Following enforcement actions imposing corporate criminal or civil liability, shareholders often bring derivative actions seeking to hold directors liable for related compliance failures by alleging they breached their fiduciary duty to monitor the affairs of the corporation. Although Delaware courts have traditionally dismissed such claims with some regularity, the recent decision of the Delaware Court of Chancery in In re The Boeing Company Derivative Litigation (“In re Boeing”)1 is the latest in a series of cases, beginning with the Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill (“Marchand”),2 allowing shareholder derivative claims to proceed against corporate directors for alleged failures to monitor “mission critical” risks facing their companies.
While nominally applying the standard for shareholder claims of failed director oversight first established 25 years ago in In re Caremark International Inc. Derivative Litigation (“Caremark”),3 these more recent decisions signal an evolution in how the Delaware courts evaluate such claims. By focusing on the nature and degree of director oversight of “mission critical” risks, these decisions highlight the need for active, risk-based corporate governance by directors. Successfully discharging the duty of oversight in this context depends more than ever on the company having effective enterprise risk management and compliance programs in which risks are regularly identified and prioritized in light of changes in laws, regulations, technology, or the company’s business itself. It is perhaps no accident that the courts’ recently sharpened focus on risk-based director oversight has arisen in the context of increasingly exacting scrutiny by enforcement authorities of corporate compliance programs as part of their discretionary assessment of whether, and if so how, to charge corporations. Identifying and prioritizing an enterprise’s evolving legal and compliance risks and deploying resources accordingly is thus critical to enable the board to meet its fiduciary duty of oversight to shareholders and to enable the corporation to meet expectations of enforcement authorities as well.
This Client Alert briefly summarizes key developments in the evolution of the fiduciary duty of oversight under Delaware law, discusses its symbiotic relationship with risk management and compliance, and offers guidance for corporate boards to ensure they are effectively carrying out their duty of oversight.
The Evolution of the Fiduciary Duty of Director Oversight under Delaware Law
The Caremark Standard
In 1996, the Delaware Court of Chancery in Caremark articulated a new standard for when directors may be held liable for breaching their fiduciary duty of oversight. In Caremark, a consolidated shareholder derivative action alleged Caremark’s directors breached their duty of oversight in connection with employee conduct that resulted in significant corporate fines from enforcement actions by state and federal authorities and federal indictments related to alleged unlawful payments to healthcare providers. The Court of Chancery was called upon to assess the fairness and reasonableness of a proposed settlement, which required the Court to consider the strength of the plaintiffs’ claim that the Caremark directors had breached their fiduciary duty of oversight.
In considering the parameters of the board’s oversight responsibilities, the Court of Chancery rejected a broad interpretation of the Delaware Supreme Court’s 1963 decision in Graham v. Allis-Chalmers Mfg. Co., in which the Supreme Court stated that “absent cause for suspicion there is no duty upon the directors to install and operate a corporate system of espionage to ferret out wrongdoing which they have no reason to suspect exists.”4 Noting the increasing importance of a properly informed corporate board, particularly in view of the increasing criminalization of corporate conduct and the imposition of significant corporate fines and penalties under the then-recently adopted federal Organizational Sentencing Guidelines, the Court of Chancery in Caremark defined a proactive fiduciary duty of oversight not limited to requiring director action only in response to red flags.5
According to the Court of Chancery, “a director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that the failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”6 Acknowledging the high bar to establishing such liability, the court observed that “only a sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists – will establish the lack of good faith that is a necessary condition to liability.”7
The Court of Chancery concluded that the proposed settlement provided only “modest benefits” but was nonetheless fair and reasonable because the failure of oversight claim was “extremely weak” and “quite likely” would have been “susceptible to a motion to dismiss.”8 Although the court observed that the Caremark board had “a functioning committee charged with overseeing corporate compliance,”9 the record does not indicate that the full board or any board committee was tasked specifically with oversight of the company’s compliance with health care laws (as compared to corporate compliance generally), or that there was any regular management reporting to the board or to a board committee about compliance with relevant health care laws, the violations of which gave rise to significant corporate liability. Indeed, the compliance enhancements agreed as part of the settlement included specific, board-level engagement with and regular management reporting about these issues.10
Were today’s risk-based scrutiny evident in Marchand and most recently in In re Boeing applied in Caremark, the court almost certainly would not have been so dismissive of the shareholder’s failure of oversight claim in assessing the reasonableness of the proposed settlement.
