About the report
Produced
20 March 2024
Written by:
DownloadClick each term for related articles
1. Introduction
Welcome to the 2024 Global Directors' and Officers' (D&O) Survey Report, in collaboration with WTW. This year marks our most expansive survey yet, with contributions from over 50 countries. The enhanced participation and expanded regional coverage allows us to offer unprecedented insights into the challenges and priorities facing leadership across various industries.
The survey objective
The primary objective of this survey is to identify and analyse the top risks perceived by directors and officers worldwide, tracking shifts in risk priorities and uncovering emerging threats. By doing so, we aim to equip organisations with the knowledge to enhance their risk management strategies and insurance practices effectively.
The survey methodology
The survey methodology involved collecting responses from directors and officers and risk managers across more than 50 countries. This year, we expanded our focus to include new regions such as Africa and the Middle East, and have been able to provide a detailed analysis of more specific areas, including India. Our comprehensive approach ensures a diverse and inclusive understanding of the global risk environment.
Key findings:
Recommendations:
Once again, this D&O Survey, which elicited over 900 responses from 52 countries around the world, provides a valuable insight into the risks that are of concern to D&Os.
2. The Top Seven Risks
A change to this year’s top spot
Notably, social risks have climbed the ladder, with health and safety risks being considered a very or extremely important concern for 86% of respondents, up from an average of 45% over the previous three years. It now represents the number one overall concern, up from number five last year, knocking cyber-attacks off the top spot, where it has been for the last three years. It is unclear what the precise reason is for this rise in concern but, certainly in the UK, 2023 saw highly publicised fines levied on major corporations (e.g. Network Rail, Morrisons, Serco and Transport for London), alongside a noticeable uptick in enforcement notices issued by the Health and Safety Executive (HSE) and reports of the HSE’s impressive 94% conviction rate of individuals.
Cyber risks continue to cause concern
Concern about cyber risks comes in at a close second. Cyber risks are ever-evolving and with the availability of artificial intelligence (AI) tools, cyber threat actors are beginning to integrate AI into their operations, particularly in reconnaissance and social engineering, according to the latest report by the National Cyber Security Centre (NCSC). This, they say, will make such attacks more potent and challenging to detect and, potentially, lowers entry barriers for novice criminals, contributing to the global ransomware threat.
This is a worrying development and adds a further level of pressure on D&Os to implement adequate cybersecurity controls and to react efficiently and effectively in the face of an attack. Cyber risk goes hand in hand with the number four concern – data loss. With the GDPR having been in force for a few years now, plus reformed regimes in many other jurisdictions, companies and D&Os have witnessed the significant fines that can be issued by data protection authorities following a breach and the law is still developing on claims from data subjects. In addition, the first party costs following a breach can be considerable and reputational risk is high.
Systems and controls – A new entry to the rankings
Regulatory actions from financial regulators for cyber systems and controls failures can also be added to the risk landscape. A recent example in the UK is the £11.2m fine imposed on Equifax Ltd for cyber security breaches in 2017, which resulted in unauthorised access to millions of US, UK and Canadian citizens’ personal data. In fact, this is in line with a trend we have witnessed in recent years for financial regulators to impose significant fines for a range of systems and controls failings (indeed, many core failings include a PRIN 3 failure as standard now in the UK), demonstrating the importance of such controls in preventing insider trading, money laundering, bribery and fraud, amongst other things.
It is no surprise, therefore, that concerns about systems and controls are a new entry in the top seven risks list (at number five). Boards are expected to be on top of this issue and the Financial Reporting Council’s (FRC) recently revised UK Corporate Governance Code, which will apply to financial years beginning on or after 1 January 2025, focuses significantly on internal controls. The main substantive change is that boards now must explain through a declaration in their annual reports how they have covered all material controls – including financial, operational, reporting and compliance controls – and their conclusions.
