Duty, Risk & Resilience: Fiduciary Duty and the Full Spectrum of Enterprise Risk

The question is not whether boards should care about environmental, social, and resilience risks. The question is whether boards that fail to govern these risks adequately are meeting their fundamental legal obligation to protect financial value.

Duty of Care

Directors must exercise the care, diligence, and skill that a reasonably prudent person would exercise in comparable circumstances. This requires active engagement with the material risks facing the organisation — not passive acceptance of management's assessment.

Duty of Loyalty

Directors must act in the best interests of the company, not for personal gain or at the expense of shareholders. This includes the interests of the company as a going concern — which is inherently a long-term consideration.

Business Judgment Rule

Directors are protected from liability for good-faith business decisions based on reasonable information. The corollary is that decisions based on inadequate information — including wilful ignorance of material risk — do not attract protection.

Long-Term Value Obligation

Courts, regulators, and governance codes increasingly articulate an obligation to consider long-term value, not merely short-term profit. The UK Companies Act s.172 explicitly requires directors to consider the long-term consequences of decisions.

The actual governance question is not: 'Do companies owe duties to stakeholders beyond shareholders?' It is: 'Are there risks to shareholder financial value that directors are failing to govern adequately?' The answer to the second question is demonstrably yes — and that answer does not depend on resolving the first.

The appropriate response to this expansion of material risk is not to redefine directors' duties. It is to recognise that directors' duties — properly and honestly understood — have always required competent governance of material risk, and that the set of material risks has expanded substantially.

1

Physical Climate Risk

Acute & Chronic

Extreme weather events — floods, storms, wildfires, heat stress — damage physical assets, interrupt production, and destroy supply chain infrastructure. Chronic warming shifts precipitation patterns, reduces agricultural productivity, and alters resource availability over multi-decade horizons. Both translate directly into uninsured asset losses, revenue interruptions, and rising insurance premiums or uninsurability of key assets.

• Asset impairment

• Revenue loss

• Insurance cost / availability

• CapEx (hardening)

Swiss Re Institute estimates global insured losses from natural catastrophes exceeded USD 100bn in multiple recent years; Munich Re data shows an accelerating trend in weather-related losses since 1980.

2

Climate Transition Risk

Stranded Assets & Carbon Costs

Regulatory carbon pricing, emissions trading schemes, and changing market preferences can render fossil fuel reserves, carbon-intensive plant, and high-emission product lines uneconomic before the end of their asset lives. Carbon prices already applicable in 70+ jurisdictions affect operating costs; tightening regulations will expand scope and price levels materially.

• Asset write-downs

• COGS / operating costs

• CapEx redeployment

• Cost of capital

IEA Net Zero Roadmap (2023): no new oil and gas field development needed in a 1.5°C scenario. IPCC AR6: carbon prices of USD 135–5,500/tCO₂ may be required by 2030 across mitigation scenarios.

3

Water Scarcity & Stress

Operational & Supply Chain

Manufacturing, agriculture, energy generation, and mining are all water-intensive. Increasing water stress — documented across river basins globally by the World Resources Institute — creates direct operational constraints: production halts, regulatory restrictions on water extraction, higher water procurement costs, and conflict with communities over shared resources.

• Revenue (production limits)

• Operating costs

• Regulatory fines

• Licence risk

WRI Aqueduct data (2023): 25 countries face extremely high water stress. CDP Water Security Report (2023): companies face USD 339bn in water-related business risk vs. the cost of addressing it — a ratio of more than 5:1 in favour of action.

4

Biodiversity & Ecosystem Loss

Dependency & Liability

More than half of global GDP is estimated to be moderately or highly dependent on functioning ecosystems for inputs (soil, pollination, clean water, timber, fish stock). Ecosystem degradation disrupts supply chains, triggers new regulatory liability under emerging biodiversity frameworks (EU Nature Restoration Law, Kunming-Montreal GBF), and creates litigation risk for companies whose activities contribute to habitat destruction.

• COGS / input costs

• Regulatory liability

• Litigation

• Market access

World Economic Forum: USD 44tn of economic value dependent on nature. IPBES Global Assessment: biodiversity loss is accelerating at rates unprecedented in human history.

