
Email Is Your Board's Biggest Governance Risk

Every year, boards spend time and money getting governance right. They update policies, train directors, review risk registers, and tighten controls. It's serious work, and it matters.

But there's one thing that sits at the centre of almost every board conversation (every discussion, decision, and document) and rarely makes it onto the risk register.

Email.

Directors use it constantly. It's how board papers get shared, how decisions get nudged along, how sensitive topics get discussed between meetings. And in most organisations, it's almost entirely ungoverned.

That needs to change.

Email feels casual. That's the problem.

Think about how board decisions actually happen in practice. A paper goes out. A few directors reply with questions. Someone says "I'm fine with option B. Anyone disagree?" A couple of people say nothing. The chair takes that as agreement.

That email thread? It's now a board record. It could be treated as a formal decision. And if the organisation ever faces a lawsuit or a regulatory inquiry, it will almost certainly be pulled into evidence, exactly as written, with all the shorthand and half-finished thoughts intact.

Courts have been consistent on this for years: emails between directors carry the same legal weight as board minutes. The problem is that most directors don't write them that way.

Nobody knows where the records are

Most organisations have a policy on how long to keep documents. Few enforce it at board level.

In reality, board communications are all over the place. They're in personal Gmail accounts, on corporate servers, forwarded to assistants, printed out at home, or just lost when someone gets a new phone. Directors leave the board and take their email history with them.

This becomes a real problem when something goes wrong. If the company faces litigation or a regulatory investigation, investigators will look for every email every director sent about the relevant topic, across every account and every device. When a board can't produce a clear record of how a decision was made, it raises uncomfortable questions: were they paying attention? Or are they hiding something?

Neither is a good answer.

Directors are a target, and most don't know it

Here's something worth sitting with: board members are among the most valuable targets for cybercriminals, and among the least protected.

Why valuable? Because directors know things: upcoming deals, strategic plans, sensitive personnel decisions. That information is worth a lot to the right people.

Why unprotected? Because nobody wants to be seen monitoring the board's email. Directors often use personal devices and personal accounts for board business, well outside the organisation's security controls. Some push back on IT oversight on principle.

Hackers know this. Attacks targeting senior executives and board members (fake emails from trusted contacts, fraudulent wire transfer requests, attempts to steal deal information) are increasingly common. And the inbox is usually the way in.

Confidentiality is harder than it looks

Board members have a real obligation to keep certain things confidential. Email makes that very difficult.

It's not usually deliberate. A director gets a board paper and forwards it to their assistant to add it to their calendar. The assistant saves it to a shared folder. Someone else with access to that folder downloads it. Nobody did anything obviously wrong, but that sensitive document is now in three places it shouldn't be.

Once something is in the email system, it's almost impossible to contain. There's no taking it back once it's been forwarded, cached, or printed. And confidential board information has a way of reaching journalists, activists, and competitors through exactly these kinds of accidental chains.

So what should boards actually do?

This isn't an argument for banning email. That's not realistic. But it is an argument for treating email as a governance risk, because that's what it is.

A few practical steps make a real difference.

Use a proper board portal. Dedicated platforms for board communication exist for exactly this reason. They have access controls, audit trails, and proper security. The question isn't whether they're worth it; it's why more boards aren't using them already.

Be clear about what counts as a record. Directors should know which communications are official records, which aren't, and what happens to all of it when someone leaves the board. A policy nobody's read isn't a policy.

Hold directors to the same security standards as everyone else. If the organisation requires multi-factor authentication and approved devices for employees handling sensitive data, the same should apply to board members. No exceptions.

Ask a simple question before hitting send. Would I be comfortable if this email ended up as an exhibit in a court case? If the answer is no, pick up the phone instead.

Regulators are starting to pay attention

It's not just litigation risk. Regulators are increasingly looking at how boards make decisions, not just what decisions they made.

A board that can show clear records (structured papers, proper minutes, a logical decision trail) is in a much stronger position than one whose only record is a messy email thread. When a regulator asks "how did the board approach this risk?", the answer can't be "well, there were some emails..."

The boards most at risk in future regulatory reviews won't necessarily be the ones who made bad calls. They'll be the ones who can't show how any call was made.

The bottom line

Good governance is about being able to show that the board did its job: carefully, honestly, and with the right information. Email, as most boards use it today, works against that. It's too informal, too scattered, too insecure, and too hard to track.

Every other part of the governance framework depends on directors communicating well and keeping proper records. If the communication channel itself is broken, the rest of the framework is a lot weaker than it looks.

The inbox isn't just a convenience tool. For most boards, it's where governance quietly breaks down, and almost nobody is talking about it.

 