Concern about sanctions is a new entry on the top risks list
Effective systems and controls are also vital to prevent and detect breaches of sanctions laws. Our survey shows that concern about sanctions is a new entry on the top risks list, at number seven. In the UK, enforcement of sanctions laws has been bolstered by the introduction of the Economic Crime (Transparency and Enforcement) Act 2022. The Office of Financial Sanctions Implementation (OFSI) can now impose penalties for sanction breaches without needing to prove the individual’s knowledge of the breach, increasing the risk to D&Os. The OFSI can also now publicly report breaches, potentially damaging reputations. Whilst there has not been a stream of enforcement action thus far, exposure may increase as a result of the government’s announcement, on 11 December 2023, of a new unit – the Office of Trade Sanctions Implementation (OTSI) – to clamp down on sanctions evasion. The OTSI is intended to play a pivotal role in assisting businesses in complying with sanctions, investigating potential breaches, issuing civil penalties and referring cases to HMRC for criminal enforcement, where necessary. The OTSI will launch during the course of 2024.
Which risk has taken third place?
Regulatory risk, more generally, continues to be of concern (here, the number three concern), and with good reason. Whilst there are a host of regulators who are increasingly exercising their supervision and enforcement powers, all contributing to the regulatory space being a difficult one to navigate for D&Os, the largest activity emanates from financial regulators. In the UK, Financial Conduct Authority (FCA) enforcement activity remains a substantial exposure for companies and D&Os and the burden has increased this year with the introduction of the Consumer Duty, which sets higher expectations for the standard of care that firms provide to consumers. The FCA is also paying close attention to non-financial misconduct (aided by its recent consultation on diversity & inclusion), as well as continuing to promote individual accountability. D&Os are expected to lead a healthy culture from the top-down or face the consequences.
The FCA to increase its use of early intervention measures
Whilst enforcement case numbers are not increasing year-on-year, the FCA is upping its use of early intervention measures and the imposition of non-financial sanctions, with the aim of catching breaches/wrongdoing at an early stage. Areas of focus continue to be clamping down on unauthorised business, unsuitable advice, systems and controls failings and tackling anti-money laundering/financial crime and bribery and corruption. This latter risk is at number six on our list overall but climbs to number one for the largest companies (>$5bn), reflecting the increased focus by prosecutors on this area and the internationally coordinated investigations. A recent example saw the UK’s Serious Fraud Office (SFO) investigating, in collaboration with US, Dutch and Swiss prosecutors, a UK trading and mining company who was recently convicted for bribery under the Bribery Act 2010. The company paid US$29 million in bribes to increase oil trading profits in five African countries from 2011-2016. It was fined £280 million, the largest ever for a corporate bribery conviction, marking the first admission of a principal bribery offence under the Act. In addition to direct prosecutions against D&Os, the ‘failure to prevent’ regime in this Act (plus the Criminal Finances Act 2017 and the Economic Crime and Corporate Transparency Act 2023) could see follow on prosecutions against D&Os following cooperation by the entity to secure a deferred prosecution agreement (DPA). Indeed, the SFO secured its first DPA-related conviction in March 2023 but there are still more instances of cases being dropped.
ESG, a hot topic in the boardroom
Of interest is that despite the global and increasing regulatory focus on Corporate Social Responsibility, and ESG being a hot topic in the boardroom, once again climate change does not feature in the overall top seven risks. No longer featuring at all for Great Britain, despite its number one position last year, but a notable new entry for Asia (number three) and the Middle East (number six). This continues to be a surprise as it is clear any disclosure requirements create liability for companies and their boards, and how they tackle the issue of complying with their ESG requirements will be as big a liability as not complying or reaching targets. There are potentially huge knock-on effects to acting in the space not only for the company itself but also in terms of people and economies. Boards will need to fully understand all this before acting or could bear the brunt of claims arising from the mishandling of their ESG polices.
