defeat Caremark liability. No longer. The court has now drawn a line between discretionary pacing and strategic stalling.

For the CCO:

Build timelines into remediation plans. When an investigation confirms illegality, establish a clear corrective-action schedule, present it to the board, and insist on documented follow-through. If management requests “time to replace lost revenue,” remind them and the board that regulatory risk compounds with every day of delay.

3. Law Firm Engagement Is Not Absolution

The region’s board tried to defend its actions by noting that it had hired a law firm to review the overdraft program. But the court found that “merely hiring an attorney” does not immunize directors from bad faith findings. What mattered was not the hiring, but what the board did with the firm’s advice, and the minutes didn’t say.

For compliance professionals, this point should feel familiar. Retaining outside counsel is prudent, but outsourcing judgment is perilous. A board that commissions a report yet fails to discuss or implement its recommendations appears, in the eyes of Delaware law, to be checking boxes rather than managing risk.

For the CCO:

Whenever outside counsel is engaged, insist on:

  1. The written scope of work aligned with the suspected violation.
  2. Formal delivery of findings to the full board or its committee.
  3. Recorded deliberations on next steps.
  4. Follow-up updates tracking implementation of counsel’s recommendations.

Compliance is not a spectator sport. Documenting action, not merely delegation, demonstrates good faith.

4. Central Compliance Risks Deserve Central Oversight

The court emphasized that overdraft-fee compliance was a “central risk” for a retail bank and thus a board-level responsibility. This reasoning expands the range of risks boards must personally monitor, rather than delegate entirely to management. Each industry has its equivalents: drug safety in the pharmaceutical industry, anti-bribery in global operations, and data security in the tech sector. When violations occur within these core domains, the argument that “management had it under control” will no longer be a sufficient defense for directors.

For the CCO:

Regularly update your board on the organization’s central compliance risks. Tie each risk to explicit board-level monitoring responsibilities. Provide metrics, internal audit findings, incident counts, and regulatory inquiries that show oversight in action. In the post-Brewer v. Turner environment, silence equals exposure.

5. Meeting Minutes Are Compliance Evidence

A striking aspect of the case was the court’s observation that the board minutes were “largely redacted” and recorded only cursory discussions. This absence of detail undermined the directors’ defense that they had acted responsibly. The court essentially inferred neglect from the lack of written proof. Compliance officers should view board minutes as the audit trail of integrity. If your minutes merely note that “the issue was discussed,” you may have built a weak defense for a strong case.

For the CCO:

Work with your corporate secretary to ensure that minutes:

  • Record substantive deliberation, not boilerplate.
  • Reference specific documents reviewed, such as legal opinions or risk assessments.
  • Capture decisions, follow-ups, and accountability for each item.

When regulators or plaintiffs seek evidence of good-faith oversight, well-crafted minutes speak louder than affidavits.

Broader Compliance Takeaways

The Brewer decision reflects a judiciary that is increasingly willing to look beyond formality and assess intent. In the compliance world, this mirrors what the DOJ’s 2024 Evaluation of Corporate Compliance Programs emphasized: that outcomes matter, but so do the timeliness and sincerity of response. A compliance program that detects misconduct yet allows it to persist for months or years cannot claim to be effective.

The ruling also underscores why Caremark risk is a personal matter. Because these claims rest on findings of bad faith, neither the DGCL Section 102(b)(7) exculpation clauses nor most D&O insurance policies will shield directors or officers from liability. The best protection remains proactive compliance, not post-hoc coverage. Finally, note the procedural context: new DGCL amendments restrict shareholder access to corporate books and records, potentially reducing frivolous oversight suits. Yet for legitimate claims supported by detailed facts, as in Brewer, the bar has been lowered. Courts are signaling that they will continue to allow well-pled Caremark cases to proceed when evidence shows a conscious disregard.

What It Means for the Chief Compliance Officer

For the CCO, Brewer v. Turner is both a warning and a roadmap. It is a warning that oversight delay equals liability. You can no longer rely on the board’s procedural comfort—hiring counsel, forming committees, or debating endlessly—to prove good faith. Results and responsiveness now define the legal standard.

