Management’s duty of care in practice – liability, documentation, and new compliance obligations
The role of a management board member is increasingly less about making sound business decisions alone. A critical factor is now the proper understanding of the standard of managerial due diligence. It is no longer sufficient to delegate responsibilities to employees, the IT department, accounting, or external advisers. What matters is whether the management board is able to demonstrate that decisions were made based on adequate information, analyses, expert recommendations, and a genuine assessment of risk.
Minutes of meetings, resolutions, audit reports, advisory opinions, training confirmations, and documentation of implemented recommendations are not unnecessary bureaucracy. In the event of an inspection, incident, or dispute, they may become the primary evidence that management acted with due diligence and within the bounds of reasonable business risk.
Importance is now attached to cybersecurity and sustainability regulations. The NIS2 Directive strengthens the role of management bodies in approving and overseeing cybersecurity risk management measures. Board members must ensure the functioning of an effective system of supervision, reporting, and incident response. Similarly, ESG obligations, although formally applicable only to certain categories of entities, are increasingly influencing their contractors, suppliers, and business partners, who are expected to confirm compliance with appropriate standards.
How a lack of documentation makes it harder to demonstrate due diligence
Why it matters – KR Group case study:
- The company’s management viewed IT security as a purely technical responsibility.
- No regular risk audits were conducted at management level, key security measures were not formally approved in minutes, and the incident response procedure was outdated.
- A ransomware attack resulted in temporary system paralysis and a breach of confidentiality of certain data.
- The company had to simultaneously carry out remediation actions, analyse obligations under personal data protection regulations, and communicate with business partners.
- The greatest difficulty was the lack of documentation confirming that risks had been systematically analysed, safeguards approved at the appropriate management level, and employees prepared to act in a crisis.
- As a result, demonstrating due diligence during proceedings became significantly more difficult than it would have been with properly maintained management documentation.
When to review compliance, cybersecurity, and ESG procedures
Should your organisation has not yet reviewed its compliance, cybersecurity, ESG procedures, or the way managerial decisions are documented, it is worth considering a governance responsibility audit. It helps structure processes that, in the event of an inspection, incident, or dispute, may be crucial for the security of both the company and its management.