5

Energy Security & Price Volatility

Input Cost Risk

Companies exposed to energy-intensive production face margin compression when energy prices spike, as demonstrated sharply during the 2021–2022 European gas crisis. Transition dynamics will create continued energy price volatility as fossil fuel investment declines ahead of renewable build-out. Companies without a credible energy transition plan face both cost risk and stranded infrastructure.

• COGS

• Operating margin

• CapEx (energy transition)

• Working capital

European gas prices increased 15× between 2020 and 2022 peak. IEA: energy security and affordability are co-equal transition goals but near-term volatility is structurally embedded.

6

Critical Material Scarcity

Strategic Resources

The energy transition, digitalisation, and electrification are driving extraordinary demand growth for lithium, cobalt, copper, rare earths, and other critical minerals. Supply concentration — over 70% of cobalt from the DRC, over 60% of rare earth processing in China — creates geopolitical exposure. Price spikes, export restrictions, and supply shortfalls translate directly into input cost inflation and production constraints.

• COGS

• Revenue (production limits)

• CapEx

• Working capital / inventory

IEA Critical Minerals and Clean Energy Transitions (2023): demand for lithium could increase 40× by 2040 in a net zero scenario. EU Critical Raw Materials Act (2024) designates 34 critical minerals.

7

Supply Chain Concentration

Single-Source Dependency

Over-reliance on single suppliers, single geographies, or just-in-time inventory models creates fragility that is exposed when disruption occurs — whether from natural disaster, geopolitical action, trade restriction, or counterparty failure. The COVID-19 pandemic was a global case study in the financial consequences of supply chain under-diversification, across automotive, pharmaceuticals, semiconductors, and food.

• Revenue (lost production)

• COGS (emergency sourcing)

• Gross margin

• Working capital

McKinsey Global Institute: industries can expect supply chain disruptions lasting more than a month every 3.7 years on average, costing nearly 45% of one year's profit over a decade.

8

Regulatory & Compliance Risk

Broadening Scope

The regulatory perimeter governing non-financial conduct is expanding rapidly across environmental, social, governance, and cyber dimensions. Non-compliance triggers direct financial penalties, mandatory remediation costs, operating licence suspension, and exclusion from public procurement. The CSRD, CSDDD, EU Taxonomy, and analogous frameworks globally create financial exposure for companies that have failed to build compliant governance and reporting systems.

• Regulatory fines

• Remediation costs

• Revenue (lost contracts)

• CapEx (compliance)

EU GDPR fines exceeded EUR 4bn cumulatively by 2024. UK FCA and US regulatory bodies are applying similar escalation to ESG-related disclosure failures.

9

Cybersecurity & Data Risk

Operational & Reputational

Cyber incidents create multi-vector financial losses simultaneously: operational downtime, ransom payments, regulatory fines (GDPR, NIS2), litigation from affected parties, and sustained reputational damage affecting customer trust and revenue. The attack surface is expanding with OT/IT convergence and cloud migration. Supply chain cyber risk — where third-party vulnerabilities compromise the organisation — is now the dominant threat vector.

• Revenue (downtime)

• Fines & litigation

• Remediation costs

• Share price / cost of capital

IBM Cost of a Data Breach Report 2024: average cost of a data breach USD 4.88m globally. NotPetya caused estimated USD 10bn in damages across multiple organisations.

10

Modern Slavery & Labour Exploitation

Supply Chain Liability

Companies with labour exploitation or modern slavery in their supply chains face direct financial exposure through mandatory due diligence legislation (CSDDD, German LkSG, UK Modern Slavery Act, US UFLPA). Regulators can impose import bans, block market access, and require remediation. Consumer backlash and investor divestment create additional revenue and valuation impacts. The US Uyghur Forced Labor Prevention Act has already resulted in the seizure and return of hundreds of millions of dollars of goods at the US border.

• Revenue (market access)

• Fines

• Import seizures

• Cost of capital

UFLPA enforcement: CBP has targeted over USD 3bn in goods since 2022. German LkSG enforcement commenced 2024 with fines up to 2% of global annual turnover.