But it is also a roadmap for strengthening your partnership with the board. You can help directors stay ahead of Caremark exposure by:

  1. Defining red flags. Work with Audit and Risk Committees to set escalation thresholds for legal-risk incidents.
  2. Accelerating action. Create escalation SLAs with responses within 24 hours for high-severity issues.
  3. Documenting diligence. Ensure every board discussion about misconduct is supported by complete, unredacted minutes.
  4. Tracking remediation. Maintain a dashboard showing when each issue was raised, investigated, and resolved.
  5. Aligning incentives. Reinforce that executive bonuses and promotions depend on compliance performance, not just profitability.

At its heart, Caremark is not about punishing hindsight; rather, it is about enforcing foresight. The compliance professional’s role is to make foresight possible by ensuring that red flags are identified quickly, decisions are properly documented, and illegal conduct is corrected before it metastasizes into corporate trauma.

Final Thoughts

The Brewer case stands as a modern parable of fiduciary patience gone wrong. A board that meant to deliberate found itself accused of delay; a company that tried to plan found itself punished for profit-driven hesitation. For compliance leaders, the moral is clear: you cannot strategize your way out of illegality. When a red flag rises, the clock starts, and every tick is a test of integrity. The essence of compliance is not preventing failure. It is ensuring you act decisively when failure appears. In the wake of Brewer, that truth has never been more legally or morally binding.

Categories
Blog

From Good to Great Governance: How Aspiring Directors Can Master the Art of Board Leadership

Exceptional boards do not happen by accident. They are the result of disciplined, emotionally intelligent, and strategically minded leadership —the kind that transforms oversight from a duty into an engine of organizational performance.

For anyone seeking a seat at the board table, the message from PwC in their Harvard Law School Forum on Corporate Governance article Effective Board Leadership: The Art of Doing It Well and the Risks of Getting It Wrong could not be clearer: you are not applying for a title;  instead, you are accepting a stewardship. Board leadership is about building trust, balancing competing priorities, and guiding organizations through uncertainty with integrity and foresight.

Today, I want to explore what aspiring board leaders can learn from PwC’s insights and how you can start cultivating the mindset and behaviors that distinguish a “good” director from a transformative one.

The Leadership Mindset: From Governance to Guidance

A company’s long-term health depends as much on its board as on its CEO. In a world of activist investors, digital disruption, and ESG scrutiny, the boardroom is no longer a ceremonial space. It’s where strategy, risk, and purpose intersect, and that intersection demands leaders who are curious, decisive, and adaptable. Board leaders, whether they are chairs, lead directors, or committee heads, do not lead by authority. They lead by influence. They unite peers, challenge management constructively, and maintain independence while working together with executives to deliver sustainable value.

For those preparing to join a board, it is important to understand early that governance is not about “watching management.” It’s about partnering with management to ensure that the organization not only complies but thrives. The most successful board leaders approach oversight like coaches, not referees, creating the conditions where CEOs and directors alike can perform at their best.

Emotional Intelligence Is a Strategic Advantage

PwC’s research emphasizes a trait too often overlooked in governance: emotional intelligence (EQ). Great board leaders cultivate psychological safety, encourage diverse viewpoints, and model humility. They admit when they do not know something. Aspiring directors should take note. Technical expertise, such as in finance, law, or operations, may get you into the boardroom. But EQ keeps you there. The best chairs and lead directors are skilled listeners who can defuse conflict, mediate divergent views, and maintain composure under pressure.

In practice, that means building trust one conversation at a time. It’s asking the right questions without posturing, pushing back without condescension, and fostering a tone of curiosity over certainty. When you can balance empathy with accountability, you create what PwC calls a “high-functioning relationship” between the board and CEO, one where issues are addressed early, tensions are managed constructively, and decisions are made with confidence.