Marchand and Oversight of “Mission Critical” Risks
In 2019, over 20 years after Caremark, the Delaware Supreme Court in Marchand introduced a risk-based gloss on the duty of oversight defined in Caremark. Marchand involved a shareholder derivative claim for losses to Blue Bell, an ice cream manufacturer, arising from a listeria outbreak that resulted in three deaths and forced Blue Bell to recall its products, suspend production, lay off a third of its workforce, and accept a private equity investment to address resulting liquidity issues that reduced the value of its shares. To fulfill its duty of oversight under Caremark, the Court in Marchand stated a board must “make a good faith effort to put in place a reasonable system of monitoring and reporting about the corporation’s central compliance risks.”11 The Court further observed that a board’s failure to take steps “to make sure it is informed of a compliance issue intrinsically critical to the company’s business operation” would “support an inference that the board has not made the good faith effort that Caremark requires.”12 The Court thus considered whether, before the listeria outbreak, the Blue Bell board tried in good faith to implement a reasonable board-level reporting and information system focused on the company’s “mission critical” risk of food safety.13
Reversing the Court of Chancery’s dismissal of the Caremark claim, the Supreme Court observed that the complaint alleged that, before the listeria outbreak, there was (1) no board committee that addressed food safety, (2) no process that required management to keep the board apprised of food safety compliance, risks, or reports, (3) no schedule for regular board consideration (e.g., quarterly or semi-annually) of any food safety risks, and (4) no evidence of any regular board-level discussion of food safety.14 The Supreme Court rejected the defendant directors’ arguments that corporate compliance with federal and state safety regulations, the existence of employee food safety manuals, periodic corporate compliance audits, or discretionary management reporting to the board about the company’s general operational performance, showed a good faith effort to establish a board-level information and reporting system related to food safety compliance.15 The necessary focus therefore is what the board itself has done to ensure that it is informed about “mission critical” corporate risks.
Since the Delaware Supreme Court’s decision in Marchand, there has been a series of cases in which the Court of Chancery has rejected defendants’ motions to dismiss Caremark claims alleging a board-level failure to monitor mission critical corporate risks.16 In re Boeing is the most recent example.
In re Boeing and the Need for “Rigorous Oversight” of “Mission Critical” Risks
In In re Boeing, plaintiff shareholders brought derivative claims against company directors for, among other things, breach of the duty of oversight in the aftermath of two fatal plane crashes of the 737 Max and the related grounding of its 737 Max fleet. The plaintiffs alleged oversight failures under both prongs of Caremark, namely, that the directors acted in bad faith (1) by failing to create an information and reporting system for the board to monitor the “mission critical” risk of aircraft safety before the two crashes and then (2) by ignoring the safety red flags that the first crash raised.17
Tracking the analysis in Marchand, the Court of Chancery found that the shareholders stated viable Caremark claims and thus denied the defendants’ motion to dismiss. The court concluded that the alleged absence of structures to inform the board about the “mission critical” issue of airplane safety gave rise to a reasonable inference that the directors acted in bad faith in breach of their duty of oversight.18 The court found persuasive the indicia of director bad faith and laxity in oversight that the Supreme Court noted in Marchand, namely, that before the first air crash there was (1) no board committee specifically mandated to monitor airplane safety,19 (2) no internal system for whistleblowers or employees to bring safety concerns to the board’s attention,20 (3) no schedule for or evidence of regular board monitoring or discussion of airplane safety,21 and (4) no process or protocol requiring management to keep the board regularly informed of issues related to airplane safety.22 As in Marchand, the court rejected the notion that committee responsibility for compliance generally,23 facial compliance by the company with regulatory requirements,24 or ad hoc, discretionary management reporting to the board,25 sufficed to meet the board’s obligation to provide “rigorous oversight” of “mission critical” risks.
