Skip to content
Corvian Partners

Insights · Governance

Board governance under heightened scrutiny: what boards are now asked to prove

Alexander Gunning, Associate · 10 February 2026

The question Australian regulators put to boards has changed shape. A decade ago it was, in substance: does the company have a framework? Today it is: what did the board itself see, when did it see it, what did it ask, and what happened next. The distinction matters because the first question is answered by a policy document, and the second is answered only by the board’s own record.

Three developments define the current posture.

Section 180(1) and the stepping-stone route to the director

The care and diligence duty in s 180(1) of the Corporations Act 2001 (Cth) has, since ASIC v Cassimatis (No 8) [2016] FCA 1023, carried a well-understood enforcement geometry: where the company contravenes the law, ASIC does not need to make the director liable for the company’s contravention. It needs only to establish that a reasonably careful director in that position would not have permitted the company to be exposed to the risk of contravening. The company’s breach becomes the first step; the director’s supervision of the risk becomes the second.

The practical consequence is that any significant regulatory failure inside the company is, simultaneously, a latent inquiry into the board. Directors who assess their exposure only after the company’s conduct is questioned have usually already lost the period in which their own record could have been shaped by the questions they asked.

Cyber resilience as a supervised obligation

ASIC v RI Advice Group Pty Ltd [2022] FCA 496 established that inadequate cyber risk management can breach an Australian financial services licensee’s general obligations under s 912A. The decision’s significance travels well beyond licensees. It confirmed that cyber resilience is a supervised legal obligation with a measurable standard – not an IT function the governing body may treat as delegated and closed.

Since then, ASIC has said publicly and repeatedly that cyber preparedness sits within directors’ duties, and the pattern of Australian incident inquiries bears out the sequence: the incident is handled by management; the aftermath is addressed to the board. What did the board know about the control environment before the incident. Which uplift recommendations had been made, and which were deferred, and on what recorded reasoning.

Deferral is not itself the failure. Unexplained deferral is. A board that declined a control investment on recorded, costed reasoning is in a categorically different position from a board whose papers are silent.

CPS 230 and the operational-risk record

For APRA-regulated entities, Prudential Standard CPS 230 – in force since 1 July 2025 – completes the shift. It requires the board to be able to identify the entity’s critical operations, set tolerances for their disruption, and oversee the management of material service-provider risk. Each of those verbs generates a record, or fails to.

Entities outside APRA’s perimeter are not outside the trend. CPS 230’s logic – critical operations named, tolerances set, third-party dependence governed – is becoming the reference architecture against which the governance of any operationally complex Australian entity is informally judged, including by courts asked to decide what a reasonable director would have done.

The questions a board should be able to answer now

The common thread is that scrutiny has moved from the existence of governance to the evidence of it. Boards positioned well for the current environment tend to be able to answer, from their own record rather than management’s assurances:

  • Which of the entity’s risks the board has itself examined in the past twelve months, and what it asked.
  • Where the board’s information about those risks comes from, and whether any channel is independent of the function that owns the risk.
  • Which recommendations to the board were deferred or declined, and what reasoning was recorded.
  • Who would brief the board within the first day of a serious incident, and against what prepared position.

None of these questions requires a crisis to be answerable. All of them are asked after one.