Strategic Foresight: Thinking Beyond the Quarter

Boards exist to safeguard long-term value creation. Yet too many still fall into the trap of quarterly thinking, consumed by immediate performance metrics rather than strategic trajectory. Exceptional board leadership requires foresight: setting agendas that focus on the future, integrating strategy into CEO evaluation and succession planning, and regularly revisiting assumptions about risk and opportunity.

For future board members, this means you should always be thinking beyond compliance. During your candidacy, articulate how your experience contributes to forward-looking oversight. Can you connect market trends to strategic implications? Can you help a board think differently about innovation, sustainability, or geopolitical risk? Directors who elevate the conversation from “what happened” to “what’s next” are the ones who stand out and make a difference.

The Discipline of Continuous Improvement

The PwC framework underscores a powerful truth: even great boards can stagnate. Effective leadership is not static; it must evolve with the organization, industry, and stakeholder landscape. That’s why outstanding boards embrace structured self-assessment and external evaluation. They seek feedback not as a formality but as a growth mechanism. PwC’s data reveals that while 59% of directors believe their leadership manages board assessments well, only 34% think their leaders effectively address underperforming directors. That gap is where complacency grows.

For those aspiring to join boards, this insight is gold. It means that the best directors are learners, not lecturers. They reflect on their own blind spots, solicit feedback, and model a growth mindset. As a future board leader, consider developing a personal feedback practice now, whether through executive coaching, peer mentorship, or 360° reviews. Self-awareness today is preparation for stewardship tomorrow.

Balancing Oversight and Partnership

Every new director eventually faces a defining moment when the line between governance and management blurs. Do you step in or step back? The authors remind us that great board leadership maintains clarity of role. Directors exist to guide, not to manage. The best board chairs coordinate with the CEO regularly but avoid micromanaging execution. They set thoughtful agendas, focus discussions on outcomes, and intervene only when governance or ethics are at stake.

For those aiming for the boardroom, influence comes from credibility and restraint. You’ll need to learn when to question, when to support, and when to challenge, all while preserving trust. The art of board leadership lies in that balance; firm yet fair, supportive yet independent.

Building and Refreshing the Board Itself

A strong board is not just a collection of impressive resumes. It is a living organism that must evolve with the company’s mission. Outstanding board leaders take ownership of composition and succession. They identify skills gaps, coach underperformers, and bring in fresh perspectives to maintain energy and relevance. They also plan their own exits. PwC suggests that leadership roles should peak within five years and refresh within eight to ten years. This timeframe should allow enough time to build mastery without stagnating new ideas. Aspiring directors should see this as an invitation, not a warning. Governance needs renewal, and you may be the fresh perspective a board needs. Bring both humility and courage to that opportunity.

Navigating Stakeholders and Reputation Risk

Today’s directors must be diplomats as much as strategists. Shareholders, employees, regulators, activists, and the public all expect transparency and accountability. PwC highlights that effective board leaders help define who matters most, coordinate messaging with management, and ensure the board’s voice aligns with corporate purpose. They understand that trust is not a given but rather is earned through credibility, communication, and consistency. If you are pursuing a board role, develop your own credibility now. Contribute thoughtfully in your industry, write, speak, and mentor. Build a reputation for substance over self-promotion. Boards increasingly seek directors who can represent them confidently in complex stakeholder environments.

When Leadership Fails — And How to Fix It

Even the best boards occasionally lose their rhythm. Groupthink sets in. The CEO relationship frays. Performance lags. PwC’s guidance here is pragmatic: act early. Use governance processes such as evaluations, nominating committees, and role clarifications to diagnose and correct the course before a crisis strikes. For future board members, this means understanding that courage is part of the job. You must be willing to speak uncomfortable truths, advocate for leadership transitions, and uphold the board’s fiduciary duty even when it is personally difficult. As one seasoned chair told PwC researchers, “An ounce of prevention is worth a pound of cure.” Effective directors prevent dysfunction through vigilance, not intervention after the fact.