11

Workforce & Human Capital Risk

Talent, Health & Productivity

Labour market tightening, demographic shifts, and rising competition for skilled workers mean that companies with poor workplace cultures, inadequate health and safety records, or poor diversity performance face higher recruitment costs, elevated attrition, and productivity losses. Physical health risks — including those intensified by climate change, such as heat stress — have direct productivity impacts in outdoor and manufacturing sectors. Human capital is the largest operating cost for most service businesses.

• Operating costs (recruitment / attrition)

• Revenue (productivity)

• Litigation (H&S)

• Insurance

Gallup State of the Global Workplace: disengaged workers cost the global economy USD 8.9tn annually. WHO: heat stress could reduce working hours in exposed occupations by 2.2% by 2030.

12

Social Licence to Operate

Community & Stakeholder Risk

Social licence to operate — the informal but consequential acceptance of a company's activities by local communities, civil society, and the broader public — can be withdrawn faster than a regulatory licence. Loss of social licence creates project delays, cost overruns, injunctions, and market exits. For resource extraction, infrastructure, and consumer-facing companies, social licence is a real asset or liability on the balance sheet — even if it does not appear there.

• Revenue (project delay / cancellation)

• Legal costs

• Cost overruns

• Market valuation

Harvard Kennedy School research: social conflict costs mining projects USD 20m per week in delays at the median; major project delays can cost USD 5–20bn.

13

Deforestation & Land Use Change

Commodity Risk & Regulation

Companies sourcing commodities linked to deforestation — soy, palm oil, beef, cocoa, timber — face tightening supply as regulatory frameworks restrict commodity supply from deforested land. The EU Deforestation Regulation (EUDR) restricts market access for non-compliant supply chains from 2024. Financial institutions applying deforestation policies are restricting credit and investment to exposed companies.

• Revenue (market access)

• COGS (compliance sourcing)

• Cost of capital

• Regulatory fines

EU Deforestation Regulation: penalties including fines of at least 4% of EU turnover and market exclusion for non-compliant operators.

14

Environmental Pollution Liability

Air, Water & Soil

Legacy and ongoing environmental pollution — air emissions, water contamination, soil degradation, toxic waste — creates long-tail financial liability through regulatory enforcement, mandatory remediation, and litigation from affected communities and governments. Scientific attribution methods have advanced considerably, making it increasingly possible to link corporate activity to specific health or environmental outcomes and quantify damages.

• Remediation costs

• Litigation / settlement

• Regulatory fines

• Asset impairment

Superfund site remediation costs in the US often reach hundreds of millions of dollars per site. Volkswagen's Dieselgate settlement cost exceeded USD 33bn in fines, buybacks, and remediation.

15

Geopolitical & Trade Instability

Market & Supply Risk

Geopolitical instability, sanctions regimes, trade tariffs, export controls, and economic nationalism create sudden disruptions to market access, supply chain integrity, and asset values. Companies with significant cross-border operations or supply chains concentrated in geopolitically sensitive regions face abrupt revenue loss and asset impairment when relationships deteriorate — as demonstrated by the experience of companies operating in Russia following 2022 sanctions.

• Revenue (market access)

• Asset write-downs

• COGS

• Working capital

World Bank estimates of global trade disruption from geopolitical fragmentation: up to 2.4% of global GDP loss. Corporate losses from Russia exit 2022: BP alone wrote down USD 25.5bn.

16

Pandemic & Biological Risk

Systemic Operational Disruption

COVID-19 demonstrated that pandemic and biological risk is a material financial risk of the first order — not an implausible tail risk. IPCC and WHO scientists have documented that biodiversity loss, land use change, and climate change are increasing the likelihood of zoonotic spillover events. Companies without operational resilience plans face disproportionate financial loss when systemic biological risks materialise.

• Revenue collapse

• Working capital strain

• Supply chain costs

• Insurance

COVID-19 caused the largest recorded contraction in global GDP since World War II. IMF projections estimated cumulative output losses of approximately USD 12.5tn through 2024; broader estimates of total economic impact including indirect costs reach significantly higher. IPBES: pandemic risk is linked to ecosystem disruption and biodiversity loss.

17

Circular Economy & Waste Liability

Extended Producer Responsibility

Extended Producer Responsibility (EPR) legislation places direct financial liability on producers and importers for the end-of-life management of their products — packaging, electronics, batteries, textiles, and increasingly many other categories. Companies that have not designed for circularity face escalating EPR fees, landfill tax exposure, and the cost of retrofitting product design and reverse logistics infrastructure under regulatory compulsion.

