Why Email Is Your Biggest Board Governance Risk — and Why Most BFSI Firms Still Haven’t Fixed It

When a major European bank’s board pack — containing unannounced M&A intentions — was forwarded outside its intended recipients in 2023, the information had travelled through six inboxes before anyone noticed. No breach. No malicious actor. Just email doing what email does. The question boards across the BFSI sector should be asking is not whether this could happen to them — but whether they’d know if it already had.

The Governance Gap No One Is Talking About

Email has been the default channel for board communication for decades. It is familiar, fast, and universally accessible. It is also fundamentally unsuited to the security, auditability, and control requirements of modern board governance — particularly in financial services, banking, and insurance (BFSI), where regulatory expectations around information handling are among the most demanding in any sector.

Yet across Nordic and international BFSI firms, email distribution of board materials remains the norm. Board packs arrive as PDF attachments. Amendments are sent as “updated version” replies. Sensitive annexes sit in inboxes indefinitely. And the audit trail — who received what, when, and whether they opened it — is effectively nonexistent. This is not a technology problem waiting for a solution. Board portal software exists, is mature, and is already trusted by some of the world’s most regulated institutions. The problem is inertia: a collective underestimation of what email-based governance is actually costing.

What Email Cannot Protect

The security limitations of email in a governance context are structural, not incidental. Consider what a standard board pack distribution via email actually involves:

  • No access controls: once an attachment is sent, the sender loses all control over it. It can be forwarded, printed, screenshotted, or saved to personal devices without any record.
  • No version integrity: a director who misses one amendment email may walk into a meeting with outdated financials, a superseded risk report, or a resolution that has already been revised.
  • No audit trail: if a regulator asks who accessed a sensitive board paper and when, an email thread provides no reliable answer.
  • No encryption at rest: most corporate email systems do not encrypt stored attachments to the standard required for board-level materials.

For BFSI firms operating under frameworks such as the UK’s Senior Managers and Certification Regime (SM&CR), the EU’s Digital Operational Resilience Act (DORA), or the Norwegian Code of Practice for Corporate Governance (NUES), these are not theoretical risks. They represent identifiable compliance gaps. [See: European Banking Authority (EBA) guidance on DORA, ICT risk management]

Why BFSI Boards Are Particularly Exposed

The sensitivity of information handled at board level in financial services is self-evident: capital allocation decisions, M&A activity, risk appetite statements, regulatory findings, executive remuneration. Any one of these, if improperly disclosed, carries material legal, reputational, and regulatory consequence.

What is less obvious is how the complexity of BFSI governance structures amplifies this exposure. Many Nordic financial institutions operate boards and committees across multiple jurisdictions — each with different directors, different regulatory contexts, and different access requirements. Managing this through email doesn’t just create security risk; it creates an operational burden that falls almost entirely on the company secretary or board administrator, who must manually segment, redact, and distribute materials while maintaining some semblance of version control.

Research from governance professionals consistently finds that board administrators in organisations without dedicated board management software spend six to twelve hours per meeting cycle on document collation, formatting, and distribution alone — time that could be directed toward governance quality rather than logistics. [See: Governance Institute of ANZ / ICSA research on secretariat workload]

What Board Portal Software Actually Solves

Board portal software — sometimes referred to as a digital boardroom platform — is purpose-built for the security and process requirements that email cannot meet. The distinction is not merely one of convenience. It is structural.

Where email distributes a document and loses control of it, a board portal gives administrators role-based access controls: different directors, different committees, different permissions — all managed centrally, all auditable. Where email creates version fragmentation, a board portal maintains a single source of truth: when an amendment is made, it is immediately visible to all authorised users, with read receipts confirming access.

For regulated firms, this auditability is not a feature — it is a compliance requirement. Regulators including the UK’s Financial Conduct Authority (FCA) and the Financial Reporting Council (FRC) have increasingly emphasised the importance of robust information governance at board level. A documented, encrypted, and access-controlled board process is not just better governance — it is a defensible one. [See: FRC UK Corporate Governance Code 2024]

Beyond security, the process benefits are significant. Directors access the current board pack from any device, annotate sections before the meeting, and arrive oriented and prepared. The meeting itself becomes more substantive, because less time is consumed by orientation and clarification.

The Inertia Problem — and How to Overcome It

If the case for board portal software is clear, why do so many BFSI firms still rely on email? The honest answer is that the costs of the current approach are largely invisible. No one receives an invoice for the hours spent reassembling a board pack after a last-minute amendment. The governance risk of an outdated document in a director’s inbox doesn’t appear as a line item until something goes wrong.

The organisations that have made the shift consistently report the same outcomes: faster preparation cycles, fewer errors, better-prepared directors, and a governance process that holds up to scrutiny. The transition itself is typically straightforward — the primary requirement is clarity about what you need the platform to do, and the discipline to retire the old process rather than run them in parallel.

For Nordic BFSI firms operating across borders, the argument is particularly compelling. Managing board communications across multiple jurisdictions through email is not just risky — it is, at scale, unmanageable. A digital boardroom environment centralises everything: materials, decisions, resolutions, records, and the audit trail that regulators expect to see. [See: NUES Norwegian Code of Practice for Corporate Governance]

The Standard Has Moved — Has Your Process?

Email was never designed to carry the weight of board governance. In an environment where regulatory expectations are rising, cyber threats are more sophisticated, and board effectiveness is under sharper scrutiny, continuing to rely on it is not a neutral choice — it is an active risk. The boards and executive teams that recognise this now are the ones building governance processes that are resilient, auditable, and fit for the level of accountability they carry. The gap between where most firms are and where they should be is measurable. More importantly, it is closeable.
