From a legal standpoint: Management in the face of new compliance obligations

Krg article

In an era of increasing regulatory requirements and the personal liability of members of governing bodies, due diligence on the part of the management board is becoming not only a standard of good governance but also a practical tool for mitigating legal and operational risks.

Management’s duty of care in practice – liability, documentation, and new compliance obligations

The role of a management board member is increasingly less about making sound business decisions alone. A critical factor is now the proper understanding of the standard of managerial due diligence. It is no longer sufficient to delegate responsibilities to employees, the IT department, accounting, or external advisers. What matters is whether the management board is able to demonstrate that decisions were made based on adequate information, analyses, expert recommendations, and a genuine assessment of risk.

Minutes of meetings, resolutions, audit reports, advisory opinions, training confirmations, and documentation of implemented recommendations are not unnecessary bureaucracy. In the event of an inspection, incident, or dispute, they may become the primary evidence that management acted with due diligence and within the bounds of reasonable business risk.

Importance is now attached to cybersecurity and sustainability regulations. The NIS2 Directive strengthens the role of management bodies in approving and overseeing cybersecurity risk management measures. Board members must ensure the functioning of an effective system of supervision, reporting, and incident response. Similarly, ESG obligations, although formally applicable only to certain categories of entities, are increasingly influencing their contractors, suppliers, and business partners, who are expected to confirm compliance with appropriate standards.

How a lack of documentation makes it harder to demonstrate due diligence

Why it matters – KR Group case study:

  • The company’s management viewed IT security as a purely technical responsibility.
  • No regular risk audits were conducted at management level, key security measures were not formally approved in minutes, and the incident response procedure was outdated.
  • A ransomware attack resulted in temporary system paralysis and a breach of confidentiality of certain data.
  • The company had to simultaneously carry out remediation actions, analyse obligations under personal data protection regulations, and communicate with business partners.
  • The greatest difficulty was the lack of documentation confirming that risks had been systematically analysed, safeguards approved at the appropriate management level, and employees prepared to act in a crisis.
  • As a result, demonstrating due diligence during proceedings became significantly more difficult than it would have been with properly maintained management documentation.

When to review compliance, cybersecurity, and ESG procedures

Should your organisation has not yet reviewed its compliance, cybersecurity, ESG procedures, or the way managerial decisions are documented, it is worth considering a governance responsibility audit. It helps structure processes that, in the event of an inspection, incident, or dispute, may be crucial for the security of both the company and its management.

Please contact us!

Complete the form and we will quickly provide you a preliminary offer

Request for Proposal

Read also

KR Group Insights

We share knowledge that supports informed business decision-making. In our Knowledge Zone, we publish articles, alerts, expert commentaries, and practical materials covering accounting, HR and payroll, taxation, law, and business.

Newsletter

Access to the most important information: tax, accounting and legal, crucial for your business.

KR Group - Comprehensive Services in Central and Eastern Europe

Region CEE

KR Group to polska, dynamicznie rozwijająca się grupa księgowo-podatkowa o międzynarodowym zasięgu. Zatrudniamy ponad 230 specjalistów w naszych oddziałach w Polsce, Czechach, Rumunii oraz Węgrzech.