• Operating costs (EPR fees)

• CapEx (product redesign)

• Regulatory fines

• Supply chain costs

EU Packaging and Packaging Waste Regulation: mandatory recycled content and EPR obligations expanding to all packaging producers. UK Plastic Packaging Tax and landfill tax escalator create direct per-tonne financial costs.

18

Technology Disruption & Obsolescence

Stranded Investment & Competitive Risk

Rapid technological change — in energy systems, manufacturing processes, digital platforms, and AI — creates the risk of stranded capital investment in technologies that become uneconomic before the end of their useful lives. Companies that fail to manage technology transitions as a structured risk expose their balance sheets to accelerated write-downs and face a deteriorating competitive position versus more agile rivals.

• Asset write-downs

• Revenue erosion

• CapEx (transition)

• Cost of capital

Bloomberg NEF: utility-scale solar costs fell 90% between 2009 and 2023 — companies that locked in long-term high-cost energy contracts face sustained margin compression.

19

Data Privacy & Digital Trust

Regulatory & Customer Risk

Data privacy regulation has expanded globally since GDPR. Non-compliance with privacy obligations creates direct financial exposure through regulatory fines (up to 4% of global turnover under GDPR), litigation, and the erosion of customer trust. AI adoption is accelerating this risk vector as organisations process larger volumes of personal data through automated systems that may not be adequately governed.

• Regulatory fines

• Litigation

• Revenue (customer trust)

• Operating costs (compliance)

GDPR fines exceeding EUR 4bn cumulatively by 2024. Meta has received fines exceeding EUR 1.2bn in a single GDPR decision. Ponemon Institute: breach of customer trust costs companies an average of 3–5% of customers following a data incident.

20

Reputational & Brand Risk

Amplification of All Other Risks

Reputational damage is the financial amplifier of all other risk categories. A single environmental incident, human rights scandal, data breach, or governance failure can destroy brand equity built over decades, trigger boycotts, accelerate customer attrition, and — for publicly listed companies — cause immediate and sustained market capitalisation destruction. Social media has reduced the time between incident discovery and reputational crisis to hours.

• Revenue (customer loss)

• Market cap

• Cost of capital

• Recruitment / retention

Reputation Institute: 60–80% of a company's market value is attributable to intangible assets including brand and reputation. BP's Deepwater Horizon caused a 51% market cap decline in the 40 days following the blowout (April–June 2010).

21

AI Operational & Decision Risk

Model Failure, Bias & Over-Reliance

As organisations embed AI models into consequential business decisions — credit underwriting, hiring, procurement, pricing, clinical support, logistics — the failure modes of those models become financial risks. AI systems can produce confidently wrong outputs (hallucination), encode discriminatory patterns from training data, degrade silently as the world changes around a static model, or create catastrophic single points of failure when an entire decision-making process is automated without human oversight. When AI fails at scale, losses are not linear — they are systemic and immediate across every decision the model was making. Companies that have replaced human judgment with AI judgment without adequate monitoring, validation, and fallback architecture are accumulating operational risk that is largely invisible until it crystallises.

• Revenue (automated decision errors)

• Litigation & regulatory fines

• Operational disruption

• Insurance / liability

National Institute of Standards and Technology (NIST) AI Risk Management Framework (AI RMF 1.0, 2023) documents the taxonomy of AI failure modes. Multiple financial institutions have faced regulatory action for algorithmic bias in credit and insurance decisions. Air Canada chatbot case (2024): court upheld liability for AI-generated misinformation, establishing precedent for corporate AI accountability.

22

AI Regulatory & Liability Risk

EU AI Act, Global Regulation & IP Exposure

The regulatory framework governing AI is developing at speed and with significant financial teeth. The EU AI Act — the world's first comprehensive AI regulation, fully applicable from 2026 — classifies AI systems by risk level and imposes mandatory conformity assessments, transparency requirements, and human oversight obligations on high-risk applications, with fines of up to 3% of global annual turnover for non-compliance and up to 6% for violations of prohibited AI practices. Parallel AI liability exposure arises from intellectual property claims (copyright litigation over training data is already active in multiple jurisdictions), discrimination law (automated decisions that produce disparate outcomes expose companies to employment and consumer protection claims), and product liability for AI-integrated products. Companies that have deployed AI systems without legal review, bias testing, or regulatory mapping are carrying unquantified regulatory and litigation exposure.