The court also found that the plaintiff shareholders stated a viable claim that the board failed to respond in good faith to the red flag safety issues embodied in the public reporting about the first 737 Max crash. Notably, after the first crash, the board allegedly failed to request information from management, to timely convene a mandatory meeting to discuss the crash, or to timely initiate an inquiry into the cause of the crash.26
An Effective Risk-Based Compliance Program Is Essential to Enable Directors to Fulfill Their Fiduciary Duty to Monitor Mission Critical Corporate Risks and for Corporations to Meet the Increasingly Exacting Expectations of Enforcement Authorities
By analogy to the less well-known half of Muhammad Ali’s famous quotation, “Float like a butterfly, sting like a bee, the hands can’t hit what the eyes can’t see,” a board obviously cannot monitor risks it does not know about, much less do so rigorously. By scrutinizing whether and to what extent directors have exercised oversight of “mission critical” risks, Marchand and the cases that have followed it effectively require boards to engage in risk-based corporate governance. In so doing, Delaware courts have tied more closely than ever a board’s ability to exercise its duty of oversight to the corporation having effective enterprise risk management and compliance programs that identify and prioritize evolving corporate legal and regulatory risk so that the board can design and implement appropriately calibrated board-level monitoring of relevant risks and deploy its resources accordingly.
The increasing judicial scrutiny of board oversight of key corporate risks has been paralleled by increasingly exacting scrutiny by enforcement authorities of the effectiveness of corporate compliance programs in deciding whether and how to prosecute corporate misconduct. These developments underscore the symbiotic relationship between corporate governance and corporate compliance.
Since 1999, the Department of Justice has issued formal guidelines identifying the factors federal prosecutors should consider in determining whether and, if so, how business entities should be charged.27 Though not determinative, one factor in this discretionary calculus has consistently been the existence and effectiveness of a corporate compliance program to detect and prevent misconduct. In the 2003 version of these guidelines, entitled “Principles of Federal Prosecution of Business Organizations,” the Department cited Caremark and stated that, in assessing a corporate compliance program, prosecutors may consider “whether the corporation has established corporate governance mechanisms that can effectively detect and prevent misconduct,” including whether the company’s “directors established an information and reporting system . . . reasonable to provide management and the board of directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization’s compliance with the law.”28 Thus, just as the Caremark court grounded its delineation of a proactive duty of corporate oversight in part on the increasing criminalization of corporate conduct and the resulting increased exposure of corporations to significant criminal fines, the Department recognized that its assessment of whether and how to prosecute a corporation could be informed in part by the effectiveness of the corporation’s system of corporate governance. An effective compliance program evidenced and supported by effective governance thus can help corporations avoid or mitigate the risk of significant criminal liability just as effective governance informed and supported by an effective compliance program can help avoid or mitigate the risk of director liability.
Similar to the guidelines issued by the Department of Justice, the Securities and Exchange Commission in 2001 issued a framework for evaluating whether and, if so, to what extent, to afford lenient treatment to companies under investigation (the “Seaboard Report”). Though not citing Caremark, certain Seaboard factors relate to director oversight, including (1) whether and, if so, when a company’s audit committee and board of directors were fully informed of relevant misconduct, and (2) whether management or the board oversaw any internal investigation of such misconduct.29
While the assessment of the effectiveness of corporate compliance programs, including by reference to corporate governance, has been a relevant, though non-determinative, factor in the prosecution calculus of the Department of Justice and other enforcement authorities for some time, the level of scrutiny with which authorities have assessed the effectiveness of corporate compliance programs has increased dramatically in recent years. For example, in 2015 the Department of Justice for the first time hired an external compliance consultant to inform its program assessments.30 In addition, in 2017, the Department published, and has since twice revised, guidance on how it evaluates corporate compliance programs.31 The most recent version of this guidance, published in 2020, spans almost 20 pages and focuses in material part on whether and to what extent a company’s corporate compliance program is risk-based in design and implementation; with respect to corporate governance, the guidance specifically asks “what types of information have the board of directors and senior management examined in their exercise of oversight in the area in which misconduct has occurred?”32 As anyone who has had to explain a corporate compliance program to US enforcement authorities in the last several years can attest, the level of scrutiny outlined in this guidance exists in practice as well as on paper.