In conclusion…
The list of the top seven risks reveals the various difficulties and challenges that D&Os encounter, which could have serious implications for them. To avoid and reduce these risks, it is essential to have effective risk management and appropriate systems and controls in place. A failure to ensure robustness of these may not only have a material impact on business operations and financials, from large fines and penalties, but there is also the potential for shareholder litigation following stock drops brought about because of the reputational damage to companies caused by such failure.
Authors: James Cooper and Eve Richards
The highest perceived risk for respondents from the financial services and insurance industry remains cyber-attacks, and we expect the unease around governance and the focus by regulators on systems and controls correlates, at least in part, with that concern. However, strikingly, for the first time this year we see health and safety coming in as a very close number four with 84% of financial services and insurance respondents identifying it as a risk concern (compared to only 35% in last year’s survey). We consider below why this might be.
3. What do the results say about Financial Institutions
What might have triggered health and safety as a board concern?
The FT recently reported that across all industries, employee health has barely improved since the COVID-19 pandemic, noting that indicators of ill health include alcohol consumption, obesity and lack of sleep. The financial services industry scored particularly high in the survey regarding the former. We have also witnessed a rise in health and safety investigations and prosecutions by the Health and Safety Executive, who have maintained an impressive conviction rate.
That said, we think there is another trend which may be influencing the results in the financial services industry, and that is the focus on non-financial misconduct in the industry and a recognition that such behaviour can impinge on well-being as well as financial results.
Non-financial misconduct
While not appearing in the top seven risks for financial services and insurance, this year’s survey nonetheless indicates an increasing concern in respect of employment claims (57% identifying it as a risk concern, compared with 36% last year). This is echoed by increasing concern about the breach of human rights within or by business operations (64% this year, up from 42% last year) and all other social factors featuring as questions in this year’s survey. This, arguably, in part, reflects regulators’ increasing interest in non-financial misconduct.
In 2018, the Women and Equalities Committee of the UK Parliament published its report on sexual harassment in the workplace, leading the UK’s financial conduct regulator, the Financial Conduct Authority (FCA), to explain the basis on which it sees sexual misconduct as falling within the scope of the regulatory framework. The FCA has also brought a number of cases against individuals whose non-work-related conduct was deemed to affect their integrity such that they could not be considered “fit and proper” to work in financial services. The FCA has placed increasing weight on the role of culture in recent years – for example in a ‘Dear CEO letter’ to insurance firms in January 2020, the FCA identified non-financial misconduct and an unhealthy culture as a key root cause of harm:
“We view both lack of diversity and inclusion, and non-financial misconduct as obstacles to creating an environment in which it is safe to speak up, the best talent is retained, the best business choices made, and the best risk decision taken”.
This issue is not abating, and firms may be coming to appreciate that there is a correlation between culture and employee well-being. Specifically, the impact on employees’ health and well-being within a culture which tolerates bullying and discrimination.
In July 2023, the House of Commons Treasury Committee (TC) called for evidence on the barriers faced by women in financial services as it launched an enquiry called ‘Sexism in the City’, examining the progress made in removing gender pay gaps and what role firms, the Government and regulators should play in combatting sexual harassment and misogyny. The report, published in March 2024, concluded that there have been “incremental improvements for women working in financial services on certain metrics, such as the proportion of women holding senior roles. Overall, there has been a disappointing lack of progress on sexual harassment and bullying, including serious sexual misconduct. Despite the best efforts of some far too little progress has been made and serious problems which should have been rooted out still persist.” The TC enquiry was prompted, at least in part, by allegations of sexual misconduct at Odey Asset Management. Ultimately, those allegations led to the winding down of the firm and investigations into both the firm (now closed) and Mr Odey himself. The FCA’s response to the report notes that it shares the TC’s view that change is needed, which is why it is consulting on its diversity and inclusion proposals (a consultation was launched in September 2023 in this regard).
Recommendations
Addressing these issues is a key regulatory focus and both of the UK regulators, the FCA and the Prudential Regulatory Authority (PRA), confirmed proposals to require certain firms to provide data, with a view to understanding how cases of non-financial misconduct are resolved. We will be carefully monitoring the proposals. In the meantime, directors may wish to satisfy themselves that their D&O and E&O policies cover regulatory investigations and consider employment practices liability insurance.