• Regulatory fines (up to 7% global turnover, Art. 99)

• Litigation (IP, discrimination)

• CapEx (compliance remediation)

• Revenue (product withdrawal)

EU AI Act (Regulation 2024/1689): applies from August 2026, with high-risk AI system obligations across 8 defined sectors. US authors' coalition litigation against AI training data use ongoing. US EEOC guidance on algorithmic discrimination in employment decisions (2023).

23

AI-Driven Competitive Disruption

Strategic Obsolescence & Value Chain Displacement

AI is not a productivity improvement to existing business models — it is a structural reorganisation of entire value chains. Companies that fail to integrate AI capabilities face an accelerating competitive disadvantage as AI-enabled rivals reduce costs, improve quality, and deliver personalisation at scale. Equally, companies that adopt AI without strategic coherence risk destroying the human capital and institutional knowledge that differentiated them, while creating fragile dependencies on AI infrastructure they do not control. Both failure modes — failure to adopt and failure to adopt well — result in stranded investment, eroding market share, and declining margins. Boards need a view on AI adoption as a strategic risk, not merely an IT decision.

• Revenue erosion (market share)

• Gross margin compression

• Asset write-downs (stranded processes)

• Cost of capital

McKinsey Global Institute (2023): generative AI could add USD 2.6–4.4tn annually to the global economy. Goldman Sachs: AI could automate 26% of tasks in advanced economies. Companies in sectors from legal services to logistics are already experiencing AI-driven margin pressure from new entrants.

24

Human Migration & Access to People

War, Climate Displacement & Talent Scarcity

The global movement of people — driven by armed conflict, climate displacement, political persecution, and economic necessity — is one of the most consequential and least-governed risk factors in corporate supply chains and workforce planning. Migration creates both risks and dependencies simultaneously. Companies reliant on migrant labour in agriculture, construction, hospitality, and logistics face sudden workforce disruption when immigration policy tightens or displacement patterns shift. Companies operating in conflict-affected regions face the abrupt loss of locally skilled workforces as people flee. At the macroeconomic level, countries that export skilled workers through brain drain — driven by political instability, corruption, or lack of opportunity — lose the human capital needed to sustain economic growth, destabilising markets and supply chains that companies depend on. Climate-driven displacement is projected to force 1.2 billion people to move by 2050.

• Operating costs (labour scarcity / replacement)

• Revenue (workforce disruption)

• Supply chain continuity

• Market growth (emerging markets)

Institute for Economics and Peace: over 1.2 billion people could be displaced by climate change, conflict, and lack of opportunity by 2050. ILO Global Estimates on International Migrant Workers (2024): international migrants account for 4.7% of the global labour force — concentrated in high-income countries where they represent up to 20% of the workforce. UNHCR: 117 million people forcibly displaced globally as of 2024 — the highest recorded figure.

25

Digital Access & Technology Inequality

Infrastructure Gaps, Digital Divide & Corruption in Access

A country or region that lacks reliable digital infrastructure — broadband connectivity, electricity, device access, digital literacy — cannot participate fully in modern supply chains, cannot develop the skilled workforce that technology-intensive industries require, and cannot generate the economic growth that creates consumer markets. For companies with global supply chains or growth strategies targeting emerging markets, the digital divide is a direct constraint on capability and market development. Beyond pure infrastructure, corruption in technology procurement — a documented pattern in developing economies, where contracts for network infrastructure, software licensing, and device procurement are systematically diverted through bribery — both delays infrastructure development and creates direct compliance liability for technology companies involved in those procurement processes. Companies with anti-bribery exposure under the UK Bribery Act, US FCPA, or equivalent legislation face criminal liability for their commercial partners' conduct.