The Final Lesson: Leadership as Legacy

At its core, Effective Board Leadership offers a simple but profound insight: governance is leadership at its highest level. It is about service over status, stewardship over self-interest, and purpose over politics. For those aspiring to board roles, the path forward is clear. Cultivate emotional intelligence, strategic foresight, and moral courage. Learn to listen as well as lead. And above all, remember that the board’s greatest power lies not in authority but in example.

Because great governance, like great leadership, is never accidental. It’s intentional, exacting, and indispensable.

Categories
Blog

Risk Management and the Board: Why Oversight is Now a Strategic Imperative

In today’s business landscape, boards of directors are navigating a storm of risks that would test even the most resilient organizations. This topic was explored in a recent article titled “Risk Management and the Board of Directors.” Geopolitical uncertainty, economic volatility, cybersecurity threats, climate change, and the uncharted waters of generative AI are no longer background noise. They have moved to the front and center in boardrooms. Against this backdrop, risk management has emerged not just as an operational necessity but as a governance and strategic imperative. For compliance professionals, this raises a critical question: what role should the board play in risk management, and how can compliance officers support them in fulfilling that role effectively?

Oversight, Not Management

A crucial distinction must be made: boards are not responsible for managing risk on a day-to-day basis. That responsibility belongs to management. But boards do carry the weight of oversight. This oversight includes monitoring the most significant corporate risk factors, ensuring that appropriate risk systems are in place, and verifying that those systems function in practice.

Think about the Boeing case. Regulators and auditors identified multiple failures in Boeing’s manufacturing controls and safety processes, resulting in devastating reputational and financial consequences that continue to unfold. The lesson is clear. It is not enough for a board to approve a risk framework and then step away. Boards must oversee, probe, and confirm that those frameworks are embedded in operations across the enterprise.

Compliance officers can support this by providing boards with accurate, timely, and actionable reporting. Minutes, board packets, and oversight documentation are not administrative afterthoughts. They are evidence of diligence that courts, regulators, and investors increasingly scrutinize.

Tone at the Top: Culture as the Foundation

If oversight is the board’s mandate, then culture is the foundation that determines whether risk management succeeds or fails. Boards set the “tone at the top,” and that tone resonates throughout the organization.

Transparency, consistency, and communication are essential. A board that prioritizes ethics, compliance, and stakeholder safety sends a clear message: compliance failures and corner-cutting will not be tolerated. Conversely, when boards tolerate delay or indecision in addressing risks, such as safety lapses, misconduct, or harassment, they erode employee trust, tarnish their reputation, and invite regulatory scrutiny.

Board Readiness in a Dynamic Environment

Boards must prepare not only for the risks they know but for those that are emerging. This means ongoing director training, scenario planning, and recruitment strategies that close knowledge gaps. While no board can house every kind of subject matter expertise, they must know when to bring in advisors, leverage external resources, and engage with stakeholders directly.

A readiness mindset also means anticipating the unexpected. Crisis response plans, covering a range of scenarios from cyberattacks to workplace misconduct, should be in place and regularly tested to ensure their effectiveness. Compliance leaders should be part of these conversations, ensuring that prevention, detection, and remediation are embedded into strategy, not bolted on as afterthoughts.

Investors, regulators, and even the courts of Delaware are sharpening their focus on board-level risk oversight. The Caremark line of cases continues to set a high bar, but boards that fail to engage in good faith with core risks run the risk of liability. Compliance officers can help directors demonstrate that their oversight is active, engaged, and documented.

Practical Recommendations for Compliance Professionals

What does this mean for compliance officers working with boards? Here are four takeaways:

1. Provide Clear, Actionable Risk Reporting

Boards cannot oversee what they cannot see, and too often, directors are presented with overwhelming data that obscures the real risks. Compliance should deliver reporting that distills information into clear, concise insights, showing not just what happened but why it matters. The most effective reports highlight trends, identify root causes, and directly connect risks to business strategy, enabling the board to act with confidence.

2. Integrate Oversight into Strategy

Compliance risk management should never be treated as an afterthought, bolted onto the business after decisions are made. Instead, compliance officers must help boards see how compliance oversight is deeply intertwined with growth, innovation, and operational resilience. By linking compliance considerations to strategy, compliance becomes a driver of sustainable success rather than a box-checking obligation.

