Leading Through Complexity: The Evolving Global Regulatory Environment
Effective board oversight makes it necessary to stay updated with global regulatory changes and compliance reporting requirements. The discussion emphasized the importance of boards keeping informed of the changing regulatory landscape and ensuring that management is monitoring and engaging appropriately, given some participants’ view that “if you’re not at the table, you’re on the menu.” These were among the key insights to emerge during the Directors Dialogue session organized in Philadelphia on May 1 by Drexel LeBow’s Raj & Kamla Gupta Governance Institute.
U.S. Regulatory Landscape
The United States is witnessing what some have called the “federalization of corporate governance,” characterized by rapid and extensive rulemaking impacting various commercial entities, including public and private companies, investment firms, and investors. The SEC’s 2023 Regulatory Flexibility Agenda outlined plans to adopt and finalize 25 rules in 2024, covering areas like climate and cybersecurity disclosures, corporate board diversity, human capital management and proxy process amendments.
Global Regulatory Trends
The trend toward active regulatory rulemaking is not confined to the U.S. but is also evident globally, with states, countries, industries and international bodies like the European Union engaging in similar activities. The diversity in regulatory content across different jurisdictions complicates compliance, especially for organizations operating in multiple regions.
Artificial Intelligence (AI)
The Biden administration’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence calls for increased transparency, mandates that federal agencies issue guidelines for AI usage in their respective industries, and establishes the U.S. AI Safety Institute as the body responsible for executing the order’s policies. As the 2024 presidential election intensifies the U.S. debate around generative AI’s impact on social media platforms and misinformation, Congress is considering several legislative proposals, while California, Colorado and other states are also developing AI regulations.
This contributes to a growing global regulatory approach to AI, including the EU’s recently adopted AI Act, which applies to any company doing business in the EU. As the first comprehensive AI law, the AI Act will set the de facto global standard, much as the EU’s General Data Protection Regulation (GDPR) did for data privacy.
Data Privacy and Cybersecurity
From 2021 to 2023, 17 new countries enacted data privacy laws, bringing the total to more than 162 privacy laws globally. By 2024, it is predicted that 75% of the world’s population will have their personal information protected by some form of modern data privacy regulation. In July 2023, the SEC introduced broad cybersecurity disclosure rules for public companies, enhancing transparency by mandating disclosures about the board’s oversight of cybersecurity threats and details of certain cyber incidents. Domestic legislation in the U.S. includes various state-level privacy acts, while the EU’s GDPR continues to influence global data protection standards and extends its handling obligations to companies whose operations have even a minimal European nexus.
Climate Regulations
In March 2024, the SEC adopted rules to enhance and standardize climate-related disclosures for investors by public companies and in public offerings. Other jurisdictions, including California, the EU and the UK, are also pursuing stringent climate disclosure regulations that will affect U.S. companies. The EU’s Corporate Sustainability Reporting Directive will require comprehensive sustainability reporting from 2026, impacting both EU and non-EU entities.
Enforcement Trends
Enforcement actions by state and federal agencies including the SEC, Department of Justice, the Federal Trade Commission and the New York State Department of Financial Services are on the rise, targeting issues like cybersecurity and consumer information protection. High-profile cases include settlements by Aerojet Rocketdyne, Morgan Stanley Smith Barney LLC, Blackbaud Inc., OneMain Financial Group LLC and Microsoft Corp., highlighting the increasing scrutiny across industries on compliance failures.
Political and Regulatory Uncertainty
Political polarization and the upcoming U.S. election add to regulatory uncertainty. Legal challenges to the SEC and California climate rules, potential legislative actions to nullify the SEC climate rules, and campaign promises to reverse Biden-era regulations contribute to a volatile and unpredictable regulatory environment.
Given the high level of uncertainty, the increased compliance costs, and the potential impact on corporate governance, some business leaders are adopting a wait-and-see approach. Although this approach might be tempting, board members and directors cannot afford to be complacent or uninformed. Instead, they must have access to internal and/or external regulatory expertise, be aware of rulemaking activity at home and abroad, and ensure sufficient advocacy on behalf of the company is exerted at appropriate points in the rulemaking process.
Regulatory Risk Management and Oversight
Organizations face significant challenges in keeping up with regulatory changes, which require substantial resources and expertise. Despite growing compliance teams, companies struggle to meet evolving requirements.
While the number of employees tasked with monitoring the increasingly complex and evolving global regulatory environment is growing, the average size of boards of directors remains largely unchanged, despite the increase in global rulemaking and the uncertainty it injects into the governance process.
Boards must understand and respect the difference between risk management and risk oversight. They cannot and should not be involved in day-to-day risk management. Rather, they should ensure management is addressing regulatory risk in line with the company’s risk profile, organizational goals and strategy; maintain oversight of the organization’s risk management framework and policies; set the organization’s risk appetite and tolerance levels; monitor the organization’s risk profile and key corporate risk factors; and ensure management has adequate resources, systems and controls to manage risks effectively.
Best Practices for Boards
Boards should adopt proactive measures, including:
- Tracking regulatory changes and engaging in policy discussions (when appropriate).
- Meeting (when appropriate) with government bodies during the rulemaking process; sharing a company’s idiosyncratic issues can be powerful and impactful.
- Maintaining awareness of global regulations and their implications.
- Distinguishing between risk management and oversight.
- Fostering boardroom discussions on complex issues like cybersecurity, AI and climate change, bringing in external experts when appropriate.
- Evaluating the use of specialized committees to oversee specific risks such as a sustainability committee for ESG-related risks.
- Considering prospective directors with regulatory expertise in board succession planning to enhance governance and attractiveness to investors and future directors.
- Overseeing regulatory risk in the value chain stemming from vendors that are subject to different geographic- and industry-specific regulatory requirements and that have varying levels of risk tolerance and compliance standards.
- Considering regulatory changes as opportunities for strategic positioning.
Navigating the complex and evolving regulatory landscape requires boards to stay informed, proactive and engaged in advocacy efforts to effectively manage risks and seize opportunities for strategic advantage.
This article is part of the 2024 Directors Dialogue Digest series, Changing Leadership for a Changing World. Join the Institute’s mailing list for early access to valuable research, industry updates and more.