• Market growth (inaccessible markets)

• Supply chain capability limits

• FCPA / Bribery Act fines

• Revenue (corruption-exposed markets)

ITU 2023: 2.6 billion people remain offline globally, concentrated in Sub-Saharan Africa and South Asia. World Bank: a 10% increase in broadband penetration correlates with 1.3% GDP growth in developing economies. US DOJ FCPA enforcement: average corporate resolution exceeds USD 150m; Ericsson FCPA penalty (March 2023): USD 206m guilty plea for breaching a prior deferred prosecution agreement, arising from corruption across infrastructure procurement in multiple countries.

A director who cannot critically evaluate a climate risk assessment, challenge the assumptions in an AI governance framework, or read a supply chain human rights audit report cannot exercise the duty of care over those risks. Exposure to a summary slide does not constitute governance literacy.

Characteristics of Effective Board Education on Non-Financial Risk

• Sustained, not episodic — structured learning over 12–18 months, not a single annual briefing

• Technical depth, not just strategic overview — directors engage with the frameworks, standards, and evidence, not just the headlines

• External and independent — delivered by practitioners with genuine domain expertise, not filtered through management or corporate communications

• Assessment-linked — directors can demonstrate understanding of key concepts, not merely attendance at sessions

• Role-specific — tailored to the governance questions directors need to answer, not generic sustainability education

• Regularly refreshed — the regulatory and technical landscape changes rapidly; education must keep pace

1. Climate Science & Physical Risk

IPCC, scenario analysis, asset exposure

• IPCC warming scenarios (1.5°C, 2°C, 4°C) and confidence levels

• Difference between acute physical risk (extreme events) and chronic physical risk (long-term shifts)

• How to read a climate scenario analysis under TCFD / IFRS S2

• What a physical risk asset assessment looks like and what makes one credible

A board that cannot critically evaluate the physical climate risk assessment presented by management is not exercising due care — it is rubber-stamping. The ability to ask the right questions about scenario plausibility, asset exposure, and time horizons is a governance skill, not a scientific one. But it requires genuine familiarity with the science.

2. GHG Accounting & Carbon Economics

GHGP, Scope 1/2/3, carbon pricing

• Greenhouse Gas Protocol structure: Scope 1, 2, and 3 and the 15 value chain categories

• Difference between location-based and market-based Scope 2 accounting

• How carbon pricing mechanisms (ETS, carbon taxes) translate into operating costs

• What science-based targets are and how to evaluate whether the organisation's targets are credible

Carbon pricing exposure and Scope 3 liability are now directly material to financial planning. A director who cannot assess whether the organisation's emission reduction pathway is credible — or challenge management on GHG boundary decisions that may be understating exposure — is not fulfilling their duty of care on a demonstrably material financial risk.

3. Artificial Intelligence: Risk, Governance & Regulation

EU AI Act, model risk, algorithmic accountability

• Categories of AI risk: operational failure, bias and discrimination, regulatory non-compliance, IP liability

• EU AI Act risk classification: unacceptable, high-risk, limited-risk, and the financial consequences of each (fines up to 7% of global turnover for prohibited AI, up to 3% for other non-compliance)

• What 'high-risk AI system' means in law and which of the organisation's AI uses may qualify

• How to evaluate an AI governance framework: model documentation, bias testing, human oversight, incident response

• The difference between AI adoption risk (failing to adopt) and AI deployment risk (adopting badly)

AI is the fastest-growing source of unquantified regulatory and operational exposure on most corporate risk registers. The EU AI Act imposes fines of up to 7% of global turnover. Algorithmic discrimination cases are active in multiple jurisdictions. A board that treats AI as an IT matter rather than a governance matter is accumulating liability without oversight.

4. Cybersecurity Governance

ISO 27001, NIST CSF 2.0, OT/IT risk, NIS2

• The NIST CSF 2.0 GOVERN function and its explicit board-level accountability requirements

• Difference between management system assurance (ISO 27001 certification) and technical security testing

• How to interpret a cybersecurity risk dashboard: what metrics matter and what good looks like

• OT/IT convergence risk and why industrial control system security is different from IT security

• NIS2 Directive obligations and the personal liability of management bodies for systemic cybersecurity failures

Regulatory frameworks — NIS2, SEC cyber disclosure rules, emerging equivalents — are placing explicit governance obligations on boards and creating personal liability for directors in the event of inadequate oversight. A director cannot discharge this obligation by delegating entirely to a CISO. They must be able to engage meaningfully with cyber risk at the governance level.