3. Focus on Emerging Risks

Generative AI, biodiversity loss, and geopolitical fragmentation are no longer distant or theoretical; instead, they are reshaping risk landscapes as we speak. Boards need compliance officers to translate these complex issues into practical implications before they escalate into crises that erode value and reputation. A forward-looking compliance function enables directors to anticipate threats, allocate resources effectively, and avoid being blindsided.

4. Reinforce Culture and Ethics

Tone at the top must resonate throughout the organization, and compliance is the bridge that connects board-level values to everyday business practices. Compliance officers can help embed cultural expectations by weaving red flags, lessons learned, and behavioral standards into training, communications, and accountability structures. When done well, this alignment ensures that ethical behavior is not aspirational but operational, lived out across all levels of the enterprise.

Why It Matters Now

The expectations for board-level risk oversight are higher than ever. Regulators want evidence that boards are engaged. Courts are scrutinizing oversight failures with fresh vigor. Investors are pressing for transparency on ESG, cyber, and DEI risks. And employees, your most important stakeholders, expect boards to prioritize safety, inclusion, and integrity.

For compliance professionals, this creates both a challenge and an opportunity. The challenge is to help boards stay ahead of complex risks in an environment of constant change. The opportunity is to elevate the compliance function as a strategic partner in governance, resilience, and corporate integrity.

Final Thoughts

Risk management is no longer just an operational function; it has become a strategic imperative. It is a governance issue that sits squarely in the boardroom. Boards do not need to manage risk, but they must actively oversee it, document their oversight, and ensure that culture and strategy align with risk management systems.

As compliance professionals, we are uniquely positioned to support this mandate. We provide the frameworks, reporting, and insights that help boards meet their obligations and protect the enterprise. In doing so, we not only maintain compliance but also enhance resilience, protect reputation, and foster trust with stakeholders.

The message is clear: oversight is not optional, culture is not cosmetic, and preparation is not a luxury. For today’s boards and for the compliance professionals who advise them, risk management is a strategic imperative that can no longer be ignored.

Categories
Blog

Directors and AI: Do’s, Don’ts, and Compliance Lessons

Artificial intelligence (AI) has rapidly become embedded in the daily workflows of executives, employees, and, increasingly, board directors. From drafting strategy summaries to analyzing industry data, directors are turning to AI chatbots and transcription tools in the same way they once adopted email, spreadsheets, or virtual board portals. However, unlike those earlier technologies, AI presents new risks, and for directors, these risks intersect directly with fiduciary duties and corporate governance obligations.

A recent memorandum by Skadden, Arps, Slate, Meagher & Flom LLP, published through the Harvard Law School Forum on Corporate Governance, outlines practical dos and don’ts for directors using AI in their board roles. The message is clear: while AI offers great promise, directors must use it with caution. For compliance professionals, this guidance provides important lessons not only for boardrooms but also for the governance structures that surround them.

The Temptation of AI in the Boardroom

Boards are expected to absorb massive amounts of information, such as financial results, strategy papers, compliance reports, cybersecurity dashboards, and often under tight timelines. It is easy to see why a director might feed these materials into an AI tool to produce summaries or ask for red flags. Similarly, transcription services appear attractive for documenting complex board meetings and discussions. But here lies the trap: not all AI tools are created equal. Publicly available chatbots often train on user inputs, meaning that confidential board information could be incorporated into the system and potentially regurgitated to other users, including competitors.

Just as you would never allow directors to send board books through unsecured email, AI tools need guardrails.

