Directors' Exposure to Risk

Sep 09, 2021

Directors are not protected by limited liability, and retain responsibility and potential liability for decisions taken by the board and its committees

Be aware of the risks you take

All business involves risk. Companies have limited liability but directors do not. 


Although it is boards who take decisions, and some activities are delegated to the company secretary and individual committees, directors retain personal responsibility and potential liability:

  • Failure to file accounts or returns
  • Health and safety legislation
  • Employment law
  • Control and disposal of hazardous waste

In addition, there could be litigation with regard to corporate manslaughter and the Bribery Act arising from activities by employees. It is important to ensure that the board has strong policies on these matters and ensures that appropriate training and processes are implemented.


You can mitigate these risks by taking out professional indemnity insurance and learning to become a professional and effective director.


If you disagree with a decision, even if you are outvoted, you can still be liable for the results. Make sure that your objection is recorded.

Financial risk

Loan capital is not protected and in smaller companies directors are sometimes asked to guarantee loans to the company. 

Where shares are partly paid, shareholders could be called upon to pay the outstanding sum.


If a company gets into financial difficulties, the board should seek professional advice immediately.


If the company carries on trading to the detriment of its creditors, this is wrongful trading.


Any director who should have concluded the ‘point of no return’ had been reached can be held personally liable for the debts if the company then goes into liquidation.


Taking advantage of limited liability protection depends on keeping proper records, processes and procedures:

  • Board meeting properly constituted
  • Board meeting took place with agenda
  • Board meeting properly minuted
  • Proper information provided and records kept


You can be disqualified from being a director if you don’t meet your legal responsibilities. Anyone can report a company director’s conduct as being ‘unfit’.


‘Unfit conduct’ includes:

  • Allowing the company to continue trading when it can’t pay its debts
  • Not keeping proper company accounting records
  • Not sending accounts and returns to Companies House
  • Not paying tax owed by the company
  • Using company money or assets for personal benefit

The following bodies in the UK can apply to have you disqualified:

  • The Insolvency Service
  • Companies House
  • The Competition and Markets Authority (CMA)
  • The courts
  • A company insolvency practitioner

If you are disqualified, it could be from two to 15 years.


In addition, there might be relevant government regulations or restrictions in the company’s Articles of Association that disqualify you from being a director of this particular company.

Managing risk at board level

Successful business involves risk.


All members of the board should have a feeling for the main business risks.


The board should establish ways of monitoring the development of these risks and seek reassurance that such risks are being managed in an appropriate manner by the management team.


New forms of risk

Rapid technology advancement has created both opportunity and risk.


Cyber security, employees using their own computers and mobile devices, and social media are just three IT risks that are likely to have deficient or non-existent internal controls, which in turn cause privacy breaches,

These are in addition to traditional risks such as fraud, health and safety, environmental and reputational risks.


Risk appetite and tolerance

Risk appetite is the amount of risk that an organisation is willing to accept in order to meet its strategic objectives.


Organisations will have different risk appetites depending on their sector, culture and objectives.


Organisations have to take some risks and avoid others.


While risk appetite is about the pursuit of risk, risk tolerance is about what an organisation can actually cope with. Risk appetite and tolerance need to be high on any board’s agenda and are a core consideration of an enterprise risk management approach.


Dealing with risk

There are four possible responses to risk:

  • Avoid the risk. Do not commit to planned action and abandon the proposed project.
  • Mitigate the risk. Invest in standby equipment, duplicate or triplicate critical components, train staff or adopt risk policies such as requiring senior executives to travel in different vehicles.
  • Transfer the risk. Insure against the risk or otherwise spread the exposure to third parties.
  • Retain the risk. In this case the board must evaluate the impact of a worst-case scenario and the ability of the organisation to recover.

Risk management

Boards should have nominated directors with risk expertise.


Every company board should approve the risk appetite framework, including internal control reporting and independent, coordinated, assurance over controls mitigating each risk and their interactions. There should be annual third-party reviews, reporting directly to the board and audit and risk committees.


The CEO should always consider him/herself as the de facto chief risk officer and seek to encourage an appropriate sense of risk consciousness at all levels of the company.


Risk governance

A risk governance framework should include well-defined organisational responsibilities for risk management, typically referred to as the three lines of defence.


Business units are the first line of defence. They take risks and are responsible and accountable for the ongoing management of risks.


The second line of defence includes an independent risk management function. The risk management function complements the business line’s risk activities through its monitoring and reporting responsibilities.


The second line of defence also includes an independent and effective compliance function.


The third line of defence consists of an independent and effective audit function. Internal auditors must be competent and appropriately trained and not involved in developing, implementing or operating the risk management function or other first or second line of defence functions.


Risk register

Business risk is classified into six different main types:


1. Strategic risk: risks associated with the operations of that particular industry.

  This kind of risk arises from:

  • Business environment: buyers and sellers interacting to buy and sell goods and services; changes in supply and demand, competitive structures and the introduction of new technologies
  • Transactions: asset relocation in mergers and acquisitions, spin-offs, alliances and joint ventures
  • Investor relations: strategy for communicating with individuals who have invested in the business

2. Financial risk: risks associated with the financial structure and transactions of the particular industry


3. Operational risk: risks associated with the operational and administrative procedures of the particular industry


4. Compliance risk: risks associated with the need to comply with the rules and regulations of the government


5. Reputational risk: risks relating to external perceptions, including social media and corporate response to accidents, disasters and product failures


6. Other risks: risks like natural disasters, such as flooding, and others that depend upon the nature and scale of the industry

What to do next

If you would like to know more about how we can support your personal development as a director, facilitate an away day or corporate retreat, or assist with your board's corporate governance, contact us or call +44 (0) 7970 891 343.