5. Human Rights & Supply Chain Due Diligence

UNGPs, CSDDD, modern slavery, forced labour

• The UN Guiding Principles on Business and Human Rights (UNGPs) and the corporate responsibility to respect

• What mandatory human rights due diligence requires under CSDDD, German LkSG, and equivalent legislation

• How to evaluate a human rights risk assessment: salient issues identification, supply chain mapping, grievance mechanisms

• US UFLPA enforcement: import ban mechanism and what supply chain evidence is required to rebut a forced labour presumption

CSDDD imposes direct obligations on boards to oversee and integrate human rights due diligence into corporate strategy. Import bans, fines of up to 5% of global net worldwide turnover, and civil liability for affected persons are the financial consequences of failure. Board-level literacy is not optional when the legislation explicitly addresses board duties.

6. Nature, Biodiversity & Water Risk

TNFD, IPBES, ecosystem service dependency

• How to use the TNFD (Taskforce on Nature-related Financial Disclosures) LEAP framework to assess nature dependency and impact

• Which industries face the highest ecosystem service dependency and what supply chain disruption looks like when those services fail

• Water stress mapping tools (WRI Aqueduct) and how to interpret water risk for operational sites

• Emerging regulatory liability under the EU Nature Restoration Law and Kunming-Montreal Global Biodiversity Framework commitments

The World Economic Forum identifies biodiversity loss as a top-5 global risk by impact over a 10-year horizon. The TNFD framework — following the TCFD model — is moving from voluntary to expected disclosure. Directors who cannot evaluate nature-related dependencies in their business model will be as exposed as those who ignored climate risk a decade ago.

7. Geopolitical, Trade & Sanctions Risk

Supply chain exposure, sanctions regimes, trade law

• How to read a geopolitical risk assessment and distinguish analytical rigour from speculation

• Sanctions regime architecture: OFAC (US), OFSI (UK), EU sanctions — what triggers liability and for whom

• Supply chain concentration risk: how to evaluate single-country and single-supplier dependency

• Export control regimes and how technology restrictions affect product strategy and market access

The Russia experience of 2022 demonstrated that geopolitical risk can crystallise with days of notice, triggering mandatory asset write-downs, market exit costs, and sanctions compliance obligations simultaneously. A board with no framework for evaluating geopolitical exposure cannot make informed strategic decisions about market entry, supply chain design, or asset allocation.

8. Non-Financial Assurance & Verification

Assurance standards, provider selection, limited vs reasonable

• The difference between limited and reasonable assurance and the evidentiary threshold each requires

• How to evaluate the competence of a non-financial assurance provider — by domain expertise, not brand name

• What ISAE 3000 and ISAE 3410 require from a practitioner providing sustainability assurance

• How to read an assurance conclusion: what it does and does not tell the board

• The role of internal audit in an integrated assurance model

The board relies on assurance to form a view on the reliability of management's information. A director who cannot distinguish a credible assurance engagement from a perfunctory one cannot exercise the oversight function. As CSRD mandates assurance over sustainability reporting, the board's ability to evaluate assurance quality becomes a direct governance obligation.

9. Non-Financial Regulatory & Legal Literacy

CSRD, CSDDD, EU AI Act, US state laws, UK frameworks

• The core obligations of CSRD: who is in scope, what must be disclosed, assurance requirements, and timeline

• How the EU Taxonomy Regulation defines 'sustainable' activities and its relevance to capital access and cost

• US state-level disclosure landscape: California SB 253/261, New York legislation, and how they interact with federal inaction

• UK frameworks: Companies Act s.172, Modern Slavery Act, TCFD-aligned mandatory disclosure, and the evolving FCA ESG agenda

Directors cannot oversee regulatory compliance in a domain they do not understand at a basic level. The expanding non-financial regulatory perimeter affects market access, capital cost, operating licence, and personal director liability. A director who is unaware of the obligations their organisation is subject to cannot meet the standard of care required by law.