Authors: Laura Cooke and Claire Nightingale
References
The primary focus in recent years has been on ‘E’ (environmental) risks, particularly climate-related risks, but ESG is far more wide-reaching, and encompasses a range of issues under the ‘S’ (social) umbrella – for example, workplace culture, diversity, equity and inclusion (DEI) and community impact – and the ‘G’ (governance) umbrella, which ensures the board of directors is identifying, analysing, putting into action and reporting on the ‘E’ and ‘S’ issues.
4. ESG related risks
In response to the increasing attention paid to ESG factors, the questions in last year’s survey were reorganised to fit within an ESG framework. Given that the level of attention has only increased in the past twelve months (and, indeed, political uncertainty and polarisation of views in some jurisdictions to varying degrees), we have maintained this structure for this year’s survey.
For comparative purposes, our review of the responses on ESG-related factors in last year’s survey can be accessed here.
Social risks on the rise
While there are variations between results when looked through a jurisdiction or industry lens, this year’s survey shows that, overall, all ESG-related risks are of more concern to D&Os than they have been in the past but social risks – health and safety (H&S), human rights, supplier business practices and employment claims – have particularly grown in importance, with each risk perceived as much higher than in previous years. Notably, H&S risks are now considered the number one concern, perhaps linked to a rise in employment litigation (the survey shows concern about such claims has also risen).
There are many reasons why ‘S’ issues have become increasingly important in recent years, including (i) changing consumer attitudes, with consumers expressing more interest and concern about how companies’ operations impact society; (ii) more attention on social issues as a result of highly publicised cases involving inequality and human rights; (iii) regulatory pressure to improve corporate behaviour and increase board accountability for their impact on their workforce and the broader community; and (iv) increasing demand from investors, who want to know how social factors are incorporated into investment decisions. There is also greater awareness of studies which have indicated that a company which invests in good, responsible social practices results in better financial performance.
Why companies are engaging in ‘green hushing’
Whilst ‘S’ issues are of concern across the board, the survey shows that larger companies are more concerned with ‘E’ issues than smaller companies, likely reflecting the greater regulatory burdens these companies face. Unsurprisingly, the energy and utilities sector ranks climate change risks the highest and is the only sector which has it within its top seven risks.
One of the more notable developments in the last year relating to ESG is the increase in ‘anti-ESG sentiment’. For example, we have witnessed some states in the US taking ‘anti-ESG’ measures, including divestment policies and ‘anti-boycott laws’, limiting the state’s business with companies that take into account ESG factors in their operations. It has been suggested that this may lead to companies engaging in ‘green hushing’ – downplaying their ESG efforts to avoid backlash.
On the flip side, a number of other states in the US have enacted legislation encouraging or requiring fiduciaries of state pension plans to take ESG factors into account when such factors may be financially material and disclose how they are doing so. Bills have also been introduced calling for the mandatory divestment of public funds from certain industries like fossil fuels, firearms and nuclear power. These bills have generally not been passed into law and have faced significant opposition, particularly as they remove the discretion of fiduciaries to assess materiality. The approach proposed or enacted by different US states is, for the most part, determined along party political lines but there are variations and nuances between them all.
While other jurisdictions have not witnessed a similar backlash yet (or, at least, not to the same degree), in the UK at least, ‘green issues’ may be thought to have been de-prioritised of late in some quarters.
In sum, there is currently a very complex patchwork of current and upcoming regulations at both the state and federal levels in the US applicable to ESG. This makes for an incredibly difficult and ever-changing landscape for D&Os to navigate, and the political overlay adds volatility and unpredictability as to the direction and speed of travel. This is particularly so for D&Os of multi-nationals as the situation becomes more complex still when one factors in current and upcoming regulations in other jurisdictions.