Key Risks Identified in the Director’s Guide

The Skadden memorandum outlines several risks directors must consider when using AI in their corporate capacities:

  1. Confidentiality and Data Leakage – Uploading sensitive materials into public AI systems risks exposing trade secrets or personal data. Even if the information is deleted from a user’s history, the AI vendor may still retain and train on it.
  2. Discovery and Litigation Risks – AI chats are records. Like emails, they may be discoverable in litigation or regulatory reviews. Regulators could demand access to AI interactions if they involve matters under scrutiny, such as antitrust reviews of mergers and acquisitions (M&A) activity.
  3. Loss of Privilege – Using AI to transcribe board meetings or communications with counsel risks waiving attorney-client privilege. Once third parties have access, privilege may be lost forever.
  4. Accuracy and Hallucinations – AI outputs can be wrong, biased, or outdated. Treating AI results as authoritative without verification exposes directors to poor decision-making and potential breaches of fiduciary duties.
  5. Erosion of Human Judgment – Over-reliance on AI to make HR, strategy, or other critical decisions risks abdicating the duty of care and loyalty. Directors must remain firmly “in the loop”.

Compliance Lessons for Professionals

From these risks, we can distill key lessons for compliance officers advising boards and executives on AI governance.

1. Confidential Information Must Stay Inside the Perimeter

Compliance professionals should establish clear rules: no uploading of board materials, personal data, or trade secrets into public AI tools. Instead, direct the board to company-approved platforms that are vetted for security and configured to prevent training on sensitive inputs. This is not just a best practice; it may also be required to comply with contractual obligations, privacy laws, and internal data-protection policies.

2. Treat AI Chats as Discoverable Records

Boards should assume that anything shared with AI may one day be discoverable by others. Compliance professionals must include AI chats and transcripts in records-retention policies and advise directors to avoid discussing sensitive legal or competitive issues in public AI systems. This lesson mirrors earlier corporate missteps with text messages and messaging apps. AI is the new frontier for discoverability.

3. Preserve Privilege by Avoiding AI for Legal Matters

Directors must not use AI to record privileged discussions with counsel or board meetings, as this would violate the attorney-client privilege. Compliance officers should make this an explicit policy. Approved transcription tools may be used for training sessions or customer service calls, but never for board-level deliberations. Losing privilege could cripple a company’s defense in litigation. Compliance officers should hammer this home during board training.

4. Verify Before You Trust

AI has a well-documented tendency to “hallucinate.” Directors must be reminded: AI is not a single source of truth. Compliance programs should emphasize verification. Encourage directors to cross-check AI outputs against trusted sources and ensure management reviews AI-generated analyses before relying on them for decision-making.

5. AI Is a Tool, Not a Decision-Maker

The most important compliance lesson: AI augments but does not replace human judgment. Directors remain bound by duties of care and loyalty. Compliance professionals must make clear that delegating decision-making to AI tools could not only harm the company but also expose directors to personal liability.

Building a Compliance Framework for Board Use of AI

The Skadden guide closes by urging boards to develop clear policies for AI use, including approved tools, acceptable uses, and required disclosures. For compliance officers, this is an opportunity to lead.

Here are key framework elements to consider:

  • Approved Tools List – Maintain a list of AI platforms validated by IT and legal for security and compliance.
  • Acceptable Use Policy – Define when and how directors may use AI (e.g., industry research, summarizing public filings) versus prohibited uses (e.g., uploading board decks, transcribing meetings).
  • Training and Awareness – Provide directors with training on AI risks, including confidentiality, discoverability, and hallucinations.
  • Monitoring and Audit – Periodically review the use of AI by directors to ensure compliance with relevant policies and regulations.
  • Disclosure Requirements – Require directors to disclose if AI tools were used to generate or summarize board-related materials.

Final Thoughts

The “Do’s and Don’ts of Using AI” is a timely reminder: AI governance is not only about company-wide adoption. It also starts at the top, with the board itself. Directors tempted to use AI in their own roles face unique risks. These risks could compromise confidentiality, destroy privilege, or erode fiduciary oversight.

For compliance professionals, this presents an opportunity to serve as both educator and enforcer. Just as compliance led the charge on insider trading policies, conflicts of interest, and anti-bribery training, so too must we lead on AI governance.

The bottom line is that AI can be an extraordinary tool for directors. But without compliance guardrails, it can also be a governance trap. Our role is to ensure the boardroom and the company stay on the right side of that line.