10. Financial Modelling of Non-Financial Risk

Translating risk into P&L, balance sheet, and valuation impact

• How to translate non-financial risk into financial statement impact: revenue, cost, asset value, and cost of capital effects

• Climate and nature-related stress testing: how scenario analysis is used to quantify potential financial exposure

• How to interpret TCFD-aligned financial risk disclosures and challenge the assumptions behind them

• How institutional investors and credit rating agencies are integrating non-financial risk into valuation and credit assessment

The ultimate purpose of risk governance is to protect financial value. A director who understands individual risk categories but cannot connect them to the organisation's financial position cannot assess whether management's response is proportionate or whether the organisation's risk appetite is appropriate. This translation skill is the capstone of non-financial governance literacy.

Step 1: Know What You Don't Know — Then Fix It

• Conduct a skills and expertise audit of the board — map board expertise against the twenty-five risk areas.

• Identify gaps and determine whether to address them through recruitment, advisory structures, or structured education.

• Commission a multi-year board education programme across the ten domains set out in Section 6 — not a single annual briefing.

• Be honest about which risk areas the board currently cannot assess critically — and document that as a governance risk.

Step 2: Demand Evidence-Based Materiality Assessment

• Commission a rigorous, evidence-based materiality assessment spanning all twenty risk categories.

• Insist that the assessment draws on scientific and expert sources — not just management opinion or media scanning.

• Ensure the output is prioritised, documented, and formally approved at board level.

Step 3: Establish Governance Accountability

• Assign explicit board-level accountability for each material risk — to the full board, a committee, or a named director.

• Expand the audit committee's mandate (or establish a new committee) to cover non-financial risk oversight.

• Define the reporting cadence, metrics, and escalation thresholds for each material risk.

Step 4: Commission Independent Assurance

• Identify which material risk areas require independent assurance — and at what level of rigour.

• Select assurance providers on the basis of genuine domain expertise, not simply existing audit relationships.

• Ensure assurance conclusions are reported to the board, not just to management.

Step 5: Connect Risk Governance to Strategy and Capital Allocation

• Ensure that material risk assessments are explicitly considered in strategic planning processes.

• Challenge capital allocation decisions that increase exposure to unmanaged material risks.

• Articulate to investors how the board's risk governance framework protects long-term financial value.

Fiduciary duty has not changed. The world in which it must be exercised has. Boards that govern accordingly are not doing something extra. They are doing their job.

Principal Evidence Sources Referenced in This Whitepaper

• IPCC Sixth Assessment Report (AR6), 2021–2023 — physical and financial risk assessment for climate change

• IPBES Global Assessment Report on Biodiversity and Ecosystem Services, 2019

• IEA World Energy Outlook and Critical Minerals reports, 2023

• World Resources Institute Aqueduct Water Risk Atlas, 2023

• World Economic Forum Global Risks Report, 2024

• Swiss Re Institute — sigma natural catastrophe loss data

• Munich Re NatCatSERVICE — global disaster and insured loss database

• McKinsey Global Institute — supply chain resilience analysis

• IBM Cost of a Data Breach Report, 2024

• Reputation Institute — intangible asset and brand valuation research

• CDP Water Security and Climate Change reports

• WHO: Heat stress and climate-linked occupational health projections

• Harvard Kennedy School: Social conflict cost of mining projects research

• World Bank: COVID-19 and geopolitical fragmentation economic impact estimates

• EU GDPR enforcement register — European Data Protection Board

• Bloomberg NEF: Renewable energy cost deflation data

• UK Companies Act 2006, s.172 (duty to promote success of the company)

• OECD Due Diligence Guidance for Responsible Business Conduct

Speeki

Speeki is a non-financial assurance and technology company. We combine an intelligent technology platform with deep domain assurance expertise across environmental, social, human rights, cybersecurity, and circular economy performance.

We provide independent non-financial assurance engagements and the underlying technology infrastructure that organisations need to generate accurate, reliable, and auditable non-financial data — giving boards, audit committees, investors, and regulators the confidence they require.

This whitepaper is the second in Speeki's Board Governance Series. It accompanies our whitepaper on non-financial assurance: Board-Ready for Non-Financial Assurance — A Practical Guide for Boards and Audit Committees.

To learn more about Speeki's assurance and technology capabilities, visit speeki.com.

© 2025 Speeki. This whitepaper is for informational purposes only and does not constitute legal, regulatory, or professional advice.