D&Os are at the heart of shaping corporate culture and reporting on ESG issues, getting it wrong or failing to adequately prioritise these issues can lead to significant consequences
The regulatory space is driving the risk for D&Os. There are additional reporting obligations in many jurisdictions. For example, the UK has brought in specific climate-related disclosure rules (which are a mix of mandatory or ‘comply or explain’ depending on the size of the company and whether it is listed) and is consulting on DEI issues and, in the EU, there is the Corporate Sustainability Reporting Directive (CSRD), which expands the scope of the companies which are required to make sustainability disclosures and includes more stringent and harmonised reporting obligations. Australia has climate reporting proposals on the table and, in the US, specific disclosure guidelines were adopted by the SEC on 6 March 2024. Of note, the adopted version is a much-diluted version of the proposals originally on the table. Nonetheless, we expect there to be some pushback on the guidelines given the current US sentiment towards climate (and broader ESG) issues.
Increased scrutiny of non-financial disclosures
There is also greater scrutiny of non-financial disclosures, in addition to a raft of new regulations which could result in regulatory action if they are breached. In the UK, for example, the FCA announced a new regime (PS23/26) to increase trust in the market through sustainability disclosure and labelling. The regime has (i) a new anti-greenwashing rule, in force from 31 May 2024, which makes UK-based firms ensure that sustainability claims are accurate, clear, and fair; (ii) four new labels for investment products; and (iii) rules on proper marketing and information about the sustainability of financial products and services, to protect consumers and improve investor confidence. Similarly, in the EU, Members of the European Parliament (MEPs) recently announced that they have adopted a directive to protect consumers from deceptive marketing practices. The directive, amongst other things, adds some harmful marketing behaviours linked to greenwashing to the EU list of prohibited commercial practices. In Australia, regulators have recently had a particular focus on misleading conduct in relation to sustainable finance, including greenwashing, which we expect to be an ongoing trend in 2024. Interestingly, regulators there have utilised existing legislative instruments as a means of enforcement, rather than seeking to introduce a new regime.
Cracking down on ESG breaches
Breaching ESG rules and disclosure laws could lead to regulatory investigations and enforcement proceedings against companies and their D&Os. We are already seeing claims against companies in the US – for example, the SEC imposed a US$19 million fine on a bank-owned asset manager for misleading ESG disclosures and, in Australia, ASIC issued infringement notices and took a number of sustainable finance cases to court, including three serious instances of greenwashing and issued a number of greenwashing infringement notices.
Of course, regulatory investigations and actions can lead to securities class actions and shareholder derivative suits. Shareholders in the US have already filed a number of actions disputing companies’ ESG initiatives, which have been largely unsuccessful to date. A particular focus of those actions is failures in relation to DEI.
In 2023, shareholders increasingly sought to use the derivative action process to hold directors accountable for climate-related risks and the UK saw some interesting cases – an environmental charity brought an action against an oil industry company, in which the claimants were arguing directors should be personally liable for failing to implement an energy transition strategy aligned with the 2015 Paris Agreement and a UK company law, climate litigation, and pension law case, in which the claimants alleged mismanagement of the fund on several grounds, including over-investment in fossil fuel assets. Whilst these cases failed at the permission stage, we can expect similar litigation from climate-focused non-governmental organisations (NGOs), activists, and investors in due course and, certainly, the courts’ examination of directors’ duties in an ESG context will be studied closely.
ESG is an enormous, fast-moving area and can be extremely challenging for D&Os to find a course through, particularly with the current political sentiment.
Authors: Laura Cooke and Angus Duncan
Since the pandemic, during which insolvency rates were low due to Government measures, there has been a considerable rise in insolvencies in the UK and many other jurisdictions. High interest rates have significantly increased the cost of borrowing and many companies are saddled with mountains of debt that was taken out in better times and which are now difficult to repay. In addition, high inflation and energy costs, lower consumer confidence and volatile supply chains have all contributed to making the last few years very difficult for businesses.