In light of the foregoing developments, corporations and their governing boards are challenged more than ever to have effective risk-based corporate compliance and corporate governance. Recognizing that there is not a one-size-fits-all approach for either, but that approaches can and should be adapted reasonably to the facts and circumstances of individual companies in view of their size, resources, and risks, the steps boards should consider taking to ensure they exercise appropriate oversight of relevant risks include the following:
- Ensure that management conducts periodic enterprise risk assessments, repeated at reasonable intervals, to identify and prioritize the evolving key legal, regulatory, and operational risks the corporation faces;
- Ensure that a board committee has been mandated expressly to monitor each risk identified as central or critical, and tailor the level of oversight accordingly. Any difference in the assessed significance of the risks meriting board-level scrutiny could be reflected, for example, in the frequency of committee or board meetings at which a given risk is addressed;
- Ensure that a regular cadence exists for management to report information and developments relevant to such risks to the responsible committee, including to allow the committee and the board to satisfy themselves that sufficient corporate resources are being devoted to address key risks. Relatedly, establish a protocol for off-cycle reports by management to the responsible committee of material developments related to covered risks, and ensure that certain types of risks identified in internal whistleblower hotlines are sent directly to the responsible committee or escalated promptly to the committee by management;
- Establish a schedule for consideration by the full board of information and developments related to the risks identified as central to the organization; and
- Ensure that board and committee minutes appropriately reflect the directors’ oversight efforts.
A good faith effort to design and implement effective risk-based corporate governance and compliance will protect and serve the interests of the corporation, its governing board, its shareholders, and other stakeholders.
1 No. 2019-0907, 2021 BL 337478 (Del. Ch. Sept. 7, 2021).
2 212 A.3d 805 (Del. 2019).
3 698 A.2d 959 (Del. Ch. 1996).
4 188 A.2d at 130.
5 698 A.2d at 969-70.
6 Id. at 970. The Delaware Supreme Court subsequently endorsed this formulation as “articulat[ing] the necessary conditions predicate for director oversight liability.” Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006). Although this Client Alert focuses primarily on the director duty to act in good faith to create a reasonable board-level information and reporting system, this duty also requires directors to monitor information generated by such a system and to respond appropriately to red flags when presented. See, e.g., Stone, 911 A.2d at 370 (stating that oversight liability may arise because “(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention”).
7 698 A.2d at 971.
8 Id. at 970-71.
9 Id. at 970.
10 Id. at 966
11 212 A.3d at 824.
12 Id. at 822.
13 Id. at 822, 824.
14 Id. at 822.
15 Id. at 822-23.
16 See Teamsters Local 443 Health Servs. & Ins. Plan v. Chou, No. 2019-0816, 2020 BL 320972 (Del. Ch. Aug. 24, 2020); Hughes v. Xiaoming Hu, No. 2019-0112, 2020 BL 155470 (Del. Ch. Apr. 27, 2020); Inter Mktg. Grp. USA, Inc. v. Armstrong, No. 2017-0030, 2020 BL 516916 (Del. Ch. Jan. 31, 2020); In re Clovis Oncology, Inc. Deriv. Litig., No. 2017-0222, 2019 BL 373697 (Del. Ch. Oct. 1, 2019).
17 2021 BL 337478 at *27.
18 See id.
19 Id. at *28-29.
20 Id. at *29.
21 Id. at *29-30.
22 Id. at *31-34.
23 Id. at *6, 28-29.
24 Id. at *30-31.
25 Id. at *32-33.
26 Id. at *35-36.
27 See Memorandum from Eric Holder, Deputy Attorney Gen., Dep’t of Justice, on Bringing Criminal Charges Against Corporations, to Dep’t Component Heads and US Att’ys (Jun. 16, 1999), available here.
28 Memorandum from Larry D. Thompson, Deputy Attorney Gen., Dep’t of Justice, on Principles of Federal Prosecution of Business Organizations, to Dep’t Component Heads and US Att’ys (Jan. 20, 2003), available here. The most recent version of this guidance was published in July 2020, available here.
29 Sec. Exch. Comm’n, Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions (2001), available here. 30 See “Assistant Attorney General Leslie R. Caldwell Speaks at SIFMA Compliance and Legal Society New York Regional Seminar,” Dep’t of Justice Office of Public Affairs (Nov. 2, 2015), available here.
31 See Dep’t of Justice, Evaluation of Corporate Compliance Programs (2017), available here; Dep’t of Justice, Evaluation of Corporate Compliance Programs (2019), available here; Dep’t of Justice, Evaluation of Corporate Compliance Programs (2020), available here.
32 Dep’t of Justice (2020), supra n.31 at 10-11.