5. Insolvency Risk
An increase in company insolvencies throughout 2023
Insolvency specialists[1] estimate that more than 47,000 businesses are near collapse in the UK at the start of 2024 and, according to the 2023 statistics released by the Insolvency Service, the number of registered company insolvencies for 2023 was 25,158, the highest annual number since 1993, and Q4 2023 saw the highest quarterly insolvency numbers since Q4 2008 (during the global financial crisis).
This upward trend is reflected in many other jurisdictions, including the US, Australia and the EU.
Despite these reports, concern about insolvency does not feature in the top seven risks of our D&O survey and only features as a number six concern for the smallest companies (<$50m) (though when viewing the data historically, concern has risen from 45% of respondents considering it to be an extremely important risk in 2022 to 59% in 2023).
Large companies are also at risk of failure
Whilst it might be true that SMEs are quicker to fail and in greater numbers, larger companies are not impervious to the risk of failing or the considerable consequences that could follow for D&Os. In addition, when such companies do fail, there are significant ramifications, as was seen when Carillion collapsed. Further, there is evidence that there has been an uptick in larger companies failing. For example, Cornerstone research[2] shows that “In 1H 2023, 72 large companies filed for bankruptcy, already surpassing the total number of bankruptcies filed in 2022 and more than three times the number of bankruptcies in 1H 2022…there were [also] 16 mega bankruptcies (those filed by companies with over $1 billion in reported assets) in 1H 2023, matching the full-year total for 2022 and higher than the 2005-2022 half-year average of 11.”
What impact does this have on D&Os?
Insolvency-related claims are a large source of claims against directors in many jurisdictions, including the UK, but the risk of claims has increased as insolvencies have rocketed. Further, during difficult economic times, there is a higher risk of fraudulent, dishonest or wrongful actions – this could all lead to more actions against D&Os for breaches of insolvency legislation and their duties to the company, in addition to disqualification proceedings and orders for compensation.
Claims
Claims arising from the ‘twilight zone’ – the time when insolvency is a very real possibility but before the company is officially insolvent – are common in most jurisdictions. In the UK, insolvency practitioners are obliged to examine the decision-making of directors in the time leading up to the insolvency and an investigation into directors' conduct and the company's affairs happens in every case, with resulting civil claims (for example, for wrongful trading, fraudulent trading, misfeasance or breach of fiduciary duty) being common.
In 2023, there were a range of cases against D&Os arising out of insolvency events, which clarified some important points that are worth bearing in mind:
In the UK, Insolvency Practitioners must submit reports to the Secretary of State on the conduct of every director (including shadow directors) who acted in that capacity in the three years prior to insolvency, regardless of their conduct. These reports are then considered by the Insolvency Service and, where the conduct suggests that they may be unfit to be concerned in the management of a company, investigation, enforcement and disqualification may follow.
The misuse of COVID-19 loans
Statistics show that the Insolvency Service has intensified its actions against unfit directors, especially those who misused COVID-19 loans (583 of the 850 director disqualifications in the last year included an allegation relating to COVID-19 financial support scheme abuse) and the average disqualification period has increased to over eight years, up from five years and ten months in 2021-22. Directors who seek to dissolve companies to evade debts are also being sanctioned in greater numbers following the new powers bestowed by the Rating (Coronavirus) and Directors Disqualification (Dissolved Companies) Act 2021. In addition, the Insolvency Service has a high criminal conviction rate and recently succeeded in obtaining its first court compensation order (for £50,000) against a director for his abuse of the Bounce Back Loan scheme.
In summary
Insolvency risk is high and, given the current climate, it is more important than ever that directors of all companies are cognisant of the risk and are operating adequate risk management strategies to prevent insolvency or mitigate the consequences. This includes regular review of profitability, debt and capitalisation figures and prudent decision-making in the ‘insolvency zone’, bearing in mind the range of duties directors have to the company, its shareholders and creditors.
Authors: Mandip Sagoo and Angus Duncan
End